PoisonTap, The Ransacker
Via Ars Technica's Security Editor Dan Goodin comes proof that the cost to deploy MITM exploits is dropping into pocket-change territory; and, as with most commodity-based attacks, the cost to build and deploy such devices will continue to fall, especially given the lack of attention to detail in the physical security realm.
Information Warfare - Entertainment Industry Targeted →
Apparently, the People's Republic of China's wealthiest individual is attempting to crack the 'Hollywood Code' via acquisition... Read Judicial Watch's take.
'A one-time commander in China’s Communist Red Army has launched information warfare with an aggressive plan to invest billions in all six major Hollywood studios, a show business trade publication reports, describing the foreign deal as an unprecedented push into the U.S. entertainment sector. The former People’s Liberation Army (PLA) regimental commander, Wang Jianlin, is China’s richest man and he’s aggressively pursuing a big chunk of one of the world’s most influential industries.' - via Judicial Watch's post 'Information Warfare: Communist Takeover of U.S. Entertainment Industry'.
POC PwnFest - Safari Compromised →
News from the Past (the recent past, that is) - Apple Inc. (NasdaqGS: AAPL) Safari drops the drawbridge, and is summarily PWND at POC PwnFest 2016. The exploit took twenty seconds to work its magic... Cruft, the gift that keeps on giving; hearty congratulations to PANGU for their outstanding effort.
Chronicles of the Deeply Flawed - OAuth 2.0 →
A team from the highly respected Chinese University of Hong Kong, comprised of Ronghai Yang [PhD Candidate, Department of Information Engineering, The Chinese University of Hong Kong], Wing Cheong Lau [Associate Professor, Department of Information Engineering, The Chinese University of Hong Kong], and Tianyu Liu, has discovered a highly exploitable flaw in OAuth 2.0. Read the document here: Blackhat EU 2016's 'Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0'. HatTip!
"OAuth2.0 protocol has been widely adopted by mainstream Identity Providers (IdPs) to support Single-Sign-On service. Since this protocol was originally designed to serve the authorization need for 3rd party websites, different pitfalls have been uncovered when adapting OAuth to support mobile app authentication. To the best of our knowledge, all the attacks discovered so far, including BlackHat USA’16 [3], CCS’14 [2] and ACSAC’15 [5], require to interact with the victim, for example via malicious apps or network eavesdropping, etc. On the contrary, we have discovered a new type of widespread but incorrect usages of OAuth by 3rd party mobile app developers, which can be exploited remotely and solely by the attacker to sign into a victim’s mobile app account without any involvement/awareness of the victim. To demonstrate the prevalence and severe impact of this vulnerability, we have developed an exploit to examine the implementations of 600 top-ranked US and Chinese Android Apps which use the OAuth2.0-based authentication service provided by three top-tier IdPs, namely Facebook, Google or Sina. Our empirical results are alarming: on average, 41.21% of these apps are vulnerable to this new attack. We have reported our findings to the affected IdPs, and received their acknowledgements/rewards in various ways." - via Blackhat EU 2016's publication 'Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0'
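The "incorrect usage" the abstract refers to is an app backend that accepts the user identity sent by the mobile client instead of deriving it from the IdP's answer about the access token. The following is an added illustration, not code from the post or the paper: a toy stand-in for the IdP's token-introspection endpoint, the weak login pattern, and the hardened one beside it. `APP_ID`, the token strings and the user ids are constructed for the example.

```python
# Added example (not from the post or the paper): minimal model of the
# OAuth2 mobile sign-in weakness, with the hardened login beside it.
# All names, tokens and ids below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

APP_ID = "app-123"  # constructed: this app's client id registered with the IdP


@dataclass(frozen=True)
class TokenInfo:
    user_id: str  # subject the IdP issued the token for
    app_id: str   # client the token was issued to (its audience)


# Constructed stand-in for the IdP's token-introspection endpoint:
# maps an access token to what the IdP knows about it.
IDP_TOKENS = {
    "tok-attacker": TokenInfo(user_id="attacker", app_id=APP_ID),
    "tok-other-app": TokenInfo(user_id="victim", app_id="app-999"),
}


def idp_introspect(access_token: str) -> Optional[TokenInfo]:
    """Ask the (simulated) IdP whether the token is live and for whom."""
    return IDP_TOKENS.get(access_token)


def login_insecure(client_user_id: str, access_token: str) -> Optional[str]:
    """Weak pattern: the backend only checks that the token is live, then
    trusts the user id the mobile client sent alongside it. Any valid token
    therefore opens a session for whatever user id the client names."""
    if idp_introspect(access_token) is None:
        return None
    return f"session-for-{client_user_id}"


def login_secure(access_token: str) -> Optional[str]:
    """Hardened pattern: identity comes from the IdP's answer, never from
    the client, and the token must have been issued to this app."""
    info = idp_introspect(access_token)
    if info is None or info.app_id != APP_ID:
        return None
    return f"session-for-{info.user_id}"
```

The audience check also blocks tokens a user legitimately obtained for a different app from being replayed against this backend.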
Web of Trust, Not So Trustworthy After All →
Apparently, WOT is now a three letter acronym for Feet of Clay...
Apple Failing to Police App Store →
According to New York Times reporter Vindu Goel, Apple Inc. (NasdaqGS: AAPL) has apparently lost a certain measure of control within its App Store ecosystem, as hundreds of fake retail-targeted applications managed to slither past Apple Inc.'s various App Store security gatekeepers. On the other hand, they did manage to ban one of the most expensive apps within the confines of Apple's retail marketplace...
"'We’re seeing a barrage of fake apps,' said Chris Mason, chief executive of Branding Brand, a Pittsburgh company that helps retailers build and maintain apps. He said his company constantly tracks new shopping apps, and this was the first time it had seen so many counterfeit iPhone apps emerge in a short period of time." - via New York Times reporter Vindu Goel
Soghoian, Your Smartphone is a Civil Rights Issue →
Dr. Soghoian's Take...
Tip O' The Hat to Firewall Consultants!