ABSTRACT
OAuth has become a highly influential protocol thanks to its swift and wide adoption in the industry. The initial objective of the protocol was specific: to serve the authorization needs of websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers. Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions of each OAuth protocol flow that are security critical but confusing or unspecified for mobile application developers. We then show several representative cases to explain concretely how real implementations fell into these pitfalls. Our findings have been communicated to the vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize the lessons learned from the study, hoping to provoke further thought about clear guidelines for OAuth usage in mobile applications.
- OAuth Demystified for Mobile Application Developers