Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols

  • Ronghai Yang (corresponding author)
  • Wing Cheong Lau
  • Shangcheng Shi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


Although the OAuth2.0 protocol was originally designed to serve the authorization needs of websites, mainstream identity providers such as Google and Facebook have made significant changes to the protocol to support authentication for mobile apps. Prior research has mainly focused on how the features of mobile operating systems affect OAuth security. However, little has been done to analyze whether these significant modifications of the protocol call-flow can be well understood and implemented by app developers. Towards this end, we report a field study of Android OAuth2.0-based single-sign-on systems. In particular, we perform an in-depth static code analysis of three identity provider (IdP) apps, namely Facebook, Google and Sina, as well as their official SDKs, to understand their OAuth-related transactions. We then dynamically test 600 top-ranked US and Chinese Android apps. Apart from various types of existing vulnerabilities, we also discover three previously unknown security flaws among these first-tier identity providers and a large number of popular third-party apps. For example, 41% of the apps under study are susceptible to a newly discovered profile attack, which, unlike prior work, enables remote account hijacking without any need to trick or interact with the victim. The prevalence of vulnerabilities further motivates us to propose and implement an alternative, fool-proof OAuth SDK for one of the affected IdPs that automatically prevents these vulnerabilities. To facilitate the adoption of our proposed fixes, our solution requires minimal code changes by the third-party developers of the affected mobile apps.


Keywords: OAuth2.0, OpenID Connect, Mobile app authentication



This project is supported in part by the Innovation and Technology Commission of Hong Kong (project no. ITS/216/15) and NSFC Grant (No. 61572415).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Ronghai Yang (1), corresponding author
  • Wing Cheong Lau (1)
  • Shangcheng Shi (1)
  1. Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong, China
