Show simple item record

dc.contributor.author: Ye, Q
dc.contributor.author: Bai, G
dc.contributor.author: Wang, K
dc.contributor.author: Dong, JS
dc.description.abstract: With the boom of social networking, Single Sign-On (SSO) services developed by major commercial service providers such as Facebook, Google and Twitter have been widely adopted by web-based service providers as an alternative authentication scheme. Although much research has focused on browser-based web applications, little has been conducted on the implementation of SSO on mobile platforms. However, we reveal that, because the isolation mechanism for mobile operating systems and applications differs fundamentally from the origin-based isolation in browsers, SSO faces a novel attack surface and new adversarial models. We perform the first formal analysis of the implementation of the most widely used SSO service, Facebook Login. Our study takes as input the available implementation and dynamic execution traces of the Facebook SDK for Android, from which we abstract the implementation-level protocol. The protocol is then modeled in typed pi-calculus and automatically checked against mobile-platform-specific attack models in the protocol verifier ProVerif. Our study has successfully identified a major vulnerability that allows an attacker to steal authentication credentials from victims and log into their Facebook accounts.
dc.publisher: Institute of Electrical and Electronics Engineers (IEEE)
dc.publisher.place: United States of America
dc.relation.ispartofconferencename: ICECCS 2015
dc.relation.ispartofconferencetitle: Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS
dc.relation.ispartoflocation: Gold Coast, Australia
dc.subject.fieldofresearch: Software engineering not elsewhere classified
dc.title: Formal Analysis of a Single Sign-On Protocol Implementation for Android
dc.type: Conference output
dc.type.description: E1 - Conferences
dc.type.code: E - Conference Publications
gro.hasfulltext: No Full Text
gro.griffith.author: Dong, Jin-Song
gro.griffith.author: Bai, Guangdong
