Date of Completion

7-31-2017

Embargo Period

7-27-2017

Keywords

Access Control; API; Data Management; Mobile Applications

Major Advisor

Dr. Steven A. Demurjian

Associate Advisor

Dr. Jinbo Bi

Associate Advisor

Dr. Bing Wang

Associate Advisor

Dr. Thomas Agresta

Field of Study

Computer Science and Engineering

Degree

Doctor of Philosophy

Open Access

Open Access

Abstract

In the last decade, mobile computing, as evidenced by the emergence of mobile devices (smartphones, phablets, tablets), has dominated personal and business computing. Users of traditional computing devices (e.g., PCs, laptops, etc.) are transitioning to mobile devices to perform daily tasks such as managing emails, playing games, viewing/editing documents, paying bills, managing healthcare data, etc. The majority of these tasks can be performed by means of mobile applications, each of which is a piece of software specifically made to run on a mobile device. Mobile applications (apps) can contain data that ranges from non-sensitive to highly sensitive. Specifically, for those apps that contain highly sensitive data (e.g., banking apps, electronic health records (EHRs), etc.), there is a need to provide authentication and authorization mechanisms in order to secure the application’s data. Many mobile apps provide basic user authentication, and, after successful authentication, the user has access to all of the app’s features. Nevertheless, even though there are critical requirements for mobile apps to secure highly sensitive data, developers have failed to establish sophisticated and multi-faceted authorization mechanisms within the mobile computing design and development process. Specifically, an argument can be made that mobile computing would significantly benefit from the adoption of the three classic access control models: Role-Based Access Control (RBAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC).

The overall high-level focus of this dissertation is to propose and realize a configurable framework for RBAC, MAC, and DAC for mobile applications that is capable of supporting access control in different security layers. Security is controlled from three perspectives. The first perspective is for the user interface in terms of which screens and/or their components are accessible to a user under RBAC with optional delegation via DAC. This security layer focuses on modifications to the UI. The second perspective is to control the mobile application’s API services in order to define the API services that can be invoked by a particular user based on RBAC and/or MAC permissions with optional delegation via DAC. This security layer between the UI and mobile application API replicates the mobile application’s API by creating a mirrored set of services that invoke the original API services so that each call can be intercepted to add RBAC, MAC, and/or DAC security checks. The third perspective focuses on interactions between the services of the mobile application’s API and server-side APIs for the various data servers, to again control whether the user via the mobile application service is authorized to invoke specific server-side APIs by RBAC and/or MAC with optional delegation via DAC. This security layer between the two different APIs (mobile app and server-side) is accomplished through the creation of a server interceptor API associated with a cloud computing infrastructure to intercept invocations for RBAC, MAC, and DAC checks. In support of these three perspectives, there is a unified mobile computing and security model with RBAC, MAC, and/or DAC that can be leveraged to define and enforce UI and service-based permissions in a mobile application. Choosing security features from one or more of these three perspectives provides for the dynamic combination of access control models and configuration options to allow for custom security on a mobile-app-by-mobile-app basis.
The final step is the ability for the framework to provide human-assisted processes and automated algorithms for access control security enforcement code generation and interceptors. The end result is that the mobile app can secure the data that can be managed (e.g., inserted, retrieved, updated, deleted) via its APIs from differing and complementary perspectives, creating multiple additional security layers for RBAC, MAC, and/or DAC that are then adaptable to different mobile apps.
