In the aftermath of the revelation that a billion mobile app accounts could be hijacked through flawed use of OAuth 2.0 login, as discovered by three Chinese researchers from the Chinese University of Hong Kong, at least one vendor that depends on OAuth 2.0 has argued that the protocol itself remains secure and that non-mobile implementations are not affected.
In an email to customers, the company behind the email, Avanan, unsurprisingly moved to quell fears that its own OAuth 2.0-based authentication is compromised by the findings of the Chinese researchers. (OAuth 2.0 is an open protocol, not a company; the reassurance comes from a vendor that builds on it.)
In an attempt to reassure customers, the company writes in plain bold text:
IT IS ONLY FOR MOBILE APPS AND ONLY FOR APPS THAT USE THE MOBILE DEVICE’S GLOBAL USER IDENTIFIER TO AUTHENTICATE.
To make the distinction easier for customers, the company states that the affected app developers used the identity provider's global user identifier as their app's password with their own servers. "It is not the protocol, but their implementation" that is the cause of the shoddy security, the company argued.
By way of example, the company pointed to SSH (Secure Shell), a network protocol that is secure by design. If a developer were nevertheless to hard-code the authentication credential in clear text, that security would be void, however sound the protocol.
The company then explained:
The fundamental flaw is that some mobile app developers are lazy and will use the mobile device’s global user identifier instead of issuing their own identification token for their app. It is completely unrelated to the web-based authentication method used by the original, non-mobile version of OAuth used by Avanan.
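To make the distinction between "the protocol" and "their implementation" concrete, here is an added example (it is not code from the article, from Avanan, or from the researchers). It models the two backend designs side by side: one that trusts a user identifier posted by the mobile client, and one that sends the identity provider's access token to the server and lets the provider say who the user is. The identity provider, the client ids `com.example.shop` and `com.example.other`, and the user ids are all hypothetical and constructed so the example runs offline. The hardened version also rejects a token minted for a different app, an audience check the article does not discuss but which the same server-side validation makes possible.

```python
"""Added example: client-asserted identity vs. server-validated OAuth token."""
import hmac
import secrets

APP_CLIENT_ID = "com.example.shop"          # hypothetical: our app's id at the IdP
OTHER_APP_CLIENT_ID = "com.example.other"   # hypothetical: some other app's id


class FakeIdentityProvider:
    """Constructed stand-in for Facebook/Google/Sina token introspection."""

    def __init__(self):
        self._tokens = {}  # access_token -> (user_id, client_id it was issued to)

    def issue_token(self, user_id, client_id):
        """What the IdP hands to an app after the user consents."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, client_id)
        return token

    def introspect(self, token):
        """Server-to-IdP lookup; None if the token is unknown or revoked."""
        return self._tokens.get(token)


class VulnerableBackend:
    """The pattern the researchers found: the app posts the IdP's global
    user id to its own server and the server treats that id as proof.
    Anyone who can edit that request (e.g. a proxy on their own phone)
    can name any user id and be logged in as that user."""

    def login(self, posted_user_id):
        return posted_user_id  # session belongs to whoever was named


class HardenedBackend:
    """The app posts the access token instead; the server asks the IdP who
    the token belongs to and which app it was issued for, and never trusts
    a client-supplied identifier."""

    def __init__(self, idp):
        self._idp = idp

    def login(self, posted_access_token):
        info = self._idp.introspect(posted_access_token)
        if info is None:
            return None  # forged, expired or revoked token
        idp_user_id, audience = info
        # constant-time compare is a habit; the audience is not secret here,
        # but the same helper is used when comparing secret-bearing strings
        if not hmac.compare_digest(audience.encode(), APP_CLIENT_ID.encode()):
            return None  # token was issued to a different app: reject
        return idp_user_id  # identity comes from the IdP, not the client


def demo():
    """Runs the attack against both backends and returns who got logged in."""
    idp = FakeIdentityProvider()
    victim_token = idp.issue_token("victim-1001", APP_CLIENT_ID)
    attacker_token = idp.issue_token("attacker-2002", APP_CLIENT_ID)
    # token the victim granted to a different (attacker-controlled) app
    foreign_token = idp.issue_token("victim-1001", OTHER_APP_CLIENT_ID)

    vulnerable = VulnerableBackend()
    hardened = HardenedBackend(idp)
    return {
        # attacker edits the posted id: vulnerable server obeys
        "vulnerable_forged": vulnerable.login("victim-1001"),
        # attacker can only present tokens they actually hold
        "hardened_honest": hardened.login(attacker_token),
        "hardened_foreign_app_token": hardened.login(foreign_token),
        "hardened_garbage": hardened.login("not-a-real-token"),
        "hardened_victim_own": hardened.login(victim_token),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {who}")
```

With a real provider the `introspect` call becomes a server-side request to the provider's token verification endpoint (for example Google's `tokeninfo` endpoint or Facebook's `debug_token`), and the audience returned there must equal the app's own client id before the user id in the response is used.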
As LIFARS reported yesterday, the researchers assessed 600 of the top apps that use OAuth 2.0 APIs from the identity providers Facebook, Google and China-based Sina, the operator of the popular Weibo platform. Some of these apps are among the most downloaded in the world, with hundreds of millions of downloads in some cases.
Altogether, the apps tested by the researchers had been downloaded over 2.4 billion times. The researchers concluded that a little over 40% of those apps were vulnerable, which amounts to roughly a billion installs of vulnerable applications currently on users' phones and other mobile devices.