Development of a Secure Model for Mobile Government Applications in Jordan

This paper develops a secure model for mobile government (M-G) applications using effective privacy methods and validates the model through semi-structured interviews with eight Jordanian e-government experts. The experts emphasized the importance of M-G applications in enhancing services such as bill payments, civil services, civil defense, and police services. To improve privacy, the experts suggested methods such as strong textual passwords, data encryption, login tracking, SMS login confirmation, and signup confirmation. Based on these suggestions, a prototype with suggested privacy features was developed using Android programming, and a questionnaire was administered to 150 Jordanian citizens who confirmed the ease of use and usefulness of the proposed privacy model. This paper expands the acceptance of M-G applications and recommends privacy methods to improve their security. The study highlights the importance of security and privacy as acceptance factors for M-G applications in developing countries and suggests that further studies can investigate advanced privacy and suitable security methods for M-G applications in other developing countries

A Secure Password Manager Governance Framework for Web User Authentication

Existing password management frameworks fall short of providing adequate functionality and mitigation strategies against prominent attacks. Unfortunately, the architecture of these frameworks is not aligned with the distributed nature of web applications and is vulnerable to credential theft attacks by network-side, e.g. TLS Proxy in the Middle (TPitM), or front-end, e.g. cross-site scripting (XSS), eavesdropping adversaries. Browser-side frameworks, HTML Autofill and Credential Management API, are inherently vulnerable to XSS-credential theft. ByPass, a manager-to-server paradigm, is inherently vulnerable to TPitM-credential theft. Furthermore, all of the aforementioned frameworks employ an inaccurate app-to-credential mapping strategy, domain-based credential mapping, and might inadvertently divulge user's credentials to unintended (e.g. deceitful) web applications. We propose Berytus, a novel browser-based governance framework that mediates between web applications and password managers to orchestrate secure and programmable authentication sessions. It is positioned between the web application and the password manager, operating natively in the browser, and providing an API for each party. Berytus harmonises multiple password manager usage by requiring available password managers to register with it. Present frameworks do not couple specialised security facilities with their approach, rather their credential transfer security depends on the application of standardised security measures in the web/browser landscape to mitigate against prominent attack vectors, e.g. Content Security Policy for XSS mitigation. Conversely, the Berytus architecture equips web applications with certified app-specific cryptographic keys to streamline an authenticated and accurate app-to-credential mapping strategy. Furthermore, Berytus mediates an authenticated key exchange between the web application and the password manager to achieve app-level end-to-end encryption of credentials, which as we show, can streamline a confidential credential transfer communication that is immune to credential theft attacks via phishing, XSS, malicious browser extension code injection and TPitM. To assess the feasibility of Berytus, we extend Firefox to incorporate Berytus and develop Secret*, a Berytus-compatible password manager for programmable authentication and registration sessions. We make our code artefacts publicly available, provide a comprehensive security and functionality evaluation and discuss possible future directions

An Analysis of Modern Password Manager Security and Usage on Desktop and Mobile Devices

Security experts recommend password managers to help users generate, store, and enter strong, unique passwords. Prior research confirms that managers do help users move towards these objectives, but it also identified usability and security issues that had the potential to leak user data or prevent users from making full use of their manager. In this dissertation, I set out to measure to what extent modern managers have addressed these security issues on both desktop and mobile environments. Additionally, I have interviewed individuals to understand their password management behavior. I begin my analysis by conducting the first security evaluation of the full password manager lifecycle (generation, storage, and autofill) on desktop devices, including the creation and analysis of a corpus of 147 million generated passwords. My results show that a small percentage of generated passwords are weak against both online and offline attacks, and that attacks against autofill mechanisms are still possible in modern managers. Next, I present a comparative analysis of autofill frameworks on iOS and Android. I find that these frameworks fail to properly verify webpage security and identify a new class of phishing attacks enabled by incorrect handling of autofill within WebView controls hosted in apps. Finally, I interview users of third-party password managers to understand both how and why they use their managers as they do. I find evidence that many users leverage multiple password managers to address issues with existing managers, as well as provide explanations for why password reuse continues even in the presence of a password manager. Based on these results, I conclude with recommendations addressing the attacks and usability issues identified in this work