OAuth is a popular authorization schema used by many iOS and Android apps to delegate user authentication and authorization to a known third-party entity such as Google, Facebook or LinkedIn. This includes apps that enterprises develop or use to connect to G Suite or cloud providers such as BOX and Google Firebase. When users grant an app to access their Gmail account or GDrive, they normally only expect limited access. But there are several functionalities one can do with the access even when the user is not using the app, which often comes as a surprise to the user. It is mostly because users are not aware of the amount of data that an application can access while they are offline, as well as the consequences of sharing that data with the application. Depending on the requested permissions and access type, an app can essentially keep the user authenticated forever and access their protected resources such as Gmail, Gdrive, or Calendar. With no built-in security in OAuth, it is mostly the app developer’s responsibility to prevent unauthorized access or authorization misuse by adding state-based parameters to requests, validating access tokens before making API calls, revoking access tokens, etc.
