DOI: 10.1145/2541596.2541599

Practical out-of-band authentication for mobile applications

Published: 09 December 2013

Abstract

Mobile devices create new opportunities and challenges for authentication. On one hand, the readily available sensors provide new sources of authentication credentials, such as biometrics and the context of the device. On the other hand, mobile applications rely on network services to create rich functionality that often requires protection of their sensitive data. Enabling mobile application developers to adopt a wide range of authentication protocols and techniques is an intractable challenge for the adoption of new authentication technologies.
In this paper, we propose a flexible framework that enables an out-of-band authentication channel for mobile applications. The framework allows applications to delegate authentication to an independent security service on the client that, in turn, supports an extensible range of authentication protocols. Importantly, the approach presented in this paper does not require any modification of the underlying system, and thus needs no support from the operating system or hardware vendor. Our server-driven approach supports administration and enablement of new authentication techniques and security policies with minimal to no client application modifications. We show the viability of our design by means of a framework prototype and by integrating it with a representative authentication system built in-house. We also discuss security and non-security challenges of realizing this approach.

    Published In

    Middleware Industry '13: Proceedings of the Industrial Track of the 13th ACM/IFIP/USENIX International Middleware Conference
    December 2013
    41 pages
    ISBN:9781450325509
    DOI:10.1145/2541596
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. authentication and authorization
    2. mobile application security
    3. out-of-band framework

    Qualifiers

    • Research-article

    Conference

    Middleware '13
    Acceptance Rates

    Overall Acceptance Rate 5 of 23 submissions, 22%
