Protecting Against OAuth Hacks

In this latest reported OAuth 2.0 hack entitled “One OAuth 2.0 hack, 1 Billion Android App Accounts potentially exposed“, it has been discovered that:

“…A remote simple hack devised by a group of security researchers threatens an amazing number of Android and iOS apps. An attacker can use the technique to sign into any victim’s mobile app account without any knowledge of the legitimate user…”

The Forum Sentry API Security Gateway implements OAuth end-to-end and is not vulnerable to this recently reported vulnerability. The reality is this hack pertains to mobile app vendors who do not use an API Security Gateway like Forum Sentry but instead design and build their own OAuth implementation relying on the insecure mobile device, where tampering can bypass security. In this case, the flawed mobile app uses OAuth to initially obtain front-end authorization but fails to use OAuth in properly securing user identification and the application back-end.

Unfortunately, this is only one of many common developers–centric mistakes we see on a regular basis. For example, in some cases, OAuth identity providers return unsecured user data and/or a signed OpenID token in addition to the OAuth access token. These mobile apps then mistakenly rely on the unsecured user data or fail to verify the OpenID signature. The Forum Sentry API Security Gateway, on the other hand only returns an access token that is tamper-proof, with no risk of the mobile app relying on the unverified information.

Another common mistake in developer-centric OAuth security is that some mobile clients validate the access token or verify the OpenID signature locally on the insecure mobile device before passing the user identity unsecured to the back-end application. Whereas, when using Forum Sentry, the back-end communication and identity are properly secured using the OAuth access token.

It continues to be unfortunate for organizations to learn the hard way not to rely on developer-centric security. Relying on developers to secure your applications and data is a losing battle. Sure, many times they may get it right, but it is the times they get it wrong that should be concerning. Having an API Security Gateway in the architecture protects your applications and data and provides a secure architecture to develop apps against rather than try to build security at the end-mile.

To learn more about the Forum Sentry API Security Gateway or about API security contact us