Signing into secure websites with Facebook or Google is awfully convenient—especially when using a mobile device. But widespread, incorrect usages of a foundational technology by third-party mobile app developers gives hackers almost-effortless access to more than one billion apps and millions of devices.

A study from Ronghai Yang, Wing Cheong Lau and Tianyu Liu of the University of Hong Kong shows that implementation flaws with the OAuth2.0 protocol can be exploited remotely to sign into a victim’s mobile app account without any involvement or awareness of the victim.

OAuth has been widely adopted by mainstream identity providers (IdPs) to support single-sign-on service—yet it doesn’t specify how it can securely interact with third parties. This has led to a number of bespoke implementations, many of them rife with flaws.

“Unfortunately, the implicit security assumptions and operational requirements of such home-brewed adaptations/APIs are often not clearly documented or well-understood by the third-party mobile app developers,” the researchers wrote in the paper. “Worse still, there is also a lack of security-focused SSO-API-usage-guidelines for the third-party app developers.”

The researchers examined 600 top US and Chinese mobile apps that leverage OAuth 2.0 APIs from Facebook, Google and China’s Sina to authenticate users. They found that 41.2% percent of them—which collectively have been downloaded 2.4 million times—can be compromised.

The vector is an attacker-owned SSL man-in-the-middle proxy that allows hackers to sign into a victim’s app using their own credentials. Once the hackers are in, they can use these popular dating, travel, shopping, hotel booking, finance, chat, music and news apps for a range of nefarious deeds, including making free phone calls and making fraudulent purchases.

“After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information (chat logs, photos, contact lists) which is hosted by the backend server(s) of the vulnerable mobile app,” wrote researchers “For some of these mobile applications, the online-currency/service credits associated with the victim’s account are also at the disposal of the attacker.”

The researchers said that they have reported the findings to the affected IdPs, and have received their acknowledgements in various ways, so hopefully much of this will be cleaned up soon.

Photo © tanuha2001/Shutterstock.com