Attaining Role-Based, Mandatory, and Discretionary Access Control for Services by Intercepting API Calls in Mobile Systems

  • Yaira K. Rivera Sánchez
  • Steven A. Demurjian
  • Lukas Gnirke
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 322)


Mobile applications are quickly replacing traditional desktop computing for gaming, social media, email, web browsing, health and fitness, business usage, etc. Many of these mobile apps require that sensitive information, namely protected health information (PHI) and personally identifiable information (PII), be displayed, accessed, modified, and stored. In the healthcare domain, there is a need for health information exchange (HIE) among patients and medical providers across a wide range of health information technology (HIT) systems such as electronic health records (EHRs), e-prescribing, etc., all of which involve highly-sensitive data (PII and PHI) that is exchanged back and forth between the mobile application and its server-side repository/database. In the U.S. in 2015, the Office of the National Coordinator issued a report on certification rules for EHRs that requires HIT vendors to develop RESTful APIs for EHRs and other systems so that patients and medical providers using mobile health (mHealth) applications via the cloud can easily access their healthcare data from multiple sources. This makes access control mechanisms natural candidates for protecting the highly-sensitive data of such applications by controlling who can call which service. The paper presents the attainment of role-based (RBAC), mandatory (MAC), and discretionary (DAC) access control for RESTful API and cloud services via an Intercepting API Calls approach that defines and enforces, for each user of a mobile app, limits on the API/cloud services that the user can invoke depending on that user's permissions. The presented Intercepting API Calls approach is demonstrated via an existing mHealth application.
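The abstract describes an interception layer that decides, per user, which REST services a mobile app may invoke under RBAC, MAC and DAC before the call reaches the backend. The following Python sketch is an added illustration and is not code from the paper or its authors: the roles, endpoint prefixes, clearance levels, the Bell-LaPadula read/write rules used for the MAC check, and the owner-grant model used for the DAC check are all assumptions chosen for the example, and the users and resources are constructed sample data.

```python
"""Policy-decision layer for an intercepting API-call filter (illustrative, not the paper's code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Assumed sensitivity lattice; higher value = more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2   # e.g. PII
    RESTRICTED = 3  # e.g. PHI


@dataclass(frozen=True)
class User:
    uid: str
    role: str
    clearance: Level


@dataclass
class Resource:
    path: str                 # REST path the intercepted call targets
    owner: str                # uid of the data subject (the DAC owner)
    classification: Level
    grants: dict = field(default_factory=dict)  # uid -> set of methods granted by the owner


# RBAC: role -> set of (method, path prefix) the role may invoke. Constructed sample policy.
ROLE_PERMISSIONS = {
    "patient":   {("GET", "/Patient"), ("GET", "/MedicationRequest")},
    "physician": {("GET", "/Patient"), ("PUT", "/Patient"),
                  ("GET", "/MedicationRequest"), ("POST", "/MedicationRequest")},
    "billing":   {("GET", "/Patient")},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def rbac_permits(user, method, path):
    """Role check: the (method, prefix) pair must be in the user's role permissions."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    return any(method == m and path.startswith(prefix) for m, prefix in perms)


def mac_permits(user, method, res):
    """Bell-LaPadula (assumed MAC model): no read up, no write down."""
    if method in WRITE_METHODS:
        return res.classification >= user.clearance
    return user.clearance >= res.classification


def dac_permits(user, method, res):
    """Owner-grant model (assumed DAC): the owner always passes; others need an explicit grant."""
    if user.uid == res.owner:
        return True
    return method in res.grants.get(user.uid, set())


def authorize(user, method, res):
    """All three checks must pass; returns (allowed, name of the first failing check or 'ok')."""
    if not rbac_permits(user, method, res.path):
        return False, "rbac"
    if not mac_permits(user, method, res):
        return False, "mac"
    if not dac_permits(user, method, res):
        return False, "dac"
    return True, "ok"


def intercept(user, method, res, forward):
    """Interception point: the backend is called only on allow; denials never reach it."""
    allowed, reason = authorize(user, method, res)
    if not allowed:
        return 403, {"error": "forbidden", "check": reason}
    return forward(method, res.path)


# Constructed sample users and resources.
ALICE = User("alice", "patient", Level.RESTRICTED)
DR_BOB = User("dr_bob", "physician", Level.RESTRICTED)
DR_DAN = User("dr_dan", "physician", Level.RESTRICTED)
CAROL = User("carol", "billing", Level.SENSITIVE)
ALICE_RECORD = Resource("/Patient/alice", "alice", Level.RESTRICTED,
                        grants={"dr_bob": {"GET", "PUT"}})
ALICE_RX = Resource("/MedicationRequest/rx-1", "alice", Level.RESTRICTED)

if __name__ == "__main__":
    backend = lambda method, path: (200, {"path": path})
    for who, verb, what in [(ALICE, "GET", ALICE_RECORD), (ALICE, "PUT", ALICE_RECORD),
                            (DR_BOB, "GET", ALICE_RECORD), (DR_BOB, "POST", ALICE_RX),
                            (CAROL, "GET", ALICE_RECORD), (DR_DAN, "GET", ALICE_RECORD)]:
        print(who.uid, verb, what.path, "->", intercept(who, verb, what, backend))
```

Each denial names the check that failed, which is what a defender wants logged: a burst of "mac" denials from a billing role against PHI endpoints looks different from a single "dac" denial by a provider who simply lacks a patient's grant.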


Keywords: Access control · Application Programming Interface (API) · Authorization · Mobile application · Representational state transfer (REST) services · Role-based access control (RBAC) · Mandatory access control (MAC) · Discretionary access control (DAC)

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Yaira K. Rivera Sánchez (1)
  • Steven A. Demurjian (1)
  • Lukas Gnirke (2)
  1. University of Connecticut, Storrs, USA
  2. Oberlin College, Oberlin, USA
