Security Mechanism for Packaged Web Applications
Authors: K. Das, P. Perumal, Joy Bose
Published in: 2017 IEEE International Conference on Web Services (ICWS)
Publication date: 2017-06-01
DOI: 10.1109/ICWS.2017.72 (https://doi.org/10.1109/ICWS.2017.72)
Citations: 1
Abstract
OAuth is an open security standard that enables users to grant an application specific, time-bound rights to access protected user resources stored on an external resource server, without having to share their credentials with the application. Using OAuth, a client application obtains an access token for further use through an HTTP redirect response from the resource server once the user authorizes the resource access. Unlike websites, locally installed packaged web applications face a particular security challenge: handling that redirect response appropriately. This paper proposes a novel method for executing the OAuth flow from such applications with the help of the web runtime framework that manages their life cycle. We compare our approach with two other approaches to OAuth flow handling proposed in the literature. Experimenting with different categories of packaged web applications, we found that our approach blocks all illegal OAuth flow executions. Our approach also performs better in OAuth response handling time and power consumption.