{"title":"Securing OAuth implementations in smart phones","authors":"Mohamed Shehab, Fadi Mohsen","doi":"10.1145/2557547.2557588","DOIUrl":null,"url":null,"abstract":"With the roaring growth and wide adoption of smart mobile devices, users are continuously integrating with culture of the mobile applications (apps). These apps are not only gaining access to information on the smartphone but they are also able gain users' authorization to access remote servers on their behalf. The Open standard for Authorization (OAuth) is widely used in mobile apps for gaining access to user's resources on remote service providers. In this work, we analyze the different OAuth implementations adopted by some SDKs of the popular resource providers on smartphones and identify possible attacks on most OAuth implementations. We give some statistics on the trends followed by the service providers and by mobile applications developers. In addition, we propose an application-based OAuth Manager framework, that provides a secure OAuth flow in smartphones that is based on the concept of privilege separation and does not require high overhead.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"417 1","pages":"167-170"},"PeriodicalIF":0.0000,"publicationDate":"2014-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. 
ACM Conference on Data and Application Security & Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2557547.2557588","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 12
Abstract
With the roaring growth and wide adoption of smart mobile devices, users are continuously integrating with the culture of mobile applications (apps). These apps are not only gaining access to information on the smartphone, but they are also able to gain users' authorization to access remote servers on their behalf. The Open standard for Authorization (OAuth) is widely used in mobile apps for gaining access to users' resources on remote service providers. In this work, we analyze the different OAuth implementations adopted by some SDKs of the popular resource providers on smartphones and identify possible attacks on most OAuth implementations. We give some statistics on the trends followed by the service providers and by mobile application developers. In addition, we propose an application-based OAuth Manager framework that provides a secure OAuth flow in smartphones, is based on the concept of privilege separation, and does not require high overhead.