Android single sign-on security

Issues, taxonomy and directions

Xing Liu, Jiqiang Liu, Wei Wang, Sencun Zhu

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

Single Sign-On (SSO) is a mechanism that allows a user to log in to other applications using an identity registered with an identity provider. One of the most popular protocols for SSO is OAuth 2.0, an open standard for authorization. However, because there are no detailed instructions on how to implement OAuth 2.0 on Android, many vulnerabilities exist in current Android OAuth 2.0 implementations. While much research effort has gone into exploiting such vulnerabilities, there is no systematic collation and summary of this research, and as a result the same vulnerabilities keep appearing in new applications. Hence, it is crucial to collate and summarize the related work. Meanwhile, the rapid development of the Internet of Things (IoT) also requires an understanding of how OAuth 2.0 is used in the IoT environment. In this work, we first describe the OAuth 2.0 authorization code grant flow and the implicit grant flow in detail and summarize the differences between the Web environment and the Android environment that affect OAuth 2.0 security. Then, we summarize the security issues in the implementations of OAuth 2.0 on Android. These security issues include: storing the client_secret or access token locally, using an embedded WebView as the user-agent, incorrect usage of authentication proof, handling redirection in the mobile app improperly, lacking transmission protection, and third-party app authentication. Attacks on these vulnerabilities, such as WebView hijacking, link hijacking and phishing, and their results are then elaborated. Against these security issues and attacks, we summarize the related research work in terms of vulnerability analysis, defense, and protocol analysis. Finally, we discuss directions for mitigating these security issues and some OAuth-based protocols for the IoT environment.
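The abstract names three implementation mistakes that a mobile SSO client and its backend can avoid at the protocol level: treating any access token as proof of identity, letting the authorization code be usable by whoever captures the redirect, and accepting an unregistered redirect target. The following toy model, added here as an illustration and not taken from the paper or from any real identity provider, simulates an authorization server, a public mobile client and a relying-party backend. The client IDs (app-A, app-B), redirect URIs and user names are constructed. The client uses the authorization code grant with PKCE (RFC 7636, S256) instead of a locally stored client_secret, the server enforces single-use codes and exact redirect-URI matching, and the relying party accepts a token as login proof only after the identity provider confirms it was issued to that relying party's own client ID.

```python
"""Toy OAuth 2.0 authorization-code + PKCE flow with the checks a defender
expects. Added example with constructed data; not the paper's code."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class IdentityProvider:
    """Simulated authorization server (hypothetical; no network involved)."""

    def __init__(self):
        # Hypothetical registrations: client_id -> the one allowed redirect URI.
        self.clients = {
            "app-A": "https://app-a.example/oauth/callback",
            "app-B": "https://app-b.example/oauth/callback",
        }
        self.codes = {}   # code -> (client_id, redirect_uri, challenge, user)
        self.tokens = {}  # access_token -> (client_id, user)

    def authorize(self, client_id, redirect_uri, code_challenge, user):
        # Exact-match check against the registered redirect URI; no prefix
        # or wildcard matching, which is where redirection handling goes wrong.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge, user)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self.codes.pop(code, None)  # authorization codes are single-use
        if entry is None:
            raise PermissionError("unknown or already-used code")
        issued_to, issued_uri, challenge, user = entry
        if (issued_to, issued_uri) != (client_id, redirect_uri):
            raise PermissionError("code was issued to a different client")
        # PKCE binds the code to the app instance that started the flow: a code
        # observed in a WebView or a hijacked redirect cannot be redeemed
        # without the verifier, and no client_secret has to live on the device.
        if pkce_challenge(code_verifier) != challenge:
            raise PermissionError("PKCE verification failed")
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = (client_id, user)
        return access_token

    def tokeninfo(self, access_token):
        """Introspection: who the token was issued to and for which user."""
        return self.tokens.get(access_token)


class MobileClient:
    """Public client: holds only a per-login PKCE verifier, never a secret."""

    def __init__(self, idp, client_id, redirect_uri):
        self.idp, self.client_id, self.redirect_uri = idp, client_id, redirect_uri

    def login(self, user):
        verifier = b64url(secrets.token_bytes(32))
        code = self.idp.authorize(self.client_id, self.redirect_uri,
                                  pkce_challenge(verifier), user)
        return self.idp.token(self.client_id, self.redirect_uri, code, verifier)


def relying_party_login(idp, expected_client_id, access_token):
    """Backend side of 'authentication proof': a token proves who the user is
    only if the IdP confirms it was issued to *this* relying party's client."""
    info = idp.tokeninfo(access_token)
    if info is None:
        return None
    issued_to, user = info
    if issued_to != expected_client_id:
        return None  # valid token, but obtained by some other app
    return user


def run_demo():
    """Exercise the checks; returns which ones held."""
    idp = IdentityProvider()
    uri_a = idp.clients["app-A"]
    results = {}
    token_a = MobileClient(idp, "app-A", uri_a).login("alice")
    results["own_token_accepted"] = relying_party_login(idp, "app-A", token_a) == "alice"
    token_b = MobileClient(idp, "app-B", idp.clients["app-B"]).login("alice")
    results["foreign_token_rejected"] = relying_party_login(idp, "app-A", token_b) is None
    verifier = b64url(secrets.token_bytes(32))
    code = idp.authorize("app-A", uri_a, pkce_challenge(verifier), "bob")
    try:
        idp.token("app-A", uri_a, code, "wrong-verifier")
        results["wrong_verifier_rejected"] = False
    except PermissionError:
        results["wrong_verifier_rejected"] = True
    try:
        idp.authorize("app-A", "https://other.example/cb", pkce_challenge(verifier), "bob")
        results["bad_redirect_rejected"] = False
    except PermissionError:
        results["bad_redirect_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The relying-party check is the one most often missing in the apps the abstract describes: an access token is a bearer credential that says "some client may act for this user", and only the audience check turns it into "this user logged in to our app". The PKCE challenge function can be checked against the published RFC 7636 test vector.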

Original language: English (US)
Pages (from-to): 402-420
Number of pages: 19
Journal: Future Generation Computer Systems
Volume: 89
DOI: 10.1016/j.future.2018.06.049
State: Published - Dec 1 2018

Fingerprint (taxonomies)

  • Application programs
  • Network protocols
  • Authentication
  • Internet of things

All Science Journal Classification (ASJC) codes

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Liu, Xing ; Liu, Jiqiang ; Wang, Wei ; Zhu, Sencun. / Android single sign-on security : Issues, taxonomy and directions. In: Future Generation Computer Systems. 2018 ; Vol. 89. pp. 402-420.
@article{5a1a30731f7a4b79b19bdc6ca116fbd3,
title = "Android single sign-on security: Issues, taxonomy and directions",
author = "Xing Liu and Jiqiang Liu and Wei Wang and Sencun Zhu",
year = "2018",
month = "12",
day = "1",
doi = "10.1016/j.future.2018.06.049",
language = "English (US)",
volume = "89",
pages = "402--420",
journal = "Future Generation Computer Systems",
issn = "0167-739X",
publisher = "Elsevier",
}

Scopus record: http://www.scopus.com/inward/record.url?scp=85049595271&partnerID=8YFLogxK
Cited by (Scopus): http://www.scopus.com/inward/citedby.url?scp=85049595271&partnerID=8YFLogxK