| Field | Value |
|---|---|
| Graduate student | 賴世峰 Shih-Feng Lai |
| Thesis title | 一個供智慧型手機使用的微型應用程式代理認證架構與實作-以Android手機為例 (On Design and Implementation of a Proxy Authentication System for Smart Phone based on Android Operating Systems) |
| Advisor | 查士朝 Shi-Cho Cha |
| Committee members | 羅乃維 Nai-Wei Lo, 楊立偉 Li-wei Yang |
| Degree | Master |
| Department | College of Management, Department of Information Management |
| Year of publication | 2012 |
| Academic year of graduation | 100 |
| Language | Chinese |
| Number of pages | 46 |
| Chinese keywords | Android, mobile device security, proxy authentication service, mobile applications (APPs) |
| Foreign-language keywords | Mobile Security, Proxy Authentication |
| Statistics | Views: 215, Downloads: 0 |
With the rapid growth of mobile devices, more and more enterprises are trying to offer services that can be accessed from mobile devices. To increase the number of users of their services, enterprises adopt an open-API approach, publishing APIs that let outside developers of mobile applications (APPs) access those services. In this process the service provider usually needs to verify that the phone's user is authorized to use the service. However, because the user reaches the service through an APP that the service provider did not develop, if the user hands the authentication information to the APP and the APP then forwards it to the service provider, the APP can capture that authentication information and send it to its own developer, leaking the user's confidential data.
In view of this, this study examines how, when a user on a mobile device accesses a service through an APP not developed by the service provider, a trusted proxy authentication tool on the phone can be used so that the confidential information is given only to that tool for authentication. In this way the user's right to access the service can be confirmed without the third-party APP ever learning the user's authentication information, which prevents unauthorized access to the service.
With the advances in mobile technologies, more and more organizations are able and willing to provide mobile services. In addition, organizations may publish application programming interfaces (APIs) to encourage APP developers to build APPs and so increase the number of users of their services. In this setting, mobile service providers usually ask users to supply an ID and password for authentication. However, if the service providers let APPs forward the user's ID and password on their behalf, a malicious APP can transmit the user's credentials to its developer, who can then access the mobile service as the user without the user's consent.
To address this issue, this study proposes a scheme in which mobile service providers ask users to install an authentication agent on their phones. The agent obtains the credentials directly from the user, so the APPs never see them. The study further proposes that users distinguish the genuine agent from an impostor through images that the users set themselves. The mobile service then authenticates the user and issues an access token to the APP through the agent, and the APP uses that token to access the service. This study implements a prototype of the proposed scheme on the Android operating system; the scheme can hopefully enhance the security of mobile services in the real world.