
Towards Enhancing The Security Of OAuth Implementations In Smart Phones

M. Shehab, Fadi Mohsen
Published 2014 · Computer Science

With the rapid growth and wide adoption of smart mobile devices, users are continuously integrating with the culture of mobile applications (apps). These apps not only gain access to information on the smartphone; they are also able to obtain users' authorization to access remote servers on their behalf. The Open standard for Authorization (OAuth) is widely used in mobile apps to gain access to a user's resources on remote service providers. In this paper, we analyze the different OAuth implementations adopted by the SDKs of popular resource providers on smartphones and demonstrate possible attacks on most OAuth implementations. By analyzing the source code of more than 430 popular Android apps, we summarize the trends followed by the service providers and the OAuth development choices made by application developers. In addition, we propose an application-based OAuth Manager framework that provides a secure OAuth flow on smartphones, is based on the concept of privilege separation, and does not require high overhead.