Faysal Boukayoua

inShopnito: An Advanced yet Privacy-Friendly Mobile Shopping Application

Mobile Shopping Applications (MSAs) are rapidly gaining popularity. They enhance the shopping experience, by offering customized recommendations or incorporating customer loyalty programs. Although MSAs are quite effective at attracting new customers and binding existing ones to a retailers services, existing MSAs have several shortcomings. The data collection practices involved in MSAs and the lack of transparency thereof are important concerns for many customers. This paper presents inShopnito, a privacy-preserving mobile shopping application. All transactions made in inShopnito are unlinkable and anonymous. However, the system still offers the expected features from a modern MSA. Customers can take part in loyalty programs and earn or spend loyalty points and electronic vouchers. Furthermore, the MSA can suggest personalized recommendations even though the retailer cannot construct rich customer profiles. These profiles are managed on the smartphone and can be partially disclosed in order to get better, customized recommendations. Finally, we present an implementation called inShopnito, of which the security and performance is analyzed. In doing so, we show that it is possible to have a privacy-preserving MSA without having to sacrifice practicality.

Using a Smartphone to Access Personalized Web Services on a Workstation

This paper presents a privacy-friendly mobile authentication solution. It addresses several shortcomings of conventional methods, such as passwords and smartcard solutions. It also meets the needs of an increasingly mobile user. Trust in the client computer is minimal and the authentication is entirely delegated to the smartphone, which makes it portable across different workstations. Our approach involves authentication using securely stored credentials on the smartphone. The client workstation does not need to be modified, whereas only minor changes to the Web server are required.

Secure Storage on Android with Context-Aware Access Control

Android devices are increasingly used in corporate settings. Although openness and cost-effectiveness are key factors to opt for the platform, its level of data protection is often inadequate for corporate use. This paper presents a strategy for secure credential and data storage in Android. It is supplemented by a context-aware mechanism that restricts data availability according to predefined policies. Our approach protects stored data better than iOS in case of device theft. Contrary to other Android-based solutions, we do not depend on device brand, hardware specs, price range or platform version. No modifications to the operating system are required. The proposed concepts are validated by a contextaware file management prototype.

A keyboard that manages your passwords in Android

During the recent years, smartphones and tablets have become a fixture of daily life. They are used to run ever more tasks and services. Unfortunately, when it comes to password management, users are confronted with greater security and usability concerns than in the non-mobile world. This work presents a password manager for Android that can accommodate any app. Existing platform mechanisms are leveraged to better protect against malware and device theft, than current solutions. Our approach also provides significant usability improvements. No modifications are required to existing applications or to the mobile platform.

Claim-based versus network-based identity management: a hybrid approach

This paper proposes a hybrid approach that combines claim-based and network-based identity management. Partly by virtue of the principle of separation of concerns, better security and privacy properties are attained. Overall trust is diminished, while simultaneously reducing multiple actors’ exposure and value as a target of attack. The proposed architecture also facilitates interoperability and pluralism of credential technologies, authentication protocols and operators. In addition, the user has more control over his personal data than with current network-based identity management systems. A prototype demonstrates the feasibility of the proposed approach.

Making OpenID Mobile and Privacy-Friendly

OpenID is a widely used single sign-on standard that allows users to access different services using the same authentication. However, its usage poses a number of issues regarding privacy and security. This paper evaluates the OpenID standard and introduces three mobile strategies, two of which are validated using a prototype implementation. Significant privacy and trust improvements are attained through the use of an identity management architecture that leverages the properties of a tamperproof module. Furthermore, our approach makes OpenID more suitable for omnipresentmobile use.We remain interoperable with the OpenID standard and no modifications to the mobile platform are required.