Formalizing and Evaluating mAuth: SecureAuthorization and Authentication Protocol for Native Apps
| dc.contributor.author | Hermenius, Jesper | |
| dc.contributor.author | Strömbäck Olofsson, Simon | |
| dc.contributor.department | Chalmers tekniska högskola / Institutionen för data och informationsteknik | sv |
| dc.contributor.department | Chalmers University of Technology / Department of Computer Science and Engineering | en |
| dc.contributor.examiner | Duvignau, Romaric | |
| dc.contributor.supervisor | Schneider, Gerardo | |
| dc.date.accessioned | 2026-06-25T07:49:00Z | |
| dc.date.issued | ||
| dc.date.submitted | ||
| dc.description.abstract | OAuth was designed for the browser: its canonical authorisation-code flow assumes a redirect through a system user-agent, an assumption that fits poorly with native mobile applications, where every redirect crosses an OS boundary and breaks the in app experience. In 2024, Hamrefors and Törnkvist proposed mAuth, a redirect-less, mobile-native protocol that preserves OAuth’s authorisation guarantees while relo cating user authentication into the device’s own secure hardware. mAuth supports three authentication ceremonies: a CIBA-style backchannel, a FIDO2 challenge response and ROPC fallback. Every issued token is bound to a hardware-backed instance key, by means of platform attestation and DPoP. Its original presentation, however, argued for security informally and left several mechanisms underspecified. This thesis formalizes mAuth against a set of normative standards based around the OAuth architecture, and tightens the underspecified parts. A symbolic model of mAuth using the protocol verification tool Tamarin is also constructed. The three theories with authentication variants CIBA, FIDO2 and ROPC are built, with a set of lemmas establishing relevant normative security properties within the sym bolic model. The results therefore provide assurance relative to the abstractions and adversary model encoded in Tamarin, rather than a guarantee of security in deployment. | |
| dc.identifier.coursecode | DATX05 | |
| dc.identifier.uri | https://hdl.handle.net/20.500.12380/311504 | |
| dc.language.iso | eng | |
| dc.setspec.uppsok | Technology | |
| dc.subject | Computer Science, Engineering, Thesis, Native App, mAuth, Authenti cation, Authorization, Security, Tamarin, Formalization | |
| dc.title | Formalizing and Evaluating mAuth: SecureAuthorization and Authentication Protocol for Native Apps | |
| dc.type.degree | Examensarbete för masterexamen | sv |
| dc.type.degree | Master's Thesis | en |
| dc.type.uppsok | H | |
| local.programme | Computer systems and networks (MPCSN), MSc |
