Title :
Towards Enhancing the Security of OAuth Implementations in Smart Phones
Author :
Shehab, Mohamed ; Mohsen, Fadi
Author_Institution :
Dept. of Software & Inf. Syst., Univ. of North Carolina at Charlotte, Charlotte, NC, USA
fDate :
June 27 2014-July 2 2014
Abstract :
With the roaring growth and wide adoption of smart mobile devices, users are continuously integrating with culture of the mobile applications (apps). These apps are not only gaining access to information on the smartphone but they are also able gain users´ authorization to access remote servers on their behalf. The Open standard for Authorization (OAuth) is widely used in mobile apps for gaining access to user´s resources on remote service providers. In this paper, we analyze the different OAuth implementations adopted by the SDKs of the popular resource providers on smartphones and demonstrate possible attacks on most OAuth implementations. By analyzing source code of more than 430 popular Android apps we summarized the trends followed by the service providers and by the OAuth development choices made by application developers. In addition, we propose an application-based OAuth Manager framework, that provides a secure OAuth flow in smartphones that is based on the concept of privilege separation and does not require high overhead.
Keywords :
authorisation; mobile radio; smart phones; software engineering; telecommunication security; Android apps; OAuth manager framework; SDK; mobile applications; mobile devices; open standard for authorization; smart phones; software development kit; users authorization; Androids; Authentication; Authorization; Browsers; Facebook; Mobile communication; Servers; OAuth; Security; Smartphone apps;
Conference_Titel :
Mobile Services (MS), 2014 IEEE International Conference on
Conference_Location :
Anchorage, AK
Print_ISBN :
978-1-4799-5059-1
DOI :
10.1109/MobServ.2014.15
