[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

John Bradley ve7jtb at ve7jtb.com
Wed Aug 10 15:16:03 UTC 2016


The OS attestation that William and I are working on is our best bet to mitigate client spoofing.

The other is to use a cookie in the browser to show that it is not a web view, in combination with an app-claimed https redirect URI.
That is mentioned in https://tools.ietf.org/html/draft-ietf-oauth-native-apps, though we may need to flesh out how a server detects if it is talking to a web view.

I personally would like to see the app stores ban apps that use webviews; that would allow the app-claimed https redirect URI to be more reliable.

Using the attestation with the token binding id as the nonce is the most reliable way to do it at the moment.

The work we have been doing with AppAuth on mobile is now spreading to desktops like Windows and OS X as well. Those are among the first places to beef up token verification.

I agree that we should do something for server clients as well. That might also include token binding support for token verification in the future.

John B.
> On Aug 10, 2016, at 3:42 AM, Adam Dawes via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC. 
> 
> But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.
> 
> The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.
> 
> On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Just found a briefing in Blackhat 2016 titled “1000 WAYS TO DIE IN MOBILE OAUTH” <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>
> 
> Says:
> 
> > (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”
> > [..snip..]
> > “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.
> 
> Maybe we should dig in.
> 
> 
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
> 
> 
> -- 
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
> 
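As an added illustration of the issuer and audience checks that Adam's message says developers most often get wrong, here is a small stand-alone ID token verifier. This is example code written for this page, not code from the thread, from AppAuth, or from any of the libraries mentioned. To run offline it uses a constructed HS256 shared secret; real ID tokens are normally RS256-signed with keys fetched from the OP's JWKS, so a production client should use a maintained JWT library and pin the expected algorithm and key in the same way this code pins `HS256`. The issuer URL, client_id, nonce and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not taken from the thread).
EXPECTED_ISSUER = "https://op.example.com"
EXPECTED_CLIENT_ID = "my-mobile-app"
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

# A well-formed ID token payload as the OP would issue it (constructed).
GOOD_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "user-123",
    "aud": EXPECTED_CLIENT_ID,
    "iat": 1000,
    "exp": 2000,
    "nonce": "n-1",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the OP's signing step: HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "." +
        _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """A token whose header claims alg "none"; used only to show it is rejected."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."


class IDTokenError(ValueError):
    pass


def verify_id_token(token, expected_nonce, now=None, secret=SHARED_SECRET,
                    issuer=EXPECTED_ISSUER, client_id=EXPECTED_CLIENT_ID):
    """Checks from OpenID Connect Core 1.0 section 3.1.3.7 (ID Token Validation)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg")
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # iss must exactly match the issuer this client was configured against.
    if claims.get("iss") != issuer:
        raise IDTokenError("issuer mismatch")
    # aud may be a string or an array; our client_id must be in it, and with
    # several audiences the azp claim must name this client.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IDTokenError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IDTokenError("token expired")
    # nonce ties the token to the authorization request that started this login.
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch")
    return claims


def validation_error(token, expected_nonce, now):
    """Return None when the token is accepted, otherwise the rejection reason."""
    try:
        verify_id_token(token, expected_nonce, now=now)
        return None
    except IDTokenError as err:
        return str(err)


if __name__ == "__main__":
    print("good token:", validation_error(mint_id_token(GOOD_CLAIMS), "n-1", 1500))
    other_aud = dict(GOOD_CLAIMS, aud="some-other-app")
    print("other audience:", validation_error(mint_id_token(other_aud), "n-1", 1500))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, and the issuer and audience checks run even though the signature is valid, because a token correctly signed by the right OP for a different client is still not this client's token.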
