Part 3. Cloud Security
Application
Linking Apps to User Accounts
Via 3rd Party App Stores
Third-party apps that access user data or an Example device requiring legitimate user credentials shall do so only after the authorized Service Provider App has established the necessary user credentials through a successful login to the service. This shall be facilitated through OAuth 2.0.
The following data is provided by the Example Account Service to the App Developer when they register to develop apps that may access the Example User Account, DeviceData, DeviceMarks and Devices.
These credentials shall be used by back-end processes associated with the App and shall not be inserted into Apps which are downloaded into consumer devices.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "title": "Application Developer Security Package",
  "description": "Application ID for the App developer",
  "additionalProperties": false,
  "properties": {
    "App Developer ID": {
      "type": "string"
    },
    "API Key": {
      "type": "string",
      "description": "API Key used to access Example APIs"
    },
    "App Developer Private Key": {
      "type": "string",
      "description": "This private key enables the App back-end systems to access DeviceData under the privacy management system rules. This key shall be managed in a secure environment within the App developer's premises and shall not be inserted into applications."
    },
    "App Developer X.509 Certificate": {
      "type": "string"
    }
  }
}
Where the App Developer wishes a downloaded App to access the User's Account, Cameras, or DeviceData, the following data shall be provided to the App developer per instance of the App.
The App developer shall ensure that these security assets are protected once downloaded into a consumer device.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "title": "Application Instance Security Object",
  "description": "Keys and Credentials for each instance of an application",
  "additionalProperties": false,
  "properties": {
    "App Developer ID": {
      "type": "string"
    },
    "App Instance ID": {
      "type": "string",
      "description": "Unique ID for specific instance of App"
    },
    "API Key": {
      "type": "string",
      "description": "API Key used to access Example APIs"
    },
    "App Private Key": {
      "type": "string",
      "description": "This private key is used by the App to process DeviceData and DeviceMarks protected using the Privacy Rights Management System. This key is unique to an instance of the App"
    },
    "App X.509 Certificate": {
      "type": "string",
      "description": "Certificate for this instance of the App."
    }
  }
}
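The two objects above split the credentials into back-end assets (the Application Developer Security Package, which must never be inserted into a downloaded App) and per-instance assets (the Application Instance Security Object). A release pipeline can enforce the first rule mechanically. The following scanner is an added example, not code from the specification or from the Example Account Service: it walks a build artefact and reports any PEM private key block and any occurrence of the developer API Key in plain, base64 or hex form. The bundle, the developer package and every secret value in it are constructed for the example.

```python
"""Release gate: developer back-end secrets must not ship inside the App.

Added example, not from the specification. It scans a build artefact for
the assets the page reserves for the developer's back end: the App
Developer Private Key (any PEM private key block counts as a hit, since no
private key belongs in a build artefact) and the API Key, searched for in
plain, base64 and hex form. Bundle, package and secret values are constructed.
"""
import base64
import json
import re

# Matches "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
# "-----BEGIN EC PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----".
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Constructed Application Developer Security Package (shape of the schema above).
DEVELOPER_PACKAGE = {
    "App Developer ID": "dev-0001",   # not secret: also present in the per-instance object
    "API Key": "AK-EXAMPLE-1234567890",
    "App Developer Private Key": "-----BEGIN PRIVATE KEY-----\nMIIBdummy\n-----END PRIVATE KEY-----\n",
    "App Developer X.509 Certificate": "-----BEGIN CERTIFICATE-----\nMIICdummy\n-----END CERTIFICATE-----\n",
}

# Constructed build artefact: path -> file bytes. Two of the three files leak.
BUNDLE = {
    "src/main.js": b"const API = 'https://api.example.invalid/v1';\n",
    "assets/config.json": json.dumps(
        {"apiKey": base64.b64encode(b"AK-EXAMPLE-1234567890").decode()}).encode(),
    "res/raw/backend.pem": DEVELOPER_PACKAGE["App Developer Private Key"].encode(),
}


def _encodings(secret: str) -> dict:
    """The forms in which a string secret commonly hides in an artefact."""
    raw = secret.encode()
    return {"plain": raw, "base64": base64.b64encode(raw), "hex": raw.hex().encode()}


def scan_bundle(bundle: dict, developer_package: dict) -> list:
    """Return sorted (path, finding) pairs for every leaked back-end secret."""
    findings = set()
    api_key_forms = _encodings(developer_package["API Key"])
    for path, content in bundle.items():
        if PEM_PRIVATE_KEY.search(content):
            findings.add((path, "PEM private key block"))
        for form, needle in api_key_forms.items():
            if needle in content:
                findings.add((path, f"API Key ({form})"))
    return sorted(findings)


def release_gate(bundle: dict, developer_package: dict) -> bool:
    """True when the artefact may ship; False, with a report, otherwise."""
    findings = scan_bundle(bundle, developer_package)
    for path, what in findings:
        print(f"BLOCK {path}: {what}")
    return not findings


if __name__ == "__main__":
    release_gate(BUNDLE, DEVELOPER_PACKAGE)
```

The base64 check only catches the key at alignment zero; a key embedded inside a larger base64 blob at another offset needs the two shifted encodings as well, and a key that the build tool obfuscates needs the check to run before obfuscation. The App Developer ID is deliberately not flagged because the per-instance object legitimately carries it.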
App Access to Cameras
The Example Account Service controls how apps access both DeviceData and the user’s devices.
- An application requests access to a user's account using the OAuth 2.0 protocol.
- The Example Account Service acts as the OAuth defined authorization server.
- If the User grants the App permission to access their devices, the Example Account Service provides the App with an access token, which the App presents to the device or to the server that holds the DeviceData.
- The token is opaque to the App; it is processed by the device or by the server holding the DeviceData. The processing of this token is described in the following section.
- If the device or the server verifies the access token, the App can access data or settings in the device.
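The exchange in the list above, walked through once with all three parties, as an added example that is not part of the specification. The token format is an assumption: this page only states that the App treats the token as opaque and that the device or server verifies it, with the verification described in the following section. Here the Example Account Service issues base64url(JSON claims).base64url(HMAC-SHA256) over a key it shares with the device, standing in for whatever signature the real service uses; the claims, identifiers, key and scope names are all constructed. The example also shows the checks a device should apply before serving anything: signature before parsing, issuer, audience bound to this device, validity window, and scope covering the requested operation.

```python
"""Access-token exchange between App, Example Account Service and a device.

Added example, not from the specification. Token format is an assumption
(base64url(JSON claims).base64url(HMAC-SHA256) over a key shared between the
Account Service and the device); identifiers and keys are constructed.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "example-account-service"   # constructed issuer name


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AccountService:
    """OAuth 2.0 authorization-server role: issues tokens only after user consent."""

    def __init__(self, token_key: bytes):
        self._key = token_key
        self._consents = {}   # (user, app instance) -> scopes the user granted

    def user_grants(self, user, app_instance_id, scopes):
        self._consents[(user, app_instance_id)] = set(scopes)

    def issue_access_token(self, user, app_instance_id, device_id, scopes, now, ttl=600):
        if not set(scopes) <= self._consents.get((user, app_instance_id), set()):
            raise PermissionError("user has not consented to the requested scope")
        claims = {"iss": ISSUER, "sub": user, "client": app_instance_id,
                  "aud": device_id, "scope": sorted(scopes), "iat": now, "exp": now + ttl}
        body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        return body + "." + _b64u(hmac.new(self._key, body.encode(), hashlib.sha256).digest())


class Device:
    """Device or DeviceData-server role: the only party that parses the token."""

    def __init__(self, device_id: str, token_key: bytes):
        self.device_id, self._key = device_id, token_key

    def verify(self, token: str, operation: str, now: int) -> dict:
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not sig or not hmac.compare_digest(expected, _unb64u(sig)):
            raise PermissionError("bad signature")   # checked before anything is parsed
        claims = json.loads(_unb64u(body))
        if claims.get("iss") != ISSUER:
            raise PermissionError("unknown issuer")
        if claims.get("aud") != self.device_id:   # token is bound to one device
            raise PermissionError("token is for a different device")
        if not isinstance(claims.get("exp"), int) or not claims.get("iat", 0) <= now < claims["exp"]:
            raise PermissionError("token expired or not yet valid")
        if operation not in claims.get("scope", []):
            raise PermissionError("scope does not cover operation")
        return claims


class App:
    """Downloaded App role: stores and forwards the token, never decodes it."""

    def __init__(self, app_instance_id: str):
        self.app_instance_id, self.token = app_instance_id, None

    def request(self, device: Device, operation: str, now: int) -> dict:
        return device.verify(self.token, operation, now)


def run_flow(now: int = 1_700_000_000) -> dict:
    """Walk the exchange once; return the outcome each request produced."""
    key = b"constructed-token-key"   # constructed; shared by service and device
    service = AccountService(key)
    camera, other = Device("camera-42", key), Device("camera-99", key)
    app = App("inst-7f3a")
    # App asks for access; the user consents to reading DeviceData only;
    # the Account Service issues a token addressed to camera-42.
    service.user_grants("alice", app.app_instance_id, {"read:DeviceData"})
    app.token = service.issue_access_token("alice", app.app_instance_id,
                                           camera.device_id, {"read:DeviceData"}, now)
    # App presents the token unchanged; the device verifies it and serves data.
    out = {"ok": app.request(camera, "read:DeviceData", now)["sub"]}
    tampered = App(app.app_instance_id)   # same App, one character of the body flipped
    tampered.token = ("f" if app.token[0] != "f" else "g") + app.token[1:]
    for name, holder, device, op, when in [
        ("wrong_device", app, other, "read:DeviceData", now),
        ("wrong_scope", app, camera, "write:Settings", now),
        ("expired", app, camera, "read:DeviceData", now + 601),
        ("tampered", tampered, camera, "read:DeviceData", now),
    ]:
        try:
            holder.request(device, op, when)
            out[name] = "accepted"
        except PermissionError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=1))
```

The App class has no code path that decodes the token, which is the property the list above requires; the audience check is what keeps a token issued for one camera from being replayed against another device the same user owns.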
In the case of DeviceData, there may be a second layer of protection provided by the Privacy Management System. In this case the App must be provided with a Privacy Rights Object, which supplies the keys needed to decrypt the data retrieved from the server or device; the App must adhere to the processing rules defined by that Privacy Rights Object.
Sharing of Devices
In applications where the user is willing to share their device with another user:
- The device owner grants the other user access by enabling it on the device owner's account.
- The Example Account Service provides a credential to the other user's app, which enables that user to log in to the device.