An Intercepting API-Based Access Control Approach for Mobile Applications

Yaira K. Rivera Sánchez, Steven A. Demurjian, Lukas Gnirke

2017

Abstract

Mobile device users employ mobile applications to realize tasks once limited to desktop devices, e.g., web browsing, media (audio, video), managing health and fitness data, etc. While almost all of these applications require a degree of authentication and authorization, some involve highly sensitive data (PII and PHI) that must be strictly controlled as it is exchanged back and forth between the mobile application and its server side repository/database. Role-based access control (RBAC) is a candidate to protect highly sensitive data of such applications. There has been recent research related to authorization in mobile computing that has focused on extending RBAC to provide a finer-grained access control. However, most of these approaches attempt to apply RBAC at the application-level of the mobile device and/or require modifications to the mobile OS. In contrast, the research presented in this paper focuses on applying RBAC to the business layer of a mobile application, specifically to the API(s) that a mobile application utilizes to manage data. To support this, we propose an API-Based approach to RBAC for permission definition and enforcement that intercepts API service calls to alter information delivered/stored to the app. The proposed intercepting API-based approach is demonstrated via an existing mHealth application.

References

  1. Abdunabi, R., Ray, I., & France, R., 2013. Specification and analysis of access control policies for mobile applications. 18th ACM Symposium on Access Control.
  2. Models and Technologies (SACMAT 7813). ACM, pp. 173- 184.
  3. Aich, S., Mondal, S., Sural, S., & Majumdar, A. K., 2009. Role Based Access Control with Spatiotemporal Context for Mobile Applications. Transactions on Computational Science IV: Special Issue on Security in Computing.
  4. Backes, M., Bugiel, S., Gerling, S., & von StypRekowsky, P., 2014. Android Security Framework: Extensible multi-layered access control on Android. 30th Annual Computer Security Applications.
  5. Conference, pp. 46-55.
  6. Beal, V., 2014. API - application program interface. [Online] Available.
  7. Benats, G. et al., 2011. PrimAndroid: privacy policy modelling and analysis for android applications. In Symposium on Policies for Distributed Systems and Networks (POLICY 7811). IEEE.
  8. Beresford, A., Rice, A., Skehin, N., & Sohan, R., 2011. MockDroid: trading privacy for application functionality on smartphones. 12th Workshop on Mobile Computing Systems and Applications. Phoenix, Arizona.
  9. Cappos, J., Wang, R., Yang, Y. & Zhuang, Y., 2014. Blursense: Dynamic fine-grained access control for smartphone privacy. [Online] Available at: DOI=10.1109/SAS.2014.6798970.
  10. Cobb, M., 2014. API security: How to ensure secure API use in the enterprise. [Online] Available at: http://searchsecurity.techtarget.com/tip/API-securityHow-to-ensure-secure-API-use-in-the-enterprise.
  11. Collet, S., 2015. API security leaves apps vulnerable: 5 ways to plug the leaks. [Online] Available at: http://www.csoonline.com/article/2956367/mobilesecurity/api-security-leaves-apps-vulnerable-5-waysto-plug-the-leaks.html.
  12. Connecticut General Assembly, 2015. Substitute for Raised H.B. No. 6722. [Online] Available at: https://www.cga.ct.gov/asp/CGABillStatus/CGAbillst atus.asp?which_year=2015&selBillType=Bill&bill_nu m=HB6722.
  13. Dellinger, A., 2015. This Instagram app may have stolen over 500,000 usernames and passwords. [Online] Available at: http://www.dailydot.com/technology.
  14. Developer Program, 2012. Benefits of APIs. [Online] Available at: http://18f.github.io/API-All-theX/pages/benefits_of_apis.
  15. Facebook, 2014. Facebook Graph API. [Online] Available at:https://developers.facebook.com/docs/
  16. Fadhel, A., Bianculli, D., Briand, L. & Hourte, B., 2016. A Model-driven Approach to Representing and Checking RBAC Contextual Policies. CODASPY 2016. ACM, pp. 243-253.
  17. Fernández-Alemán, J., Señor, I., Lozoya, P. & Toval, A., 2013. Security and privacy in electronic health records: A systematic literature review. Journal of Biomedical Informatics, 46(3), pp. 541-562.
  18. Ferraiolo, D. & Kuhn, R., 1992. Role-Based Access Control. NIST-NSA National (USA) Computer Security Conference, pp. 554-563.
  19. Ferraiolo, D. et al., 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), Volume 4, pp. 224-274.
  20. FHIR, 2016. Welcome to FHIR. [Online] Available at: https://www.hl7.org/fhir/index.html.
  21. Flanders, D., Ramsey, M., & McGregor, A., 2012. The advantage of APIs. [Online] Available at: https://www.jisc.ac.uk/guides/theadvantage-of-apis.
  22. Hao, H., Singh, V. & Du, W., 2013. On the effectiveness of API-level access control using bytecode rewriting in Android. 8th ACM SIGSAC symposium on Information, computer and communications security. Hangzhou, China.
  23. HAPI FHIR, 2014. HAPI. [Online] Available at: http://hapifhir.io/
  24. Instagram, 2010. Instagram. [Online] Available at: https://www.instagram.com/
  25. Jin, X., Wang, L., Luo, T. & Du, W., 2015. Fine-Grained Access Control for HTML5-Based Mobile Applications in Android. 16th Information Security Conference (ISC), pp. 309-318.
  26. JWT, 2015. Introduction to JSON Web Tokens. [Online] Available at: https://jwt.io/introduction/
  27. Larson, S., 2015. Instagram restricts API following password breach, will review all apps going forward. [Online] Available at: http://www.dailydot.com/
  28. Lella, A., Lipsman, A. & Martin, B., 2015. The 2015 Mobile App Report. [Online] Available at: https://www.comscore.com/Insights/Presentationsand-Whitepapers/2015/The-2015-US-Mobile-AppReport.
  29. Microsoft Corporation, 2008. Mobile Application Architecture Guide. [Online] Available at: http://apparch.codeplex.com/releases/view/19798.
  30. REST API Tutorial, 2012. Learn REST: A RESTful Tutorial. [Online] Available at: http:// www.restapitutorial.com/
  31. Rindfleisch, T., 1997. Privacy, Information Technology, and Health Care. Communications of the ACM, 40(8), pp. 93-100.
  32. Rivera Sánchez, Y. K., Demurjian, S.A., & Baihan, M., 2017. An Access Control Approach for FHIR. 5th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (IEEE Mobile Cloud 2017).
  33. Rohrer, F., Zhang, Y., Chitkushev, L. & Zlateva, T., 2013. DR BACA: dynamic role based access control for Android. 29th Annual Computer Security Applications Conference. New Orleans, Louisiana, USA.
  34. Rouse, M., 2006. HTTP (Hypertext Transfer Protocol). [Online] Available at: http://searchwindevelopment. techtarget.com/definition/HTTP.
  35. Sandhu, R. & Samarati, P., 1994. Access Control: Principles and Practice. Communications Magazine, 32(9), pp. 40-48.
  36. Slim, 2015. Slim a micro framework for PHP. [Online] Available at: https://www.slimframework.com/
  37. Snapchat, 2011. Snapchat. [Online] Available at: https://www.snapchat.com/
  38. Snapchat, 2013. Finding Friends with Phone Numbers. [Online] Available at: http://blog.snapchat.com/post/ 71353347590/finding- friends-with-phone-numbers.
  39. Wang, Y. et al., 2014. Compac: enforce component-level access control in android. 4th ACM conference on Data and application security and privacy. San Antonio, Texas, USA.
  40. West, A., 2015. 5 Roles of Role Based Access Control. [Online] Available at: https://www.itouchvision.com/
  41. 5-roles-of-role-based-access-control-the-softwaresecurity-guard/
  42. Xu, Z. & Zhu, S., 2015. Semadroid: A privacy-aware sensor management framework for smartphones. 5th ACM Conference on Data and Application Security and Privacy. ACM, pp. 61-72.
  43. Zeman, E., 2015. Snapchat Lays Down The Law On Third-Party Apps. [Online] Available at: http://www.programmableweb.com/news/snapchatlays-down-law-third-party-apps/2015/04/07.
Download


Paper Citation


in Harvard Style

K. Rivera Sánchez Y., A. Demurjian S. and Gnirke L. (2017). An Intercepting API-Based Access Control Approach for Mobile Applications . In Proceedings of the 13th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-989-758-246-2, pages 137-148. DOI: 10.5220/0006354301370148


in Bibtex Style

@conference{webist17,
author={Yaira K. Rivera Sánchez and Steven A. Demurjian and Lukas Gnirke},
title={An Intercepting API-Based Access Control Approach for Mobile Applications},
booktitle={Proceedings of the 13th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,},
year={2017},
pages={137-148},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006354301370148},
isbn={978-989-758-246-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,
TI - An Intercepting API-Based Access Control Approach for Mobile Applications
SN - 978-989-758-246-2
AU - K. Rivera Sánchez Y.
AU - A. Demurjian S.
AU - Gnirke L.
PY - 2017
SP - 137
EP - 148
DO - 10.5220/0006354301370148