On Analyzing SSO Permissions Across Web and Android Platforms

Rezaei, Fahimeh ORCID: https://orcid.org/0009-0001-4816-4034 (2025) On Analyzing SSO Permissions Across Web and Android Platforms. Masters thesis, Concordia University.

Rezaei_MASc-F2025.pdf - Accepted Version
Available under License Spectrum Terms of Access.

Abstract

Federated Single Sign-On (SSO) is a widely used authentication method that delegates user login to Identity Providers (IdPs) such as Google and Facebook. While convenient, SSO raises privacy and security concerns, particularly, as we observed, when permissions vary across different platforms (web vs. mobile, even different versions of an app). Existing work on SSO logins completely lacks the exploration of such variances, and their privacy consequences, even though many users may use a service both via web and mobile platforms. This study examines such discrepancies at scale, alongside an analysis of dangerous permissions specifically requested on websites and Android apps. We developed a framework to automate SSO logins on both platforms, systematically measuring permission discrepancies. Our analysis, based on 661 and 318 successful logins using Google and Facebook SSO, respectively, across both the Android app and its corresponding website for the same service, reveals a 12.58% discrepancy in Facebook SSO permissions and a 3.48% discrepancy in Google SSO permissions between web and Android platforms. These findings, along with our analysis of top-5K Tranco websites, indicate that Android apps tend to request more intrusive permissions, underscoring the need for incremental authorization mechanisms to minimize unnecessary data exposure.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Rezaei, Fahimeh
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: May 2025
Thesis Supervisor(s): Mannan, Mohammad and Youssef, Amr
ID Code: 995531
Deposited By: Fahimeh Rezaei
Deposited On: 04 Nov 2025 16:54
Last Modified: 04 Nov 2025 16:54
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
