OAuth Demystified for Mobile Application Developers

OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it served the authorization needs of websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers. Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to the vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize the lessons learned from the study, hoping to provoke further thought about clear guidelines for OAuth usage in mobile applications.
