A Wizard-based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps

Many available mobile applications (apps) have poorly implemented Single Sign-On and Access Delegation solutions leading to serious security issues. This could be caused by inexperienced developers who prioritize the implementation of core functionalities and/or misunderstand security critical parts. The situation is even worse in complex API scenarios where the app interacts with several providers. To address these problems, we propose a novel wizard-based approach that guides developers to integrate multiple third-party Identity Management (IdM) providers in their apps, by (i) “enforcing” the usage of best practices for native apps, (ii) avoiding the need to download several SDKs and understanding their online documentations (a list of known IdM providers with their configuration information is embedded within our approach), and (iii) automatically generating the code to enable the communication with the different IdM providers. The effectiveness of the proposed approach has been as sessed by implementing an Android Studio plugin and using it to integrate several IdM providers, such as OKTA, Auth0, Microsoft, and Google

Аналiз методiв захисту та загроз на публiчнi OAuth клiєнти

Стаття присвячена дослiдженню атак та способiв захисту публiчних OAuth 2.0 клiєнтiв, зокрема вивченню атаки перехоплення коду авторизацiї для схем, що реалiзують Authorization Code Grant flow, а також здiйсненню аналiзу побудови методiв захисту на основi алгоритму Proof Key for Code Exchange

Social Login Acceptance: A DIF Study of Differential Factors

Social login has become an increasingly popular alternative for traditional user registration. Although a single sign-on protocol is commonly considered to have the advantage of removing barriers at the registration stage, mismanagement of these technological features may lead to user turnover or abandonment. Thus, a better understanding of who may better accept social login for which type of service is essential for a business that decides to adopt social login protocols. This research in progress tested various user characteristics using a differential item functioning approach that aims to explore systematic differences from user groups (rather than individual differences from latent traits) for social login acceptance

Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience

Over the last few years, there has been an almost exponential increase of the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many different such solutions are available, but they usually cover the scenario of a user accessing web applications on their laptops, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis that we performed validates the security goals of the solution we propose

FlexiTop: A flexible and scalable network monitoring system for Over-The-Top services

Nowadays, the demand of Over-The-Top (OTT) services such as multimedia streaming, web services or social networking is rapidly increasing. Consequently, there is a wide interest in studying the quality of these services so that Internet Service Providers (ISP) can deliver the best experience to their clients. For this purpose, we present FlexiTop, a flexible and scalable system to actively monitor these OTT services, which allows an operator to obtain metrics with a limited resource usage. Due to the continuous evolution of OTT services, this system was designed with different approaches that can be extrapolated to future situations. By looking at the results, the proposal meets all the expectations and requirements and therefore it proves its success. The proposed design was implemented and validated with different alternatives whenever it was possible, both in wired and wireless networks. Moreover, long-time testing was performed to both ensure its stability and analyze the obtained dataThis work has been partially supported by the Spanish Ministry of Economy and Competitiveness and the European Regional Development Fund under the project TRÁFICA (MINECO/FEDER TEC2015-69417-C2-1-R

Identity Provider Deployment Based on Container Technology

Identity Providers are an integral part of Identity Federations. Many different and complex technologies are needed to create an Identity Provider. In order to be able to fully utilize all the benefits of Identity Federations, adequate hardware resources are needed for Identity Provider deployment. Containers address the complexity and resources issues, while enabling faster deployment and keeping the functionalities and core concepts intact at the same time. Containers cannot be perceived as a replacement for virtual machines or bare metal servers, as they are meant to co-exist and have already found a wide range of use cases. This paper proposes using containers for easier implementation of Identity Providers, while lowering resource usage and complexity imposed by deployment requirements

Security Architecture for Swarms of Autonomous Vehicles in Smart Farming

Nowadays, autonomous vehicles are incorporated into farms to facilitate manual labour. Being connected vehicles, as IoT systems, they are susceptible to cyber security attacks that try to cause damage to hardware, software or even living beings. Therefore, it is important to provide sufficient security mechanisms to protect both the communications and the data, mitigating any possible risk or harm to farmers, livestock or crops. Technology providers are aware of the importance of ensuring security, and more and more secure solutions can be found on the market today. However, generally, these particular solutions are not sufficient when they are part of complex hybrid systems, since there is no single global solution proposal. In addition, as the number of technologies and protocols used increases, the number of security threats also increases. This article presents a cyber-security architecture proposal for swarms of heterogeneous vehicles in smart farming, which covers all of the aspects recommended by the ISO 7798-2 specification in terms of security. As a result of this analysis, a detailed summary of the possible solutions and available technologies for each of the communication channels of the target system as well as some recommendations are presented.ECSEL JU (H2020–EU.2.1.1.7.–ECSEL RIA) and the Spanish Ministry of Economic Affairs and Digital Transformatio

Protection of Information and Communications in Distributed Systems and Microservices

Distributed systems have been a topic of discussion since the 1980s, but the adoption of microservices has raised number of system components considerably. With more decentralised distributed systems, new ways to handle authentication, authorisation and accounting (AAA) are needed, as well as ways to allow components to communicate between themselves securely. New standards and technologies have been created to deal with these new requirements and many of them have already found their way to most used systems and services globally. After covering AAA and separate access control models, we continue with ways to secure communications between two connecting parties, using Transport Layer Security (TLS) and other more specialised methods such as the Google-originated Secure Production Identity Framework for Everyone (SPIFFE). We also discuss X.509 certificates for ensuring identities. Next, both older time- tested and newer distributed AAA technologies are presented. After this, we are looking into communication between distributed components with both synchronous and asynchronous communication mechanisms, as well as into the publish/subscribe communication model popular with the rise of the streaming platform. This thesis also explores possibilities in securing communications between distributed endpoints and ways to handle AAA in a distributed context. This is showcased in a new software component that handles authentication through a separate identity endpoint using the OpenID Connect authentication protocol and stores identity in a Javascript object-notation formatted and cryptographically signed JSON Web Token, allowing stateless session handling as the token can be validated by checking its signature. This enables fast and scalable session management and identity handling for any distributed system