Balancing Isolation and Sharing of Data for Third-Party Extensible App Ecosystems
In the landscape of application ecosystems, today's cloud users wish to personalize not only their browsers with various extensions or their smartphones with various applications, but also the various extensions and applications themselves. The resulting personalization significantly raises the attractiveness for typical Web 2.0 users, but gives rise to various security risks and privacy concerns, such as unforeseen access to certain critical components, undesired information flow of personal information to untrusted applications, or emerging attack surfaces that were not possible before a personalization has taken place. In this paper, we propose a novel extensibility mechanism which is used for implementing personalization of existing cloud applications towards (possibly untrusted) components in a secure and privacy-friendly manner. Our model provides a clean component abstraction, thereby in particular ruling out undesired component accesses and ensuring that no undesired information flow takes place between application components -- either trusted from the base application or untrusted from various extensions. We then instantiate our model in the SAFE web application framework (WWW 2012), resulting in a novel methodology that is inspired by traditional access control and specifically designed for the newly emerging needs of extensibility in application ecosystems. We illustrate the convenient usage of our techniques by showing how to securely extend an existing social network application.