On Design and Implementation a Smart Contract-Based Investigation Report Management Framework for Smartphone Applications
To prevent users from downloading and installing malicious smartphone applications, several countries and organizations have developed security requirements for smartphone applications and associated vetting systems. Certified third parties can inspect whether an application satisfies the applicable security requirements and issue inspection reports to notify users of potential risks. However, there is currently no standard method for users to obtain inspection results. Furthermore, as hacking techniques advance, an inspector may discover that an application is vulnerable to a new type of attack and wish to notify the application's users immediately. To address this issue, this study proposes a Smart Contract-based Investigation Report Management framework for smartphone application security (SCIRM), which enables smartphone application users to obtain security inspection reports for applications of interest through smart contracts. Benefiting from blockchain technology, users can obtain the historical inspection reports of an application and verify the integrity of those reports. In addition, this study uses smart contract technology to implement the interfaces, so that the smart contracts enforce the related actions automatically. This study can hopefully help users adopt appropriate countermeasures against potential application security risks, since they can obtain up-to-date security information about applications in a timely manner.
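The report registry the abstract describes, as an added illustration rather than code from the paper: a Python model of what an SCIRM-style contract would enforce. The roles (a registry owner who accredits inspectors), the addresses, the app identifier and the report bodies are all hypothetical or constructed; a real deployment would hold this state on chain and keep the full reports off chain.

```python
import hashlib


class SCIRMRegistry:
    """Model of the on-chain registry: an owner accredits inspectors, accredited
    inspectors append reports per app, anyone reads history and checks integrity."""

    def __init__(self, owner):
        self.owner = owner            # hypothetical deployer address
        self.inspectors = set()       # accredited third-party inspectors
        self.reports = {}             # app_id -> list of records, oldest first

    def accredit(self, caller, inspector):
        if caller != self.owner:
            raise PermissionError("only the registry owner may accredit inspectors")
        self.inspectors.add(inspector)

    @staticmethod
    def digest(body):
        return hashlib.sha256(body).hexdigest()

    def submit(self, caller, app_id, body, verdict):
        """Record only the report's hash and verdict; the full report stays off chain."""
        if caller not in self.inspectors:
            raise PermissionError("caller is not an accredited inspector")
        history = self.reports.setdefault(app_id, [])
        history.append({"inspector": caller, "hash": self.digest(body), "verdict": verdict})
        return len(history) - 1  # index of the new record

    def history(self, app_id):
        """Full, append-only history of an app, so an old 'pass' cannot hide a later 'fail'."""
        return list(self.reports.get(app_id, []))

    def verify(self, app_id, index, body):
        """True iff the off-chain report body matches the hash recorded on chain."""
        records = self.reports.get(app_id, [])
        return index < len(records) and records[index]["hash"] == self.digest(body)


def demo():
    # Constructed sample data: one app, one inspector, two reports over time.
    reg = SCIRMRegistry(owner="0xOWNER")
    reg.accredit("0xOWNER", "0xINSPECTOR")
    first = b"v1.0 satisfies the applicable security requirements"
    second = b"v1.0 affected by a newly published attack class"
    reg.submit("0xINSPECTOR", "com.example.app", first, "pass")
    reg.submit("0xINSPECTOR", "com.example.app", second, "fail")
    latest_verdict = reg.history("com.example.app")[-1]["verdict"]
    intact = reg.verify("com.example.app", 1, second)
    tampered = reg.verify("com.example.app", 1, second + b" (edited)")
    return latest_verdict, intact, tampered
```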
This work was supported in part by the Taiwan Ministry of Science and Technology under grants MOST 104-2923-E-011-005-MY3 and MOST 105-2218-E-001-001.