Simple hack gives access to over 1 billion mobile application accounts

Security researchers have discovered a way of breaking into Android and iOS apps. In a nutshell, an attacker can remotely log in to a vulnerable application as the victim, without the victim knowing it.

A team of three researchers (Ronghai Yang, Wing Cheong Lau and Tianyu Liu) from the Chinese University of Hong Kong discovered a vulnerability affecting most popular mobile apps that support single sign-on (SSO) by implementing OAuth 2.0.

OAuth 2.0 is an open standard for authorization that allows users to sign in to third-party apps without registering a separate account. They simply verify their identity with their Google, Facebook or other major provider account.

Let's see how:

When a user logs into a third-party app using the OAuth standard, the app has to perform a check with the identity provider, say Facebook. The app asks the provider whether the user's credentials are correct. Once they are, the provider issues an "Access Token" for the user, which is then handed over to the mobile application's own server.

Once the access token is issued, the application server is supposed to use it to request the user's identity information from Facebook, verify it, and only then log the user in under the identity they use on Facebook.

Where is the error?

The researchers found that many Android app developers do not properly verify the information that appears to come from identity providers such as Facebook or Google.

Instead of validating the OAuth access token with the identity provider to confirm which user actually logged in, the application server only looks at the username (user ID) that the client claims the identity provider returned.

Because of this flaw, a remote attacker can download the vulnerable application, log in with their own account, and then swap in the username of the person they want to attack, by setting up a proxy server under their control that modifies the data coming back from Facebook, Google or another identity provider before it reaches the app's server.
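To make the flaw concrete, here is a simulated version of the login flow and of the tampering described above. This is example code written for this article, not the researchers' code and not any real app's backend. The identity provider, the app ID `app-1234`, the account names and the `inspect` endpoint are all constructed stand-ins; real providers expose equivalents (Facebook's debug_token, Google's tokeninfo) that report which user and which app a token was issued for. The vulnerable backend trusts the user ID the client sends; the hardened backend validates the token with the provider and uses only the identity the provider reports.

```python
"""
Simulated OAuth 2.0 SSO login: a vulnerable app backend that trusts the
client-supplied user ID, beside one that validates the access token with
the identity provider. Everything here (provider, app, accounts) is a
constructed stand-in for the purposes of the example.
"""
import secrets

OUR_APP_ID = "app-1234"  # hypothetical client ID registered with the provider


class FakeIdentityProvider:
    """Stand-in for Facebook/Google. Issues access tokens bound to a
    (user, app) pair and offers a simplified token-inspection endpoint,
    in the spirit of Facebook's debug_token or Google's tokeninfo."""

    def __init__(self):
        self._tokens = {}

    def authorize(self, user_id, app_id):
        # The user signs in at the provider and authorizes app_id; the
        # provider returns an opaque access token.
        token = secrets.token_hex(16)
        self._tokens[token] = {"user_id": user_id, "app_id": app_id}
        return token

    def inspect(self, token):
        # Returns the binding for a known token, or None for a forged one.
        return self._tokens.get(token)


idp = FakeIdentityProvider()


def client_login_message(user_id, token):
    """What the mobile client posts to the app's backend after the OAuth
    flow: the access token plus the user ID the client *says* the provider
    returned. Only the token is trustworthy."""
    return {"user_id": user_id, "access_token": token}


def mitm_rewrite(message, victim_id):
    """Attacker-controlled proxy: the identity field is replaced with the
    victim's user ID while the (attacker's own, valid) token is kept."""
    tampered = dict(message)
    tampered["user_id"] = victim_id
    return tampered


def vulnerable_login(message):
    """Backend that only checks that *a* token is present and then trusts
    whatever user_id the client sent (the pattern the researchers found)."""
    if not message.get("access_token"):
        return None
    return {"session_for": message["user_id"]}


def secure_login(message):
    """Backend that validates the token with the provider, checks it was
    issued for this app, and ignores the client-supplied user_id."""
    info = idp.inspect(message.get("access_token", ""))
    if info is None:
        return None  # forged, expired or unknown token
    if info["app_id"] != OUR_APP_ID:
        return None  # token issued for some other app: audience check
    return {"session_for": info["user_id"]}


def run_attack(backend):
    """Attacker logs in legitimately, then tampers with their own login
    message so that it names the victim. Returns the session the backend
    would issue."""
    attacker_token = idp.authorize("attacker", OUR_APP_ID)
    honest = client_login_message("attacker", attacker_token)
    tampered = mitm_rewrite(honest, "victim")
    return backend(tampered)


if __name__ == "__main__":
    print("vulnerable backend:", run_attack(vulnerable_login))
    print("secure backend:    ", run_attack(secure_login))
```

Against the vulnerable backend the tampered message yields a session for `victim`; against the hardened one the attacker only ever gets a session for their own account, because the identity comes from the provider's answer about the token rather than from the client. The audience check matters as well: a token that a victim legitimately granted to some other app must not be accepted as a login to this one.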

Once this is done, the hacker has complete control over the victim's data within the application, according to Forbes. Imagine that being a banking application…

"The OAuth protocol is quite complex," Lau told Forbes.

"Many application developers do not have the ability. Most of the time they use Google and Facebook credentials, but if they don't do it right, their apps are wide open."

The researchers found hundreds of popular Android apps supporting SSO that are vulnerable, with a combined total of more than 2.4 billion downloads.

Taking into account the share of users who choose to sign in via OAuth, the researchers estimate that over one billion individual application accounts are at risk.

The researchers did not test the exploit on the iPhone, but they believe their attack would work against any vulnerable app on Apple's iOS.

Yang and Lau presented their research paper, entitled "Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0", at the Black Hat Europe conference on Friday.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
