Federated Single Sign-On (SSO) is a widely used authentication method that delegates user login to Identity Providers (IdPs) such as Google and Facebook.
While convenient, SSO raises privacy and security concerns, particularly, as we observed, when permissions vary across different platforms (web vs. mobile, even different versions of an app).
This study examines such discrepancies at scale, alongside an analysis of dangerous permissions specifically requested on websites and Android apps.
Our findings indicate that Android apps generally request more intrusive permissions, with a 12.58% discrepancy in Facebook SSO permissions, and a 3.48% discrepancy in Google SSO permissions between web and Android platforms.
These results underscore the need for incremental authorization practices to minimize unnecessary data access.
RESULTS OVERVIEW
RECOMMENDATIONS
SSO systems streamline user access by enabling authentication across multiple services with a single login. However, they also introduce a unique set of privacy and security considerations. Unlike traditional login methods, SSO can grant broad, cross-platform access based on a single set of credentials, potentially exposing a wider range of user data. As such, developers implementing SSO, along with their users, must be vigilant about how permissions are granted, managed, and audited. We therefore provide the following recommendations.
