OAuthLint: An Empirical Study on OAuth Bugs in Android Applications
Mobile developers use OAuth APIs to implement Single-Sign-On services. However, the OAuth protocol was originally designed for the authorization for third-party websites not to authenticate users in third-party mobile apps. As a result, it is challenging for developers to correctly implement mobile OAuth securely. These vulnerabilities due to the misunderstanding of OAuth and inexperience of developers could lead to data leakage and account breach. In this paper, we perform an empirical study on the usage of OAuth APIs in Android applications and their security implications. In particular, we develop OAUTHLINT, that incorporates a query-driven static analysis to automatically check programs on the Google Play marketplace. OAUTHLINT takes as input an anti-protocol that encodes a vulnerable pattern extracted from the OAuth specifications and a program P. Our tool then generates a counter-example if the anti-protocol can match a trace of P’s possible executions. To evaluate the effectiveness of our approach, we perform a systematic study on 600+ popular apps which have more than 10 millions of downloads. The evaluation shows that 101 (32%) out of 316 applications that use OAuth APIs make at least one security mistake.
Tue 12 NovDisplayed time zone: Tijuana, Baja California change
16:00 - 17:40 | SecurityDemonstrations / Research Papers / Journal First Presentations at Hillcrest Chair(s): Julia Rubin University of British Columbia | ||
16:00 20mTalk | Performance-Boosting Sparsification of the IFDS Algorithm with Applications to Taint AnalysisACM SIGSOFT Distinguished Paper Award Research Papers Dongjie He University of New South Wales; Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Haofeng Li Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Lei Wang Institute of Computing Technology, Chinese Academy of Science, Haining Meng Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Hengjie Zheng Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Jie Liu University of New South Wales, Shuangwei Hu vivo AI Lab, Lian Li Institute of Computing Technology at Chinese Academy of Sciences, China, Jingling Xue UNSW Sydney | ||
16:20 20mTalk | Characterizing Android App Signing Issues Research Papers Haoyu Wang Beijing University of Posts and Telecommunications, China, Hongxuan Liu Peking University, Xusheng Xiao Case Western Reserve University, Guozhu Meng Institute of Information Engineering, Chinese Academy of Sciences, Yao Guo Peking University | ||
16:40 20mTalk | OAuthLint: An Empirical Study on OAuth Bugs in Android Applications Research Papers Tamjid Al Rahat University of Virginia, Yu Feng University of California, Santa Barbara, Yuan Tian University of Virginia Pre-print | ||
17:00 20mTalk | Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities? Journal First Presentations Link to publication DOI Pre-print Media Attached | ||
17:20 10mDemonstration | SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods Demonstrations Goran Piskachev Fraunhofer IEM, Lisa Nguyen Quang Do Google, Oshando Johnson Fraunhofer IEM, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM Pre-print Media Attached File Attached | ||
17:30 10mDemonstration | Sip4J: Statically Inferring Access Permission Contracts for Parallelising Sequential Java Programs Demonstrations Ayesha Sadiq Monash University, Li Li Monash University, Australia, Yuan-Fang Li Monash University, Ijaz Ahmed University of Lahore, Sea Ling Monash University | ||