Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-04 Thread George Fletcher
The focus of the IIW session was "Mobile App Impersonation" and what can 
be done about it. Obviously moving to Universal Links (iOS) and App 
Links (Android) is an important first step but not sufficient on Android 
as you point out. Other areas of exploration are around dynamic client 
registration (forces the app impersonator to call a specific endpoint 
which can increase the ability to detect the impersonation). Also 
possibly combining device attestation and app attestation into the mix 
could provide a mechanism to ensure only the intended apps can get 
access. However, this is a fair amount of work for developers to prevent 
app impersonation. There is a big question regarding ROI of closing this 
attack vector:)


I'm especially interested in whether anyone has even looked at their 
logs and tried to detect app impersonation of their public clients. Feel 
free to message me privately if you don't want to share with the group :)


Thanks,
George

On 11/4/20 7:29 AM, Joseph Heenan wrote:

Thanks George :) That’s a shame, I would have liked to listen to the recording.

My email below was thinking of the OSW interactive sessions (we had about 2 
hours of technical discussion on some of the issues with implementing app2app 
in practice particularly on Android), but now I’ve looked I think perhaps the 
recordings of those weren’t published. I have been working on a blog post with 
others that delves more into the Android side of things, hopefully we will 
publish that in the not too distant future.

I did an identiverse session too, which although it starts out quite similar 
diverges after about 10 minutes, delving less into the detail of security and 
covering more of the higher level what/why/how: 
https://identiverse.gallery.video/detail/video/6186099813001/

Joseph


On 3 Nov 2020, at 22:12, George Fletcher wrote:

I sent in some notes but I don't have a link for the recording. I don't believe 
the recordings were being kept much past the end of the conference. I'm pretty 
sure I heard that the recordings would be removed after N days (I don't 
remember what N was stated as:)

Joseph's explanation is better than I could have given and matches my 
understanding as well.

Thanks,
George

On 11/3/20 2:13 PM, Dick Hardt wrote:

Thanks Joseph.

George Fletcher ran a great session on the topic at the last IIW as well.

George: do you have a link?


On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan wrote:


Hi Dick

I didn’t attend the call so don’t know the background of this and the
exact situation, but the general problem is mostly where the Authorization
Server’s app is *not* installed. In that case Android falls back to much
weaker mechanisms that allow other apps to get a look in. App links also
aren’t consistently supported across all commonly used android browsers
which causes further problems.

In general to do app2app oauth redirections securely on Android it’s
necessary for both apps to fetch the /.well-known/assetlinks.json for the
url they want to redirect to, and verify that the intent the app intends to
launch to handle the url is signed using the expected certificate. Web2app
flows are trickier, on both iOS and on Android. There were lengthy
discussions on at least the Android case at OAuth Security Workshop this
year (recordings available).

Joseph


On 20 Oct 2020, at 00:09, Dick Hardt wrote:

Hey Vittorio

(cc'ing OAuth list as this was brought up in the office hours today)

https://developer.android.com/training/app-links

An app is the default handler and the developer has verified ownership of
the HTTPS URL. While a user can override the app being the default handler
in the system settings -- I don't see how a malicious app can be the
default setting.

What am I missing?

/Dick
___
OAuth mailing list
OAuth@ietf.org 
https://www.ietf.org/mailman/listinfo/oauth 


Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-04 Thread Joseph Heenan
Thanks George :) That’s a shame, I would have liked to listen to the recording.

My email below was thinking of the OSW interactive sessions (we had about 2 
hours of technical discussion on some of the issues with implementing app2app 
in practice particularly on Android), but now I’ve looked I think perhaps the 
recordings of those weren’t published. I have been working on a blog post with 
others that delves more into the Android side of things, hopefully we will 
publish that in the not too distant future.

I did an identiverse session too, which although it starts out quite similar 
diverges after about 10 minutes, delving less into the detail of security and 
covering more of the higher level what/why/how: 
https://identiverse.gallery.video/detail/video/6186099813001/

Joseph

> On 3 Nov 2020, at 22:12, George Fletcher wrote:
> 
> I sent in some notes but I don't have a link for the recording. I don't 
> believe the recordings were being kept much past the end of the conference. 
> I'm pretty sure I heard that the recordings would be removed after N days (I 
> don't remember what N was stated as:)
> 
> Joseph's explanation is better than I could have given and matches my 
> understanding as well.
> 
> Thanks,
> George
> 
> On 11/3/20 2:13 PM, Dick Hardt wrote:
>> Thanks Joseph.
>> 
>> George Fletcher ran a great session on the topic at the last IIW as well.
>> 
>> George: do you have a link?
>> 
>> 
>> 
>> On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan wrote:
>> 
>>> Hi Dick
>>> 
>>> I didn’t attend the call so don’t know the background of this and the
>>> exact situation, but the general problem is mostly where the Authorization
>>> Server’s app is *not* installed. In that case Android falls back to much
>>> weaker mechanisms that allow other apps to get a look in. App links also
>>> aren’t consistently supported across all commonly used android browsers
>>> which causes further problems.
>>> 
>>> In general to do app2app oauth redirections securely on Android it’s
>>> necessary for both apps to fetch the /.well-known/assetlinks.json for the
>>> url they want to redirect to, and verify that the intent the app intends to
>>> launch to handle the url is signed using the expected certificate. Web2app
>>> flows are trickier, on both iOS and on Android. There were lengthy
>>> discussions on at least the Android case at OAuth Security Workshop this
>>> year (recordings available).
>>> 
>>> Joseph
>>> 
>>> 
>>> On 20 Oct 2020, at 00:09, Dick Hardt wrote:
>>> 
>>> Hey Vittorio
>>> 
>>> (cc'ing OAuth list as this was brought up in the office hours today)
>>> 
>>> https://developer.android.com/training/app-links
>>> 
>>> An app is the default handler and the developer has verified ownership of
>>> the HTTPS URL. While a user can override the app being the default handler
>>> in the system settings -- I don't see how a malicious app can be the
>>> default setting.
>>> 
>>> What am I missing?
>>> 
>>> /Dick


Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread George Fletcher
I sent in some notes but I don't have a link for the recording. I don't 
believe the recordings were being kept much past the end of the 
conference. I'm pretty sure I heard that the recordings would be removed 
after N days (I don't remember what N was stated as:)


Joseph's explanation is better than I could have given and matches my 
understanding as well.


Thanks,
George

On 11/3/20 2:13 PM, Dick Hardt wrote:

Thanks Joseph.

George Fletcher ran a great session on the topic at the last IIW as well.

George: do you have a link?


On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan wrote:


Hi Dick

I didn’t attend the call so don’t know the background of this and the
exact situation, but the general problem is mostly where the Authorization
Server’s app is *not* installed. In that case Android falls back to much
weaker mechanisms that allow other apps to get a look in. App links also
aren’t consistently supported across all commonly used android browsers
which causes further problems.

In general to do app2app oauth redirections securely on Android it’s
necessary for both apps to fetch the /.well-known/assetlinks.json for the
url they want to redirect to, and verify that the intent the app intends to
launch to handle the url is signed using the expected certificate. Web2app
flows are trickier, on both iOS and on Android. There were lengthy
discussions on at least the Android case at OAuth Security Workshop this
year (recordings available).

Joseph


On 20 Oct 2020, at 00:09, Dick Hardt wrote:

Hey Vittorio

(cc'ing OAuth list as this was brought up in the office hours today)

https://developer.android.com/training/app-links

An app is the default handler and the developer has verified ownership of
the HTTPS URL. While a user can override the app being the default handler
in the system settings -- I don't see how a malicious app can be the
default setting.

What am I missing?

/Dick


Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread Tim Cappalli
Here’s the OSW recording on app2app.

https://www.youtube.com/watch?v=vktyY5CXwjg


From: OAuth
Date: Tuesday, November 3, 2020 at 14:14
To: Joseph Heenan, George Fletcher
Cc: oauth
Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links)
Thanks Joseph.

George Fletcher ran a great session on the topic at the last IIW as well.

George: do you have a link?


On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan wrote:
Hi Dick

I didn’t attend the call so don’t know the background of this and the exact 
situation, but the general problem is mostly where the Authorization Server’s 
app is *not* installed. In that case Android falls back to much weaker 
mechanisms that allow other apps to get a look in. App links also aren’t 
consistently supported across all commonly used android browsers which causes 
further problems.

In general to do app2app oauth redirections securely on Android it’s necessary 
for both apps to fetch the /.well-known/assetlinks.json for the url they want 
to redirect to, and verify that the intent the app intends to launch to handle 
the url is signed using the expected certificate. Web2app flows are trickier, 
on both iOS and on Android. There were lengthy discussions on at least the 
Android case at OAuth Security Workshop this year (recordings available).

Joseph



On 20 Oct 2020, at 00:09, Dick Hardt wrote:

Hey Vittorio

(cc'ing OAuth list as this was brought up in the office hours today)

https://developer.android.com/training/app-links

An app is the default handler and the developer has verified ownership of the 
HTTPS URL. While a user can override the app being the default handler in the 
system settings -- I don't see how a malicious app can be the default setting.

What am I missing?

/Dick


Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread Dick Hardt
Thanks Joseph.

George Fletcher ran a great session on the topic at the last IIW as well.

George: do you have a link?


On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan wrote:

> Hi Dick
>
> I didn’t attend the call so don’t know the background of this and the
> exact situation, but the general problem is mostly where the Authorization
> Server’s app is *not* installed. In that case Android falls back to much
> weaker mechanisms that allow other apps to get a look in. App links also
> aren’t consistently supported across all commonly used android browsers
> which causes further problems.
>
> In general to do app2app oauth redirections securely on Android it’s
> necessary for both apps to fetch the /.well-known/assetlinks.json for the
> url they want to redirect to, and verify that the intent the app intends to
> launch to handle the url is signed using the expected certificate. Web2app
> flows are trickier, on both iOS and on Android. There were lengthy
> discussions on at least the Android case at OAuth Security Workshop this
> year (recordings available).
>
> Joseph
>
>
> On 20 Oct 2020, at 00:09, Dick Hardt wrote:
>
> Hey Vittorio
>
> (cc'ing OAuth list as this was brought up in the office hours today)
>
> https://developer.android.com/training/app-links
>
> An app is the default handler and the developer has verified ownership of
> the HTTPS URL. While a user can override the app being the default handler
> in the system settings -- I don't see how a malicious app can be the
> default setting.
>
> What am I missing?
>
> /Dick


Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread Joseph Heenan
Hi Dick

I didn’t attend the call so don’t know the background of this and the exact 
situation, but the general problem is mostly where the Authorization Server’s 
app is *not* installed. In that case Android falls back to much weaker 
mechanisms that allow other apps to get a look in. App links also aren’t 
consistently supported across all commonly used android browsers which causes 
further problems.

In general to do app2app oauth redirections securely on Android it’s necessary 
for both apps to fetch the /.well-known/assetlinks.json for the url they want 
to redirect to, and verify that the intent the app intends to launch to handle 
the url is signed using the expected certificate. Web2app flows are trickier, 
on both iOS and on Android. There were lengthy discussions on at least the 
Android case at OAuth Security Workshop this year (recordings available).

Joseph


> On 20 Oct 2020, at 00:09, Dick Hardt wrote:
> 
> Hey Vittorio
> 
> (cc'ing OAuth list as this was brought up in the office hours today)
> 
> https://developer.android.com/training/app-links 
> 
> 
> An app is the default handler and the developer has verified ownership of the 
> HTTPS URL. While a user can override the app being the default handler in the 
> system settings -- I don't see how a malicious app can be the default setting.
> 
> What am I missing?
> 
> /Dick
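The verification step Joseph describes, as an added example that is not from this thread or any project's code: a Python check over the Digital Asset Links format that takes the package name and signing certificate Android resolved for a target URL and accepts the intent only if the host's /.well-known/assetlinks.json lists that package with that certificate's SHA-256 fingerprint under the handle_all_urls relation. The host, package names and certificate bytes are constructed placeholders; in an app the same logic runs in both directions (the client checks the AS's authorization URL, the AS app checks the redirect URI), with the certificate taken from PackageManager for the resolved activity.

```python
import hashlib
import json

# Relation that grants an Android app the right to handle the site's URLs.
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed stand-ins for DER-encoded APK signing certificates (not real certs).
GENUINE_CERT = b"constructed DER cert of the real authorization-server app"
IMPOSTOR_CERT = b"constructed DER cert of an app that merely claims the URL"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate in the AA:BB:... form used by assetlinks.json."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed example of https://as.example.com/.well-known/assetlinks.json
# (hypothetical host and package names).
SAMPLE_ASSETLINKS = json.dumps([
    {   # statement that authorizes the genuine AS app to handle all URLs
        "relation": [HANDLE_ALL_URLS],
        "target": {"namespace": "android_app", "package_name": "com.example.as",
                   "sha256_cert_fingerprints": [cert_fingerprint(GENUINE_CERT)]},
    },
    {   # a statement with a different relation grants no URL handling
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {"namespace": "android_app", "package_name": "com.example.other",
                   "sha256_cert_fingerprints": [cert_fingerprint(IMPOSTOR_CERT)]},
    },
])


def authorized_handlers(assetlinks_json: str) -> dict:
    """Map package name -> set of fingerprints allowed to handle the site's URLs."""
    allowed = {}
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue  # e.g. get_login_creds: not a URL-handling grant
        if target.get("namespace") != "android_app":
            continue  # web-namespace statements are not app handlers
        fps = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        allowed.setdefault(target["package_name"], set()).update(fps)
    return allowed


def may_launch(assetlinks_json: str, resolved_package: str, resolved_cert: bytes) -> bool:
    """True only if the activity Android resolved for the redirect URL (package plus
    signing cert from PackageManager) is listed; otherwise fall back to a browser."""
    allowed = authorized_handlers(assetlinks_json)
    return cert_fingerprint(resolved_cert) in allowed.get(resolved_package, set())
```

An unverified package, a mismatched signing certificate, or no resolvable app at all should all take the browser path rather than the intent; this is the case Joseph notes where Android's fallback lets other apps "get a look in".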