OAUTH2 for mobile apps, what could go wrong?

Friday, September 27, 2019 - 10:00 to 11:30

Computer Science Colloquium Series presents...

ELAHEH SAMANI

Room 239, Joyce Entrepreneurship Centre

Abstract: OAuth is a popular authorization scheme used by many iOS and Android apps to delegate user authentication and authorization to a known third-party entity such as Google, Facebook or LinkedIn. When users grant an app access to their Gmail account or GDrive, they normally expect only limited access. But the app can do a number of things with that access even when the user is not using it, which often comes as a surprise to the user. This is mostly because users are not aware of how much data an application can access while they are offline, nor of the consequences of sharing that data with the application. Depending on the requested permissions and access type, an app can essentially keep the user authenticated forever and access their protected resources such as Gmail, GDrive, or Calendar. With no built-in security in OAuth, it is mostly the app developer's responsibility to prevent unauthorized access or authorization misuse by adding state-based parameters to requests, validating access tokens before making API calls, revoking access tokens, etc.
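The two developer-side controls the abstract names first, a state parameter bound to the session and an explicit choice of access type, look like this in an authorization-code flow. This is an added illustration, not code from the talk; the endpoint, client id and redirect URI are constructed placeholders, and the `access_type=offline`/`online` switch follows the Google-style convention the abstract alludes to.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://accounts.example.com/o/oauth2/auth"  # placeholder endpoint
CLIENT_ID = "example-client-id"                                  # placeholder client id


def build_authorization_request(session: dict, redirect_uri: str,
                                scopes: list, offline: bool = False) -> str:
    """Build the authorization URL and remember a fresh, unguessable state.

    The state is stored server-side (or in app-private storage) so the
    callback can prove the response belongs to a request this app started.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # request only the scopes actually needed
        "state": state,
        # "offline" asks for a refresh token, i.e. the ability to act for the
        # user while they are not using the app. Default to "online" so that
        # long-lived access is an explicit decision, not an accident.
        "access_type": "offline" if offline else "online",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str):
    """Return the authorization code only if the state round-trips intact.

    The stored state is consumed on first use, so a replayed or forged
    redirect cannot be matched against it a second time.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    if "error" in query:          # user denied, or provider reported a problem
        return None
    return query.get("code", [None])[0]
```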

Bio: Elaheh Samani is an independent security researcher specializing in malware and software reverse engineering. She has been part of Symantec's Modern OS Security (MOS) team researching threats targeting mobile users. Prior to that, she was a member of the Tailored Reverse Engineer Expertise team of Google Chrome in Montreal. She has been involved in the development of various network security projects for more than 8 years.

(519)253-3000