OAuth demystified for mobile application developers

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2014, Pages 892-903

  Chen, Eric ^a   Pei, Yutong ^a   Chen, Shuo ^b   Tian, Yuan ^a   Kotcher, Robert ^a   Tague, Patrick ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b MICROSOFT RESEARCH   (United States)

Author keywords

Android; IOS; Mobile platform; Same origin policy

Indexed keywords

DRILLING PLATFORMS; MOBILE COMPUTING;

ANDROID; AUTHENTICATION AND AUTHORIZATION; IDENTITY PROVIDERS; MOBILE APPLICATIONS; MOBILE PLATFORM; REPRESENTATIVE CASE; SAME-ORIGIN POLICY; USER AUTHENTICATION;

AUTHENTICATION;

EID: 84910671293     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2660267.2660323     Document Type: Conference Paper

References (43)

1. Apple Inc. Advanced app tracks. https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/AdvancedAppTricks/AdvancedAppTricks.html.
2. Apple Inc. Implementing custom url schemes. https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/AdvancedAppTricks/AdvancedAppTricks.html#//apple-ref/doc/uid/TP40007072-CH7-SW50.
3. Apple Inc. Uiwebview class reference. https://developer.apple.com/library/ios/documentation/uikit/reference/UIWebView-Class/Reference/Reference.html.
4. A. Armando, R. Carbone, L. Compagna, J. Cuellar, and L. Tobarra. Formal analysis of saml 2.0 web browser single sign-on: Breaking the saml-based single sign-on for google apps. In Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering, FMSE '08, pages 1-10, New York, NY, USA, 2008. ACM.
5. G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong. Authscan: Automatic extraction of web authentication protocols from implementations. In NDSS. The Internet Society, 2013.
6. A. Barth, C. Jackson, and J. C. Mitchell. Securing frame communication in browsers. Commun. ACM, 52(6):83-91, June 2009.
7. J. Bradley. The problem with oauth for authentication. http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html.
8. H. Chen, D. Wagner, and D. Dean. Setuid demystified. In Proceedings of the 11th USENIX Security Symposium, pages 171-190, Berkeley, CA, USA, 2002. USENIX Association.
9. E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys '11, pages 239-252, New York, NY, USA, 2011. ACM.
10. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy. Privilege escalation attacks on android. In Proceedings of the 13th International Conference on Information Security, ISC'10, pages 346-360, Berlin, Heidelberg, 2011. Springer-Verlag.
11. M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. Quire: Lightweight provenance for smart phone operating systems. In Proceedings of the 20th USENIX Conference on Security, SEC'11, pages 23-23, Berkeley, CA, USA, 2011. USENIX Association.
12. A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In USENIX Security Symposium. USENIX Association, 2011.
13. B. Fitzpatrick and D. Recordon. Openid authentication 1.1. http://openid.net/specs/openid-authentication-1-1.html.
14. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: Validating ssl certificates in non-browser software. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 38-49, New York, NY, USA, 2012. ACM.
15. N. Goldshlager. How i hacked any facebook account..again! http://www.breaksec.com/?p=5753.
16. N. Goldshlager. How i hacked facebook oauth to get full permission on any facebook account (without app "allow" interaction). http://www.breaksec.com/?p=5734.
17. Google Inc. Intent. http://developer.android.com/reference/android/content/Intent.html.
18. Google Inc. Intents and intent filter. http://developer.android.com/guide/components/intents-filters.html.
19. Google Inc. Webview. http://developer.android.com/reference/android/webkit/WebView.html.
20. M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC '12, pages 101-112, New York, NY, USA, 2012. ACM.
21. M. C. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock android smartphones. In NDSS. The Internet Society, 2012.
22. E. Hammer-Lahav. Oauth 2.0 and the road to hell. http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/.
23. E. Hammer-Lahav. Oauth security advisory: 2009.1. http://oauth.net/advisories/2009-1/.
24. E. Homakov. How we hacked facebook with oauth2 and chrome bugs. http://homakov.blogspot.ca/2013/02/hacking-facebook-with-oauth2-and-chrome.html.
25. E. Homakov. Oauth1, oauth2, oauth..? http://homakov.blogspot.ca/2013/03/oauth1-oauth2-oauth.html.
26. Internet Engineering Task Force (IETF). The oauth 1.0 protocol. http://tools.ietf.org/html/rfc5849.
27. Internet Engineering Task Force (IETF). The oauth 2.0 authorization framework. http://tools.ietf.org/html/rfc6749.
28. Internet Engineering Task Force (IETF). The oauth 2.0 authorization framework: Bearer token usage. http://tools.ietf.org/html/rfc6750.
29. Internet Engineering Task Force (IETF). Oauth core 1.0 revision a. http://oauth.net/core/1.0a/.
30. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 229-240, New York, NY, USA, 2012. ACM.
31. T. Luo, H. Hao, W. Du, Y. Wang, and H. Yin. Attacks on webview in the android system. In Annual Computer Security Applications Conference, pages 343-352, 2011.
32. P. Pearce, A. P. Felt, G. Nunez, and D. Wagner. Addroid: Privilege separation for applications and advertisers in android. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS '12, pages 71-72, New York, NY, USA, 2012. ACM.
33. M. Shehab and F. Mohsen. Towards enhancing the security of oauth implementations in smart phones. In Proceedings of the IEEE 3rd International Conference on Mobile Services, 2014.
34. S. Shekhar, M. Dietz, and D. S. Wallach. Adsplit: Separating smartphone advertising from applications. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, pages 28-28, Berkeley, CA, USA, 2012. USENIX Association.
35. J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, and M. Jensen. On breaking saml: Be whoever you want to be. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, pages 21-21, Berkeley, CA, USA, 2012.
36. R. Stevens, C. Gibler, J. Crussell, J. Erickson, and H. Chen. Investigating user privacy in android ad libraries. In IEEE Mobile Security Technologies (MoST), 2012.
37. S.-T. Sun and K. Beznosov. The devil is in the (implementation) details: An empirical analysis of oauth sso systems. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 378-390, New York, NY, USA, 2012. ACM.
38. S.-T. Sun, K. Hawkey, and K. Beznosov. Systematically breaking and fixing openid security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, 31(4):465-483, 2012.
39. Tencent Holdings Limited. Tencent announces 2012 fourth quarter and annual results. http://www.prnewswire.com/news-releases/tencent-announces-2012-fourth-quarter-and-annual-results-199130711.html.
40. Tencent Holdings Limited. Tencent announces 2013 first quarter results. http://www.prnewswire.com/news-releases/tencent-announces-2013-first-quarter-results-207507531.html.
41. R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through facebook and google: A trafic-guided security study of commercially deployed single-sign-on web services. In IEEE Symposium on Security and Privacy, pages 365-379, 2012.
42. R. Wang, L. Xing, X. Wang, and S. Chen. Unauthorized origin crossing on mobile platforms: Threats and mitigation. In Proceedings of the 2013 ACM SIGSAC Conference on Computer; Communications Security, CCS '13, pages 635-646, New York, NY, USA, 2013. ACM.
43. R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating sdks: Uncovering assumptions underlying secure authentication and authorization. In Proceedings of the 22Nd USENIX Conference on Security, SEC'13, pages 399-414, Berkeley, CA, USA, 2013. USENIX Association.