Security Of Mobile Single Sign-On: A Rational Reconstruction Of Facebook Login Solution

Giada Sciarretta, A. Armando, R. Carbone, Silvio Ranise
Published 2016 · Computer Science

While there exist many secure authentication and authorization solutions for web applications, their adaptation to the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) for mobile native applications drives many social network vendors (acting as Identity Providers) to develop their own mobile solutions. However, as the implementation details are not well documented, it is difficult to establish the proper security level of these solutions. We thus provide a rational reconstruction of the Facebook SSO flow, including a comparison with the OAuth 2.0 standard and a security analysis obtained by testing the Facebook SSO reconstruction against a set of identified SSO attacks. Based on this analysis, we have modified and generalized the Facebook solution, proposing a native SSO solution capable of solving the identified vulnerabilities and accommodating any Identity Provider.
This paper references
Getting Started with the Facebook SDK for Android. Facebook (2015)
How we hacked facebook with OAuth2 and Chrome bugs. E. Homakov (2013)
Towards Enhancing the Security of OAuth Implementations in Smart Phones. Mohamed Shehab (2014). doi:10.1109/MobServ.2014.15
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. San-Tsai Sun (2012). doi:10.1145/2382196.2382238
NAPPS has left the building (but is still on the front lawn). P. Madsen (2015)
OAuth Demystified for Mobile Application Developers. E. Y. Chen (2014). doi:10.1145/2660267.2660323
Stealing Passwords is Easy in Native Mobile Apps Despite OAuth. A. Wulf (2011)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. R. Wang, Y. Gurevich et al. (2013)
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. R. Wang (2012). doi:10.1109/SP.2012.30
Getting Started with OAuth 2.0: Programming Clients for Secure Web API Authorization and Authentication. R. Boyd (2012). http://itebooks.info/read/664
Signed Requests. Facebook (2016)
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps. A. Armando (2008). doi:10.1145/1456396.1456397
Mobile OS Developments & Native Application Authentication. P. Madsen (2015)
The OAuth 2.0 Authorization Framework. D. Hardt (2012). doi:10.17487/RFC6749
A serious OAuth security (2010)
Discovering Concrete Attacks on Website Authorization by Formal Analysis. Chetan Bansal (2012). doi:10.1109/CSF.2012.27
OpenID Connect Native Application Token Agent Core 1.0. F. Mohsen
Analyzing inter-application communication in Android. E. Chin (2011). doi:10.1145/1999995.2000018
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. Y. Zhou (2014)
How I hacked any Facebook Account...again! N. Goldshlager (2013). http://www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html