POAuth: privacy-aware open authorization for native apps on smartphone platforms

Authors:
Mohammad Nauman;Sohail Khan;Abu Talib Othman;Shahr ulniza Musa;Najeeb Ur Rehman
Affiliations:
MIIT, Universiti Kuala Lumpur, Malaysia/FAST NUCES, Peshawar;MIIT, Universiti Kuala Lumpur, Kuala Lumpur, Malaysia;MIIT, Universiti Kuala Lumpur, Kuala Lumpur, Malaysia;MIIT, Universiti Kuala Lumpur, Kuala Lumpur, Malaysia;FAST National University of Computer and Emerging Sciences, Peshawar, Pakistan
Venue:
Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication
Year:
2012

Citing 14
Cited 0

A practical guide to trusted computing

A practical guide to trusted computing
Please Permit Me: Stateless Delegated Authorization in Mashups

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Hot today, gone tomorrow: on the migration of MySpace users

Proceedings of the 2nd ACM workshop on Online social networks
What is Twitter, a social network or a news media?

Proceedings of the 19th international conference on World wide web
SAuthMash: mobile agent based self authorization in mashups

Proceedings of the 7th International Conference on Frontiers of Information Technology
Social-Networks Connect Services

Computer
Developer's Guide to Social Programming: Building Social Context Using Facebook, Google Friend Connect, and the Twitter API, The

Developer's Guide to Social Programming: Building Social Context Using Facebook, Google Friend Connect, and the Twitter API, The
Beyond kernel-level integrity measurement: enabling remote attestation for the android platform

TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
µTSS: a simplified trusted software stack

TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
Mobile application development: web vs. native

Communications of the ACM
xDAuth: a scalable and lightweight framework for cross domain access control and delegation

Proceedings of the 16th ACM symposium on Access control models and technologies
Protecting location privacy using location semantics

Proceedings of the 17th ACM SIGKDD international conference on Knowledge discovery and data mining
Introduction to the Special Issue: Mining Social Media

International Journal of Electronic Commerce
Specification and Standardization of a Java Trusted Computing API

Software—Practice & Experience

Quantified Score

Hi-index	0.00

Visualization

Abstract

Smartphones are increasing in popularity and it is widely believed that their market share will continue to rise in the future. Due to the limited capabilities of smartphones compared to the PC, web-based services accessed through native applications are quickly becoming the de-facto standard on these devices. Allowing secure access to data residing on web-based services is a hot security issue targeted by many protocols. OAuth is the most popular of these and is in use by a vast majority of industry leaders. However, it suffers from some limitations the primary of which is that once a resource consumer is authorized access to a web service, it can access the data residing on that service from anywhere and at any time. This leads to severe privacy concerns. In this paper, we propose extensions to the core OAuth protocol that cater to this problem by introducing the concept of device-specific authorization using the constructs of Trusted Computing. We provide the details of our proposed protocol and describe the proof-of-concept developed to demonstrate the feasibility of our approach. The end results is a light-weight, user-friendly protocol that provides device-specific authorization for smartphones thus enhancing privacy without sacrificing the simplicity of the core OAuth protocol.