Android single sign-on security: Issues, taxonomy and directions

Single Sign-On (SSO) is a mechanism that allows a user to log in to other applications using his identity registered with an identity provider. One of the most popular protocols for SSO is OAuth 2.0, which is an open standard for authorization. However, due to the lack of detailed instructions on how to implement OAuth 2.0 on Android, there are many vulnerabilities in the current Android OAuth 2.0 implementations. While much research effort has been made to exploit such vulnerabilities, there is a lack of systematical collation and summary of these researches, resulting in the appearance of common vulnerabilities in new applications. Hence, it is crucial to collate and summarize related work. Meanwhile, the rapid development of the Internet of Things (IoT) also requires an understanding of the usage of OAuth 2.0 in the IoT environment. In this work, we first describe the OAuth 2.0 authorization code grant flow and the implicit grant flow in detail and summarize the differences between the Web environment and the Android environment that affect OAuth 2.0 security. Then, we summarize the security issues in the implementations of OAuth 2.0 on Android. These security issues include: storing client_secret or access token locally, using embedded WebView as user-agent, incorrect usage of authentication proof, handling redirection in mobile app improperly, lacking transmission protection and third-party app authentication. Attacks on these vulnerabilities, such as WebView hijacking, linking hijacking and phishing, as well as attack results are elaborated subsequently. Against these security issues and attacks, we summarize the related research work in terms of vulnerability analysis, defense, and protocol analysis. At last, we discuss the directions for mitigating these security issues and discuss some OAuth-based protocols for the IoT environment.