
Towards Enhancing The Security Of OAuth Implementations In Smart Phones

M. Shehab, Fadi Mohsen
Published 2014 · Computer Science

With the roaring growth and wide adoption of smart mobile devices, users are continuously integrating into the culture of mobile applications (apps). These apps not only gain access to information on the smartphone, but are also able to obtain users' authorization to access remote servers on their behalf. The Open standard for Authorization (OAuth) is widely used in mobile apps to gain access to users' resources on remote service providers. In this paper, we analyze the different OAuth implementations adopted by the SDKs of popular resource providers on smartphones and demonstrate possible attacks on most of these OAuth implementations. By analyzing the source code of more than 430 popular Android apps, we summarize the trends followed by the service providers and the OAuth development choices made by application developers. In addition, we propose an application-based OAuth Manager framework that provides a secure OAuth flow on smartphones, is based on the concept of privilege separation, and does not require high overhead.

This paper is referenced by
Understanding Mobile Users’ Privacy Expectations: A Recommendation-Based Method Through Crowdsourcing
Rui Liu (2019)
Hardening the OAuth-WebView Implementations in Android Applications by Re-Factoring the Chromium Library
Fadi Mohsen (2016)
A Lightweight Privacy-Preserving OAuth2-Based Protocol for Smart City Mobile Apps
Victor Sucasas (2016)
OAuth Demystified for Mobile Application Developers
E. Y. Chen (2014)
Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
Giada Sciarretta (2017)
MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications
Shangcheng Shi (2019)
Proposing and Testing New Security Cue Designs for OAuth-WebView-Embedded Mobile Applications
Fadi Mohsen (2017)
An Extensive Formal Security Analysis of the OpenID Financial-Grade API
Daniel Fett (2019)
Decoupled-IFTTT: Constraining Privilege in Trigger-Action Platforms for the Internet of Things
Earlence Fernandes (2017)
Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution
Giada Sciarretta (2016)
A delegated authorization solution for smart-city mobile applications
Giada Sciarretta (2016)
A privacy-enhanced OAuth 2.0 based protocol for Smart City mobile applications
V. Sucasas (2018)
An Authorization Framework with OAuth for FinTech Servers
Bayram Doğan Göçer (2019)
Design and Security Assessment of Usable Multi-factor Authentication and Single Sign-On Solutions for Mobile Applications - A Workshop Experience Report
Roberto Carbone (2018)
Principles of Security and Trust
Lujo Bauer (2018)
OAuth-SSO: A Framework to Secure the OAuth-Based SSO Service for Packaged Web Applications
Nazmul Hossain (2018)
Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems
D. Davidson (2017)
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
Giada Sciarretta (2018)
Decentralized Action Integrity for Trigger-Action IoT Platforms
E. Fernandes (2018)
Securing Personal IoT Platforms through Systematic Analysis and Design
E. Fernandes (2017)
Android single sign-on security: Issues, taxonomy and directions
X. Liu (2018)
Raising the Bar Really High: An MTD Approach to Protect Data in Embedded Browsers
Fadi Mohsen (2019)
OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications
Tamjid Al Rahat (2019)
A Comprehensive Formal Security Analysis of OAuth 2.0
Daniel Fett (2016)
An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications
Xiaohan Zhang (2018)
An OAuth2-based protocol with strong user privacy preservation for smart city mobile e-Health apps
V. Sucasas (2016)
Social login with OAuth for mobile applications: User's view
Lee Ho (2016)
Security to Outsource Data in Community Cloud with the Trusted Tenant System
K. Kunal (2015)