Vulnerabilities

Published on November 6th, 2016 | 9,507 views

Millions of Android app accounts can easily be hacked by a very simple trick

More than a billion Android app accounts are at risk

If it weren’t for the efforts of three researchers from the Chinese University of Hong Kong, we would never have learned of this vulnerability in Google’s Android platform. These researchers scanned multiple Google apps on the US and Chinese app stores and found a serious loophole. The flaw lies in the way OAuth 2.0 is implemented in these apps. We’ll explain what OAuth 2.0 is below, but the one thing you need to know is that a hacker can remotely exploit a victim’s app and access his or her personal information.

For those who do not know, OAuth 2.0 is a standard that lets users log in to third-party apps using their Google or Facebook accounts. You will probably recognize it from those annoying pop-ups that appear on your screen and that you click through without a second thought; after reading this, you may want to be more careful about what you click on and what you don’t.

When a user logs into a service using OAuth, the app performs a check with the identity provider, such as Google or Facebook. If the credentials match, OAuth obtains an access token from the identity provider, which lets the app log the user in with their Facebook or Google credentials. Unfortunately, this approach can lead to a serious threat in the Android app ecosystem. The fault actually lies with developers who do not check the validity of the information sent by the identity provider.


Forbes has reported that another mistake was the failure to verify the signature attached to the authentication information retrieved from Google and Facebook. Often, the app server would only check the user ID retrieved from the identity provider. According to the research, apps with a total of 2.4 billion downloads are vulnerable to this issue, so calling it “large-scale” is definitely an understatement. The research wasn’t conducted on iPhones, because the security researchers know that iOS is more secure than Android.
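The server-side check the article says was missing, as an added example (not code from the researchers or from any of the affected apps): a login handler that trusts a user ID forwarded by the client, beside one that verifies the identity provider’s signed assertion before using its subject. The signing key, issuer and client ID are constructed placeholders, and the HMAC-signed token is a stand-in for real Google/Facebook ID tokens, which are signed with the provider’s key and verified with its public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: a shared secret standing in for the provider's
# signing key, plus the issuer and the app's client id registered with it.
PROVIDER_SECRET = b"demo-provider-signing-key"
ISSUER = "https://idp.example"
APP_CLIENT_ID = "demo-app-client-id"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, aud: str, ttl: int = 300) -> str:
    """Stand-in for the ID provider: HMAC-signed claims (real ID tokens use RS256)."""
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def vulnerable_login(client_payload: dict) -> str:
    """The flaw in the article: the app server trusts whatever user id the
    client forwards, so a forged payload logs in as any account."""
    return client_payload["user_id"]

def hardened_login(token: str, now=None):
    """Verify signature, issuer, audience and expiry before trusting `sub`.
    Returns the authenticated user id, or None on any failure."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered body or forged signature
        claims = json.loads(_unb64(body))
    except ValueError:
        return None  # malformed token
    if claims.get("iss") != ISSUER or claims.get("aud") != APP_CLIENT_ID:
        return None  # minted by another issuer or for another app
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return None  # expired or replayed
    return claims["sub"]
```

The audience check matters as much as the signature: a token legitimately issued to a different app must not log a user into this one.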

However, these security researchers would do us a huge favor if they were to conduct a thorough exercise on Apple’s iPhone too.

One Response to Millions of Android app accounts can easily be hacked by a very simple trick

  1. Amazing tricks, thanks for the sharing!
