More than a billion Android app accounts are at risk
Were it not for the efforts of three researchers from the Chinese University of Hong Kong, this weakness in the way Android apps sign users in might never have come to light. The researchers examined popular Android apps from the US and Chinese app stores and found a serious loophole in how those apps implement login through OAuth 2.0. We explain what OAuth 2.0 is below, but the one thing you need to know is that an attacker can, from his or her own phone, sign in to a victim’s account in a vulnerable app and read the personal information stored there.
For those who do not know, OAuth 2.0 is a standard that lets a user sign in to a third-party app with an existing account at an identity provider such as Google or Facebook, instead of creating yet another password. Strictly speaking, OAuth 2.0 was designed for delegated authorization (letting an app act on your behalf), and the “Sign in with Google” or “Continue with Facebook” flows are built on top of it, which is part of why they are so easy to get wrong. You will recognize them as the pop-ups that appear on your screen and that most people approve without a second thought; after reading this, you may want to be more careful about what you click.
When a user logs in to an app this way, the app hands the user off to the identity provider, such as Google or Facebook, which checks the user’s password. If the credentials are correct, the identity provider issues an access token together with the user’s identifier, and the app passes both to its own backend server, which then treats the user as logged in with that identity. Unfortunately, this approach hides a serious threat in the Android app ecosystem: the identity provider’s response travels through the user’s device before it reaches the app’s server, and anyone who controls the device can alter it along the way. The fault actually lies with developers whose servers accept the information without checking its validity with the identity provider.
Forbes reported a second mistake of the same kind: failing to verify the signature attached to the authentication information retrieved from Google or Facebook. In many cases the app’s server looked only at the user ID it was handed, without confirming with the identity provider that the token was genuine and had been issued for that user, so an attacker who signs in with his own account and then swaps in a victim’s user ID is accepted as the victim. According to the research, the vulnerable apps have been downloaded a total of 2.4 billion times, so calling this large-scale is an understatement. The researchers did not test the iPhone versions of these apps, but since the faulty check lives on the app’s backend server rather than in the phone’s operating system, there is no reason to assume that iOS users of the same apps are safe.
These researchers, or others, would do us all a huge favor by conducting the same thorough exercise on Apple’s iPhone too.