Formalizing and Evaluating mAuth: SecureAuthorization and Authentication Protocol for Native Apps

dc.contributor.authorHermenius, Jesper
dc.contributor.authorStrömbäck Olofsson, Simon
dc.contributor.departmentChalmers tekniska högskola / Institutionen för data och informationstekniksv
dc.contributor.departmentChalmers University of Technology / Department of Computer Science and Engineeringen
dc.contributor.examinerDuvignau, Romaric
dc.contributor.supervisorSchneider, Gerardo
dc.date.accessioned2026-06-25T07:49:00Z
dc.date.issued
dc.date.submitted
dc.description.abstractOAuth was designed for the browser: its canonical authorisation-code flow assumes a redirect through a system user-agent, an assumption that fits poorly with native mobile applications, where every redirect crosses an OS boundary and breaks the in app experience. In 2024, Hamrefors and Törnkvist proposed mAuth, a redirect-less, mobile-native protocol that preserves OAuth’s authorisation guarantees while relo cating user authentication into the device’s own secure hardware. mAuth supports three authentication ceremonies: a CIBA-style backchannel, a FIDO2 challenge response and ROPC fallback. Every issued token is bound to a hardware-backed instance key, by means of platform attestation and DPoP. Its original presentation, however, argued for security informally and left several mechanisms underspecified. This thesis formalizes mAuth against a set of normative standards based around the OAuth architecture, and tightens the underspecified parts. A symbolic model of mAuth using the protocol verification tool Tamarin is also constructed. The three theories with authentication variants CIBA, FIDO2 and ROPC are built, with a set of lemmas establishing relevant normative security properties within the sym bolic model. The results therefore provide assurance relative to the abstractions and adversary model encoded in Tamarin, rather than a guarantee of security in deployment.
dc.identifier.coursecodeDATX05
dc.identifier.urihttps://hdl.handle.net/20.500.12380/311504
dc.language.isoeng
dc.setspec.uppsokTechnology
dc.subjectComputer Science, Engineering, Thesis, Native App, mAuth, Authenti cation, Authorization, Security, Tamarin, Formalization
dc.titleFormalizing and Evaluating mAuth: SecureAuthorization and Authentication Protocol for Native Apps
dc.type.degreeExamensarbete för masterexamensv
dc.type.degreeMaster's Thesisen
dc.type.uppsokH
local.programmeComputer systems and networks (MPCSN), MSc

Ladda ner

Original bundle

Visar 1 - 1 av 1
Hämtar...
Bild (thumbnail)
Namn:
CSE 26-103 JH SSO.pdf
Size:
1.93 MB
Format:
Adobe Portable Document Format

License bundle

Visar 1 - 1 av 1
Hämtar...
Bild (thumbnail)
Namn:
license.txt
Size:
2.35 KB
Format:
Item-specific license agreed upon to submission
Description: