OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The protocol's original objective was specific: to serve the authorization needs of websites. However, the protocol has been significantly repurposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have repurposed OAuth for user authentication; (2) developers have re-targeted OAuth to mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers.
Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions of each OAuth protocol flow that are security critical but confusing or unspecified for mobile application developers. We then show several representative cases to explain concretely how real implementations fell into these pitfalls. Our findings have been communicated to the vendors of the vulnerable applications. Most vendors confirmed the issues, and some have applied fixes. We summarize the lessons learned from the study, hoping to provoke further thought about clear guidelines for OAuth usage in mobile applications.
Eric Chen is a software engineer at Gridspace, working on machine learning and security related projects. Before that, he interned at Google Chrome's security team and Microsoft Research. He has a Ph.D. from Carnegie Mellon University, where he worked on web security.
Yutong is a security engineer currently working at Uber Security R&D. He focuses on building a customer authentication platform and an identity provider service. He also works on user account integrity and account take-over detection. He holds a Master's Degree in Information Security from Carnegie Mellon University.
Yuan Tian is a Ph.D. candidate at Carnegie Mellon University, working on mobile, web, and IoT security. She interned at Microsoft Research, Facebook's security infrastructure team, and Samsung's mobile security research group. She is listed on the Security Hall of Fame for Facebook, Evernote, and Zynga. She enjoys finding exploits as well as building secure systems.
Shuo Chen is a senior researcher at Microsoft Research Redmond. His interest is in studying real-world operational systems to understand their security challenges and flaws. Specifically, he spends significant time studying problems in software-as-a-service, browsers, web privacy/security and memory-based issues. He has served on the program committees for IEEE S&P, USENIX Security, ACM CCS, WWW, etc. Shuo obtained his Ph.D. degree in computer science under the guidance of Prof. Ravi Iyer at the University of Illinois at Urbana-Champaign. He obtained his master's and bachelor's degrees from Tsinghua University and Peking University, both in computer science.
Robert is a recent graduate of Carnegie Mellon University. He published several security papers while he was a student at CMU, his favorite being a timing attack on CSS shaders in Google Chrome. He is listed on the Hall of Fame for Facebook and Evernote. Outside of security, Robert is extremely passionate about building startup companies, and has sold two companies in the past three years. He is currently part of the Expii team, working to build a GPS for education. In his free time, Robert enjoys trading cryptocurrencies, playing the violin, and rock climbing.
Patrick Tague is an Associate Research Professor at Carnegie Mellon University with appointments in the Electrical and Computer Engineering Department and the Information Networking Institute, and he is also the Associate Director of the INI. Patrick leads the Mobile, Embedded, and Wireless Security group at the Silicon Valley Campus of CMU, and the group is affiliated with CMU CyLab. Patrick's research interests include wireless communications and networking; wireless/mobile security and privacy; robust and resilient networked systems; and analysis and sense-making of sensor network data. He received PhD and MS degrees in Electrical Engineering from the University of Washington as a member of the Network Security Lab and BS degrees in Mathematics and Computer Engineering from the University of Minnesota. Patrick received the Yang Research Award for outstanding graduate research in the UW Electrical Engineering Department, the Outstanding Graduate Research Award from the UW Center for Information Assurance and Cybersecurity, and the NSF CAREER award.
(Source: Black Hat USA 2016, Las Vegas)