2017
DOI: 10.1007/978-3-319-61204-1_16
Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols

Cited by 13 publications (3 citation statements). References 20 publications.
“…However, none of them ensures that the identity tokens are sent to the designated RP only [35,36], because a WebView or the system browser cannot authenticate the RP Apps and the IdP App may be repackaged. The SSO protocols are modified to work for mobile Apps, but these modifications are not well understood by RP developers [35,37]. Vulnerabilities were disclosed in lots of Android applications, to break confidentiality [35][36][37][38], integrity [35,37], and RP designation [35,38] of SSO identity tokens.…”
Section: Extended Related Work (citation type: mentioning; confidence: 99%)
“…The SSO protocols are modified to work for mobile Apps, but these modifications are not well understood by RP developers [35,37]. Vulnerabilities were disclosed in lots of Android applications, to break confidentiality [35][36][37][38], integrity [35,37], and RP designation [35,38] of SSO identity tokens. A software flaw was found in Google Apps [23], allowing a malicious RP to hijack a user's authentication attempt and inject a payload to steal the cookie (or identity token) for another RP.…”
Section: Extended Related Work (citation type: mentioning; confidence: 99%)
“…They also disclosed four scenarios where the state parameter can be misused by RP developers. Most recently, Yang, Lau and Shi [26] conducted a large scale study of Android OAuth 2.0-based SSO systems. They found three previously unknown security flaws among first-tier identity providers and a large number of popular third party apps.…”
Section: RP → UA (citation type: mentioning; confidence: 99%)