DOI: 10.1145/2660267.2660323
research-article

OAuth Demystified for Mobile Application Developers

Published: 03 November 2014

ABSTRACT

OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it served the authorization needs of websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers. Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thought about clear guidelines for OAuth usage in mobile applications.


Published in

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN: 9781450329576
DOI: 10.1145/2660267

            Copyright © 2014 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance Rates

CCS '14 paper acceptance rate: 114 of 585 submissions, 19%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%
