An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications

Source code available on GitHub


Introduction


As the open standard for authorization, OAuth 2.0 enables end users to grant third-party applications access rights to their private resources stored on the service provider. Driven by the broad adoption of OAuth and the boom of mobile apps, many prestigious Identity Providers (IdPs), e.g., Facebook and Sina Weibo, have recently tailored OAuth to support SSO for third-party mobile apps. It is worth noting that OAuth was initially designed to provide a secure authorization service for web applications. The protocol is actually re-purposed for authentication when used for SSO on mobile platforms.

Although security testing of real-world SSO deployments has attracted considerable attention in recent years, existing work either focuses on websites or relies on the manual discovery of specific and previously known vulnerabilities. As such, we design and implement MoSSOT (Mobile SSO Tester), an automated blackbox security testing tool for Android applications utilizing the SSO services from three mainstream service providers.

Architecture


The figure below presents the system architecture of MoSSOT. The tool is composed of five modules: UI Explorer, Test Engine, Test Learner, System Model, and Test Oracle. The framework can be divided into three portions:

MoSSOT architecture

  • UI Explorer: This module automatically explores the UI widgets within the mobile app that need to be triggered to reach the desired destination, e.g., the login page. Test Engine can then automatically perform SSOs and drive the app to the expected state for the actual testing.
  • Test Learner and System Model: We first construct an initial model manually, based on the protocol specification and IdP documentation, which caters to the IdP customizations. Test Learner then analyzes the network traffic from normal SSOs to learn the app-specific implementations by RPs, which complement the initial model.
  • Test Engine and Test Oracle: To execute concrete test cases, Test Engine performs SSOs and drives the mobile app to the expected state. At the same time, Test Engine feeds observations back to Test Oracle, which monitors the state change and identifies potential vulnerabilities. In addition, once unexpected app behavior is detected, the tool tries to recover the app to the correct state.
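
The learning step described above can be illustrated with a small sketch. This is an added example, not MoSSOT's own code: it compares the RP login request across several normal SSO runs and labels each field as carrying an IdP-issued value, constant, or per-session. The field names, labels, and trace values are hypothetical and constructed for the illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample data: three normal SSO runs by test accounts.
# "idp_issued" holds values the IdP returned; "rp_request" is the app's
# login request to its own backend. All names and values are hypothetical.
TRACES = [
    {"idp_issued": {"access_token": "tokA1", "user_id": "1001"},
     "rp_request": "token=tokA1&openid=1001&ver=3.2&nonce=9f1c"},
    {"idp_issued": {"access_token": "tokB7", "user_id": "2002"},
     "rp_request": "token=tokB7&openid=2002&ver=3.2&nonce=44ab"},
    # Same account as run 1, new session: separates user-bound from session-bound.
    {"idp_issued": {"access_token": "tokC3", "user_id": "1001"},
     "rp_request": "token=tokC3&openid=1001&ver=3.2&nonce=d07e"},
]


def learn_rp_fields(traces):
    """Label each field of the RP login request by how it behaves across runs."""
    if not traces:
        return {}
    runs = [(t["idp_issued"], dict(parse_qsl(t["rp_request"]))) for t in traces]
    common = set.intersection(*(set(req) for _, req in runs))
    idp_keys = set.intersection(*(set(idp) for idp, _ in runs))
    learned = {}
    for field in sorted(common):
        # A field "carries" an IdP value if it equals that value in every run,
        # whatever name the app developer chose for it.
        source = [k for k in sorted(idp_keys)
                  if all(idp[k] == req[field] for idp, req in runs)]
        values = {req[field] for _, req in runs}
        if source:
            learned[field] = "carries " + source[0]
        elif len(values) == 1:
            learned[field] = "constant"
        else:
            learned[field] = "per-session"
    return learned


if __name__ == "__main__":
    for field, label in learn_rp_fields(TRACES).items():
        print(f"{field:8} {label}")
```

Fields labelled as carrying an IdP-issued value are the app-specific additions to the initial model; with only one run, per-session fields cannot be told apart from constants, which is why several normal SSOs are compared.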
Last Updated on Jun 6 2019.
Copyright © 2022. All Rights Reserved. MobiTeC, The Chinese University of Hong Kong.