Shangcheng Shi
ABSTRACT
Mobile applications today increasingly integrate Single Sign-On (SSO) into their account management mechanisms. Unfortunately, the involved multi-party protocol, i.e., OAuth 2.0, was originally designed to serve websites for authorization purpose. Due to the complexity of the adapted protocol, a large number of insecure SSO implementations still exist in the wild. Although the security testing for real-world SSO deployments has attracted considerable attention in recent years, existing work either focuses on websites or relies on the manual discovery of specific and previously-known vulnerabilities. In the paper, we design and implement MoSSOT (Mobile SSO Tester), an automated blackbox security testing tool for Android applications utilizing the SSO services from three mainstream service providers. The tool detects the vulnerabilities within the practical SSO implementations by fuzzing related network messages. We used MoSSOT to examine over 500 first-tier third-party Android applications from US and Chinese app markets. According to the test result, around 72% of the tested applications incorrectly implement SSO and are thus vulnerable. Besides, our test identifies an unknown vulnerability as well as a new variant, in addition to four known ones. The vulnerabilities enable the attacker to illegally log into the mobile applications as the victims or gain access to the protected resources. MoSSOT has been released as an open-source project.
- Domenico Amalfitano, Anna Rita Fasolino, Porfirio Tramontana, Salvatore De Carmine, and Atif M Memon. 2012. Using GUI ripping for automated testing of Android applications. In ASE12. ACM. Google Scholar
Digital Library
- Apkpure. 2017. Apkpure. https://apkpure.com/.Google Scholar
- Tanzirul Azim and Iulian Neamtiu. 2013. Targeted and depth-first exploration for systematic testing of android apps. In ACM Sigplan Notices, Vol. 48. ACM. Google ScholarDigital Library
- Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong. 2013. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In NDSS13.Google Scholar
- Chetan Bansal, Karthikeyan Bhargavan, and Sergio Maffeis. 2012. Discovering Concrete Attacks on Website Authorization by Formal Analysis. In CSF12. Google ScholarDigital Library
- Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Jaeyeon Jung, Suman Nath, Rui Wang, and David Wetherall. 2014. Brahmastra: Driving Apps to Test the Security of Third-Party Components.. In USENIX14. Google ScholarDigital Library
- Bruno Blanchet. 2014. The ProVerif homepage. http://prosecco.gforge.inria.fr/personal/bblanche/proverif/Google Scholar
- Nataniel P Borges Jr, Maria Gómez, and Andreas Zeller. 2018. Guiding app testing with mined interaction models. In MOBILESoft18. ACM. Google ScholarDigital Library
- Suresh Chari, Charanjit S. Jutla, and Arnab Roy. 2011. Universally Composable Security Analysis of OAuth v2.0. Cryptology ePrint Archive, Report 2011/526.Google Scholar
- Eric Y Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, and Patrick Tague. 2014. OAuth demystified for mobile application developers. In CCS14. Google ScholarDigital Library
- Wontae Choi, George Necula, and Koushik Sen. 2013. Guided gui testing of android apps with minimal restart and approximate learning. In ACM Sigplan Notices, Vol. 48. ACM. Google ScholarDigital Library
- Feng Dong, Haoyu Wang, Yuanchun Li, Yao Guo, Li Li, Shaodong Zhang, and Guoai Xu. 2017. FrauDroid: An Accurate and Scalable Approach to Automated Mobile Ad Fraud Detection. arXiv preprint arXiv:1709.01213 (2017).Google Scholar
- Facebook. 2017. Facebook SSO developer document. https://developers.facebook.com/docs/facebook-login/.Google Scholar
- Daniel Fett, Ralf Küsters, and Guido Schmitz. 2016. A Comprehensive Formal Security Analysis of OAuth 2.0. CCS16 (2016).Google Scholar
- Genymotion. 2017. Genymotion. https://www.genymotion.com/Google Scholar
- Google. 2017a. Android webview. http://developer.android.com/reference/android/webkit/WebView.htmlGoogle Scholar
- Google. 2017b. AVD. https://developer.android.com/studio/run/emulator.Google Scholar
- Google. 2017c. Monkey. http://developer.android.com/tools/help/monkeyGoogle Scholar
- Shuai Hao, Bin Liu, Suman Nath, William GJ Halfond, and Ramesh Govindan. 2014. PUMA: programmable UI-automation for large-scale dynamic analysis of mobile apps. In MobiSys14. ACM. Google ScholarDigital Library
- Dick Hardt. 2012. The OAuth 2.0 authorization framework.Google Scholar
- Pili Hu, Ronghai Yang, Yue Li, and Wing Cheong Lau. 2014. Application impersonation: problems of OAuth and API design in online social networks. In COSN14. Google ScholarDigital Library
- Jonathan Jacky. 2011. PyModel: Model-based testing in Python. In SciPy11.Google Scholar
- Wang Jing. 2017. Covert Redirect Vulnerability.Google Scholar
- M Jones and Dick Hardt. 2012. The OAuth 2.0 Authorization Framework: Bearer Token Usage. Technical Report. RFC 6750, October.Google Scholar
- Michael Jones, Paul Tarjan, Yaron Goland, Nat Sakimura, John Bradley, John Panzer, and Dirk Balfanz. 2012. JSON Web Token (JWT). (2012).Google Scholar
- Wing Lam, Zhengkai Wu, Dengfeng Li, Wenyu Wang, Haibing Zheng, Hui Luo, Peng Yan, Yuetang Deng, and Tao Xie. 2017. Record and replay for Android: are we there yet in industrial cases?. In ESEC/FSE17. ACM. Google ScholarDigital Library
- Wanpeng Li, Chris J Mitchell, and Tom Chen. 2018. Your code is my code: Exploiting a common weakness in OAuth 2.0 implementations.Google Scholar
- Wanpeng Li and Chris J. Mitchell. 2016. Analysing the Security of Google's implementation of OpenID Connect. In Proceeedings of DIMVA16. Google ScholarDigital Library
- Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. 2017. Droidbot: a lightweight ui-guided test input generator for android. In ICSE17. IEEE. Google ScholarDigital Library
- Torsten Lodderstedt, Mark McGloin, and Phil Hunt. 2013. OAuth 2.0 threat model and security considerations.Google Scholar
- Aravind Machiry, Rohan Tahiliani, and Mayur Naik. 2013. Dynodroid: An input generation system for android apps. In ESEC/FSE13. ACM. Google ScholarDigital Library
- mitmproxy. 2017. Man in the Middle Proxy. https://mitmproxy.org/Google Scholar
- MoSSOT. 2019. MoSSOT. https://github.com/MoSSOT/MoSSOT.Google Scholar
- Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: automatic security analysis of smartphone applications. In ACM CODASPY13. Google ScholarDigital Library
- Ariel Rosenfeld, Odaya Kardashov, and Orel Zang. 2018. Automation of Android Applications Functional Testing Using Machine Learning Activities Classification. In MOBILESoft18. ACM. Google ScholarDigital Library
- Natsuhiko Sakimura, J Bradley, M Jones, B de Medeiros, and C Mortimore. 2014. OpenID Connect core 1.0. (2014).Google Scholar
- Mohammed Shehab and Fadi Mohsen. 2014. Towards Enhancing the Security of OAuth Implementations In Smart Phones. In IEEE MS14. Google ScholarDigital Library
- Ethan Shernan, Henry Carter, Dave Tian, Patrick Traynor, and Kevin Butler. 2015. More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In DIMVA15. Springer. Google ScholarDigital Library
- Sina. 2017. Sina Developer Documentation. http://open.weibo.com/wiki/Google Scholar
- Softonic. 2017. Softonic. https://bit.ly/2DUAjhp.Google Scholar
- Ting Su, Guozhu Meng, Yuting Chen, Ke Wu, Weiming Yang, Yao Yao, Geguang Pu, Yang Liu, and Zhendong Su. 2017. Guided, stochastic model-based gui testing of android apps. In ESEC/FSE17. ACM. Google ScholarDigital Library
- San-Tsai Sun and Konstantin Beznosov. 2012. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In CCS'12. Google ScholarDigital Library
- Tencent. 2017. WeChat SSO developer document. https://open.weixin.qq.com.Google Scholar
- Wandoujia. 2017. Wandoujia App Market. https://www.wandoujia.com/.Google Scholar
- Hui Wang, Yuanyuan Zhang, Juanru Li, and Dawu Gu. 2016. The Achilles Heel of OAuth: A Multi-platform Study of OAuth-based Authentication (ACSAC '16). Google ScholarDigital Library
- Hui Wang, Yuanyuan Zhang, Juanru Li, Hui Liu, Wenbo Yang, Bodong Li, and Dawu Gu. 2015. Vulnerability Assessment of OAuth Implementations in Android Applications. In ACSAC15. ACM. Google ScholarDigital Library
- Xposed. 2017. Xposed Module Repository. https://repo.xposed.infoGoogle Scholar
- Ronghai Yang, Wing Cheong Lau, and Shangcheng Shi. 2017. Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols. In ACNS17.Google Scholar
- Ronghai Yang, Guancheng Lee, Wing Cheong Lau, and Kehuan Zhang. 2016. Model-based Security Testing: an Empirical Study on OAuth 2.0 Implementations. In ASIACCS 2016. Google ScholarDigital Library
- Quanqi Ye, Guangdong Bai, Kailong Wang, and Jin Song Dong. 2015. Formal Analysis of a Single Sign-On Protocol Implementation for Android. In ICECCS15. Google ScholarDigital Library
- E. YOO. 2017. Technode. https://bit.ly/2Zi1JVn.Google Scholar
- Yuchen Zhou and David Evans. 2014. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In USENIX14. Google ScholarDigital Library
- Chaoshun Zuo, Qingchuan Zhao, and Zhiqiang Lin. 2017. Authscope: Towards automatic discovery of vulnerable authorizations in online services. In CCS17. Google ScholarDigital Library
Recommendations
Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications SecurityMotivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations have received increasing attention lately [31,37,42]. However, these existing works either rely on manual ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and NetworksWeb applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Anatomy of the Facebook solution for mobile single sign-on
While there exist many secure authentication and authorization solutions for web applications, their adaptation in the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) ...
Comments