1000 Ways to Die in Mobile OAuth

by Yuan Tian, Eric Chen, Shuo Chen, Yutong Pei, Robert Kotcher, Patrick Tague
Posted Sept. 14, 2017 by belen_caty. Source: www.blackhat.com. Tags: Encryption & Authentication, mobile

OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The protocol's initial objective was narrow: to serve the authorization needs of websites. Over the years, however, it has been significantly repurposed and re-targeted: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have repurposed OAuth for user authentication; (2) developers have re-targeted OAuth to mobile platforms, in addition to the traditional web platform. We therefore believe it is necessary and timely to conduct an in-depth study that demystifies OAuth for mobile application developers.


Steven Ulm 6 months ago

Haha, good title :) Happy, though, that there are only 1000 ways - there could have been 10000 ... or more!