{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:40:38Z","timestamp":1767339638445,"version":"3.43.0"},"publisher-location":"New York, NY, USA","reference-count":60,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,8,25]]},"DOI":"10.1145\/3708821.3736217","type":"proceedings-article","created":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T06:30:56Z","timestamp":1755066656000},"page":"1372-1393","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Protocols and Formal Models for Delegated Authorisation with Server-Side Secrecy"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4662-7760","authenticated-orcid":false,"given":"Jean","family":"Snyman","sequence":"first","affiliation":[{"name":"University of Surrey, Guildford, United Kingdom and Hewlett Packard Enterprise, Bristol, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9543-1342","authenticated-orcid":false,"given":"Chris","family":"Culnane","sequence":"additional","affiliation":[{"name":"Castellate Consulting Ltd, London, United Kingdom and University of Melbourne, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5864-777X","authenticated-orcid":false,"given":"Ioana","family":"Boureanu","sequence":"additional","affiliation":[{"name":"University of Surrey, Guildford, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8583-0668","authenticated-orcid":false,"given":"Gerault","family":"David","sequence":"additional","affiliation":[{"name":"Technology Innovation Institute (TII), Abu Dhabi, United Arab 
Emirates"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,8,24]]},"reference":[{"key":"e_1_3_3_2_2_2","unstructured":"Jean Snyman Chris Culnane Ioana Boureanu and David Gerault. 2025. APEX Project Landing Page. https:\/\/uos-sccs.github.io\/apex."},{"key":"e_1_3_3_2_3_2","volume-title":"Enabling AutoFill for domain-bound SMS codes","author":"Developer Apple","unstructured":"Apple Developer. [n. d.]. Enabling AutoFill for domain-bound SMS codes. https:\/\/developer.apple.com\/documentation\/security\/one-time_codes\/enabling_autofill_for_domain-bound_sms_codes (https:\/\/archive.today\/ZbcGZ)."},{"key":"e_1_3_3_2_4_2","doi-asserted-by":"publisher","unstructured":"Chetan Bansal Karthikeyan Bhargavan Antoine Delignat-Lavaud and Sergio Maffeis. 2014. Discovering Concrete Attacks on Website Authorization by Formal Analysis1. Journal of Computer Security 22 4 (April 2014) 601\u2013657. 10.3233\/JCS-140503https:\/\/www.medra.org\/servlet\/aliasResolver?alias=iospress&doi=10.3233\/JCS-140503.","DOI":"10.3233\/JCS-140503"},{"key":"e_1_3_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-98795-4_14"},{"key":"e_1_3_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48329-2_21"},{"key":"e_1_3_3_2_7_2","unstructured":"Rich Brown. 2012. SkyDrive Content Restrictions among the Toughest in the Cloud. CNET (Aug. 2012). https:\/\/www.cnet.com\/tech\/services-and-software\/skydrive-content-restrictions-among-the-toughest-in-the-cloud\/."},{"key":"e_1_3_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/SFCS.2001.959888"},{"key":"e_1_3_3_2_9_2","volume-title":"Universally Composable Web Security Protocols for Delegation","author":"Chari Suresh","year":"2009","unstructured":"Suresh Chari and Charanjit Jutla. 2009. Universally Composable Web Security Protocols for Delegation. Research Report RC24856. IBM. 
https:\/\/dominoweb.draco.res.ibm.com\/b0d33665257dd3a0852576410043bcdd.html."},{"key":"e_1_3_3_2_10_2","unstructured":"Suresh Chari Charanjit Jutla and Arnab Roy. 2011. Universally Composable Security Analysis of OAuth v2.0. https:\/\/eprint.iacr.org\/2011\/526."},{"key":"e_1_3_3_2_11_2","unstructured":"Garrett Davidson. 2022. Meet Passkeys. https:\/\/developer.apple.com\/videos\/play\/wwdc2022\/10092\/."},{"key":"e_1_3_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8628"},{"key":"e_1_3_3_2_13_2","volume-title":"Android Keystore system","author":"Developers Android","year":"2025","unstructured":"Android Developers. 2025. Android Keystore system. Google. https:\/\/developer.android.com\/privacy-and-security\/keystore"},{"key":"e_1_3_3_2_14_2","volume-title":"Build web apps in WebView","author":"Developers Android","year":"2025","unstructured":"Android Developers. 2025. Build web apps in WebView. Google. https:\/\/developer.android.com\/develop\/ui\/views\/layout\/webapps\/webview"},{"key":"e_1_3_3_2_15_2","volume-title":"Window: localStorage property","author":"Docs MDN\u00a0Web","year":"2024","unstructured":"MDN\u00a0Web Docs. 2024. Window: localStorage property. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/localStorage"},{"key":"e_1_3_3_2_16_2","volume-title":"Promise - JavaScript","author":"Docs MDN\u00a0Web","year":"2025","unstructured":"MDN\u00a0Web Docs. 2025. Promise - JavaScript. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Reference\/Global_Objects\/Promise"},{"key":"e_1_3_3_2_17_2","volume-title":"Same-Origin Policy","author":"Docs MDN\u00a0Web","year":"2025","unstructured":"MDN\u00a0Web Docs. 2025. Same-Origin Policy. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy"},{"key":"e_1_3_3_2_18_2","volume-title":"Window: postMessage() method","author":"Docs MDN\u00a0Web","year":"2025","unstructured":"MDN\u00a0Web Docs. 2025. Window: postMessage() method. 
https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/postMessage"},{"key":"e_1_3_3_2_19_2","doi-asserted-by":"publisher","unstructured":"D. Dolev and A. Yao. 1983. On the Security of Public Key Protocols. IEEE Transactions on Information Theory 29 2 (March 1983) 198\u2013208. 10.1109\/TIT.1983.1056650http:\/\/ieeexplore.ieee.org\/document\/1056650\/.","DOI":"10.1109\/TIT.1983.1056650"},{"key":"e_1_3_3_2_20_2","unstructured":"Emily Dreyfuss. 2018. Was It Ethical for Dropbox to Share Customer Data with Scientists? Wired (July 2018). https:\/\/www.wired.com\/story\/dropbox-sharing-data-study-ethics\/."},{"key":"e_1_3_3_2_21_2","volume-title":"Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201910)","author":"Feldman Ariel\u00a0J","year":"2010","unstructured":"Ariel\u00a0J Feldman, William\u00a0P Zeller, Michael\u00a0J Freedman, and Edward\u00a0W Felten. 2010. SPORC: Group Collaboration Using Untrusted Cloud Resources. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201910). USENIX, Vancouver, BC, Canada. https:\/\/www.usenix.org\/conference\/osdi10\/sporc-group-collaboration-using-untrusted-cloud-resources."},{"key":"e_1_3_3_2_22_2","volume-title":"OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0","author":"Fernandez G.","year":"2021","unstructured":"G. Fernandez, F. Walter, A. Nennker, D. Tonge, and B. Campbell. 2021. OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0. Technical Report. OpenID Foundation. 
https:\/\/openid.net\/specs\/openid-client-initiated-backchannel-authentication-core-1_0.html."},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.5555\/3600270.3601935"},{"key":"e_1_3_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-57048-8_5"},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.17487\/rfc6749"},{"key":"e_1_3_3_2_27_2","volume-title":"The OAuth 2.1 Authorization Framework","author":"Hardt Dick","year":"2022","unstructured":"Dick Hardt, Aaron Parecki, and Torsten Lodderstedt. 2022. The OAuth 2.1 Authorization Framework. Internet-Draft draft-ietf-oauth-v2-1-06. IETF. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-v2-1-12."},{"key":"e_1_3_3_2_28_2","unstructured":"Florian Helmschmidt. 2022. Security Analysis of the Grant Negotiation and Authorization Protocol. Ph.\u00a0D. Dissertation. University of Stuttgart Stuttgart Germany. https:\/\/elib.uni-stuttgart.de\/bitstream\/11682\/12220\/1\/Security_Analysis_GNAP.pdf."},{"key":"e_1_3_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2010.5762765"},{"key":"e_1_3_3_2_30_2","volume-title":"Capacitor: Cross-platform apps with web technology","year":"2017","unstructured":"Ionic. 2017. Capacitor: Cross-platform apps with web technology. https:\/\/capacitorjs.com\/"},{"key":"e_1_3_3_2_31_2","doi-asserted-by":"publisher","unstructured":"Daniel Jackson. 2002. Alloy: A Lightweight Object Modelling Notation. ACM Transactions on Software Engineering and Methodology 11 2 (April 2002) 256\u2013290. 10.1145\/505145.505149https:\/\/dl.acm.org\/doi\/10.1145\/505145.505149.","DOI":"10.1145\/505145.505149"},{"key":"e_1_3_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/337180.337616"},{"key":"e_1_3_3_2_33_2","doi-asserted-by":"publisher","unstructured":"Tibor Jager Florian Kohlar Sven Sch\u00e4ge and J\u00f6rg Schwenk. 2017. 
Authenticated Confidential Channel Establishment and the Security of TLS-DHE. Journal of Cryptology 30 4 (Oct. 2017) 1276\u20131324. 10.1007\/s00145-016-9248-2http:\/\/link.springer.com\/10.1007\/s00145-016-9248-2.","DOI":"10.1007\/s00145-016-9248-2"},{"key":"e_1_3_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-13-1343-1_7"},{"key":"e_1_3_3_2_35_2","unstructured":"Joel Khalili. 2022. Google Drive Is Locking Some People\u2019s Files for No Reason. TechRadar (Jan. 2022). https:\/\/www.techradar.com\/news\/google-drive-is-locking-some-peoples-files-for-no-reason."},{"key":"e_1_3_3_2_36_2","volume-title":"Verify phone numbers on the web with the WebOTP API","author":"Kitamura Eiji","year":"2019","unstructured":"Eiji Kitamura. 2019. Verify phone numbers on the web with the WebOTP API. Chrome for Developers. https:\/\/developer.chrome.com\/docs\/identity\/web-apis\/web-otp (https:\/\/archive.today\/mN9Wo)."},{"key":"e_1_3_3_2_37_2","unstructured":"Eiji Kitamura. 2022. A Path to a World without Passwords. https:\/\/io.google\/2022\/program\/e3bb37a4-2723-4d72-a5b3-1a23abb94ac0\/."},{"key":"e_1_3_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-25535-9_21"},{"key":"e_1_3_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420993"},{"key":"e_1_3_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.21236\/ADA445862"},{"key":"e_1_3_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00025"},{"key":"e_1_3_3_2_42_2","volume-title":"OAuth 2.0 Security Best Current Practice","author":"Lodderstedt Torsten","year":"2022","unstructured":"Torsten Lodderstedt, John Bradley, Aney Labunets, and Daniel Fett. 2022. OAuth 2.0 Security Best Current Practice. Internet Draft draft-ietf-oauth-security-topics-21. Internet Engineering Task Force. 
https:\/\/datatracker.ietf.org\/doc\/draft-ietf-oauth-security-topics-21."},{"key":"e_1_3_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.17487\/RFC9126"},{"key":"e_1_3_3_2_44_2","volume-title":"Foundations of Cryptography: Volume 2, Basic Applications (1st ed.)","author":"Oded Goldreich","year":"2009","unstructured":"Goldreich Oded. 2009. Foundations of Cryptography: Volume 2, Basic Applications (1st ed.). Cambridge University Press, USA."},{"key":"e_1_3_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.FIPS.140-3"},{"key":"e_1_3_3_2_46_2","unstructured":"OpenAI. 2023. GPT-4 Technical Report. ArXiv abs\/2303.08774 (2023). https:\/\/api.semanticscholar.org\/CorpusID:257532815"},{"key":"e_1_3_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSNT.2011.141"},{"key":"e_1_3_3_2_48_2","volume-title":"Flask","year":"2010","unstructured":"Pallets. 2010. Flask. https:\/\/github.com\/pallets\/flask"},{"key":"e_1_3_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.5555\/2002181.2002212"},{"key":"e_1_3_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/2043556.2043566"},{"key":"e_1_3_3_2_51_2","volume-title":"Proton Drive: Free Encrypted Cloud File Storage & Sharing","unstructured":"Proton. [n. d.]. Proton Drive: Free Encrypted Cloud File Storage & Sharing. https:\/\/proton.me\/drive"},{"key":"e_1_3_3_2_52_2","volume-title":"Requests-OAuthlib","author":"Reitz Kenneth","year":"2014","unstructured":"Kenneth Reitz. 2014. Requests-OAuthlib. https:\/\/github.com\/requests\/requests-oauthlib"},{"key":"e_1_3_3_2_53_2","volume-title":"Grant Negotiation and Authorization Protocol","author":"Richer Justin","year":"2022","unstructured":"Justin Richer and Fabien Imbault. 2022. Grant Negotiation and Authorization Protocol. RFC 9635. IETF. 
https:\/\/datatracker.ietf.org\/doc\/html\/rfc9635."},{"key":"e_1_3_3_2_54_2","volume-title":"OAuth 2.0 Dynamic Client Registration Protocol","author":"Richer Justin","year":"2015","unstructured":"Justin Richer, Michael Jones, John Bradley, Maciej Machulak, and Phil Hunt. 2015. OAuth 2.0 Dynamic Client Registration Protocol. RFC 7591. IETF. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7591\/."},{"key":"e_1_3_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7636"},{"key":"e_1_3_3_2_56_2","first-page":"2469","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security \u201920)","author":"Shafagh Hossein","year":"2020","unstructured":"Hossein Shafagh, Lukas Burkhalter, Sylvia Ratnasamy, and Anwar Hithnawi. 2020. Droplet: Decentralized Authorization and Access Control for Encrypted Data Streams. In Proceedings of the 29th USENIX Security Symposium (USENIX Security \u201920). USENIX, 2469\u20132486. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/shafagh."},{"key":"e_1_3_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/2087522.2087531"},{"key":"e_1_3_3_2_58_2","unstructured":"Jeremy Thomas. 2023. Bulma. https:\/\/bulma.io\/."},{"key":"e_1_3_3_2_59_2","volume-title":"Secure Cloud Storage","unstructured":"Tresorit. [n. d.]. Secure Cloud Storage. https:\/\/tresorit.com\/individuals"},{"key":"e_1_3_3_2_60_2","volume-title":"Materialize","author":"Wang Alvin","year":"2014","unstructured":"Alvin Wang. 2014. Materialize. https:\/\/github.com\/Dogfalo\/materialize"},{"key":"e_1_3_3_2_61_2","volume-title":"Authlib","author":"Yang Hsiaoming","year":"2017","unstructured":"Hsiaoming Yang. 2017. Authlib. 
https:\/\/github.com\/lepture\/authlib"}],"event":{"name":"ASIA CCS '25: 20th ACM Asia Conference on Computer and Communications Security","location":"Hanoi Vietnam","acronym":"ASIA CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 20th ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3708821.3736217","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T07:33:44Z","timestamp":1755070424000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3708821.3736217"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,24]]},"references-count":60,"alternative-id":["10.1145\/3708821.3736217","10.1145\/3708821"],"URL":"https:\/\/doi.org\/10.1145\/3708821.3736217","relation":{},"subject":[],"published":{"date-parts":[[2025,8,24]]},"assertion":[{"value":"2025-08-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}