Billions of mobile app users could be exposed to account hijacking because of an implementation flaw found by three Hong Kong-based researchers. Ronghai Yang, Tianyu Liu and Wing Cheong Lau of the Chinese University of Hong Kong found that the flaw is a simple mobile app development oversight that can be prevented.
Have you ever signed in to a new website using your Facebook account? Thanks to OAuth, it is now easier to log in and sign up to sites and online apps. OAuth 2.0 is an open standard for delegated authorization that apps widely repurpose for single sign-on: it lets an app sign its users up and in through accounts they already hold elsewhere, such as Facebook or Google. It makes signing up and signing in easier and faster for users while offering various strategic uses for publishers. With OAuth, the user no longer needs to fill out a sign-up form.
Instead, the user authorizes an identity provider such as Facebook or Google to vouch for their identity. A website or app that uses OAuth typically shows a button such as "Sign up with Facebook or Google" or "Log in with Facebook." If the user agrees by clicking the button (the blue box in the illustration above), the identity provider authenticates the user and returns the user's ID information together with an access token. On mobile, these are handed to the app on the device, which relays them to the app's backend server. Once the backend has verified the ID information and the token, the user is granted access without filling out a login form.
This type of sign-in works well in web apps but fails badly in many mobile apps because of improper implementation. The study, presented at Black Hat, found that 41% of the 600 sampled apps had OAuth vulnerabilities in their mobile version. In most of them the oversight is faulty verification: the backend server does not fully validate the information that arrives from the identity provider. In many cases the server never checked whether the OAuth access token it received was actually issued for the user ID that accompanied it, yet still logged the user in; often the server verified only the user ID attributed to the identity provider, as relayed by the client app.
These implementation flaws let a remote attacker log in as the victim using only the victim's user ID. The attacker signs in to the app with their own identity-provider account and, through a proxy they control between their own device and the app server, rewrites the sign-in message so that the user ID is the victim's while the access token remains the attacker's own. Because the server checks only the user ID and never confirms that the token belongs to it, it hands the attacker the victim's account. The researchers add that this hijacking technique can target both Android and iOS apps. More detail on the flaw is available in the researchers' published paper, linked below.
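The flow and the flaw described above, as an added example that is not code from the researchers or from any of the apps studied. It simulates the identity provider in memory (the `IdentityProvider` class stands in for a token-introspection endpoint such as Facebook's `/debug_token` or Google's `tokeninfo`), puts the vulnerable server-side check beside a hardened one, and runs the user-ID substitution attack against both. All IDs, tokens, client IDs and e-mail addresses are constructed for the demo.

```python
"""Added example (not the researchers' code): why an app server must bind the
user ID to the access token instead of trusting the ID relayed by the client.

The identity provider, app server, accounts and IDs below are all constructed
stand-ins; nothing here talks to a real Facebook or Google endpoint."""
import secrets
from dataclasses import dataclass

APP_CLIENT_ID = "com.example.shop"         # assumed: our app's registration with the IdP
OTHER_CLIENT_ID = "com.example.other-app"  # a different app, registered separately


@dataclass(frozen=True)
class TokenInfo:
    user_id: str    # account the token was issued for
    client_id: str  # app the token was issued to
    valid: bool


class IdentityProvider:
    """Constructed IdP: issues bearer tokens and answers 'who does this token
    belong to, and which app was it issued to?' (the job of Facebook's
    /debug_token or Google's tokeninfo endpoint)."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, user_id, client_id):
        token = secrets.token_hex(16)
        self._tokens[token] = (user_id, client_id)
        return token

    def introspect(self, token):
        if token not in self._tokens:
            return TokenInfo("", "", False)
        user_id, client_id = self._tokens[token]
        return TokenInfo(user_id, client_id, True)


class AppServer:
    def __init__(self, idp):
        self.idp = idp
        # constructed account table keyed by the IdP user ID
        self.accounts = {"fb:1000": "victim@example.com",
                         "fb:2000": "attacker@example.com"}

    def login_vulnerable(self, claimed_user_id, access_token):
        """The oversight from the study: only the user ID relayed by the
        client is checked; the token is never verified against the IdP,
        let alone tied to that ID."""
        return self.accounts.get(claimed_user_id)   # access_token ignored

    def login_hardened(self, claimed_user_id, access_token):
        """Ask the IdP what the token is, require that it was issued to THIS
        app, and take the identity from the IdP's answer, not the client."""
        info = self.idp.introspect(access_token)
        if not info.valid:
            return None
        if info.client_id != APP_CLIENT_ID:     # token issued to another app
            return None
        if info.user_id != claimed_user_id:     # relayed ID is not the token's owner
            return None
        return self.accounts.get(info.user_id)


def demo():
    """Run the substitution attack against both checks; returns the outcomes."""
    idp = IdentityProvider()
    server = AppServer(idp)
    victim_id, attacker_id = "fb:1000", "fb:2000"

    # 1. Attacker signs in to the app normally with their OWN IdP account and
    #    receives a token that is genuinely valid for this app.
    attacker_token = idp.issue_token(attacker_id, APP_CLIENT_ID)

    # 2. Via a proxy on their own device, the attacker rewrites the relayed
    #    sign-in message: victim's user ID, attacker's (still valid) token.
    tampered = (victim_id, attacker_token)

    return {
        "vulnerable": server.login_vulnerable(*tampered),   # victim's account
        "hardened": server.login_hardened(*tampered),       # rejected
        # sanity checks: the attacker's honest login still works, and a token
        # issued to a different app is refused even with a matching user ID
        "legit": server.login_hardened(attacker_id, attacker_token),
        "foreign_app_token": server.login_hardened(
            attacker_id, idp.issue_token(attacker_id, OTHER_CLIENT_ID)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a real backend the `introspect` step is a call to the identity provider, and both checks it feeds matter: Facebook's `/debug_token` response carries `app_id` and `user_id`, and Google's `tokeninfo` response carries `aud` and `sub`, so the server should compare `app_id`/`aud` against its own client ID and use `user_id`/`sub` as the identity. Trusting any user ID the mobile client sends, even one that looks like it came from the provider, is exactly the gap the study describes.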
The study examined 600 Android apps with a combined total of more than 2.4 billion recorded downloads. The data categorize most of these apps as online shops that support Google and Facebook sign-in. If this discovery is alarming for users, it is even more so for online businesses. It is yet another reason to re-evaluate your company's software development practices.