App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Transcript

1. Aaron Parecki • @aaronpk OAuth Security Workshop • May 2022

   App Integrity Attestations as OAuth Client Authentication

2. Public Clients Confidential Clients Application running on a server Has

   the ability to keep strings secret since code is running in a trusted environment The application can't be configured with secrets JavaScript/Single-Page apps: "view source" Native apps: decompile and extract strings

3. PKCE

4. None

5. POST /token client_id=XXXXX &authorization_code=XXXXX !

6. POST /token client_id=XXXXX &client_secret=XXXXX &authorization_code=XXXXX ?

7. POST /token client_id=XXXXX &code_verifier=XXXX &authorization_code=XXXXX :-)

8. PKCE was recommended for mobile apps, which can’t use a

   secret

9. Is PKCE is a replacement for a client secret?

10. Interception /redirect?code=XXXXX 😈 Injection /redirect?code=XXXXX 😈

11. Mobile apps can’t be deployed with a client secret

12. example://redirect? code=AUTHORIZATION_CODE_HERE& state=1234zyx https://app.example.com? code=AUTHORIZATION_CODE_HERE& state=1234zyx Custom URL Scheme App-Claimed

    URL Pattern Redirect URLs in Mobile Apps

13. Neither of these is perfect

14. POST https://api.authorization-server.com/token grant_type=authorization_code& code=AUTH_CODE_HERE& redirect_uri=REDIRECT_URI& client_id=CLIENT_ID& code_verifier=VERIFIER_STRING Nothing here authenticates

    the app. It’s possible to impersonate any native app with its client_id. Authorization Code Exchange (with PKCE)

15. Redirect URL registration 
 + app-claimed URL patterns More or

    less protects against authorization code interception by malicious apps Does nothing to protect against app impersonation

16. Why is app impersonation a problem?

17. It may or may not be a problem for you

18. Some systems give additional privileges to apps based on their

    client_id • bypass the consent screen • access private API methods • higher rate limits

19. Where else is app impersonation a problem?

20. High score leaderboards Player 1 9000 Player 4 7800 Player

    2 4495 Player 8 2100 Player 5 700

21. POST https://api.game-server.example/score display_name=Hacker& score=99999999 Mobile game reports new high score

22. Does OAuth solve this?

23. Not really!

24. POST https://api.game-server.example/score Authorization: Bearer XXXXXXXXXXXX score=99999999 Mobile game reports new

    high score with an access token

25. App Integrity

26. “Is this request to the server being made by a

    legitimate instance of my application?”

27. …create a hardware- based, cryptographic key that uses Apple servers

    to certify that the key belongs to a valid instance of your app. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

28. Apple App Attestation https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

29. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

30. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

31. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

32. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

33. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

34. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

35. https://developer.android.com/google/play/integrity

36. Google Play Integrity https://developer.android.com/google/play/integrity

37. https://developer.android.com/google/play/integrity

38. Google Play Integrity https://developer.android.com/google/play/integrity

39. https://developer.android.com/google/play/integrity

40. https://developer.android.com/google/play/integrity https://playintegrity.googleapis.com/v1/PACKAGE_NAME:decodeIntegrityToken -d \ '{ "integrity_token": "INTEGRITY_TOKEN" }’ { requestDetails:

    requestDetails: { requestPackageName: "com.package.name" nonce: "aGVsbG8gd29scmQgdGhlcmU" timestampMillis: 1617893780 } appIntegrity: { appRecognitionVerdict: "PLAY_RECOGNIZED" packageName: "com.package.name" certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"] versionCode: 42 } deviceIntegrity: { deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"] } accountDetails: { licensingVerdict: "LICENSED" } }

41. Version Support DCAppAttestService iOS 14 2020 Google Play Integrity API

    (Replaces SafetyNet) Unknown Launched in 2021

42. How do we apply this to OAuth?

43. None
44. None

45. Should assertion happen at: • Install time (dynamic client registration)

    • On every authentication (at the token endpoint) • At every high-value API call (resource server)

46. iOS Questions • Apple suggests associating a private key with

    a user account • To use this as part of the login flow, when should this key get associated with a user? • Server stores key before the user logs in?

47. Both Platforms • A server-generated nonce is required before generating

    the assertion • What should the nonce be? • A separate pre-flight request the app makes before the authorization code flow starts? • Require PAR and include an additional parameter in the PAR response?

48. Unconference session?

49. Thanks! @aaronpk aaronpk.com