[Openid-specs-ab] ProgrammableWeb article about App to help you hack APIs

John Bradley ve7jtb at ve7jtb.com
Mon Aug 10 23:42:41 UTC 2015


Hi Mike,

Thanks for the pointer. I know the author and will get in touch with him.

He is confusing app secrets from OAuth 1.1 with codes and refresh tokens.

We have always known that secrets distributed in apps are not secrets.

In this case, if you install the app, and give it permissions to start a VPN connection and install their root certificate on your device, then of course the app can monitor all your traffic; it is a traffic monitor like Wireshark etc.

Nothing in the article lets a 3rd party app steal refresh or access tokens from the wire, unless the user tries really hard to be compromised.

It is true that thinking APIs are secret is a mistake; that has been shown lots of times.

John B.
> On Aug 10, 2015, at 7:38 PM, Mike Schwartz <mike at gluu.org> wrote:
> 
> OpenID Connect gurus:
> 
> Lovely article in ProgrammableWeb today that references OAuth...
> 
>   WANT TO STEAL A MOBILE APP'S SECRETS? THERE'S AN APP FOR THAT
>   http://gluu.co/app-to-hack
> 
> - Mike
> 
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


