Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
Sharif, Amir; Carbone, Roberto; Sciarretta, Giada; Ranise, Silvio
2020-01-01
Abstract
Electronic identification schemes have been built to simplify citizens' access to online public administration services and to reduce password fatigue through a single sign-on experience. To give government and public-service domains a precise specification of how to protect users' identity information and activity from unintentional exposure, the OAuth working group, together with the OpenID Connect Foundation, has published the International Government Assurance Profile (iGov) document. Because the specification contains high-level concepts and brings together many insights from already published documents in order to raise the baseline security and structure deployments, it may be unclear or misleading for mobile application developers. This is mainly because, first, they are not usually security experts and, second, the aforementioned documents are mostly not designed for native applications, whose differences from the web environment can affect the security of an implementation. This source of uncertainty for inexperienced developers can lead to various threats that expose users' resources. To avoid these problems, we demystify the iGov profile for non-security experts by extracting the wealth of information in the iGov specifications, and we apply the best current practices for native applications within the iGov profile to conceptualize the flow for native applications. Furthermore, we provide a wizard-based approach to automatically integrate the secure code for the iGov profile into Android native applications.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.