Third-party OAuth applications often over-collect user data due to service providers’ support for only coarse-grained permissions, even when developers aim to minimize access. This work proposes OAuthHub, a user-device-based intermediary framework that enforces fine-grained, cross-platform OAuth data access control through declarative policies across three typical scenarios: installation, user-triggered actions, and scheduled operations. OAuthHub introduces a centralized runtime permission model tailored for intermittently available personal devices. Evaluation on three real-world applications demonstrates that integrating OAuthHub requires minimal code changes and incurs negligible performance overhead. A user study with 18 developers shows that OAuthHub reduces average task completion time by 49% (from 18.0 to 9.1 minutes) and decreases required code by 70% (from 15.8 to 4.7 lines).

Most OAuth service providers, such as Google and Microsoft, offer only a limited range of coarse-grained data access. As a result, third-party OAuth applications often end up accessing more user data than necessary, even if their developers want to minimize data access. We present OAuthHub, a development framework that leverages users'personal devices as the intermediary controller for OAuth-based data sharing between cloud services. The key innovations of OAuthHub are: (1) the insight that discretionary data access is largely unnecessary for most OAuth apps, which typically only require access at three well-defined moments-during installation, in response to user actions, and at scheduled intervals; (2) a development framework that requires explicit declarations of intended data access and supports the three common access patterns through intermittently available personal devices; and (3) a centralized runtime permission model for managing OAuth access across providers. We evaluated OAuthHub with three real-world apps on both PCs and mobile phones and found that OAuthHub requires moderate changes to the application code and imposes insignificant performance overheads. Our study with 18 developers showed that participants completed programming tasks significantly faster (9.1 vs. 18.0 minutes) with less code (4.7 vs. 15.8 lines) using OAuthHub than conventional OAuth APIs.