
OAuth Demystified For Mobile Application Developers

Eric Y. Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, Patrick Tague
Published 2014 (ACM Conference on Computer and Communications Security, CCS '14) · Computer Science

OAuth has become a highly influential protocol because of its swift and wide adoption in industry. The protocol's initial objective was specific: it served the authorization needs of websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to mobile platforms in addition to the traditional web platform. We therefore believe it is necessary and timely to conduct an in-depth study that demystifies OAuth for mobile application developers. Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what may be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that shows how well developers fulfill the authentication and authorization goals in practice. The result is worrisome: among the 149 applications that use OAuth, 89 (59.7%) were implemented incorrectly and are thus vulnerable. In the paper, we pinpoint the portions of each OAuth protocol flow that are security critical but confusing or unspecified for mobile application developers. We then show several representative cases to explain concretely how real implementations fell into these pitfalls. Our findings have been communicated to the vendors of the vulnerable applications; most confirmed the issues, and some have applied fixes. We summarize the lessons learned from the study, hoping to provoke further thought about clear guidelines for OAuth usage in mobile applications.
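The abstract's first observation, that an authorization protocol has been re-purposed for authentication, is the root of one well-known mobile pitfall: an app's backend accepts any valid access token that resolves to a user as a login, without checking which client the provider issued that token to. Since any app the victim has ever authorized holds such a token, a malicious app can replay the victim's token to the honest app's backend. The following is an added illustration, not code from the paper or from any identity provider: the provider, its profile endpoint and its token-introspection endpoint are modelled in memory, and the client ids and user name are made up.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IssuedToken:
    user_id: str
    client_id: str  # the app the user authorised: the token's intended audience


class IdentityProvider:
    """In-memory stand-in for a Facebook/Google-style provider (constructed for this example)."""

    def __init__(self) -> None:
        self._tokens: dict[str, IssuedToken] = {}

    def issue_access_token(self, user_id: str, client_id: str) -> str:
        """Simulates the user completing the OAuth flow inside app `client_id`."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = IssuedToken(user_id, client_id)
        return token

    def profile(self, access_token: str) -> Optional[dict]:
        """Like a /me endpoint: any valid token returns the profile, whichever app it belongs to."""
        issued = self._tokens.get(access_token)
        return None if issued is None else {"id": issued.user_id}

    def introspect(self, access_token: str) -> Optional[dict]:
        """Like an introspection / debug_token endpoint: also reports the token's audience."""
        issued = self._tokens.get(access_token)
        return None if issued is None else {"user_id": issued.user_id, "client_id": issued.client_id}


class VulnerableBackend:
    """Backend of an honest app that treats a bearer access token as proof of identity."""

    def __init__(self, idp: IdentityProvider, client_id: str) -> None:
        self.idp, self.client_id = idp, client_id

    def login(self, access_token: str) -> Optional[str]:
        profile = self.idp.profile(access_token)
        if profile is None:
            return None
        # Opens a session for whoever the token names; never asks who the token was issued to.
        return profile["id"]


class HardenedBackend:
    """Same backend, but it only accepts tokens the provider issued to this very app."""

    def __init__(self, idp: IdentityProvider, client_id: str) -> None:
        self.idp, self.client_id = idp, client_id

    def login(self, access_token: str) -> Optional[str]:
        info = self.idp.introspect(access_token)
        if info is None or info["client_id"] != self.client_id:
            return None  # valid token, but issued to another app: reject it
        return info["user_id"]


def token_substitution_demo() -> tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (vulnerable login, hardened login with the attacker's token, hardened login with own token)."""
    idp = IdentityProvider()
    honest_app, attacker_app = "honest-app", "attacker-app"  # constructed client ids
    # The victim legitimately signs in to the attacker's app, so the attacker now holds a token
    # for the victim that was issued to attacker-app, and replays it to the honest app's backend.
    attacker_held = idp.issue_access_token("alice", attacker_app)
    own = idp.issue_access_token("alice", honest_app)
    vulnerable = VulnerableBackend(idp, honest_app)
    hardened = HardenedBackend(idp, honest_app)
    return vulnerable.login(attacker_held), hardened.login(attacker_held), hardened.login(own)


if __name__ == "__main__":
    print(token_substitution_demo())
```

The vulnerable backend logs the attacker in as alice; the hardened one rejects the same token because its audience is another client, while still accepting a token issued to the honest app. Real providers expose the audience through an introspection-style endpoint or, when OpenID Connect is used, through the `aud` claim of a signed ID token; either way the check belongs on the server, not in the mobile app, since anything the app does can be skipped by an attacker talking to the backend directly.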
This paper is referenced by
Fernandes, E. (2016). Security Analysis of Emerging Smart Home Applications. doi:10.1109/SP.2016.44
Mitropoulos, D. (2019). PDGuard: an architecture for the control and secure processing of personal data. doi:10.1007/s10207-019-00468-5
Zhang, X. (2018). An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
Fett, D. (2016). A Comprehensive Formal Security Analysis of OAuth 2.0. doi:10.1145/2976749.2978385
Fett, D. (2019). An Extensive Formal Security Analysis of the OpenID Financial-Grade API. doi:10.1109/SP.2019.00067
Navas, J. (2019). Understanding and mitigating OpenID Connect threats. doi:10.1016/j.cose.2019.03.003
Yarygina, T. (2017). RESTful Is Not Secure. doi:10.1007/978-981-10-5421-1_12
Xiao, Y. (2019). Edge Computing Security: State of the Art and Challenges. doi:10.1109/JPROC.2019.2918437
Qin, J. (2020). Vulnerability Detection on Android Apps: Inspired by Case Study on Vulnerability Related With Web Functions. doi:10.1109/ACCESS.2020.2998043
Ye, Q. (2015). Analyzing Security Property of Android Application Implementation Using Formal Method. doi:10.1109/ICECCS.2015.39
Yang, R. (2018). Vetting Single Sign-On SDK Implementations via Symbolic Reasoning.
Mohsen, F. (2016). Hardening the OAuth-WebView Implementations in Android Applications by Re-Factoring the Chromium Library. doi:10.1109/CIC.2016.036
Gorski, P. (2016). Towards the Usability Evaluation of Security APIs.
Yang, R. (2016). Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations. doi:10.1145/2897845.2897874
Ren, C. (2015). Towards Discovering and Understanding Task Hijacking in Android.
Acar, Y. (2016). You Get Where You're Looking for: The Impact of Information Sources on Code Security. doi:10.1109/SP.2016.25
Sucasas, V. (2016). An OAuth2-based protocol with strong user privacy preservation for smart city mobile e-Health apps. doi:10.1109/ICC.2016.7511598
Mainka, C. (2016). Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on. doi:10.1109/EuroSP.2016.33
Demetriou, S. (2017). HanGuard: SDN-driven protection of smart home WiFi devices from malicious mobile apps. doi:10.1145/3098243.3098251
Rajah, E. (2019). Novel Extended Federated Authentication and Authorization Framework.
Liu, F. (2017). Measuring the Insecurity of Mobile Deep Links of Android.
Kang, E. (2016). Design Space Exploration for Security. doi:10.1109/SecDev.2016.017
Fernandes, E. (2017). Decoupled-IFTTT: Constraining Privilege in Trigger-Action Platforms for the Internet of Things.
Sciarretta, G. (2017). Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements. doi:10.1016/j.cose.2017.04.011
Talkington, J. (2019). Verifying OAuth Implementations Through Encrypted Network Analysis. doi:10.1145/3322431.3326449
Wang, H. (2016). The Achilles heel of OAuth: a multi-platform study of OAuth-based authentication. doi:10.1145/2991079.2991105
Bunyakiati, P. (2019). On Secret Management and Handling in Mobile Application Development Life Cycle: A Position Paper. doi:10.1109/ASEW.2019.00033
Mutchler, P. (2015). A Large-Scale Study of Mobile Web App Security.
Mladenov, V. (2015). On the security of modern Single Sign-On Protocols: OpenID Connect 1.0.
Li, W. (2019). OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect. doi:10.1145/3338500.3360331
Wijayarathna, C. (2019). An Empirical Usability Analysis of the Google Authentication API. doi:10.1145/3319008.3319350