Cross-platform access control for mobile web applications

Proceedings - 2012 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2012

Volumn , Issue , 2012, Pages 37-44

  Lyle, John ^a   Monteleone, Salvatore ^c   Faily, Shamal ^a   Patti, Davide ^c   Ricciato, Fabio ^b  

^a UNIVERSITY OF OXFORD   (United Kingdom)

^b TELECOM ITALIA   (Italy)

^c UNIVERSITY OF CATANIA   (Italy)

Author keywords

access control; api; middleware; policy; synchronization; web applications; webinos

Indexed keywords

ACCESS CONTROL POLICIES; API; COMMON PLATFORM; CONSISTENT ACCESS; CROSS-PLATFORM; GEOLOCATIONS; IN-CAR SYSTEMS; JAVASCRIPT; MOBILE WEB; PERSONAL DEVICES; POLICY SYSTEMS; SECURITY AND PRIVACY; WEB APPLICATION; WEB-ENABLED DEVICES; WEBINOS;

ACCESS CONTROL; MIDDLEWARE; PUBLIC POLICY; SYNCHRONIZATION;

WORLD WIDE WEB;

EID: 84866751160     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/POLICY.2012.9     Document Type: Conference Paper

References (35)

1. A. Taivalsaari and T. Mikkonen, "The web as an application platform: The saga continues," in Software Engineering and Advanced Applications (SEAA), 2011 37th EUROMICRO Conference on, September 2011, pp. 170 -174.
2. "Geolocation API Specification: W3C Editor's Draft," http://dev.w3.org/ geo/api/spec-source.html, February 2010.
3. "Device APIs Working Group Website," http://www.w3.org/2009/ dap/, December 2011.
4. "Bmw connecteddrive," April 2012. [Online]. Available: {http://www.bmw.com/com/en/insights/technology/connecteddrive/ 2010/infotainment/information/internet information.html}
5. L. Jedrzejczyk, B. A. Price, A. K. Bandara, and B. Nuseibeh, "On the impact of real-time feedback on users' behaviour in mobile location-sharing applications," in Proceedings of SOUPS '10. ACM, 2010, pp. 14:1-14:12. [Online]. Available: http://doi.acm.org/10.1145/1837110.1837129
6. The W3C, "Mobile Web Application Best Practices," December 2010. [Online]. Available: http://www.w3.org/TR/2010/REC-mwabp-20101214/
7. The Wholesale Application Community, "Glossary of terms," August 2011. [Online]. Available: http://www.wacapps.net/glossary
8. M. Zalewski, The Tangled Web: A Guide to Securing Model Web Applications. No Starch Press, 2011.
9. "Widget Access Request Policy: W3C Recommendation," February 2012. [Online]. Available: http://www.w3.org/TR/widgets-access/
10. W. Enck, M. Ongtang, P. McDaniel, W. Enck, M. Ongtang, and P. McDaniel, "Understanding Android Security," Security Privacy, IEEE, vol. 7, no. 1, pp. 50 -57, Jan - Feb 2009.
11. A. P. Felt, K. Greenwood, and D. Wagner, "The effectiveness of application permissions," in Proceedings of the 2nd USENIX conference on Web application development, ser. WebApps'11. Berkeley, CA, USA: USENIX Association, 2011, pp. 7-7. [Online]. Available: http://dl.acm.org/citation.cfm? id=2002168.2002175
12. A. Beresford, A. Rice, N. Skehin, and R. Sohan, "Mock-droid: trading privacy for application functionality on smartphones," in Proceedings of HotMobile 2011, 2011. [Online]. Available: http: //www.cl.cam.ac.uk/research/ dtg/android/mock/
13. M. Nauman, S. Khan, and X. Zhang, "Apex: extending android permission model and enforcement with user-defined runtime constraints," in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010, pp. 328-332. [Online]. Available: http://doi.acm.org/10.1145/1755688.1755732
14. M. Conti, V. Nguyen, and B. Crispo, "Crepe: Context-related policy enforcement for android," in Information Security, ser. Lecture Notes in Computer Science, M. Burmester, G. Tsudik, S. Magliveras, and I. Ilic, Eds. Springer Berlin / Heidelberg, 2011, vol. 6531, pp. 331-345. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-18178-8 29
15. N. Reddy, J. Jeon, J. A. Vaughan, T. Millstein, and J. S. Foster, "Application-centric security policies on unmodified android," UCLA Computer Science Department, Tech. Rep. 110017, 2011. [Online]. Available: http://fmdb.cs.ucla.edu/Treports/acp-tr.pdf
16. "SEAndroid Website," http://selinuxproject.org/page/SEAndroid, March 2012.
17. "WAC Specifications 2.1," http://specs.wacapps.net/, January 2012.
18. S. Godik and T. Moses, "EXtensible Access Control Markup Language (XACML) version 1.1," http://www.oasis-open.org, May 2005.
19. "Primelife policy language," http://www.primelife.eu/results/ documents/153-534d, August 2010.
20. Claudio A. Ardagna et al., "Advances in access control policies," in Privacy and identity management for life. Springer, 2011, pp. 327-341.
21. D. Lin and A. Squicciarini, "Data protection models for service provisioning in the cloud," in Proceedings of SACMAT. ACM, 2010, pp. 183-192. [Online]. Available: http://doi.acm.org/10.1145/1809842.1809872
22. Y.-G. Kim, C.-J. Mon, D. Jeong, J.-O. Lee, C.-Y. Song, and D.-K. Baik, "Context-aware access control mechanism for ubiquitous applications," in Advances in Web Intelligence, ser. Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2005, vol. 3528, pp. 932-935. [Online]. Available: {http://dx.doi.org/10.1007/11495772 37}
23. A. Corradi, R. Montanari, and D. Tibaldi, "Context-based access control management in ubiquitous environments," in Network Computing and Applications, 2004. (NCA 2004). Proceedings. Third IEEE International Symposium on, aug.-1 sept. 2004, pp. 253-260.
24. Mazurek et al., "Access control for home data sharing: Attitudes, needs and practices," in Proceedings of the 28th international conference on Human factors in computing systems, ser. CHI '10. New York, NY, USA: ACM, 2010, pp. 645-654. [Online]. Available: http://doi.acm.org/10.1145/1753326. 1753421
25. M. Baldauf, S. Dustdar, and F. Rosenberg, "A survey on context-aware systems," International Journal of Ad Hoc and Ubiquitous Computing, vol. 2, no. 4, pp. 263-277, June 2007.
26. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter, "The multi-principal os construction of the gazelle web browser," in Proceedings of the 18th conference on USENIX security symposium, ser. SSYM'09. Berkeley, CA, USA: USENIX Association, 2009, pp. 417-432. [Online]. Available: http://dl.acm.org/citation.cfm? id=1855768.1855794
27. R. S. Cox, S. D. Gribble, H. M. Levy, and J. G. Hansen, "A safety-oriented platform for web applications," in Proceedings of the 2006 IEEE Symposium on Security and Privacy, ser. SP '06. Washington, DC, USA: IEEE Computer Society, 2006, pp. 350-364. [Online]. Available: http://dx.doi.org/10. 1109/SP.2006.4
28. K. Singh, A. Moshchuk, H. J. Wang, and W. Lee, "On the incoherencies in web browser access control policies," in Security and Privacy (SP), 2010 IEEE Symposium on, may 2010, pp. 463-478.
29. C. Ai, J. Liu, C. Fan, X. Zhang, and J. Zou, "Enhancing personal information security on android with a new synchronization scheme," in Wireless Communications, Networking and Mobile Computing (WiCOM), 2011 7th International Conference on, sept. 2011, pp. 1-4.
30. The webinos consortium, "User expectations of privacy and security," March 2011. [Online]. Available: http://webinos.org/blog/2011/ 03/16/d2-3-industry-landscape-ipr-licensing-governance/
31. -, "Use cases and scenarios," March 2011. [Online]. Available: http: //webinos.org/blog/2011/03/22/webinos-report-use-cases-and-scenarios/
32. E. R. B. Parducci, H. Lockhart, "XACML v3.0 Privacy Policy Profile Version 1.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-privacy-v1- spec-cd-03-en.pdf, March 2010.
33. C. A. Ardagna, S. De Capitani di Vimercati, S. Paraboschi, E. Pedrini, and P. Samarati, "An xacml-based privacy-centered access control system," in Proceedings of the first ACM workshop on Information security governance, ser. WISG '09. ACM, 2009, pp. 49-58.
34. "Bondi architecture and security requirements appendices," http://bondi.omtp.org/1.01/security/BONDI-Architecture-and-Security-Appendices- v1-01.pdf, July 2009.
35. The webinos consortium, "Phase 1 device, network and server-side api specifications," November 2011. [Online]. Available: http://webinos.org/ blog/2011/11/01/webinos-report-phase-i-device-network-and-server-side-api- specifications/