Security & Trust

A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps

This page contains complementary material related to the following paper:
  • Title: A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
  • Authors: Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
  • DOI: 10.5220/0007930502680275

Abstract

Many available mobile applications (apps) have poorly implemented Single Sign-On and Access Delegation solutions, leading to serious security issues. This could be caused by inexperienced developers who prioritize the implementation of core functionalities and/or misunderstand security-critical parts. The situation is even worse in complex API scenarios where the app interacts with several providers. To address these problems, we propose a novel wizard-based approach that guides developers to integrate multiple third-party Identity Management (IdM) providers in their apps, by (i) “enforcing” the usage of best practices for native apps, (ii) avoiding the need to download several SDKs and understand their online documentation (a list of known IdM providers with their configuration information is embedded within our approach), and (iii) automatically generating the code to enable the communication with the different IdM providers. The effectiveness of the proposed approach has been assessed by implementing an Android Studio plugin and using it to integrate several IdM providers, such as OKTA, Auth0, Microsoft, and Google.

Complementary Material

Tools

mIDAssistant is an Android Studio plugin that guides native mobile app developers in securely integrating Single Sign-On Login (OpenID Connect) and Access Delegation (OAuth 2.0) solutions within their apps.

It provides a wizard-based approach that guides developers to integrate multiple third-party IdM providers within their native apps. The mIDAssistant plugin aims to support native app developers in integrating IdM Providers that are either fully compliant with RFC 8252, or not yet fully compliant with RFC 8252 but still usable in a secure manner. The current version of mIDAssistant is able to:

  • Enforce the usage of best current practices (BCP) for native apps set out in RFC 8252 - OAuth 2.0 for Native Apps, thanks to the integration of AppAuth.
  • Avoid the need to download several SDKs and understand their online documentation (a list of known IdM Providers with their configuration information is embedded within our tool).
  • Automatically integrate the secure, customized code that enables the communication with the different IdM Providers.
  • Support Amazon, Auth0, Google, IBM, Microsoft, OKTA, Ping, and Yahoo as OpenID Connect IdM Providers.
  • Support Box, DropBox, Google, and Microsoft as OAuth 2.0 IdM Providers.

Related Tools

Involved People

Roberto Carbone

Silvio Ranise

Giada Sciarretta

Amir Sharif