You know that nifty tool that lets you log into new websites and services using your Facebook or Twitter profile? Chinese researchers have discovered a new attack that enables hackers to steal your information and hijack your accounts on a huge number of different Android apps, which have collectively been downloaded over one billion times.
Cybersecurity researchers from the Chinese University of Hong Kong (CUHK) have found security flaws in how the OAuth 2.0 single sign-on protocol is implemented in mobile apps. The protocol was designed to let users quickly sign into third-party services and apps using their social media accounts, rather than having to create a username and password.
The researchers analysed 600 of the most popular Android apps on Google Play US and Google Play China and found that 182 apps support single sign-on using Facebook, Google and Sina Weibo accounts.
Because the OAuth protocol was originally designed for websites, the researchers found that app developers had struggled to apply the protocol correctly in 41% of these apps, including hotel booking apps, holiday planning apps, VoIP call apps, shopping apps, online dating apps, banking apps, news apps, browser apps, video apps and music apps.
When you sign into an app – for illustration purposes, let's say the IMDB app – the app asks Facebook to authenticate your identity, and Facebook's server responds with an access token. However, on many of the Android apps, the app developers were not checking whether the information being sent by the social media accounts was correct.
And sometimes, the researchers found that the apps would immediately log in an individual even if the user ID information sent through by Facebook, Google or Sina Weibo didn't even match the account details of the user that had an account with the Android app.
Man-in-the-Middle attack lets hacker hijack Android app accounts
At Black Hat Europe 2016, the researchers demonstrated that if an attacker could discover the email address and name associated with your Facebook profile, they could then take their own mobile device, download the IMDB app and use a man-in-the-middle proxy to replace their profile with yours.
So when the IMDB app asked for the access token, it would look as if Facebook had returned the attacker's profile, instead of yours. And with this, the attacker can then directly control your apps. This might not be a big deal with the IMDB app, but in the case of the hotel booking app, the hacker would be able to pay for room bookings on your credit card, purchase music and videos from the music and video services, and even impersonate you on chat apps.
CUHK PhD candidate and lead author of the research Yang Ronghai says that the attack cannot be blamed solely on app developers – the identity providers Facebook, Google and Sina Weibo are responsible too.
"Identity providers don't offer clear developer guidelines for third-party app developers. After we reported this issue to Facebook, Google and Sina, all of them recognised the need to improve the guidelines. Their respective Software Development Kits (SDK) are also confusing for the third-party app developers to use," he told IBTimes UK, adding that Google and Sina have taken action to make OAuth 2.0 guidelines clearer for app developers.
"When receiving the identity proof, i.e. the access token and user info, the app developers should make a server-to-server verification of the access token and not directly use the user information. In other words, the back-end server should use the access token to retrieve the user data from the back-end server of the identity providers and then use this data to identify the user."
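The flaw described in this article, and the fix Yang recommends, can be shown side by side in a back-end login handler. The example below is added here and is not code from the researchers, from IBTimes or from any of the identity providers; the identity provider is a mocked lookup table, and the app id, token strings and account names are constructed. The vulnerable handler trusts the user id the client claims the identity provider returned (which is exactly what a man-in-the-middle proxy can rewrite), while the hardened handler sends the access token to the identity provider and takes the user identity only from that response.

```python
"""Constructed demo: a back-end SSO login endpoint that trusts client-supplied
user info, beside one that verifies the access token server-to-server.
The identity provider (IdP) is mocked inline; nothing touches the network."""

OUR_APP_ID = "app-123"  # hypothetical app id registered with the IdP

# Mock IdP token store (stands in for the Facebook/Google/Weibo back-end).
# Maps an access token to the user it was issued for and the app it was issued to.
_IDP_TOKENS = {
    "tok-victim":    {"user_id": "u-victim",   "app_id": OUR_APP_ID},
    "tok-attacker":  {"user_id": "u-attacker", "app_id": OUR_APP_ID},
    "tok-other-app": {"user_id": "u-victim",   "app_id": "app-999"},  # issued to another app
}


def idp_introspect(access_token):
    """Mocked server-to-server call to the IdP.

    Returns the token's subject (user_id) and audience (app_id), or None for an
    unknown or forged token. A real IdP exposes this as a token-debug / tokeninfo
    endpoint that the app's back-end calls directly, never the phone."""
    return _IDP_TOKENS.get(access_token)


# Our app's account table: IdP user id -> local account (constructed).
ACCOUNTS = {
    "u-victim": "victim@example.com",
    "u-attacker": "attacker@example.com",
}


def vulnerable_login(request):
    """The flawed pattern: log in whoever the client *says* the IdP identified.

    `request` is the JSON the mobile app posts after the SSO flow. Because the
    user_id field came through the phone, a proxy between phone and server can
    swap it for the victim's id while keeping the attacker's own valid token."""
    uid = request["user_id"]
    return ACCOUNTS.get(uid)


def hardened_login(request):
    """The recommended pattern: identity comes only from the IdP's answer.

    1. Send the access token to the IdP server-to-server.
    2. Reject tokens the IdP does not recognise.
    3. Reject tokens issued to a different app (audience check), otherwise a
       token obtained from any other app using the same IdP would log in here.
    4. Ignore client-supplied user info; if it disagrees with the IdP, refuse
       the login (the mismatch is a useful signal to log as tampering)."""
    info = idp_introspect(request["access_token"])
    if info is None:
        return None  # unknown or forged token
    if info["app_id"] != OUR_APP_ID:
        return None  # token was issued to another app: wrong audience
    claimed = request.get("user_id")
    if claimed is not None and claimed != info["user_id"]:
        return None  # client claim contradicts the IdP: treat as tampering
    return ACCOUNTS.get(info["user_id"])


def run_demo():
    """Replays the profile-substitution scenario against both handlers."""
    # Attacker holds a real token for their own IdP account but rewrites the
    # profile fields in transit so they name the victim (constructed values).
    substituted = {
        "access_token": "tok-attacker",
        "user_id": "u-victim",
        "email": "victim@example.com",
    }
    # An honest login: token and claimed profile belong to the same user.
    honest = {"access_token": "tok-victim", "user_id": "u-victim"}
    return {
        "vulnerable_substituted": vulnerable_login(substituted),
        "hardened_substituted": hardened_login(substituted),
        "hardened_honest": hardened_login(honest),
    }


if __name__ == "__main__":
    for name, who in run_demo().items():
        print(f"{name}: {who}")
```

With the substituted request the vulnerable handler returns the victim's account, while the hardened one refuses it; the hardened handler still logs in the honest user. In production the mocked `idp_introspect` is replaced by an HTTPS call from the back-end to the provider's token-verification endpoint, and the audience check against the app's own registered id is what stops a token issued to some unrelated app from being replayed here.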