Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution

Giada Sciarretta, Alessandro Armando, Roberto Carbone, Silvio Ranise

2016

Abstract

While there exist many secure authentication and authorization solutions for web applications, their adaptation in the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) for mobile native applications drives many social network vendors (acting as Identity Providers) to develop their own mobile solution. However, as the implementation details are not well documented, it is difficult to establish the proper security level of these solutions. We thus provide a rational reconstruction of the Facebook SSO flow, including a comparison with the OAuth 2.0 standard and a security analysis obtained testing the Facebook SSO reconstruction against a set of identified SSO attacks. Based on this analysis, we have modified and generalized the Facebook solution proposing a native SSO solution capable of solving the identified vulnerabilities and accommodating any Identity Provider.

References

  1. Armando, A., Carbone, R., Compagna, L., Cuéllar, J., and Tobarra, L. (2008). Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAMLbased Single Sign-On for Google Apps. In Proceedings of the 6th ACM workshop on Formal methods in security engineering (FMSE 7808), pages 1-10.
  2. Bansal, C., Bhargavan, K., and Maffeis, S. (2012). Discovering Concrete Attacks on Website Authorization by Formal Analysis. In 25th IEEE Computer Security Foundations Symposium (CSF'12), pages 247-262.
  3. Boyd, R. (2012). Getting Started with OAuth 2.0. http://itebooks.info/read/664/.
  4. Chen, E., Pei, Y., Chen, S., Tian, Y., Kotcher, R., and Tague, P. (2014). OAuth Demystified for Mobile Application Developers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).
  5. Chin, E., Felt, A. P., Greenwood, K., and Wagner, D. (2011). Analyzing inter-application communication in android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, pages 239-252.
  6. Facebook (2015). Getting Started with the Facebook SDK for Android. https://developers facebook. com/docs/android/getting-started/facebook-sdk-forandroid/.
  7. Facebook (2016). Signed Requests. https://developers. facebook.com/docs/reference/login/signed-request.
  8. Goldshlager, N. (2013). How I hacked any Facebook Account...again! http://www.nirgoldshlager.com/2013/ 03/how-i-hacked-any-facebook-accountagain.html.
  9. Homakov, E. (2013). How we hacked facebook with OAuth2 and Chrome bugs. http://homakov.blogspot.no/2013/02/hacking-face book-with-oauth2-and-chrome.html.
  10. IETF (2012a). The OAuth 2.0 Authorization Framework. http://tools.ietf.org/html/rfc6749.
  11. IETF (2012b). The OAuth 2.0 Authorization Framework: Bearer Token Usage. https://tools.ietf.org/html/ rfc6750.
  12. IETF (2015). JSON Web Token (JWT). https://tools.ietf.org/html/rfc7519.
  13. Khorana, T. (n.d.). Fake Facebook Phishing Attack. https://sites.google.com/site/mobilesecuritylabware/9- mobile-phishing/post-lab-activities/lab-1-fakefacebook-phishing-attack.
  14. Madsen, P. (2015a). Mobile OS Developments & Native Application Authentication. https://www.pingidentity.com/en/blog/2015/06/19/ mobile os developments native application authentica tion.html.
  15. Madsen, P. (2015b). NAPPS has left the building (but is still on the front lawn). https://www.pingidentity.com/en/blog/2015/07/22/ napps has left the building but is still on the front lawn.html.
  16. OASIS (2005). SAML V2.0 technical overview. https://docs.oasis-open.org/security/saml/v2.0/samlcore-2.0-os.pdf.
  17. OIDF (2014a). OpenID Connect Core 1.0. http://openid. net/specs/openid-connect-core-1 0.html.
  18. OIDF (2014b). OpenID Connect Native Application Token Agent Core 1.0. http://openid.bitbucket.org/draftnative-application-agent-core-01.html.
  19. Shehab, M. and Mohsen, F. (2014). Towards Enhancing the Security of OAuth Implementations in Smart Phones. In IEEE International Conference on Mobile Services (MS), pages 39-46.
  20. Sun, S. and Beznosov, K. (2012). The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. In Proceedings of the ACM Conference on Computer and Communications Security (CCS'12).
  21. Wang, R., Chen, S., and Wang, X. (2012). Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. In IEEE Symposium on Security and Privacy (SP), pages 365-379.
  22. Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., and Gurevich, Y. (2013). Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In Proceedings of the 22Nd USENIX Conference on Security (SEC'13), pages 399-414.
  23. Wulf, A. (2011). Stealing Passwords is Easy in Native Mobile Apps Despite OAuth. http://welcome.totheinter.net/2011/01/12/.
  24. Yao, Y. (2010). A serious OAuth security hole in Facebook SDK. http://security-ntech.blogspot.it/2010/11/serious-oauth-securityhole-in-facebook.html.
  25. Zhou, Y. and Evans, D. (2014). SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14), pages 495-510.
Download


Paper Citation


in Harvard Style

Sciarretta G., Armando A., Carbone R. and Ranise S. (2016). Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 147-158. DOI: 10.5220/0005969001470158


in Bibtex Style

@conference{secrypt16,
author={Giada Sciarretta and Alessandro Armando and Roberto Carbone and Silvio Ranise},
title={Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={147-158},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005969001470158},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution
SN - 978-989-758-196-0
AU - Sciarretta G.
AU - Armando A.
AU - Carbone R.
AU - Ranise S.
PY - 2016
SP - 147
EP - 158
DO - 10.5220/0005969001470158