Online citations, reference lists, and bibliographies.

Anatomy Of The Facebook Solution For Mobile Single Sign-on: Security Assessment And Improvements

Giada Sciarretta, R. Carbone, Silvio Ranise, A. Armando
Published 2017 · Computer Science

Cite This
Download PDF
Analyze on Scholarcy
Share
Abstract While there exist many secure authentication and authorization solutions for web applications, their adaptation in the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) for mobile native applications drives many social network vendors (acting as Identity Providers) to develop their own mobile solution. However, as the implementation details are not well documented, it is difficult to establish the proper security level of these solutions. We thus provide a rational reconstruction of the Facebook SSO flow, including a comparison with the OAuth 2.0 standard and a security analysis obtained testing the Facebook SSO reconstruction against a set of identified SSO attacks. Based on this analysis, we have modified and generalized the Facebook solution proposing a native SSO abstract model and a related implementation capable of solving the identified vulnerabilities and accommodating any Identity Provider. Finally, we have analyzed the new native SSO solution proposed by the OAuth Working Group, extracted the related abstract model and made a comparison with our proposal.
This paper references
10.1002/9781119183655
The Mobile Application Hacker's Handbook: Chell/Mobile
Dominic Chell (2014)
10.5220/0005969001470158
Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution
Giada Sciarretta (2016)
10.1145/2976749.2978385
A Comprehensive Formal Security Analysis of OAuth 2.0
Daniel Fett (2016)
10.1109/SP.2012.30
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
R. Wang (2012)
10.1145/1456396.1456397
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
10.1145/2382196.2382238
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
10.1109/MobServ.2014.15
Towards Enhancing the Security of OAuth Implementations in Smart Phones
Mohamed Shehab (2014)
10.1145/2660267.2660323
OAuth Demystified for Mobile Application Developers
E. Y. Chen (2014)
10.1109/SP.2014.49
An Expressive Model for the Web Infrastructure: Definition and Application to the Browser ID SSO System
Daniel Fett (2014)
10.1007/978-3-642-04444-1_21
Secure Pseudonymous Channels
S. Mödersheim (2009)
10.1109/CSF.2012.27
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)
10.14722/NDSS.2016.23286
Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
Avinash Sudhodanan (2016)
10.1109/CSFW.1997.596782
A hierarchy of authentication specifications
G. Lowe (1997)
10.3233/JCS-1996-4104
A Calculus for Security Bootstrapping in Distributed Systems
U. Maurer (1996)



This paper is referenced by
Semantic Scholar Logo Some data provided by SemanticScholar