OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs for websites. However, the protocol has been significantly repurposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers.
Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field-study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications
Yuan Tian is a Ph.D candidate in Carnegie Mellon Univeristy, working onmobile, web, and IoT security. She interned at Microsoft Research, Facebook'ssecurity infrastructure team, and Samsung's mobile security research group.She is listed on the Security Hall of Fame for Facebook, Evernote, and Zygna.She enjoys finding exploits as well as building secure systems.
Eric Chen is a software engineer of Gridspace, working on machine learning andsecurity related projects. Before that, he interned at Google Chrome'ssecurity team and Microsoft Research. He has a Ph.D from Carnegie MellonUniversity, where he worked on web security.
Shuo Chen is a senior researcher at Microsoft Research Redmond. His interestis on studying real-world operational systems to understand their securitychallenges and flaws. Specifically, he spends significant time studyingproblems about software-as-a-service, browser, web privacy/security andmemory-based issues. He served on the program committees for IEEE S&P;,USENIX Security, ACM CCS, WWW, etc. Shuo obtained his Ph.D. degree in computerscience under the guidance of Prof. Ravi Iyer from University of Illinois atUrbana-Champaign. He obtained his master's and bachelor's degree from TsinghuaUniversity and Peking University, both in computer science.
Yutong is a security engineer currently working at Uber Security R&D.; Hefocuses on building customer authentication platform and identity providersservice. He also works on user account integrity and account take-overdetection. He holds a Master's Degree in Information Security from CarnegieMellon University.
Robert is a recent graduate from Carnegie Mellon University. He publishedseveral security papers while he was a student at CMU, his favorite being atiming attack on CSS shaders in Google Chrome. He is listed on the Hall ofFame for Facebook and Evernote. Outside of security, Robert is extremelypassionate about building startup companies, and has sold two companies in thepast three years. He is currently a part of the Expii team, working to build aGPS for education. In his free time, Robert enjoys trading crypto-currencies,playing the violin, and rock climbing.
Patrick Tague is an Associate Research Professor at Carnegie Mellon Universitywith appointments in the Electrical and Computer Engineering Department andthe Information Networking Institute, and he is also the Associate Director ofthe INI. Patrick leads the Mobile, Embedded, and Wireless Security group atthe Silicon Valley Campus of CMU, and the group is affiliated with CMU CyLab.Patrick's research interests include wireless communications and networking;wireless/mobile security and privacy; robust and resilient networked systems;and analysis and sense-making of sensor network data. He received PhD and MSdegrees in Electrical Engineering from the University of Washington as amember of the Network Security Lab and BS degrees in Mathematics and ComputerEngineering from the University of Minnesota. Patrick received the YangResearch Award for outstanding graduate research in the UW ElectricalEngineering Department, the Outstanding Graduate Research Award from the UWCenter for Information Assurance and Cybersecurity, and the NSF CAREER award.