[Event Preview] Yuan Tian: 1000 Ways to Die in Mobile OAuth: A Security Analysis of OAuth in Mobile Applications

Talk title: 1000 Ways to Die in Mobile OAuth

Speaker: Yuan Tian, Ph.D. student, Carnegie Mellon University


Location: Room 3-225, FIT Building, Tsinghua University





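Yuan Tian is a Ph.D. student at Carnegie Mellon University. Her research interests are system security and usable security, and her current research focuses on mobile security and Internet of Things security. Her security research has been published at conferences including Oakland, CCS, and NDSS, and has been adopted by a number of companies in industry, such as Google, Facebook, Samsung, and Dropbox. Her honors include Rising Stars in EECS 2016 and an IBM Fellowship. She has interned at Microsoft Research, Facebook, and Samsung Research, and was previously a member of the Network and Information Security Lab at Tsinghua University.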





Speaker: Yuan Tian, Ph.D. candidate at Carnegie Mellon University

Title: 1000 Ways to Die in Mobile OAuth


OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs of websites. However, in practice the protocol has been repurposed for mobile applications and for authentication. We conduct an in-depth study of OAuth for mobile applications, and the result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. Our study is acknowledged by many companies, including Facebook and Dropbox. In this talk, I’ll show several representative cases to concretely explain how real implementations fell into these pitfalls, and also pinpoint the key portions in each OAuth protocol flow that are security critical.


Yuan is a Ph.D. candidate at Carnegie Mellon University. Her research interests involve security and privacy and their interactions with systems, networking, and human-computer interaction. Her current research focuses on developing new technologies for protecting user privacy, particularly in the areas of mobile systems and the Internet of Things. Her previous work on mobile and web security and privacy has been adopted by Google, Facebook, Microsoft, Samsung, Dropbox and others. She has interned at Microsoft Research, Facebook, Samsung Research, and NISL at Tsinghua University. She was awarded Rising Stars in EECS 2016 and Black Hat Future Female Leaders 2015. She was a recipient of the IBM Fellowship and was on the final list for the Microsoft Research Fellowship and the Qualcomm Innovation Fellowship.

