A Wizard-based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps

Authors: Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta

DOI: 10.5220/0007930502680275

Keywords:

Abstract: Many available mobile applications (apps) have poorly implemented Single Sign-On and Access Delegation solutions, leading to serious security issues. This could be caused by inexperienced developers who prioritize the implementation of core functionalities and/or misunderstand critical parts. The situation is even worse in complex API scenarios where an app interacts with several providers. To address these problems, we propose a novel wizard-based approach that guides developers to integrate multiple third-party Identity Management (IdM) providers into their apps by (i) “enforcing” the usage of best practices for native apps, (ii) avoiding the need to download SDKs and understand online documentation (a list of known IdM configuration information is embedded within our approach), and (iii) automatically generating the code that enables communication with the different providers. The effectiveness of the proposed approach has been assessed by implementing an Android Studio plugin and using it with providers such as OKTA, Auth0, Microsoft, and Google.

References (6)
Nat Sakimura, J. Bradley, Naveen Agarwal. Proof Key for Code Exchange by OAuth Public Clients. RFC 7636, pp. 1-20 (2015).
John Bradley, William Denniss. OAuth 2.0 for Native Apps. RFC 8252, pp. 1-21 (2017).
Ronghai Yang, Wing Cheong Lau, Shangcheng Shi. Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols. Applied Cryptography and Network Security, pp. 313-335 (2017). DOI: 10.1007/978-3-319-61204-1_16
Danfeng Yao, Gang Wang, Fang Liu, Chun Wang, Andres Pico. Measuring the Insecurity of Mobile Deep Links of Android. USENIX Security Symposium, pp. 953-969 (2017).
Duc Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, Sascha Fahl. A Stitch in Time: Supporting Android Developers in Writing Secure Code. Computer and Communications Security, pp. 1065-1077 (2017). DOI: 10.1145/3133956.3133977
Daniel Fett, John Bradley, Torsten Lodderstedt, Andrey Labunets. OAuth 2.0 Security Best Current Practice (2020).