
Formal Analysis Of A Single Sign-On Protocol Implementation For Android

Quanqi Ye, Guangdong Bai, Kailong Wang, J. Dong
Published 2015 · Computer Science

With the boom of social networking, Single Sign-On (SSO) services developed by major commercial service providers such as Facebook, Google and Twitter have been widely adopted by web-based service providers as an alternative authentication scheme. Although rich research has focused on browser-based web applications, little has been conducted on the implementation of SSO on mobile platforms. However, we reveal that, because the isolation mechanism of mobile OSes and applications differs fundamentally from the origin-based isolation in browsers, SSO faces a novel attack surface and adversarial models. We perform the first formal analysis of the implementation of the most widely used SSO service, Facebook Login. Our study takes as input the available implementation and dynamic execution traces of the Facebook SDK for Android, from which we abstract the implementation-level protocol. The protocol is then modeled in typed Pi-calculus and automatically checked against mobile-platform-specific attack models in the protocol verifier ProVerif. Our study has identified a major vulnerability, which allows an attacker to steal authentication credentials from victims and log into their Facebook accounts.
This paper references
Proverif: Cryptographic protocol verifier in the formal model
Login with facebook update: Apps must now separately request permission to post on behalf of users
D Cohen (2013)
The Web Origin Concept, RFC 6454, Dec 2011. [Online]
J. Sun G. Bai
Detection of Design Flaws in the Android Permission Protocol Through Bounded Verification
H. Bagheri (2015)
Intents and intent filters
OAuth Demystified for Mobile Application Developers
E. Y. Chen (2014)
Facebook platform supports more than 42 million pages and 9 million apps
B Darwell (2012)
User authentication with oauth 2
Android and ios squeeze the competition, swelling to 96.3% of the smartphone operating system market for both 4q14 and cy14, according to idc
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
R. Wang (2012)
Browser Security Handbook, part 2 Available: https://goo
M Zelwski (2011)
ProVerif 1.85: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial
B. Blanchet (2011)
Discussion and Implementation of a Single Sign-On Mechanism
蔡瑋哲 (2012)
Applied pi calculus
M. Ryan (2011)
All Your Sessions Are Belong to Us: Investigating Authenticator Leakage through Backup Channels on Android
Guangdong Bai (2015)
When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments
Jon Oberheide (2010)
Applied pi calculus, in Formal Models and Techniques for Analyzing Security Protocols
M D Ryan (2011)
Available: https://goo
Model Android Sso (2015)
Security risk as people use same password on all websites
AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations
Guangdong Bai (2013)
Facebook login overview. Available: https://goo
The Web Origin Concept
A. Barth (2011)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)

This paper is referenced by
MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications
Shangcheng Shi (2019)
Towards Model Checking Android Applications
Guangdong Bai (2018)
A Framework for Formal Analysis of Privacy on SSO Protocols
Kailong Wang (2017)
HOMESCAN: Scrutinizing Implementations of Smart Home Integrations
Kulani Mahadewa (2018)
OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications
Tamjid Al Rahat (2019)
All Your Sessions Are Belong to Us: Investigating Authenticator Leakage through Backup Channels on Android
Guangdong Bai (2015)
Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols
Ronghai Yang (2017)
Inferring Implicit Assumptions and Correct Usage of Mobile Payment Protocols
Quanqi Ye (2017)
LightSense: A Novel Side Channel for Zero-permission Mobile User Tracking
Quanqi Ye (2019)
Analyzing Security and Privacy in Design and Implementation of Web Authentication Protocols
Kailong Wang (2018)
Scrutinizing Implementations of Smart Home Integrations
Kulani Mahadewa (2019)
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
Giada Sciarretta (2018)
Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0
R. Yang (2016)
Android single sign-on security: Issues, taxonomy and directions
X. Liu (2018)
Information Security: 22nd International Conference, ISC 2019, New York City, NY, USA, September 16–18, 2019, Proceedings
Zhiqiang Lin (2019)