MASTER
Workshop Room in Joyce Entrepreneurship CentreWindsor, ON, Canada
 
 

Cybersecurity Breakfast Talk with Elaheh Samani

By WiCyS Windsor (other events)

Friday, September 27 2019 10:00 AM 11:30 AM
 
ABOUT ABOUT

This event is sponsored by University of Windsor - School of Computer Science and WeTech Alliance

**** A great opportunity for everyone to listen from a Cybersecurity industry professional ****

Biography of Keynote Speaker Elaheh Samani, Senior Security Researcher at Symantec:


Elaheh Samani is a security researcher specializing in malware and software reverse engineering. She's been part of Symantec’s Modern OS Security (MOS) team researching threats targeting mobile users. Prior to that, she was a member of Tailored Reverse Engineer Expertise team of Google Chrome in Montreal. She has been involved in the development of various network security projects for more than 8 years.


Title: OAUTH2 for mobile apps, what could go wrong? 
Abstract:


OAuth is a popular authorization schema used by many iOS and Android apps to delegate user authentication and authorization to a known third-party entity such as Google, Facebook or LinkedIn. When users grant an app to access their Gmail account or GDrive, they normally only expect limited access. But there are several functionalities one can do with the access even when the user is not using the app, which often comes as a surprise to the user. It is mostly because users are not aware of the amount of data that an application can access while they are offline, as well as the consequences of sharing that data with the application. Depending on the requested permissions and access type, an app can essentially keep the user authenticated forever and access their protected resources such as Gmail, Gdrive, or Calendar. With no built-in security in OAuth, it is mostly the app developer’s responsibility to prevent unauthorized access or authorization misuse by adding state-based parameters to requests, validating access tokens before making API calls, revoking access tokens, etc.