{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T13:48:40Z","timestamp":1762004920300,"version":"3.40.3"},"publisher-location":"Cham","reference-count":35,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319612034"},{"type":"electronic","value":"9783319612041"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-61204-1_16","type":"book-chapter","created":{"date-parts":[[2017,6,25]],"date-time":"2017-06-25T06:02:42Z","timestamp":1498370562000},"page":"313-335","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols"],"prefix":"10.1007","author":[{"given":"Ronghai","family":"Yang","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wing Cheong","family":"Lau","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shangcheng","family":"Shi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2017,6,26]]},"reference":[{"key":"16_CR1","unstructured":"Access token hijacking. https:\/\/developers.facebook.com\/docs\/facebook-login\/security#tokenhijacking"},{"key":"16_CR2","unstructured":"Android account manager. 
http:\/\/developer.android.com\/reference\/android\/accounts\/AccountManager.html"},{"key":"16_CR3","unstructured":"Man in the middle proxy. https:\/\/mitmproxy.org\/"},{"key":"16_CR4","unstructured":"One major Chinese App store. http:\/\/sj.qq.com\/myapp\/category.htm"},{"key":"16_CR5","unstructured":"Sina access token API. http:\/\/open.weibo.com\/wiki\/OAuth2\/access_token"},{"key":"16_CR6","unstructured":"SSL unpinning. https:\/\/github.com\/ac-pm\/SSLUnpinning_Xposed"},{"key":"16_CR7","unstructured":"Social login continues strong adoption (2014). http:\/\/janrain.com\/blog\/social-login-continues-strong-adoption\/"},{"key":"16_CR8","unstructured":"Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: AUTHSCAN: automatic extraction of web authentication protocols from implementations. In: NDSS (2013)"},{"key":"16_CR9","doi-asserted-by":"crossref","unstructured":"Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: IEEE CSF (2012)","DOI":"10.1109\/CSF.2012.27"},{"key":"16_CR10","unstructured":"Chari, S., Jutla, C.S., Roy, A.: Universally composable security analysis of OAuth v2.0. Cryptology ePrint Archive, Report 2011\/526 (2011)"},{"key":"16_CR11","doi-asserted-by":"crossref","unstructured":"Chen, E.Y., Chen, S., Qadeer, S., Wang, R.: Securing multiparty online services via certification of symbolic transactions. In: IEEE S&P (2015)","DOI":"10.1109\/SP.2015.56"},{"key":"16_CR12","doi-asserted-by":"crossref","unstructured":"Chen, E.Y., Pei, Y., Chen, S., Tian, Y., Kotcher, R., Tague, P.: OAuth demystified for mobile application developers. In: ACM CCS (2014)","DOI":"10.1145\/2660267.2660323"},{"key":"16_CR13","doi-asserted-by":"crossref","unstructured":"Mainka, C., Mladenov, V., Schwenk, J., Wich, T.: SoK: Single Sign-On security - an evaluation of OpenID Connect. 
In: IEEE EuroS&P (2017)","DOI":"10.1109\/EuroSP.2017.32"},{"key":"16_CR14","doi-asserted-by":"crossref","unstructured":"Denniss, W., Bradley, J.: OAuth 2.0 for native apps (2016)","DOI":"10.17487\/RFC8252"},{"key":"16_CR15","volume-title":"Android Security Internals: An In-Depth Guide to Android\u2019s Security Architecture","author":"N Elenkov","year":"2014","unstructured":"Elenkov, N.: Android Security Internals: An In-Depth Guide to Android\u2019s Security Architecture. No Starch Press, San Francisco (2014)"},{"key":"16_CR16","doi-asserted-by":"crossref","unstructured":"Fett, D., K\u00fcsters, R., Schmitz, G.: An expressive model for the web infrastructure: definition and application to the browser ID SSO system. In: IEEE S&P (2014)","DOI":"10.1109\/SP.2014.49"},{"key":"16_CR17","doi-asserted-by":"crossref","unstructured":"Fett, D., K\u00fcsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: ACM CCS (2016)","DOI":"10.1145\/2976749.2978385"},{"key":"16_CR18","doi-asserted-by":"crossref","unstructured":"Hardt, D.: The OAuth 2.0 authorization framework (2012)","DOI":"10.17487\/rfc6749"},{"key":"16_CR19","unstructured":"Homakov, E.: The Achilles Heel of OAuth or Why Facebook Adds Special Fragment (2013)"},{"key":"16_CR20","doi-asserted-by":"crossref","unstructured":"Hu, P., Yang, R., Li, Y., Lau, W.C.: Application impersonation: problems of OAuth and API design in online social networks. In: ACM Conference on Online Social Networks, COSN (2014)","DOI":"10.1145\/2660460.2660463"},{"key":"16_CR21","doi-asserted-by":"crossref","unstructured":"Li, W., Mitchell, C.J.: Analysing the security of Google\u2019s implementation of OpenID Connect. 
In: SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA (2016)","DOI":"10.1007\/978-3-319-40667-1_18"},{"key":"16_CR22","doi-asserted-by":"crossref","unstructured":"Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations (2013)","DOI":"10.17487\/rfc6819"},{"key":"16_CR23","unstructured":"Mladenov, V., Mainka, C., Krautwald, J., Feldmann, F., Schwenk, J.: On the security of modern Single Sign-On protocols: OpenID Connect 1.0. CoRR abs\/1508.04324 (2015)"},{"key":"16_CR24","doi-asserted-by":"crossref","unstructured":"Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using Alloy framework. In: IEEE International Conference on Communication Systems and Network Technologies, CSNT (2011)","DOI":"10.1109\/CSNT.2011.141"},{"key":"16_CR25","unstructured":"Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C.: OpenID Connect core 1.0. The OpenID Foundation (2014)"},{"key":"16_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/978-3-319-20550-2_13","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"E Shernan","year":"2015","unstructured":"Shernan, E., Carter, H., Tian, D., Traynor, P., Butler, K.: More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 239\u2013260. Springer, Cham (2015). doi:10.1007\/978-3-319-20550-2_13"},{"key":"16_CR27","doi-asserted-by":"crossref","unstructured":"Sun, S., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. 
In: ACM CCS (2012)","DOI":"10.1145\/2382196.2382238"},{"key":"16_CR28","doi-asserted-by":"crossref","unstructured":"Wang, H., Zhang, Y., Li, J., Gu, D.: The achilles heel of OAuth: a multi-platform study of OAuth-based authentication. In: ACM ACSAC (2016)","DOI":"10.1145\/2991079.2991105"},{"key":"16_CR29","doi-asserted-by":"crossref","unstructured":"Wang, H., Zhang, Y., Li, J., Liu, H., Yang, W., Li, B., Gu, D.: Vulnerability assessment of OAuth implementations in Android applications. In: ACM ACSAC (2015)","DOI":"10.1145\/2818000.2818024"},{"key":"16_CR30","doi-asserted-by":"crossref","unstructured":"Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed Single-Sign-On web services. In: IEEE S&P (2012)","DOI":"10.1109\/SP.2012.30"},{"key":"16_CR31","doi-asserted-by":"crossref","unstructured":"Wang, R., Xing, L., Wang, X., Chen, S.: Unauthorized origin crossing on mobile platforms: threats and mitigation. In: ACM CCS (2013)","DOI":"10.1145\/2508859.2516727"},{"key":"16_CR32","unstructured":"Xing, L., Chen, Y., Wang, X., Chen, S.: InteGuard: toward automatic protection of third-party web service integrations. In: NDSS (2013)"},{"key":"16_CR33","doi-asserted-by":"crossref","unstructured":"Yang, R., Lee, G., Lau, W.C., Zhang, K., Hu, P.: Model-based security testing: an empirical study on OAuth 2.0 implementations. In: ACM ASIACCS (2016)","DOI":"10.1145\/2897845.2897874"},{"key":"16_CR34","doi-asserted-by":"crossref","unstructured":"Ye, Q., Bai, G., Wang, K., Dong, J.S.: Formal analysis of a Single Sign-On protocol implementation for Android. In: International Conference on Engineering of Complex Computer Systems, ICECCS (2015)","DOI":"10.1109\/ICECCS.2015.20"},{"key":"16_CR35","unstructured":"Zhou, Y., Evans, D.: SSOScan: automated testing of web applications for Single Sign-On vulnerabilities. 
In: USENIX (2014)"}],"container-title":["Lecture Notes in Computer Science","Applied Cryptography and Network Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-61204-1_16","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,26]],"date-time":"2022-06-26T00:04:40Z","timestamp":1656201880000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-61204-1_16"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319612034","9783319612041"],"references-count":35,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-61204-1_16","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2017]]},"assertion":[{"value":"26 June 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ACNS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Applied Cryptography and Network Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Kanazawa","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Japan","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10 July 2017","order":7,"name":"conference_start_date","label":"Conference Start 
Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12 July 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"acns2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/cy2sec.comm.eng.osaka-u.ac.jp\/acns2017\/index.html","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}