Modeling Security and Privacy Requirements for Mobile Applications: a Use Case-driven Approach

Mai, Xuan Phu; Göknil, Arda; Shar, Lwin Khin; Briand, Lionel

Reference : Modeling Security and Privacy Requirements for Mobile Applications: a Use Case-driven...


	Document type :	Reports : Internal report
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Security, Reliability and Trust
	To cite this reference:	http://hdl.handle.net/10993/31653

Title :	Modeling Security and Privacy Requirements for Mobile Applications: a Use Case-driven Approach
Language :	English
Author, co-author :	Mai, Xuan Phu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Göknil, Arda [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Shar, Lwin Khin [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Publication date :	7-Jul-2017
Publisher :	SnT, University of Luxembourg
ISBN :	978-2-87971-160-7
Report number :	TR-SNT-2017-3
Abstract :	[en] Defining and addressing security and privacy requirements in mobile apps is a significant challenge due to the high level of transparency regarding users' (private) information. In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements of mobile apps in a structured and analyzable form. Our motivation is that, in many contexts including mobile app development, use cases are common practice for the elicitation and analysis of functional requirements and should also be adapted for describing security requirements. We integrate and adapt an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically detect and report inconsistencies among artifacts and between the templates and specifications. Since our approach supports stakeholders in precisely specifying and checking security threats, threat scenarios and their mitigations, it is expected to help with decision making and compliance with standards for improving security. We successfully applied our approach to industrial mobile apps and report lessons learned and results from structured interviews with engineers.
Funders :	Fonds National de la Recherche - FnR
Name of the research project :	EDLAH2
Target :	Researchers ; Professionals ; Students ; General public ; Others
Permalink :	http://hdl.handle.net/10993/31653

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	TR_Modeling_Security.pdf		Publisher postprint	793.01 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices