Security for Distributed Community Applications

Problem

Applications for mobile devices are distributed through centralized application stores such as "Google Play" and the "App Store". Most applications for smartphone users must be present on the application store and must either be pre-configured or be configured by the user after installation.

Open source applications for groups suffer from this approach, as each group is motivated to submit its own pre-configured version of the open source application to the application store. Development of the original application is thereby fragmented, and the overall development effort is likely reduced while the overall maintenance effort increases.

As an illustration, an inventory and messaging application can easily be used by several independent groups if a central back-end is used. But if each group wants to rely on its own servers, the application would need to be submitted to the application stores multiple times, with each submission holding the relevant connection details and credentials. Disclosing the credentials for server access to users is undesirable in many situations.

Main Task

Your task is to develop a secure concept for community applications with single submissions to application stores but independent usage by separate groups and an aggregated development effort. A common approach consists of an automated build system and an application structure that allows secure customization (configuration) for the correct infrastructure after installation on the user's device. The focus of this work is the secure customization process, as well as its integration into the required resource infrastructure and development chain. Special attention is required because several security implications arise, such as the distribution of credentials for database access and the infrastructure operator's trust in the integrity of the application. As part of your thesis you will evaluate whether this approach is feasible in a secure manner and develop the example application mentioned above.

The cloud IDE Eclipse Che and Linux/Docker containers are to be used for automated builds and application development. The Ionic and Electron frameworks are good candidates for programming and for testing on mobile, desktop and browser platforms.

Optional Tasks

Additional topics of concern might be:

  • Reproducible and collectively signed builds
  • Simultaneous distribution of a release and development branch
  • Update mechanisms in case of security flaws in 3rd party code

Contact

Please get in touch with me if you are interested, would like to suggest improvements, or have further questions.