The focus of the IIW session was "Mobile App Impersonation" and what can
be done about it. Obviously moving to Universal Links (iOS) and App
Links (Android) is an important first step but not sufficient on Android
as you point out. Other areas of exploration are around dynamic client
registration (forces the app impersonator to call a specific endpoint
which can increase the ability to detect the impersonation). Also
possibly combining device attestation and app attestation into the mix
could provide a mechanism to ensure only the intended apps can get
access. However, this is a fair amount of work for developers to prevent
app impersonation. There is a big question regarding ROI of closing this
attack vector:)
I'm especially interested in whether anyone has even looked at their
logs and tried to detect app impersonation of their public clients. Feel
free to message me privately if you don't want to share with the group :)
Thanks,
George
On 11/4/20 7:29 AM, Joseph Heenan wrote:
Thanks George :) That’s a shame, I would have liked to listen to the recording.
My email below was thinking of the OSW interactive sessions (we had about 2
hours of technical discussion on some of the issues with implementing app2app
in practice particularly on Android), but now I’ve looked I think perhaps the
recordings of those weren’t published. I have been working on a blog post with
others that delves more into the Android side of things, hopefully we will
publish that in the not too distant future.
I did an identiverse session too, which although it starts out quite similar
diverges after about 10 minutes, delving less into the detail of security and
covering more of the higher level what/why/how:
https://identiverse.gallery.video/detail/video/6186099813001/
Joseph
On 3 Nov 2020, at 22:12, George Fletcher <gffle...@aol.com> wrote:
I sent in some notes but I don't have a link for the recording. I don't believe
the recordings were being kept much past the end of the conference. I'm pretty
sure I heard that the recordings would be removed after N days (I don't
remember what N was stated as:)
Joseph explanation is better than I could have given and matches my
understanding as well.
Thanks,
George
On 11/3/20 2:13 PM, Dick Hardt wrote:
Thanks Joseph.
George Fletcher ran a great session on the topic at the last IIW as well.
George: do you have a link?
ᐧ
On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <jos...@authlete.com>
<mailto:jos...@authlete.com> wrote:
Hi Dick
I didn’t attend the call so don’t know the background of this and the
exact situation, but the general problem is mostly where the Authorization
Server’s app is *not* installed. In that case Android falls back to much
weaker mechanisms that allow other apps to get a look in. App links also
aren’t consistently supported across all commonly used android browsers
which causes further problems.
In general to do app2app oauth redirections securely on Android it’s
necessary for both apps to fetch the /.well-known/assetlinks.json for the
url they want to redirect to, and verify that the intent the app intends to
launch to handle the url is signed using the expected certificate. Web2app
flows are trickier, on both iOS and on Android. There were lengthy
discussions on at least the Android case at OAuth Security Workshop this
year (recordings available).
Joseph
On 20 Oct 2020, at 00:09, Dick Hardt <dick.ha...@gmail.com>
<mailto:dick.ha...@gmail.com> wrote:
Hey Vittorio
(cc'ing OAuth list as this was brought up in the office hours today)
https://developer.android.com/training/app-links
<https://developer.android.com/training/app-links>
An app is the default handler and the developer has verified ownership of
the HTTPS URL. While a user can override the app being the default handler
in the system settings -- I don't see how a malicious app can be the
default setting.
What am I missing?
/Dick
ᐧ
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
