Detecting Vulnerable OAuth 2.0 Implementations in Android Applications
Issued Date
2023-01-01
Scopus ID
2-s2.0-85186744083
Journal Title
Proceedings - 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion, QRS-C 2023
Start Page
524
End Page
531
Rights Holder(s)
SCOPUS
Bibliographic Citation
Proceedings - 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion, QRS-C 2023 (2023) , 524-531
Suggested Citation
Damkham W., Kunihiro S., Teerakanok S., Uehara T. Detecting Vulnerable OAuth 2.0 Implementations in Android Applications. Proceedings - 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion, QRS-C 2023 (2023), 524-531. doi:10.1109/QRS-C60940.2023.00024 Retrieved from: https://repository.li.mahidol.ac.th/handle/20.500.14594/97559
Abstract
OAuth 2.0, a prevalent authorization framework, can be vulnerable to cross-site request forgery (CSRF) attacks, so developers must exercise due diligence when implementing it in Android applications. A key countermeasure is including a state parameter in the URL during the login transition. However, the absence of a state parameter does not necessarily imply an inherent vulnerability to CSRF attacks. To investigate this further, we developed an Android application that analyses other Android applications using OAuth 2.0 with Google accounts, focusing primarily on the use of the state parameter for CSRF attack prevention. Our investigation assesses the login procedures of applications via both the Chrome application and the default browser. Through this, we aim to identify the presence or absence of the state parameter and the authorization code, critical components of a robust CSRF defence strategy. Our findings allow us to evaluate whether Android applications using OAuth 2.0 have basic protections against CSRF attacks. The results of our research could protect users by identifying and discouraging the use of Android applications that employ OAuth 2.0 for social login yet remain vulnerable to CSRF attacks.
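As an added illustration (not the paper's own tool or code), the following Python checker inspects one observed login transition for the properties the abstract names: whether the authorization request carries a state parameter, whether the callback returns an authorization code, and whether the echoed state matches the one sent. The client id, redirect URI and callback URLs are constructed placeholders; only the Google authorization endpoint URL is the real, documented one.

```python
"""Checker for the CSRF-relevant properties of an OAuth 2.0 authorization-code
login transition. Added example, not code from the paper; all sample URLs are
constructed."""
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented OAuth 2.0 authorization endpoint (real value).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def _params(url):
    """Flatten query (and fragment) parameters of a URL into {name: first value}."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query, keep_blank_values=True)
    q.update(parse_qs(parsed.fragment, keep_blank_values=True))  # implicit-flow style
    return {k: v[0] for k, v in q.items()}


def build_authorization_url(client_id, redirect_uri, state=None):
    """Build the login-transition URL. With state=None this is the weak form
    the paper's analysis flags; a caller should pass a fresh random state."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid email"}
    if state is not None:
        params["state"] = state
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def assess_flow(auth_request_url, callback_url):
    """Classify one observed login transition by its CSRF-relevant properties."""
    req, cb = _params(auth_request_url), _params(callback_url)
    sent, returned = req.get("state"), cb.get("state")
    # Constant-time comparison so the check itself does not leak timing.
    state_matches = bool(sent) and returned is not None and hmac.compare_digest(sent, returned)
    if not sent:
        verdict = "no-state"            # login transition carries no state parameter
    elif not state_matches:
        verdict = "state-not-verified"  # state was sent but the callback does not echo it
    else:
        verdict = "state-bound"         # callback is bound to the request that started it
    return {"code_returned": "code" in cb, "state_sent": bool(sent),
            "state_matches": state_matches, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample transition: no state sent, code returned -> "no-state".
    weak = build_authorization_url("constructed-client-id", "https://app.example/cb")
    print(assess_flow(weak, "https://app.example/cb?code=constructed-code"))
```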