Secure Token Management in Hybrid Applications
The publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
Abstract
This thesis examines the security of token management in hybrid applications that operate on web and mobile platforms. These applications commonly rely on OAuth 2.0 for authorization and OpenID Connect for authentication, where tokens function as credentials to access protected resources. Due to security differences between platforms, the secure management of tokens presents significant challenges. This thesis addresses three research questions. It identifies the most critical threats to tokens, evaluates token storage mechanisms in terms of confidentiality and implementation cost, and proposes a secure and maintainable architecture. The results show that token exposure is the primary risk and that high-risk threats include cross-site scripting (XSS) and insecure storage. The storage mechanism evaluation shows a trade-off between confidentiality and implementation cost in hybrid applications. More confidential solutions, such as HttpOnly cookies, require additional infrastructure, and native secure storage APIs require additional effort to achieve similar security guarantees in the web environment. In contrast, simpler token storage mechanisms provide weaker confidentiality and protection. Finally, this thesis proposes an architecture that uses backend-managed sessions for web environments and operating-system-backed secure storage for mobile platforms. This approach improves security, reduces token exposure and is practical to implement on both web and mobile platforms.