DOI: 10.1145/2818000.2818024 (research article, ACSAC conference proceedings)

Vulnerability Assessment of OAuth Implementations in Android Applications

Published: 07 December 2015

Abstract

Enforcing security on the various implementations of OAuth in Android apps requires considering a wide range of issues comprehensively. OAuth implementations in Android apps deviate from the recommended specification because of provider- and platform-specific factors, and these varied implementations often become vulnerable. Current vulnerability assessments of these OAuth implementations are ad hoc and lack a systematic method. As a result, insecure OAuth implementations remain widely deployed, and the situation is far from optimistic in many mobile app ecosystems.
To address this problem, we propose a systematic vulnerability assessment framework for OAuth implementations on the Android platform. Unlike traditional OAuth security analyses, which are experience-driven and rely on a restrictive three-party model, our framework uses a systematic security assessment methodology built on a five-party, three-stage model to detect typical vulnerabilities in popular OAuth implementations in Android apps. Based on this framework, we conduct a comprehensive investigation of vulnerable OAuth implementations at the level of an entire mobile app ecosystem. The investigation studies the Chinese mainland mobile app markets (e.g., Baidu App Store, Tencent, Anzhi), covering 15 mainstream OAuth service providers. The top 100 relevant relying party apps (RP apps) are thoroughly assessed to detect vulnerable OAuth implementations, and we further perform an empirical study of over 4,000 apps to validate how frequently developers misuse the OAuth protocol. The results show that 86.2% of the apps incorporating OAuth services are vulnerable, and this ratio in the Chinese mainland Android app market is much higher than that of Google Play (58.7%).

        Published In

        ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
        December 2015, 489 pages
        ISBN: 9781450336826
        DOI: 10.1145/2818000
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        In-Cooperation

        • ACSA: Applied Computing Security Assoc

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 07 December 2015

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Conference

        ACSAC 2015

        Acceptance Rates

        Overall Acceptance Rate 104 of 497 submissions, 21%

        Article Metrics

        • Downloads (last 12 months): 37
        • Downloads (last 6 weeks): 3
        Reflects downloads up to 26 Sep 2024

        Cited By

        • (2024) 5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions. Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 66-77. DOI: 10.1145/3643833.3656134. Online publication date: 27-May-2024.
        • (2024) An Investigation into Misuse of Java Security APIs by Large Language Models. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 1299-1315. DOI: 10.1145/3634737.3661134. Online publication date: 1-Jul-2024.
        • (2024) SoK: SSO-MONITOR - The Current State and Future Research Directions in Single Sign-on Security Measurements. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 173-192. DOI: 10.1109/EuroSP60621.2024.00018. Online publication date: 8-Jul-2024.
        • (2024) JWTKey: Automatic Cryptographic Vulnerability Detection in JWT Applications. Computer Security – ESORICS 2023, pp. 263-282. DOI: 10.1007/978-3-031-51479-1_14. Online publication date: 12-Jan-2024.
        • (2023) T-FIM: Transparency in Federated Identity Management for Decentralized Trust and Forensics Investigation. Electronics, vol. 12, no. 17, article 3591. DOI: 10.3390/electronics12173591. Online publication date: 25-Aug-2023.
        • (2023) Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 727-743. DOI: 10.1145/3607199.3607236. Online publication date: 16-Oct-2023.
        • (2023) Security Analysis of OAuth 2.0 Implementation. 2023 Innovations in Power and Advanced Computing Technologies (i-PACT), pp. 1-8. DOI: 10.1109/i-PACT58649.2023.10434479. Online publication date: 8-Dec-2023.
        • (2023) An Attack to One-Tap Authentication Services in Cellular Networks. IEEE Transactions on Information Forensics and Security, vol. 18, pp. 5082-5095. DOI: 10.1109/TIFS.2023.3304840. Online publication date: 2023.
        • (2023) Detecting Vulnerable OAuth 2.0 Implementations in Android Applications. 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C), pp. 524-531. DOI: 10.1109/QRS-C60940.2023.00024. Online publication date: 22-Oct-2023.
        • (2022) Cerberus. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2459-2473. DOI: 10.1145/3548606.3559381. Online publication date: 7-Nov-2022.
