Vulnerability Assessment of OAuth Implementations in Android Applications
As a result, insecure OAuth implementations are still widely used and the situation is far from optimistic in many mobile app ecosystems.
To address this problem, we propose a systematic vulnerability assessment framework for OAuth implementations on the Android platform. Unlike traditional OAuth security analyses, which are experience-driven and restricted to a three-party model, our framework adopts a systematic security assessment methodology built on a five-party, three-stage model to detect the typical vulnerabilities of popular OAuth implementations in Android apps. Based on this framework, we conduct a comprehensive investigation of vulnerable OAuth implementations at the level of an entire mobile app ecosystem. The investigation covers the Chinese mainland mobile app markets (e.g., Baidu App Store, Tencent, Anzhi) and 15 mainstream OAuth service providers. The top 100 relevant relying party apps (RP apps) are thoroughly assessed to detect vulnerable OAuth implementations, and we further perform an empirical study of over 4,000 apps to measure how frequently developers misuse the OAuth protocol. The results show that 86.2% of the apps incorporating OAuth services are vulnerable, and that this ratio for the Chinese mainland Android app market is much higher than the corresponding ratio (58.7%) for Google Play.
Author(s):
Hui Wang, Shanghai Jiao Tong University, China
Yuanyuan Zhang, Shanghai Jiao Tong University, China
Juanru Li, Shanghai Jiao Tong University, China
Hui Liu, Shanghai Jiao Tong University, China
Wenbo Yang, Shanghai Jiao Tong University, China
Bodong Li, Shanghai Jiao Tong University, China
Dawu Gu, Shanghai Jiao Tong University, China