Enabling Secure Integration of Web and Mobile: A Principled Multi-level Approach
Abstract
Today's digital content and services are increasingly published using web technologies and consumed through mobile apps, an ongoing technological trend, referred to as web-mobile integration, that is revolutionizing the way defense organizations, businesses, and individuals access information. With 86% of apps embedding various types of web content, we expect this trend to further extend in both scale and diversity as web-mobile integration naturally brings the Web's rich content and elastic services to the most widely used personal-computing devices. Although a vast number of web services and mobile apps, including those for defense organizations, government and enterprise users, have quickly followed this trend, the security implications of web-mobile integration remain largely unknown. Despite recent studies revealing ad-hoc attack vectors, a comprehensive threat model and effective security enforcement for web-mobile integration are yet to be established. The proposed research aims at understanding and thwarting emerging security threats that plague web-mobile integration. Our preliminary work found that integrating web and mobile not only inherits and amplifies security risks inherent to each platform, but also gives rise to a series of new attacks that neither the Web nor the mobile platform has encountered before. Guided by such findings, we have identified four critical research problems that, once tackled, will result in a fundamentally secure web-mobile integration. We will tackle the four problems in separate research stages, following a principled multi-level approach: (1) We will develop a comprehensive understanding of web-mobile integration's lesser-known security implications in reality. (2) We will address the lack of practical mitigation to the emerging threats by designing program-analysis techniques and app hardening methods. (3) We will retrofit mobile OS designs with fundamental capabilities that are currently nonexistent but essential to secure web-mobile integrations and other synergistic designs of apps. (4) We will create hardware-based security technologies to extend the benefits of secure web-mobile integration to usage scenarios where high-security assurance is required in the presence of powerful attackers.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Oct 15, 2018
- Source ID: W911NF1710039
Entities
People
- Long Lu
Organizations
- Army Contracting Command
- Research Foundation for the State University of New York
- United States Army