Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12515))

Abstract

Electronic identification schemes have been built to simplify citizens' access to online public administration services and to reduce password fatigue through a single sign-on experience. To give government and public service domains a precise specification of how to protect the user's identity information and activity from unintentional exposure, the OAuth working group, together with the OpenID Connect foundation, has published the International Government Assurance Profile (iGov) document. Because the specification contains high-level concepts and draws together many insights from already published documents to raise the security baseline and structure deployments, it may be unclear or misleading for mobile application developers. This is mainly because, first, they are usually not security experts and, second, those documents are mostly not designed for native applications, whose differences from the web environment can affect the security of an implementation. This uncertainty for inexperienced developers can lead to various threats that expose users' resources. To avoid these problems, we demystify the iGov profile for non-security experts by extracting the wealth of information in the iGov specifications, and we apply the best current practices for native applications within the iGov profile to conceptualize the flow for native applications. Furthermore, we provide a wizard-based approach to automatically integrate the secure code for the iGov profile into Android native applications.

Partially supported by the innovation activity 19184 “API Assistant” of the Digital Infrastructure action line of the EIT Digital, and by the joint laboratory “DigiMat Lab” between FBK and the Italian National Mint and Printing House (IPZS).


Notes

  1. In the case of a publicly accessible DCR endpoint, requests may be constrained through various techniques (e.g., rate limiting) to prevent DoS attacks.

  2. https://www.jetbrains.com/idea/

  3. https://github.com/openid/AppAuth-Android

  4. The client authentication method following dynamic client registration is a work in progress.

  5. https://github.com/stfbk/mIDAssistant_iGov

  6. The internal review was not published by Google; this information was obtained from a conversation with the main developer of the AppAuth SDK.

  7. https://github.com/SUPERAndroidAnalyzer/super

  8. https://github.com/MobSF/Mobile-Security-Framework-MobSF

  9. https://www.talos-sec.com


Author information

Corresponding author: Amir Sharif.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Sharif, A., Carbone, R., Sciarretta, G., Ranise, S. (2020). Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2020. Lecture Notes in Computer Science(), vol 12515. Springer, Cham. https://doi.org/10.1007/978-3-030-64455-0_4

  • DOI: https://doi.org/10.1007/978-3-030-64455-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64454-3

  • Online ISBN: 978-3-030-64455-0
