<div dir="ltr">Did some work on this at Salesforce over the last couple weeks.<div><br></div><div>When calling aza, on iOS the app is able to determine calling app identity by an injected bundle id. On Android you can get a cert hash. Both are OS asserted so are relatively secure assuming a non-jailbroken device. There doesn't seem, at least on iOS, to be a good way from preventing hijacking of the aza's custom scheme, so this is likely susceptible to at least some sort of phishing</div>
<div><br></div><div>As far as callbacks back into the requesting app, we've looked at two approaches. Either Nat's <a href="http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03">http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03</a> as well as issuing an ephemeral public/private key, passing the public key in the request, and encrypting the response. Both seem to work well enough for protection against hijacked callbacks. At this point, we're heading towards the former given the relative simplicity. </div>
<div><br></div><div>-cmort</div><div><br></div><div> </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 3, 2014 at 8:18 AM, Paul.madsen <span dir="ltr"><<a href="mailto:paul.madsen@gmail.com" target="_blank">paul.madsen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Writ the URL scheme mechanism, has anybody done the exercise of assessing the associated security characteristics in Android and iOS?</div>
<div><br></div><div><br></div><div><div style="font-size:8px;color:#575757">Sent from my Samsung Galaxy smartphone.</div></div><div></div><br><br>-------- Original message --------<br>From: Lloyd Burch <u></u> <br>Date:06-03-2014 11:00 AM (GMT-05:00) <br>
To: <a href="mailto:paul.madsen@gmail.com" target="_blank">paul.madsen@gmail.com</a>, <a href="mailto:openid-specs-native-apps@lists.openid.net" target="_blank">openid-specs-native-apps@lists.openid.net</a> <br>Subject: Re: [Openid-specs-native-apps] IOS 8 interapp messaging <br>
<br><div><div>I have now watched it three time and am looking for more information on the details. </div><div> </div><div>What I would like to know is, can the called and calling application know the ID of each other and can that be validated via iOS?</div>
<div> </div><div>Using the URL Schema calls is a little SLOW, but it is all we have now. This should fix this.</div><div> </div><div>Lloyd </div><span> </span><div><span><br><br>>>> Paul Madsen <<a href="mailto:paul.madsen@gmail.com" target="_blank">paul.madsen@gmail.com</a>> 6/2/2014 1:42 PM >>><br>
</span><div class=""><div><span style="background-color:rgb(255,255,255)" text="#000000" bgcolor="#FFFFFF">>
<font size="+1"><font face="Arial"><a href="http://www.theverge.com/2014/6/2/5773080/ios-8-apps-can-talk-to-each-other" target="_blank">http://www.theverge.com/2014/6/2/5773080/ios-8-apps-can-talk-to-each-other</a></font></font></span></div>
<div><font size="+1"><font face="Arial">
</font></font></div><div><font size="+1"><font face="Arial">
perhaps relevant to mobile binding spec</font></font></div><div><font size="+1"><font face="Arial">
</font></font></div><div><font size="+1"><font face="Arial">
paul</font></font></div><div><font size="+1"><font face="Arial">
</font></font>
</div></div></div></div>
</div><br>_______________________________________________<br>
Openid-specs-native-apps mailing list<br>
<a href="mailto:Openid-specs-native-apps@lists.openid.net">Openid-specs-native-apps@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-native-apps" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-native-apps</a><br>
<br></blockquote></div><br></div>