Abstract

Mobile applications are quickly replacing traditional desktop computing for gaming, social media, email, web browsing, health and fitness, business usage, etc. Many of these mobile apps require that sensitive information (protected health information (PHI) and personally identifiable information (PII)) be displayed, accessed, modified, and stored. In the healthcare domain, there is a need for health information exchange (HIE) among patients and medical providers across a wide range of health information technology (HIT) systems such as electronic health records, e-prescribing, etc., all of which involve highly sensitive data (PII and PHI) that is exchanged back and forth between the mobile application and its server-side repository/database. In the U.S. in 2015, the Office of the National Coordinator issued a report on certification rules for EHRs that required HIT vendors to develop RESTful APIs for EHRs and other systems so that patients and medical providers using mobile health (mHealth) applications via the cloud can easily access their healthcare data from multiple sources. This makes access control mechanisms natural candidates for protecting the highly sensitive data of such applications by controlling who can call which service. The paper presents the attainment of role-based (RBAC), mandatory (MAC), and discretionary (DAC) access control for RESTful API and cloud services via an Intercepting API Calls approach that defines and enforces, for each user of a mobile app, limits on the API/cloud services that can be invoked depending on the user's permissions. The presented Intercepting API Calls approach is demonstrated via an existing mHealth application.
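As an added illustration of the interception idea described above (not code from the paper or its mHealth application), the following Python sketch sits in front of a RESTful API and checks each call against RBAC, then MAC, then DAC before the service is invoked. The roles, endpoints, sensitivity labels, and records are constructed sample values, not the paper's policy.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# MAC sensitivity lattice (constructed): higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "phi": 2}

# RBAC: which (HTTP method, endpoint) pairs each role may invoke (constructed).
ROLE_PERMS = {
    "patient":   {("GET", "/patients/{id}/records")},
    "physician": {("GET", "/patients/{id}/records"), ("POST", "/prescriptions")},
    "admin":     {("GET", "/audit")},
}

# MAC: sensitivity label assigned to each endpoint (constructed).
ENDPOINT_LABEL = {
    "/patients/{id}/records": "phi",
    "/prescriptions": "phi",
    "/audit": "internal",
}

@dataclass
class User:
    name: str
    role: str        # RBAC role
    clearance: str   # MAC clearance, one of LEVELS

@dataclass
class Record:
    owner: str                              # DAC: the patient who owns the record
    shared_with: Set[str] = field(default_factory=set)  # users the owner granted access

# Constructed sample data store keyed by record id.
RECORDS = {"p1": Record(owner="alice", shared_with={"dr_bob"})}

def intercept(user: User, method: str, path: str,
              record_id: Optional[str] = None) -> Tuple[bool, str]:
    """Interceptor placed before the API handler; returns (allowed, reason)."""
    # RBAC: the role must be permitted to call this service at all.
    if (method, path) not in ROLE_PERMS.get(user.role, set()):
        return False, "rbac: role may not invoke this service"
    # MAC: the caller's clearance must dominate the endpoint's sensitivity.
    if LEVELS[user.clearance] < LEVELS[ENDPOINT_LABEL[path]]:
        return False, "mac: clearance below endpoint sensitivity"
    # DAC: record-level access is owner-controlled.
    if record_id is not None:
        rec = RECORDS.get(record_id)
        if rec is None or (user.name != rec.owner and user.name not in rec.shared_with):
            return False, "dac: caller is neither owner nor granted by owner"
    return True, "allowed"
```

Checks are ordered from coarsest to finest so a denied call never reaches the record lookup, which also keeps the audit reason unambiguous.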
