• Exploit
✤ Case study
• Corresponding Remedies
What is OAuth2.0?
Three Parties in OAuth2.0
Goal: The user can log into the RP via the IdP
Basic Interactions among User, RP and IdP
[Diagram: RP server, User, IdP server. Messages shown: "Who are you?", "Tell IMDB my identity", "Welcome, Ronghai!"]
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
{"token_type":"Bearer",
 "expires_in":7104,
 "id":"100008512695261",
 "access_token":"CAABzj3PSN8C6OELrcr44hSlITO6…"}
https://graph.facebook.com/me?access_token=CAABzj3PSNiUBAF9MQrrNHwoZ...
Ill-defined Portions of the Protocol Call-flow
• Neither the RFC nor the IdPs provide the complete call-flow
✤ How to communicate between the RP app and the IdP app: the browser splits into two apps
Common Mistake 1: Android Account Manager
[Diagram: RP server, RP App, IdP App, IdP server. Message labels: Auth request; Account Info (user email); Authentication & Authorization; Token request. Annotation at the RP server: does not verify signature.]
• id_token
✤ includes user profile information, e.g.
{
 "uid": 1001,
 "email": "ronghai@xxx",
 "app": "imdb",
 …
}
[Diagram annotations (partly garbled in extraction): 1. proprietary message exchanges; 2. user info; 3. not scalable; 4. AT of user]
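The mistake above is closed on the RP server by verifying the id_token before trusting the uid it carries. The following is an added example, not code from the talk or from any IdP's SDK; it assumes a JWT-style id_token signed with HS256 under a constructed demo key (real IdPs typically sign with an asymmetric key and publish the verification key), and it checks both the signature and that the "app" claim names this RP.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the IdP's signing key (assumption: HS256
# with a shared secret; a production IdP would normally use an asymmetric key).
IDP_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
RP_APP_ID = "imdb"  # this RP's own app identifier, matching the slide's "app" claim


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """IdP side (constructed for the demo): sign the claims as a compact JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = IDP_SIGNING_KEY, app_id: str = RP_APP_ID):
    """RP server side: return the claims only if signature and audience check out.

    Returns None on any failure, so the caller never sees an unverified uid.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Reject "alg": "none" and any algorithm other than the one expected.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{body_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        # A token validly issued for another app must not log the user into this RP.
        if claims.get("app") != app_id:
            return None
    except (ValueError, TypeError, AttributeError, UnicodeDecodeError):
        return None
    return claims
```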
Trick 2: Use WebView to bypass certificate pinning
• Certificate pinning
Trick 3: Modify IdP app to remove certificate pinning
• Some IdPs do NOT support WebView
✤ SSLUnpinning
• Reverse engineering
✤ Remove certificate pinning function
✤ Repackage
Trick 4: Modify RP app to remove the certificate comparison by SDK
• Modify RP app
Demonstration: Attacking Answers App
Answers app uses access token to retrieve user data
A Partial List of Vulnerable Android Mobile Apps
Responsible Disclosure
Suggested Remedies
1. For IdPs:
❖ Facebook has adopted this practice since May 2014, but for backward-compatibility reasons old users are still vulnerable.
Thanks and Q&A