
OAuth Demystified For Mobile Application Developers

E. Y. Chen, Yutong Pei, Shuo Chen, Y. Tian, Robert Kotcher, P. Tague
Published 2014 · Computer Science

OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs for websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers. Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field-study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications.
This paper references
The OAuth 2.0 Authorization Framework: Bearer Token Usage draft-ietf-oauth-v2-bearer-22
David Recordon (2012)
The problem with OAuth for authentication.
J. Bradley (2012)
How we hacked Facebook with OAuth2 and Chrome bugs.
E. Homakov (2013)
Systematic Detection of Capability Leaks in Stock Android Smartphones
M. Grace (2012)
Unauthorized origin crossing on mobile platforms: threats and mitigation
Renmin Wang (2013)
Attacks and defenses
A. P. Felt (2011)
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
OAuth 2.0 and the road to hell.
E. Hammer-Lahav (2012)
Analyzing inter-application communication in Android
E. Chin (2011)
Securing frame communication in browsers
A. Barth (2009)
How I hacked any Facebook account
M. C. Grace
AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations
Guangdong Bai (2013)
OAuth1, OAuth2, OAuth...?
E. Homakov (2013)
Implementing custom URL schemes.
Apple Inc.
Tencent announces 2012 fourth quarter and annual results.
Tencent Holdings (1991)
Tencent announces 2013 first quarter results.
Tencent Holdings
Unsafe exposure analysis of mobile in-app advertisements
M. Grace (2012)
Setuid Demystified
H. Chen (2002)
OAuth security advisory: 2009.1.
E. Hammer-Lahav (2009)
UIWebView class reference.
Apple Inc.
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
OpenID Authentication 1.1.
B. Fitzpatrick
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
R. Wang (2012)
Internet Engineering Task Force (IETF)
S. Bryant (2015)
On Breaking SAML: Be Whoever You Want to Be
Juraj Somorovsky (2012)
Permission Re-Delegation: Attacks and Defenses
Adrienne Porter Felt (2011)
The OAuth 1.0 Protocol
Internet Engineering Task Force (IETF)
Towards Enhancing the Security of OAuth Implementations in Smart Phones
Mohamed Shehab (2014)
QUIRE: Lightweight Provenance for Smart Phone Operating Systems
Michael Dietz (2011)
How I hacked Facebook OAuth to get full permission on any Facebook account (without app "allow" interaction)
N. Goldshlager
How I hacked any Facebook account... again!
N. Goldshlager
AdDroid: privilege separation for applications and advertisers in Android
P. Pearce (2012)
The OAuth 2.0 Authorization Framework
D. Hardt (2012)
The OAuth 2.0 Authorization Framework: Bearer Token Usage
M. Jones (2012)
AdSplit: Separating Smartphone Advertising from Applications
S. Shekhar (2012)
Investigating User Privacy in Android Ad Libraries
Ryan Stevens (2012)
CHEX: statically vetting Android apps for component hijacking vulnerabilities
Long Lu (2012)
Intents and Intent Filters.
Google Inc.
OAuth Core 1.0 Revision A
Internet Engineering Task Force (IETF)
Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures
San-Tsai Sun (2012)
Attacks on WebView in the Android system
Tongbo Luo (2011)
Privilege Escalation Attacks on Android
L. Davi (2010)
Advanced App Tricks.
Apple Inc.
The most dangerous code in the world: validating SSL certificates in non-browser software
M. Georgiev (2012)

This paper is referenced by
Security Analysis of Emerging Smart Home Applications
E. Fernandes (2016)
PDGuard: an architecture for the control and secure processing of personal data
Dimitris Mitropoulos (2019)
An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications
Xiaohan Zhang (2018)
A Comprehensive Formal Security Analysis of OAuth 2.0
Daniel Fett (2016)
An Extensive Formal Security Analysis of the OpenID Financial-Grade API
Daniel Fett (2019)
Understanding and mitigating OpenID Connect threats
J. Navas (2019)
RESTful Is Not Secure
Tetiana Yarygina (2017)
Edge Computing Security: State of the Art and Challenges
Yinhao Xiao (2019)
Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability Related With Web Functions
Jiawei Qin (2020)
Analyzing Security Property of Android Application Implementation Using Formal Method
Quanqi Ye (2015)
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
R. Yang (2018)
3 Android Tasks State Transition Model 3 . 1 Task and Back
C. Ren (2015)
Hardening the OAuth-WebView Implementations in Android Applications by Re-Factoring the Chromium Library
Fadi Mohsen (2016)
Towards the Usability Evaluation of Security APIs
P. Gorski (2016)
Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations
R. Yang (2016)
Towards Discovering and Understanding Task Hijacking in Android
C. Ren (2015)
You Get Where You're Looking for: The Impact of Information Sources on Code Security
Y. Acar (2016)
An OAuth2-based protocol with strong user privacy preservation for smart city mobile e-Health apps
V. Sucasas (2016)
Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on
C. Mainka (2016)
HanGuard: SDN-driven protection of smart home WiFi devices from malicious mobile apps
S. Demetriou (2017)
Novel Extended Federated Authentication and Authorization Framework
Edward Rajah (2019)
Measuring the Insecurity of Mobile Deep Links of Android
F. Liu (2017)
Design Space Exploration for Security
E. Kang (2016)
Decoupled-IFTTT: Constraining Privilege in Trigger-Action Platforms for the Internet of Things
Earlence Fernandes (2017)
Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
Giada Sciarretta (2017)
Verifying OAuth Implementations Through Encrypted Network Analysis
Josh Talkington (2019)
The Achilles heel of OAuth: a multi-platform study of OAuth-based authentication
Huihui Wang (2016)
On Secret Management and Handling in Mobile Application Development Life Cycle: A Position Paper
Panuchart Bunyakiati (2019)
A Large-Scale Study of Mobile Web App Security
Patrick Mutchler (2015)
On the security of modern Single Sign-On Protocols: OpenID Connect 1.0
V. Mladenov (2015)
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
W. Li (2019)
An Empirical Usability Analysis of the Google Authentication API
Chamila Wijayarathna (2019)
Some data provided by Semantic Scholar.