DOCSLIB.ORG

The Technology Supporting Mobile Devices Moves Pretty Quickly. to Keep You up to Date with Developments in the Mobile Security F

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Technology Supporting Mobile Devices Moves Pretty Quickly. to Keep You up to Date with Developments in the Mobile Security F The technology supporting mobile devices moves pretty quickly. To keep you up to date with developments in the mobile security field, we have developed this interim update to accompany your SANS SEC575 course materials. Joshua Wright [email protected] @joswr1ght 1/31/2018 New in iOS 11 With iOS 11 we have several new security features and support for new hardware. Specifically, iOS 11 is the major software release to support the iPhone 8, 8+, and X (pronounced "ten"). iOS 11 supports several new features as well: • Native Screen Recording: iOS 11 supports native screen recording functionality, accessible from a control center option, and as a programmatic API in the ReplayKit library (RPScreenRecorder.startCapture()). When a screen recording is active, iOS places a red banner at the top of the screen that the user can tap on to stop the recording. When the recording is finished, it is saved to the Camera Roll. This feature could be used to record visible screen contents outside of the standard application functionality, but would only be accessible to the malicious application if it also has the Camera Roll privilege. • Offload Unused Apps: iOS 11 can also automatically remove applications that are not used from the device as a storage-saving measure. When the application is invoked again, the device downloads it on-demand from the iTunes app store. When an app is removed automatically, the data itself is retained on the device until the app is reinstalled and uninstalled manually. • App Password Autofill: Mobile Safari has had iCloud synchronization for login credentials since iOS 9, but this password autofill functionality has been limited to Mobile Safari. With iOS 11, password autofill is also extended to any application that designed to use this functionality (as shown on this page for the Twitter application, having obtained the password from iCloud storage following a visit to Twitter with Mobile Safari). When the user chooses to populate a password with autofill, they must authenticate to the device using Touch ID or Face ID. App password autofill is not limited to iCloud synchronization; password managers such as OnePass or 1Password can also be extended to take advantage of this functionality as a credential provider instead of only getting password from iCloud storage. Face ID Bypass With the loss of a home button on the iPhone X, Apple introduced Face ID as a new biometric authentication option. Face ID uses infrared light to illuminate a subject's face, comparing observed subdermal facial geometry with movement to stored biometric information. Apple indicates that Face ID is also motion aware, requiring the user blink or produce other facial movements that would not be available in a still subject (https://www.forbes.com/sites/quora/2017/09/13/how-does-apples-new-face-id-technology-work). Shortly after the release of the iPhone X, several YouTube videos started gaining popularity where identical twins could unlock each other's iPhone X devices, as well as close relatives (a mother and son pair demonstrate an unlock event at https://www.youtube.com/watch?v=dUMH6DVYskc). However, the iPhone X Face ID feature "learns" with each subsequent unlock (to allow for changes in a face over time, such as growing a beard) so it is not clear if these unlock events are shortcomings in Face ID or intended functionality with trained devices. In November 2017, Ngo Tuan Anh, Vice President of Bkav a computer security firm in Vietnam demonstrated to reporters that he was able to produce a mask capable of evading Face ID. Anh built the mask from paper tape, a silicon node, and paper eyes along with a framework designed on a 3D printer for $150. Anh indicated that the mask took a week to build such that it would bypass Face ID recognition and unlock a device (Image source: https://www.reuters.com/article/us-apple-vietnam-hack/vietnamese-researcher-shows-iphone-x-face-id- hack-idUSKBN1DE1TH). In practice, it is unlikely that Face ID bypass will be a practical attack technique for an adversary. Apple limits attempts to unlock an iPhone X with Face ID to 5; after 5 failed attempts, the device will require the user to enter the secondary authentication credential (a password or a PIN). While media reports indicate that Face ID bypass is possible, a targeted attack (where you intend to unlock a specific device) is unlikely to be successful with this 5 attempt limitation. Emergency SOS iOS 11 introduces a new feature called Emergency SOS where the user can disable biometric authentication and get a shortcut to place an emergency call (or immediately place an emergency call if configured to do so) by pressing the power button 5 times rapidly on the iPhone 7/7+ and earlier or by pressing and holding the side button while holding volume up or down on the iPhone 8, 8+, or X. When the user activates emergency SOS, even if an emergency call is not placed, the iOS device will disable biometric authentication access, requiring the user to enter the secondary authentication credential to unlock the device. This could be seen as a tiny snub to US law enforcement agencies and courts that say that biometric data is not protected by the US Constitution 5th amendment (the 5th amendment of the US Constitution is part of the Bill of Rights that protects individuals from being compelled to be witnesses against themselves in criminal cases). Essentially, lower courts in the US have ruled that biometric information is not protected, and a suspect can be forced to unlock an iOS device using a fingerprint or face scan. An individual about to be apprehended could trigger the emergency SOS feature, preventing the device from unlocking using biometric information. Intelligent Tracking Prevention (ITP) iOS 11 also takes steps to defend against cookie tracking using Intelligent Tracking Prevention (ITP). To understand ITP, we have to first differentiate the concept of first-party and third-party cookies. A first-party cookie is set when a user visits a website (either through a browser or app with a WebView) and the server returns a Set-Cookie response header. A third-party cookie is set when a user visits a website (browser or WebView), and the linked content generates additional requests to new websites (such as when you browse to cnn.com, and cnn.com links to an image on facebook.com). If the subsequent requests are returned with Set-Cookie headers, the cookies are known as third-party. With ITP, iOS applies different policies to cookies whether they are first-party or third-party. A third-party cookie is disabled after 24 hours if it is intended for user tracking purposes (the nature of the intent is not clear in the Apple documentation). First-party cookies are purged if the website that issued the cookie has not been visited within 30 days. Following this feature announcement from Apple, advertisers expressed discontent with the change, indicating that the change would hamper their ability to deliver a positive user experience that supplies desirable advertising to users (https://www.pmxagency.com/blog/2017/09/ios-11-intelligent-tracking-prevention-means- marketers). Many advertisers quickly responded to the change by refactoring how cookies are delivered. For example, Google Analytics' __gac cookie was formerly delivered by googleadservices.com (a third-party for most users), but has been changed such that it is delivered from the first-party site instead to "accurately understand attribution and campaign performance" (https://www.pmxagency.com/blog/2017/09/ios-11- intelligent-tracking-prevention-means-marketers/). iOS 11 Location Services Permission Change Prior to iOS 11, an app could dictate how the location privilege prompt is displayed to users, limiting the choice for users to allow or deny access to location services (shown on the left of the image on this page). iOS has supported a third option for privilege services, "only while using the app", but that option was not always accessible depending on how the developer write the app. With iOS 11, Apple will display the three location services options when the app attempts to access location services without the developer's ability to suppress the "while using" option. This change provides the user with more flexibility is how they grant location access to applications. Files App Also new in iOS 11 is a native file management app. Though long eschewed by Apple, Android feature parity warranted the introduction of a file manager that replaces the former iCloud Drive app, allowing the user to manage files from native and third-party cloud storage providers, as well as limited local storage (primarily the photo reel and deleted items folders). Third-party apps can leverage the Files app API set to read files from other cloud storage providers through the Files app. This creates the possibility for the Google Drive app to read files belonging to another third-party app stored in Dropbox or any other cloud storage provider. Instead of using a permission restriction to indicate which apps can read what files, the iOS 11 platform requires that all access to files is user-gated (that is, the user must choose the files they wish to share after initiating a Browse action as shown on this page). Apps are not allows to silently access data stored in cloud providers accessible to the Files app. iOS 11 SSL/TLS Changes iOS 11 also introduces new SSL/TLS changes that will affect developers and hosting providers while improving network transport security for end-users. With iOS 11, TLSv1.2 is the default preferred crypto capability negotiated in all secure HTTP requests (when the URLSession, URL, URLRequest, and NSURLConnection libraries are used; other third-party libraries may not also enforce this same crypto requirement).
Load more

Recommended publications
  • The Definitive Guide to Data-Driven Attribution Explore Marketing Performance Measurement Best Practices
    WHITE PAPER | Google Attribution 360 The definitive guide to data-driven attribution Explore marketing performance measurement best practices Google Inc. [email protected] g.co/360suite The definitive guide to data-driven attribution 1 WHITE PAPER | Google Attribution 360 Opportunities for Growth Data-driven attribution helps marketers know more and guess less. If your organization is still focused on crediting only the last touch point for your marketing success, you may be leaving up to 20%-40% of potential return on investment (ROI) on the table.1 This marketing performance measurement best practice offers an unprecedented level of visibility into the customer journey. It helps marketers make fact-based decisions, 5xTop-performing marketing organizations are five times more gain efficiencies, and realize greater returns on marketing investments. likely to use advanced attribution. This introduction to data-driven attribution will explain how and if data-driven attribution tools can help you move your marketing forward. We’ll cover the questions attribution 54% can help answer, how to find the right tool, and tips and tricks on getting started with By contrast, 54% of marketer still a data-driven attribution program. credit the last-click, only. What is attribution? 20–30% Summary: Assumptions about how marketing activities impact customers lead to a Decrease in effective display and retargeting CPA. misinformed marketing strategy. Data-driven attribution reveals the real path-to-purchase, allowing you to fine-tune strategies based on real customer behavior. 25–50% Attribution is the practice of tracking and valuing all marketing touch points that lead to Decrease in level of effort to pull, aggregate, and distribute a desired outcome.
    [Show full text]
  • Detecting and Exploiting Misexposed Components of Android Applications
    POLITECNICO DI TORINO Corso di Laurea in Ingegneria Informatica Tesi di Laurea Magistrale Detecting and exploiting misexposed components of Android applications Relatori prof. Antonio Lioy prof. Ugo Buy Francesco Pinci December 2018 To my parents, my sister, and my relatives, who have been my supporters throughout my entire journey, always believing in me, and providing me with continous encouragement. This accomplishment would not have been possible without them. Thank you. Summary Smartphones and tablets have become an essential element in our everyday lives. Everyone use these devices to send messages, make phone calls, make payments, manage appointments and surf the web. All these use cases imply that they have access to and collect user sensitive information at every moment. This has attracted the attention of attackers, who started targetting them. The attraction is demon- strated by the continuous increase in the sophistication and number of malware that has mobile devices as the target [1][2]. The Android project is an open-source software which can be downloaded and studied by anyone. Its openness has allowed, during the years, an intensive in- spection and testing by developers and researches. This led Google to constantly updating its product with new functionalities as well as with bug fixes. Various types of attacks have targetted the Android software but all of them have been mitigated with the introduction of new security mechanisms and extra prevention methods. Starting from September 2018, 16 major versions of the OS have been realized, reducing incredibly the attack surface exposed by the system. The application ecosystem developed by the Android project is a key factor for the incredible popularity of the mobile devices manufactured and sold with the OS.
    [Show full text]
  • Choosing the Right Digital Device
    Choosing the Right Digital Device Image: Core Education This guide will provide you with information that will help you as you decide which devices to choose for your school. It is important to consider not just the devices but how your students and teachers use them and which device is best for which sorts of activities for effective teaching and learning. It will also be useful for schools providing advice to parents about which type of device to purchase for a BYOD environment. This guide is intended for School Leaders, e-learning leaders and technical support staff. It is not necessary to have a background in technology but it is important to have a good pedagogical understanding of why you want to use digital devices and what your learning outcomes are. Overall, to make a choice, you should: 1 - Be clear about purpose 2 - Weigh up options and make decisions 3 - Implement, support and evaluate Choosing the right digital device 1 of 15 Contents Are you clear about the purpose? What features do you need? Health considerations How will you implement, support and evaluate ? Useful Links Appendix - Shared Use of Devices Once you have read this guide you are welcome to contact the Connected Learning Advisory to get more personal assistance. We aim to provide consistent, unbiased advice and are free of charge to all state and state-integrated New Zealand schools and kura. Our advisors can help with all aspects outlined in this guide as well as provide peer review of the decisions you reach before you take your next steps.
    [Show full text]
  • Realizing Elastic Design Principles for User Exploration in Bayesian Analysis
    Realizing Elastic Design Principles for User Exploration in Bayesian Analysis Master’s Thesis submitted to the Media Computing Group Prof. Dr. Jan Borchers Computer Science Department RWTH Aachen University by Devashish Jasani Thesis advisor: Prof. Dr. Jan Borchers Second examiner: Dr. Matthias Kaiser, SAP SE Registration date: 01.07.2016 Submission date: 13.02.2017 Eidesstattliche Versicherung ___________________________ ___________________________ Name, Vorname Matrikelnummer Ich versichere hiermit an Eides Statt, dass ich die vorliegende Arbeit/Bachelorarbeit/ Masterarbeit* mit dem Titel __________________________________________________________________________ __________________________________________________________________________ __________________________________________________________________________ selbständig und ohne unzulässige fremde Hilfe erbracht habe. Ich habe keine anderen als die angegebenen Quellen und Hilfsmittel benutzt. Für den Fall, dass die Arbeit zusätzlich auf einem Datenträger eingereicht wird, erkläre ich, dass die schriftliche und die elektronische Form vollständig übereinstimmen. Die Arbeit hat in gleicher oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegen. ___________________________ ___________________________ Ort, Datum Unterschrift *Nichtzutreffendes bitte streichen Belehrung: § 156 StGB: Falsche Versicherung an Eides Statt Wer vor einer zur Abnahme einer Versicherung an Eides Statt zuständigen Behörde eine solche Versicherung falsch abgibt oder unter Berufung auf eine solche Versicherung
    [Show full text]
  • Maximizing Conversion Value with Marketing Analytics and Machine Learning a Braintrust Insights Case Study
    Maximizing Conversion Value with Marketing Analytics and Machine Learning A BrainTrust Insights Case Study Executive Summary The promise of digital marketing and the democratization of publishing tools was to put all brands on equal footing. The brands with the most skill at digital marketing and content creation would win, regardless of size. As advertising crept into the Internet, larger companies seized the advantage with big budgets and resources. However, the introduction of machine learning technology is leveling the playing field once more. Bigger brands, plagued with inertia and aging infrastructure, are not able to adopt new technologies as quickly, creating an opening for more nimble companies to use machine learning to seize market share. With machine learning, attribution analysis is more precise and nuanced; brands will understand the true impact of digital marketing channels, even with dozens or hundreds of steps leading to a conversion. Once a brand understands what truly drives business impact, it can extend its advantage using machine learning and predictive analytics to forecast likely business outcomes. Predictive forecasts give us a starting point, a roadmap for planning that’s truly data-driven. Instead of guessing when things are likely to happen in general, predictive analytics give us specificity, granularity to allocate budget and resources with precision. Nimble brands spend only when they need to, only when they are likely to generate outsized returns. Finally, predictive analytics and machine learning help us to understand what will be on the minds of our customers and when, allowing us to create strategies, tactics, and plans of execution that astonish and delight customers.
    [Show full text]
  • EPIC FTC Google Purchase Tracking Complaint
    Before the Federal Trade Commission Washington, DC In the Matter of ) ) Google Inc. ) ) ___________________________________) Complaint, Request for Investigation, Injunction, and Other Relief Submitted by The Electronic Privacy Information Center (EPIC) I. Introduction 1. This complaint concerns “Store Sales Measurement,” a consumer profiling technique pursued by the world’s largest Internet company to track consumers who make offline purchases. Google has collected billions of credit card transactions, containing personal customer information, from credit card companies, data brokers, and others and has linked those records with the activities of Internet users, including product searches and location searches. This data reveals sensitive information about consumer purchases, health, and private lives. According to Google, it can track about 70% of credit and debit card transactions in the United States. 2. Google claims that it can preserve consumer privacy while correlating advertising impressions with store purchases, but Google refuses to reveal—or allow independent testing of— the technique that would make this possible. The privacy of millions of consumers thus depends on a secret, proprietary algorithm. And although Google claims that consumers can opt out of being tracked, the process is burdensome, opaque, and misleading. 3. Google’s reliance on a secret, proprietary algorithm for assurances of consumer privacy, Google’s collection of massive numbers of credit card records through unidentified “third-party partnerships,” and Google’s use of an opaque and misleading “opt-out” mechanism are unfair and deceptive trade practices subject to investigation and injunction by the FTC. II. Parties 4. The Electronic Privacy Information Center (“EPIC”) is a public interest research center located in Washington, D.C.
    [Show full text]
  • Google Analytics Attribution Report
    Google Analytics Attribution Report Abortional or mail-clad, Arvie never belays any Thessaly! Centralizing and anaesthetic Gideon pents his ponds reverberated lusters round-the-clock. Gingerly blathering, Marcelo disobey Rachmaninoff and brawl recovery. Depending on x has been made readily available, analytics report is type: this will be. Does a project can balance among every preceding that looks at based. Select an optimal value of your rules and show up to do then? Just wanted the debate your soil on Jeroens comment a little. How did she figure this? Thank web sdk users have plenty of strings represents reality. Chris shares tips and techniques to help marketers track sales attribution. The single common question to distinct yourself when tracking scroll depth in GA is: How relevant people scroll your website at all? Google ads product several years, and run ecommerce is it must choose an attribution is. In your future media on! How that how that ran, analytics attribution report is that? This allows businesses with your sales data? So how magnificent this information be helpful? In analytics report on facebook really helped me to analyze all interactions that scale winner and more depth benchmarks based on, you can do. This is quite true. Where google analytics goals feature is especially for all of conversions that we reaffirmed our partners, shows the best? No credit card required. There is why does attribution is a value is critical, google analytics work for campaigns are new url attributed to google ads or subsequent marketing en función del marketing. This is soft, but what I best love via this section is boil it also allows you always view the device paths that lead led a conversion happening, similar to conversion paths in analytics, but with devices instead of marketing channels.
    [Show full text]
  • REGULAR MONTHLY BOARD MEETING March 28, 2017 7:00 PM
    REGULAR MONTHLY BOARD MEETING March 28, 2017 7:00 PM Educational Support Center Board Meeting Room 3600-52nd Street Kenosha, Wisconsin This page intentionally left blank Regular School Board Meeting March 28, 2017 Educational Support Center 7:00 PM I. Pledge of Allegiance II. Roll Call of Members III. Awards/Recognition A. KUSD Elementary Spelling Bee Winners B. KUSD Middle School Spelling Bee Winners C. Future Business Leaders of America Regional Leadership Conference Award Winners (Bradford & Tremper) D. Exchange Club of Kenosha A.C.E. Award Recipient IV. Administrative and Supervisory Appointments V. Introduction and Welcome of Student Ambassador VI. Legislative Report VII. Views and Comments by the Public VIII. Response and Comments by Board Members (Three Minute Limit) IX. Remarks by the President X. Superintendent’s Report XI. Consent Agenda A. Consent/Approve 4 Recommendations Concerning Appointments, Leaves of Absence, Retirements, Resignations and Separations B. Consent/Approve 5 Minutes of 2/23/17, 2/28/17 and 3/7/17 Special Meetings and Executive Sessions, 2/23/17, 3/6/17 and 3/7/17 Special Meetings, and 2/28/17 Regular Meeting C. Consent/Approve 20 Summary of Receipts, Wire Transfers and Check Registers D. Consent/Approve 27 Changes to Building Permit Fees & Regulations and Board Policies 1330 & 1331 (Second Reading) E. Consent/Approve 45 School Board Policies Update - Employee Handbook (Second Reading) XII. Old Business A. Discussion/Action 134 Employee Health Clinic Cost Savings Option XIII. New Business A. Discussion/Action 138 Resolution No. 331 Authorizing a State Trust Fund Loan in the Amount of $16,355,000 for Energy Efficiency Projects B.
    [Show full text]
  • Liquid Web Applications
    Liquid Web Applications Design and Implementation of the Decentralized Cross-Device Web Doctoral Dissertation submitted to the Faculty of Informatics of the Università della Svizzera Italiana in partial fulfillment of the requirements for the degree of Doctor of Philosophy presented by Andrea Gallidabino under the supervision of Prof. Cesare Pautasso June 2020 Dissertation Committee Prof. Maristella Matera Politecnico di Milano, Italy Prof. Tommi Mikkonen University of Helsinki, Finland Prof. Marc Langheinrich Università della Svizzera italiana, Lugano, Switzerland Prof. Michele Lanza Università della Svizzera italiana, Lugano, Switzerland Dissertation accepted on 25 June 2020 Research Advisor PhD Program Director Prof. Cesare Pautasso Prof. Dr. Walter Binder, Prof. Dr. Silvia Santini i I certify that except where due acknowledgement has been given, the work presented in this thesis is that of the author alone; the work has not been submit- ted previously, in whole or in part, to qualify for any other academic award; and the content of the thesis is the result of work which has been carried out since the official commencement date of the approved research program. Andrea Gallidabino Lugano, 25 June 2020 ii Learn this lesson, that to be self-contented is to be vile and ignorant, and to aspire is better than to be blindly and impotently happy. Edwin A. Abbott iii iv Abstract Web applications are traditionally designed having in mind a server-centric ar- chitecture, whereby the whole persistent data, dynamic state and logic of the application are stored and running on a Web server. The clients running in the Web browsers traditionally render only pre-computed views fetched from the server.
    [Show full text]
  • Building the Polargrid Portal Using Web 2.0 and Opensocial
    Building the PolarGrid Portal Using Web 2.0 and OpenSocial Zhenhua Guo, Raminderjeet Singh, Marlon Pierce Community Grids Laboratory, Pervasive Technology Institute Indiana University, Bloomington 2719 East 10th Street, Bloomington, Indiana 47408 {zhguo, ramifnu, marpierc}@indiana.edu ABSTRACT service gateway are still useful, it is time to revisit some of the Science requires collaboration. In this paper, we investigate the software and standards used to actually build gateways. Two feasibility of coupling current social networking techniques to important candidates are the Google Gadget component model science gateways to provide a scientific collaboration model. We and the REST service development style for building gateways. are particularly interested in the integration of local and third Gadgets are attractive for three reasons. First, they are much party services, since we believe the latter provide more long-term easier to write than portlets and are to some degree framework- sustainability than gateway-provided service instances alone. Our agnostic. Second, they can be integrated into both iGoogle prototype use case for this study is the PolarGrid portal, in which (Google’s Start Page portal) and user-developed containers. we combine typical science portal functionality with widely used Finally, gadgets are actually a subset of the OpenSocial collaboration tools. Our goal is to determine the feasibility of specification [5], which enables developers to provide social rapidly developing a collaborative science gateway that networking capabilities. Standardization is useful but more incorporates third-party collaborative services with more typical importantly one can plug directly into pre-existing social networks science gateway capabilities. We specifically investigate Google with millions of users without trying to establish a new network Gadget, OpenSocial, and related standards.
    [Show full text]
  • Insideradio.Com
    800.275.2840 MORE NEWS» insideradio.com THE MOST TRUSTED NEWS IN RADIO WEDNESDAY, JANUARY 7, 2015 Radio 2015: Big ideas on the Washington agenda. It will be the year of copyrights, predicts one radio industry lobbyist, as a new Republican-controlled Congress takes over and big issues dominate the agenda. Inside-the-Beltway players say the issue for 2015 will be how far lawmakers can get with their lofty goals, a list that includes many potential pitfalls for radio. While radio royalties may win the prize for best staying power across multiple sessions, radio’s biggest challenge in the 114th Congress may have nothing to do with music. “The fallout from the election strongly suggests that tax reform is one of the first things that are going to be on the table,” says Dan Jaffe, head of the Association of National Advertisers’ government relations office in Washington. It’s one of the few areas where there seems to be agreement between the White House and Capitol Hill, with an interest in, at the very Radio 2015: All this least, stretching out the timeline for marketers looking to deduct their advertising expense. Tax reform week Inside Radio will examine the also polls well with voters. “It’s the biggest threat to the ad deduction ever,” Jaffe warns. A coalition biggest issues facing of groups is working the backrooms of Congress, trying to maintain the status quo. But with an issue broadcasters, along that crosses partisan lines, no one is ready to predict which way a tax reform bill could come together.
    [Show full text]
  • On the Security of Single Sign-On
    On the Security of Single Sign-On Vladislav Mladenov (Place of birth: Pleven/Bulgaria) [email protected] 30th June 2017 Ruhr-University Bochum Horst G¨ortz Institute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum First Supervisor: Prof. Dr. rer. nat. J¨org Schwenk Second Supervisor: Prof. Dr.-Ing. Felix Freiling www.nds.rub.de Abstract Single Sign-On (SSO) is a concept of delegated authentication, where an End- User authenticates only once at a central entity called Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthenti- cation. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified. There exist different SSO protocols, which are implemented as open source libraries or integrated in commercial products. Google, Facebook, Microsoft and PayPal belong to the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. A starting point for this research is the development of a new concept called malicious IdP, where a maliciously acting IdP is used to attack SSO. Generic attack classes are developed and categorized according to the requirements, goals, and impact. These attack classes are adapted to different SSO proto- cols, which lead to the discovery of security critical vulnerabilities in Software- as-a-Service Cloud Providers, eCommerce products, web-based news portals, Content-Management systems, and open source implementations.
    [Show full text]