An Intercepting API-Based Access Control Approach for Mobile Applications

Yaira K. Rivera Sánchez, Steven A. Demurjian, Lukas Gnirke

2017

Abstract

Mobile device users employ mobile applications to realize tasks once limited to desktop devices, e.g., web browsing, media (audio, video), managing health and fitness data, etc. While almost all of these applications require a degree of authentication and authorization, some involve highly sensitive data (personally identifiable information, PII, and protected health information, PHI) that must be strictly controlled as it is exchanged back and forth between the mobile application and its server-side repository/database. Role-based access control (RBAC) is a candidate to protect the highly sensitive data of such applications. Recent research on authorization in mobile computing has focused on extending RBAC to provide finer-grained access control. However, most of these approaches attempt to apply RBAC at the application level of the mobile device and/or require modifications to the mobile OS. In contrast, the research presented in this paper focuses on applying RBAC to the business layer of a mobile application, specifically to the API(s) that a mobile application utilizes to manage data. To support this, we propose an API-based approach to RBAC for permission definition and enforcement that intercepts API service calls to alter the information delivered to, or stored by, the app. The proposed intercepting API-based approach is demonstrated via an existing mHealth application.
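The abstract describes an interception point between the mobile app and the API services of its business layer, where per-role permissions decide which calls go through and which fields of the exchanged record survive. The block below is an added illustration of that idea, not code from the paper or from the mHealth application it evaluates. The `Permission` and `RbacInterceptor` types, the `POLICY` table, the two sample API functions and the in-memory `_DB` record are all constructed for this example; field names such as `diagnosis` and `ssn` are placeholders standing in for PHI/PII.

```python
"""Added example: an intercepting, API-level RBAC layer (constructed; not the
paper's code). Every API call from the app passes through RbacInterceptor.invoke,
which checks the caller's role against POLICY before the call and filters the
returned record after it, so neither the app nor the server-side code has to
embed the access rules."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


class AccessDenied(Exception):
    """Raised when the intercepting layer blocks an API call."""


@dataclass(frozen=True)
class Permission:
    """What one role may do with one API service (hypothetical structure)."""
    actions: FrozenSet[str]          # e.g. {"read"} or {"write"}
    readable_fields: FrozenSet[str]  # fields kept in the record delivered to the app
    writable_fields: FrozenSet[str]  # fields the app may send for storage


# Constructed policy: role -> API service name -> Permission.
POLICY: Dict[str, Dict[str, Permission]] = {
    "patient": {
        "getPatientRecord": Permission(
            frozenset({"read"}),
            frozenset({"patient_id", "name", "medications"}),
            frozenset()),
        "updatePatientRecord": Permission(
            frozenset({"write"}),
            frozenset({"patient_id", "name"}),
            frozenset({"name"})),
    },
    "physician": {
        "getPatientRecord": Permission(
            frozenset({"read"}),
            frozenset({"patient_id", "name", "medications", "diagnosis", "ssn"}),
            frozenset()),
        "updatePatientRecord": Permission(
            frozenset({"write"}),
            frozenset({"patient_id", "medications", "diagnosis"}),
            frozenset({"medications", "diagnosis"})),
    },
}


class RbacInterceptor:
    """Wraps the API functions of the business layer; the app only sees invoke()."""

    def __init__(self, policy: Dict[str, Dict[str, Permission]],
                 api: Dict[str, Callable[[dict], dict]]):
        self.policy = policy
        self.api = api

    def invoke(self, role: str, api_name: str, action: str, payload: dict) -> dict:
        perm = self.policy.get(role, {}).get(api_name)
        # Fail closed: no permission entry, or the wrong action, blocks the call.
        if perm is None or action not in perm.actions:
            raise AccessDenied(f"{role} may not {action} via {api_name}")
        if action == "write":
            # Reject writes that touch fields the role may not change, rather
            # than silently dropping them, so the app never believes it saved them.
            blocked = set(payload) - perm.writable_fields - {"patient_id"}
            if blocked:
                raise AccessDenied(f"{role} may not write {sorted(blocked)}")
        result = self.api[api_name](payload)
        # Alter the delivered record: keep only the fields this role may read.
        return {k: v for k, v in result.items() if k in perm.readable_fields}


# Constructed server-side store standing in for the app's repository/database.
_DB = {
    "p-001": {"patient_id": "p-001", "name": "Ada", "medications": ["metformin"],
              "diagnosis": "T2D", "ssn": "000-00-0000"},
}


def get_patient_record(payload: dict) -> dict:
    return dict(_DB[payload["patient_id"]])


def update_patient_record(payload: dict) -> dict:
    rec = _DB[payload["patient_id"]]
    rec.update({k: v for k, v in payload.items() if k != "patient_id"})
    return dict(rec)


API = {"getPatientRecord": get_patient_record,
       "updatePatientRecord": update_patient_record}
INTERCEPTOR = RbacInterceptor(POLICY, API)


def demo():
    """Same service, two roles: the record delivered to the app differs."""
    req = {"patient_id": "p-001"}
    patient_view = INTERCEPTOR.invoke("patient", "getPatientRecord", "read", req)
    physician_view = INTERCEPTOR.invoke("physician", "getPatientRecord", "read", req)
    return patient_view, physician_view


def is_denied(role: str, api_name: str, action: str, payload: dict) -> bool:
    """True if the interceptor blocks the call (used to check fail-closed paths)."""
    try:
        INTERCEPTOR.invoke(role, api_name, action, payload)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is where the filtering lives: the API functions return the full record, and the interceptor alone decides what reaches the app, so adding a role or narrowing a permission is a change to `POLICY` rather than to the app or the server code. Read responses are altered (fields removed); writes that exceed the role's writable fields are refused outright, which is a fail-closed choice made for this example.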



Paper Citation


in Harvard Style

Rivera Sánchez, Y. K., Demurjian, S. A. and Gnirke, L. (2017). An Intercepting API-Based Access Control Approach for Mobile Applications. In Proceedings of the 13th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-989-758-246-2, pages 137-148. DOI: 10.5220/0006354301370148

in Bibtex Style

@conference{webist17,
author={Yaira K. Rivera Sánchez and Steven A. Demurjian and Lukas Gnirke},
title={An Intercepting API-Based Access Control Approach for Mobile Applications},
booktitle={Proceedings of the 13th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST},
year={2017},
pages={137-148},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006354301370148},
isbn={978-989-758-246-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST
TI - An Intercepting API-Based Access Control Approach for Mobile Applications
SN - 978-989-758-246-2
AU - Rivera Sánchez, Yaira K.
AU - Demurjian, Steven A.
AU - Gnirke, Lukas
PY - 2017
SP - 137
EP - 148
DO - 10.5220/0006354301370148