
Formal Analysis Of A Single Sign-On Protocol Implementation For Android

Quanqi Ye, Guangdong Bai, Kailong Wang, J. Dong
Published 2015 · Computer Science

With the boom of social networking, Single Sign-On (SSO) services developed by major commercial service providers such as Facebook, Google and Twitter have been widely adopted by web-based service providers as an alternative authentication scheme. Although much research has focused on browser-based web applications, little has been conducted on the implementation of SSO on mobile platforms. We reveal that, because the isolation mechanism for mobile operating systems and applications differs fundamentally from the origin-based isolation in browsers, SSO on mobile platforms faces a novel attack surface and new adversarial models. We perform the first formal analysis of the implementation of the most widely used SSO service, Facebook Login. Our study takes as input the available implementation and dynamic execution traces of the Facebook SDK for Android, from which we abstract the implementation-level protocol. The protocol is then modeled in the typed pi-calculus and automatically checked against mobile-platform-specific attack models in the protocol verifier ProVerif. Our study has identified a major vulnerability that allows an attacker to steal authentication credentials from victims and log into their Facebook accounts.
This paper references
Proverif: Cryptographic protocol verifier in the formal model (2015).
D. Cohen (2013). Login with Facebook update: Apps must now separately request permission to post on behalf of users.
J. Sun, G. Bai. "The web origin concept," RFC 6454, Dec 2011. [Online]
H. Bagheri (2015). Detection of Design Flaws in the Android Permission Protocol Through Bounded Verification. DOI: 10.1007/978-3-319-19249-9_6
Intents and intent filters (2015).
E. Y. Chen (2014). OAuth Demystified for Mobile Application Developers. DOI: 10.1145/2660267.2660323
B. Darwell (2012). Facebook platform supports more than 42 million pages and 9 million apps.
User authentication with OAuth 2 (2015).
Android and iOS squeeze the competition, swelling to 96.3% of the smartphone operating system market for both 4Q14 and CY14, according to IDC (2015).
Chetan Bansal (2012). Discovering Concrete Attacks on Website Authorization by Formal Analysis. DOI: 10.1109/CSF.2012.27
R. Wang (2012). Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. DOI: 10.1109/SP.2012.30
M. Zalewski (2011). Browser Security Handbook, part 2. Available: https://goo
B. Blanchet (2011). ProVerif 1.85: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial.
蔡瑋哲 (2012). A Study and Implementation of the Single Sign-On Mechanism. DOI: 10.6838/YZU.2012.00271
M. Ryan (2011). Applied pi calculus. DOI: 10.3233/978-1-60750-714-7-112
Guangdong Bai (2015). All Your Sessions Are Belong to Us: Investigating Authenticator Leakage through Backup Channels on Android. DOI: 10.1109/ICECCS.2015.17
Jon Oberheide (2010). When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. DOI: 10.1145/1734583.1734595
M. D. Ryan (2011). Applied pi calculus, in Formal Models and Techniques for Analyzing Security Protocols.
Model Android SSO (2015). Available: https://goo
Security risk as people use same password on all websites (2009).
Guangdong Bai (2013). AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations.
Facebook login overview (2015). Available: https://goo
A. Barth (2011). The Web Origin Concept. DOI: 10.17487/RFC6454
R. Wang (2013). Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization.

This paper is referenced by
Shangcheng Shi (2019). MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications. DOI: 10.1145/3321705.3329801
Guangdong Bai (2018). Towards Model Checking Android Applications. DOI: 10.1109/TSE.2017.2697848
Kailong Wang (2017). A Framework for Formal Analysis of Privacy on SSO Protocols. DOI: 10.1007/978-3-319-78813-5_41
Kulani Mahadewa (2018). HOMESCAN: Scrutinizing Implementations of Smart Home Integrations. DOI: 10.1109/ICECCS2018.2018.00011
Tamjid Al Rahat (2019). OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications. DOI: 10.1109/ASE.2019.00036
Guangdong Bai (2015). All Your Sessions Are Belong to Us: Investigating Authenticator Leakage through Backup Channels on Android. DOI: 10.1109/ICECCS.2015.17
Ronghai Yang (2017). Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols. DOI: 10.1007/978-3-319-61204-1_16
Quanqi Ye (2017). Inferring Implicit Assumptions and Correct Usage of Mobile Payment Protocols. DOI: 10.1007/978-3-319-78813-5_24
Quanqi Ye (2019). LightSense: A Novel Side Channel for Zero-permission Mobile User Tracking. DOI: 10.1007/978-3-030-30215-3_15
Kailong Wang (2018). Analyzing Security and Privacy in Design and Implementation of Web Authentication Protocols. DOI: 10.1007/978-3-030-02450-5_31
Kulani Mahadewa (2019). Scrutinizing Implementations of Smart Home Integrations. DOI: 10.1109/tse.2019.2960690
Giada Sciarretta (2018). Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience. DOI: 10.1007/978-3-319-89722-6_8
R. Yang (2016). Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0.
X. Liu (2018). Android single sign-on security: Issues, taxonomy and directions. DOI: 10.1016/j.future.2018.06.049
Zhiqiang Lin (2019). Information Security: 22nd International Conference, ISC 2019, New York City, NY, USA, September 16–18, 2019, Proceedings. DOI: 10.1007/978-3-030-30215-3
Some data provided by Semantic Scholar.