“Gartner Listed - mobile application security guide”

November 17, 2016

OAuth 2.0 bug

Cybersecurity researchers at the Chinese University of Hong Kong (CUHK) discovered a bug in the OAuth 2.0 protocol as implemented by Android apps while carrying out Android app security testing. The exploit makes it possible to log in to close to a billion Android app accounts that use sign-in through social media services such as Facebook, and to steal their data.

OAuth 2.0 is a single sign-in protocol that lets users sign in to third-party sites and services with their social media accounts, including Facebook, without creating a new username for the service. Around 600 well-known apps on Google Play in China and the US were checked, and 182 of them were found to be using the single sign-in option for Google, Facebook and Sina Weibo.

Originally, the protocol was intended for websites. This is why app developers implemented it incorrectly for Android app security in 41% of the analyzed apps, including apps for hotel booking, VoIP calls, mobile banking, shopping, music and video.

The exploit works as follows: when you open an app and choose to sign in with your Facebook ID instead of creating a new ID, Facebook sends the app a token together with your user information. Many app developers failed to check the information returned by the social media service. These apps log the user in immediately even if the user information sent by the social media service does not match the user who is signing in to the Android app. According to the researchers, hackers could easily get around standard Android app security with a man-in-the-middle (MITM) attack. Once a hacker knows your social media email address and your name, they can download the same app and use a MITM attack to substitute your profile for their own. When the app is used for transactions, such as e-commerce or mobile banking, the attacker can then pay with your credit card, transfer money into their own account, or use your details to carry out fraudulent transactions.
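The following is an added example, not code from the article or from the CUHK researchers, that models the flaw described above on the app's server side. It compares a login handler that trusts the profile fields the mobile client forwards (the vulnerable pattern) with one that resolves identity only from the identity provider's own answer to a token lookup and checks that the token was issued to this app. The identity provider is simulated by an in-memory table so the example runs offline; `OUR_APP_ID`, the token strings, the email addresses and the account names are all constructed values.

```python
"""Added example (not from the article or the CUHK researchers): a simulated
third-party app back end that offers "Sign in with <IdP>" and shows the
difference between trusting client-supplied profile data and verifying the
access token with the identity provider (IdP). All tokens, app ids and
user records below are constructed for the demo."""

from typing import Optional

# --- Constructed stand-in for the identity provider's token lookup endpoint.
#     Real IdPs expose this over HTTPS; here it is an in-memory table.
OUR_APP_ID = "app-123"  # assumed: the client id this app registered with the IdP

IDP_TOKENS = {
    # token -> identity the IdP issued that token for
    "tok-victim": {"app_id": OUR_APP_ID, "user_id": "u-001", "email": "victim@example.com"},
    "tok-attacker": {"app_id": OUR_APP_ID, "user_id": "u-002", "email": "attacker@example.com"},
    # a valid token for the victim, but issued to a *different* app
    "tok-other-app": {"app_id": "app-999", "user_id": "u-001", "email": "victim@example.com"},
}


def idp_introspect(access_token: str) -> Optional[dict]:
    """Simulated server-to-server call to the IdP: returns the identity the
    token was issued for, or None if the token is unknown or invalid."""
    return IDP_TOKENS.get(access_token)


# --- The app's own account store, keyed by the email the IdP reports.
APP_ACCOUNTS = {
    "victim@example.com": "account-of-victim",
    "attacker@example.com": "account-of-attacker",
}


def login_vulnerable(client_payload: dict) -> Optional[str]:
    """The pattern the researchers describe: the mobile client forwards the
    profile it got from the IdP SDK and the server logs the user in based on
    that profile, never checking it against the token. Anyone who can alter
    the payload in transit can substitute the victim's email and be logged
    into the victim's account."""
    email = client_payload.get("email")
    return APP_ACCOUNTS.get(email)


def login_hardened(client_payload: dict) -> Optional[str]:
    """Hardened flow: ignore any identity asserted by the client. Resolve the
    identity from the IdP using the access token, and require that the token
    was issued to this app (audience check), so a token obtained by or for a
    different app cannot be replayed here."""
    token = client_payload.get("access_token")
    if not token:
        return None
    info = idp_introspect(token)
    if info is None or info["app_id"] != OUR_APP_ID:
        return None
    # Identity comes only from the IdP's answer, never from client_payload.
    return APP_ACCOUNTS.get(info["email"])


def demo_substitution_attack() -> dict:
    """The attacker holds a valid token for their own IdP account but rewrites
    the profile fields to the victim's (the MITM substitution from the
    article). Returns which account each login path grants."""
    tampered = {
        "access_token": "tok-attacker",      # attacker's own, legitimately issued token
        "email": "victim@example.com",       # substituted profile fields
        "name": "Victim Name",
    }
    return {
        "vulnerable": login_vulnerable(tampered),
        "hardened": login_hardened(tampered),
        "hardened_wrong_audience": login_hardened(
            {"access_token": "tok-other-app", "email": "victim@example.com"}
        ),
    }


if __name__ == "__main__":
    print(demo_substitution_attack())
```

The vulnerable path grants `account-of-victim` for a payload whose only genuine credential belongs to the attacker; the hardened path grants the attacker nothing more than their own account, and rejects a token that was issued to another app even though it names the victim. The practical rule for defenders is the one the researchers point to: the server must treat the token, not the profile fields, as the credential, and must confirm with the identity provider both who the token is for and which app it was issued to.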

The researchers made clear that responsibility lies with the identity providers Google, Facebook and Sina Weibo to give third-party app developers a clear Android app security testing framework.

Codified Security is here to help make your mobile app secure, whether you need iOS or Android app security testing or want to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.