OAuth 2.0 insecure: 1 billion Androids vulnerable

24-11-2016

Researchers find a widespread risk for users of apps with an insecure OAuth 2.0 implementation, which could let attackers access the data held within a vulnerable app.

Security researchers have discovered a way to target a huge number of Android and iOS apps that could allow them to remotely sign in to any victim's mobile app account without the victim's knowledge.

Insecure implementation of OAuth 2.0

The researchers found that most popular mobile apps that support a single sign-on (SSO) service have implemented OAuth 2.0 insecurely. OAuth 2.0 is an open standard for authorization that lets users sign in to third-party services by proving they hold an existing identity, such as a social media account. Once authenticated, users do not have to provide separate credentials to access those services: SSO lets them sign in without additional usernames or passwords.

It is definitely convenient to skip account creation or signing in for every single app you install, but it is not without risks. In this case, the risk is serious: 41.2% of the 600 apps the researchers examined are putting users at risk of having their Facebook or Google accounts hijacked. That is around 250 top apps, accounting for over one billion downloads on Android alone. Chances are good there is at least one on your device, and the flaw is platform agnostic.

Missing key components

Some app developers, particularly small third-party operations, omitted key steps in authenticating the user ID, leaving a whole host of apps vulnerable to hackers. An attacker can log in to a vulnerable app with their own account and then swap in the username of a target. These flaws can be exploited against a person's account without them knowing.
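To make the missing check concrete, here is an added illustration (not code from the researchers' paper or from any real app): a constructed mock identity provider and two versions of an app backend's login handler, one that trusts the user ID the client sends and one that uses only the identity the provider vouches for. The token format, `MockIdP`, `APP_CLIENT_ID` and the account names are all assumptions made for this example.

```python
# Added illustration of the flaw described above; names and token format are
# constructed for this example, not taken from the paper or any real app.

APP_CLIENT_ID = "com.example.shopping"  # constructed: this app's OAuth client id


class MockIdP:
    """Stand-in for a social login provider's token-info endpoint: maps an
    opaque access token to the subject (sub) it belongs to and the client
    (aud) it was issued to."""

    def __init__(self):
        self._tokens = {}

    def issue(self, token, sub, aud):
        self._tokens[token] = {"sub": sub, "aud": aud}

    def tokeninfo(self, token):
        # Returns None for unknown or revoked tokens.
        return self._tokens.get(token)


idp = MockIdP()
idp.issue("tok-attacker", sub="attacker-1", aud=APP_CLIENT_ID)      # attacker's own login
idp.issue("tok-other-app", sub="victim-1", aud="com.example.other")  # issued to another app


def vulnerable_login(request):
    """Checks only that the token exists, then issues a session for whatever
    user_id the client claims. The binding between token and identity is missing."""
    if idp.tokeninfo(request.get("access_token")) is None:
        return None
    return {"session_for": request.get("user_id")}


def hardened_login(request):
    """Asks the provider who the token belongs to and issues a session only for
    that subject, and only if the token was issued to this app (audience check).
    Any user_id the client sends is ignored."""
    info = idp.tokeninfo(request.get("access_token"))
    if info is None or info["aud"] != APP_CLIENT_ID:
        return None
    return {"session_for": info["sub"]}


# Scenario from the article: sign in with your own account, then swap in the
# target's user id before the request reaches the app backend.
SWAPPED_REQUEST = {"access_token": "tok-attacker", "user_id": "victim-1"}
```

The vulnerable handler hands out a session for `victim-1`; the hardened one issues a session only for `attacker-1`, the identity the provider actually confirmed, and rejects tokens issued to a different app.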

The paper, which you can read at Forbes, doesn’t mention any affected apps, so we’re left to speculate as to what could happen. Attackers could perform in-app purchases, book hotels, buy products—essentially any app you have installed that uses SSO could potentially be used against you.

Mobile authentication

There are various solutions on the market that can be used for authentication. However, in an increasingly digital world, the need for solutions that go further, and can also be deployed for generating legally binding signatures and/or for ensuring privacy protection, is also growing. AET Europe created the ConsentID Authentication Service to give users mobile multifactor authentication and digital signing with a high level of privacy protection, based on Public Key Infrastructure (PKI) technology. Through the tamper-proof electronic distribution of documents, as well as the ability to sign and encrypt information directly through email, PKI allows information or identities to be secured quickly, simply and flexibly.