Source code available on GitHub
As the open standard for authorization, OAuth 2.0 lets end users grant third-party applications access to their private resources held by a service provider. Driven by the broad adoption of OAuth and the boom in mobile apps, many major Identity Providers (IdPs), e.g., Facebook and Sina Weibo, have tailored OAuth to support single sign-on (SSO) for third-party mobile apps. It is worth noting that OAuth was originally designed to provide authorization for web applications; when used for SSO on mobile platforms, it is effectively repurposed for authentication, a goal the protocol was not designed to meet.
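The authorization-versus-authentication distinction is easiest to see in code. The following is an added illustration, not MoSSOT's code or any IdP's real API: a constructed in-memory IdP issues bearer tokens, and two relying-party login routines consume them. The naive one treats "this token fetches a user profile" as "the caller is that user", so a token the user granted to a different app logs the attacker in. The hardened one asks the IdP which client the token was issued to (modelled on RFC 7662 token introspection; the endpoint names, client IDs and user names here are assumptions) and rejects tokens issued to anyone else.

```python
"""Added example (not MoSSOT code): an OAuth access token is an
authorization credential, not proof of identity. Shows the token-audience
check a relying party needs before using a token for login.

FakeIdP is a constructed stand-in; client IDs and user names are made up.
"""
import secrets


class FakeIdP:
    """Constructed identity provider: issues opaque bearer tokens and
    answers profile and introspection queries about them."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, user_id, client_id):
        # The user consents to `client_id` accessing their resources.
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = {"sub": user_id, "client_id": client_id}
        return tok

    def profile(self, token):
        # A /me-style resource endpoint: any bearer of a valid token gets
        # the profile. This is an authorization decision about a resource,
        # it says nothing about which app the bearer is.
        rec = self._tokens.get(token)
        return None if rec is None else {"id": rec["sub"]}

    def introspect(self, token):
        # RFC 7662-style introspection: reports which client the token was
        # issued to (assumed endpoint shape for illustration).
        rec = self._tokens.get(token)
        if rec is None:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "client_id": rec["client_id"]}


def naive_login(idp, token):
    """Vulnerable pattern: any token the user ever granted to any app
    logs the caller in as that user."""
    p = idp.profile(token)
    return None if p is None else p["id"]


def checked_login(idp, token, my_client_id):
    """Hardened pattern: accept the token only if the IdP confirms it was
    issued to this app. A token granted to another app is rejected even
    though it is valid and fetches a profile."""
    info = idp.introspect(token)
    if not info.get("active") or info.get("client_id") != my_client_id:
        return None
    return info["sub"]


def demo():
    idp = FakeIdP()
    # Constructed scenario: Alice uses both the target app and a malicious
    # app. The malicious app's server replays the token Alice granted it
    # against the target app's login endpoint.
    token_for_target = idp.issue_token("alice", "target-app")
    token_for_mallory = idp.issue_token("alice", "mallory-app")
    return {
        "naive_legit": naive_login(idp, token_for_target),
        "naive_replayed": naive_login(idp, token_for_mallory),
        "checked_legit": checked_login(idp, token_for_target, "target-app"),
        "checked_replayed": checked_login(idp, token_for_mallory, "target-app"),
    }


if __name__ == "__main__":
    print(demo())
```

The replayed token is accepted by `naive_login` and rejected by `checked_login`; the only difference is that the hardened path asks the IdP who the token belongs to instead of trusting that it can read a profile. Real IdPs expose this information in different ways (token debug or introspection endpoints, or an audience claim in a signed ID token), and a relying party has to use whichever one its IdP provides.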
Although security testing of real-world SSO deployments has attracted considerable attention in recent years, existing work either focuses on websites or relies on manual discovery of specific, previously known vulnerabilities. We therefore design and implement MoSSOT (Mobile SSO Tester), an automated black-box security testing tool for Android applications that use the SSO services of three mainstream service providers.
The figure below presents the system architecture of MoSSOT. The tool is composed of five modules: UI Explorer, Test Engine, Test Learner, System Model, and Test Oracle. The framework can be divided into three portions