According to recent news reports, three researchers from the Chinese University of Hong Kong, Ronghai Yang, Wing Cheong Lau, and Tianyu Liu, have discovered [PPT] an attack that lets them get into a victim's Android or iOS device without the victim's knowledge, and the attack requires no information about the victim's device.
The attack is said to log into the victim's device directly, leaving no trace. The researchers found that the majority of apps that support single sign-on (SSO) have implemented OAuth 2.0 insecurely. OAuth 2.0 lets users sign in to third-party apps and services by verifying their existing identity with Google, Facebook, or the Chinese firm Sina.
With this process, a user can sign in to a service directly without providing an additional username or password. Whenever a user logs into a third-party app via OAuth, the app goes through a checking process that verifies the authentication details. As an illustration, consider the case where the identity provider is Twitter.
When the process starts, Twitter issues an 'Access Token', which is passed to the application server. The application server then asks Twitter for the authentication information associated with that token and verifies it. Only after all of this is the user allowed to log in with their Twitter account information.
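The server-side half of the flow just described, as an added example that is not the researchers' or any app's code: the app server takes only the access token from the client, asks the identity provider (mocked here with a constructed table) who the token belongs to, checks that the token was issued to this app, and derives the user identity from the provider's answer rather than from anything the client sent. `APP_ID`, `idp_token_info` and `sso_login` are assumed names.

```python
# Added example (not the researchers' or any app's code): the application
# server's verification step in an OAuth 2.0 SSO login. All names are assumptions.
from dataclasses import dataclass
from typing import Optional

# The id this server registered with the identity provider (constructed value).
APP_ID = "app-123"

# Constructed stand-in for the identity provider's token-information endpoint.
# A real provider answers with (at least) whether the token is valid, which app
# it was issued to, and which user it belongs to.
_IDP_TOKENS = {
    "tok-alice-app123": {"valid": True, "app_id": "app-123", "user_id": "alice"},
    "tok-bob-other": {"valid": True, "app_id": "app-999", "user_id": "bob"},
    "tok-expired": {"valid": False, "app_id": "app-123", "user_id": "carol"},
}


def idp_token_info(access_token: str) -> Optional[dict]:
    """Ask the identity provider what it knows about this token (mock)."""
    return _IDP_TOKENS.get(access_token)


@dataclass
class LoginResult:
    ok: bool
    user_id: Optional[str] = None
    reason: str = ""


def sso_login(client_payload: dict) -> LoginResult:
    """Log a user in from what the mobile app forwarded after the IdP sign-in.

    The only thing taken from the client is the access token. The user identity
    comes from the identity provider's answer, never from the client payload,
    and the token must have been issued to this app, not to some other app.
    """
    token = client_payload.get("access_token")
    if not token:
        return LoginResult(False, reason="no access token supplied")
    info = idp_token_info(token)
    if info is None or not info.get("valid"):
        return LoginResult(False, reason="token not valid at identity provider")
    if info.get("app_id") != APP_ID:
        return LoginResult(False, reason="token was issued to a different app")
    # Identity is whatever the provider says it is; a client-supplied
    # "user_id" field in the payload is deliberately ignored.
    return LoginResult(True, user_id=info["user_id"])
```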
Lau told Forbes: “The OAuth protocol is quite complicated. A lot of third party developers are ma and pa shops, they don’t have the capability. Most of the time they’re using Google and Facebook recommendations, but if they don’t do it correctly, their apps will be wide open.”
As word spread, the researchers found that US and Chinese Android apps with over 2.4 billion downloads in total are vulnerable to this issue. All of these apps support SSO. After finding the issue, the researchers did a rough calculation and concluded that over a billion different mobile app accounts are at risk of being hijacked with the following attack.
The researchers said, “Although our current attack is demonstrated over the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of the vulnerable mobile app is affected as long as he/she has used the OAuth2.0-based SSO service with the app before.”