OAuth in Native Apps - OAuth Security Workshop

Transcript

1. Aaron Parecki aaronparecki.com OAuth in Native Apps: It's worse than

   we thought. OAuth Security Workshop April 2024 • Rome

2. OAuth 2.0 for Native Apps (RFC 8252) Summary • The

   client MUST use the system browser, not embedded web views • MUST be treated as a public client • The client MUST use PKCE • Redirect URLs can be: • custom URI scheme (com.example-app://redirect) • app-claimed https URL (https://example-app.com/redirect) • Loopback address with custom port (http://127.0.0.1:5192/redirect) • The AS SHOULD NOT automatically redirect without user consent • Unless the identity of the client can be assured (e.g. using app-claimed https URLs) https://datatracker.ietf.org/doc/html/rfc8252

3. Use the System Browser To conform to this best practice,

   native apps MUST use an external user-agent to perform OAuth authorization requests.

4. https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

5. None
6. None

7. https://auth0.com/blog/google-blocks-oauth-requests-from-embedded-browsers/

8. None
9. None
10. None
11. None
12. None
13. None

14. System Browser (vs Web View) • Platform-speci fi c API

    to launch a browser • The browser is not able to be observed or modi fi ed by the application • Safe to enter passwords, phishing-resistant MFA, etc • Domain name is visible in the popup browser

15. System Browser ✅ Good for security ✅ Good for third-party

    apps ❌ Bad UX for fi rst-party apps
16. None
17. None

18. MUST be treated as a public client native apps are

    classified as public clients, as defined by Section 2.1 of OAuth 2.0 [RFC6749]; they MUST be registered with the authorization server as such

19. Public Clients The application can't be deployed with a secret

    JavaScript/Single-Page apps: "view source" Native apps: decompile and extract strings

20. High score leaderboards Player 1 9000 Player 4 7800 Player

    2 4495 Player 8 2100 Player 5 700

21. POST https://api.game-server.example/score display_name=Hacker& score=99999999 Mobile game reports new high score

22. POST https://api.game-server.example/score Authorization: Bearer XXXXXXXXXXXX score=99999999 Mobile game reports new

    high score with an access token

23. “Is this request to the server being made by a

    legitimate instance of my application?”

24. …create a hardware- based, cryptographic key that uses Apple servers

    to certify that the key belongs to a valid instance of your app. https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity?language=objc

25. https://developer.android.com/google/play/integrity

26. via OAuth 2.0 Attestation-Based Client Authentication presented at IETF 119

27. PKCEbOPC?

28. None

29. POST /token client_id=XXXXX &authorization_code=XXXXX !

30. POST /token client_id=XXXXX &client_secret=XXXXX &authorization_code=XXXXX ?

31. POST /token client_id=XXXXX &code_verifier=XXXX &authorization_code=XXXXX :-)

32. PKCE was recommended for mobile apps, which can’t use a

    secret

33. Is PKCE is a replacement for a client secret? NO

34. Interception /redirect?code=XXXXX 😈 Injection /redirect?code=XXXXX 😈

35. Redirect URLs To fully support this best practice, authorization servers

    MUST offer at least the three redirect URI options described in the following subsections to native apps.

36. example-app://redirect? code=AUTHORIZATION_CODE_HERE& state=1234zyx https://example-app.com? code=AUTHORIZATION_CODE_HERE& state=1234zyx Custom URL Scheme App-Claimed

    URL Pattern Redirect URLs in Mobile Apps

37. Redirect URLs in Mobile Apps Custom URL Scheme App-Claimed URL

    Pattern No registry No validation Any app can claim any URL scheme Sometimes unde fi ned behavior if multiple apps use the same URL scheme aka "Universal Links" on iOS Requires proving ownership of the domain name by the app publisher Veri fi ed on app install and sometimes periodically afterwards

38. Redirect URLs in Mobile Apps But... none of this really

    matters

39. Redirect URLs + Use the System Browser + follow best

    practices

40. • Include https redirect URI in authorization request • Custom

    URL scheme is still required to launch ASWebAuthenticationSession

41. Before iOS 17.4 No User Interaction • Include https redirect

    URI in authorization request • Custom URL scheme is still required to launch ASWebAuthenticationSession • (User already is logged in) • Universal Link is not triggered • Browser ends up at redirect URL loaded in the browser • Native app has no way to recover Release Date: March 5, 2024

42. Before iOS 17.4 With User Interaction • Include https redirect

    URI in authorization request • Custom URL scheme is still required to launch ASWebAuthenticationSession • (User already is logged in) • Universal Link is triggered • iOS runs the Universal Link callback • Native app has to dismiss the active ASWebAuthenticationSession to resume

43. ASWebAuthenticationSession in iOS 17.4 • Adds ASWebAuthenticationSession.Callback • Takes an

    https URL that is validated the same way as Universal Links

44. ASWebAuthenticationSession in iOS 17.4 let callback = ASWebAuthenticationSession.Callback.https(host: "example-app.com", 


    path: "/redirect") url = URL(string: "https://authorization-server.com/authorize") print("Starting ASWebAuthenticationSession to ", url!, "callback: ", callback) aSWebAuthenticationSession = ASWebAuthenticationSession.init(url: url!,
 callback: callback,
 completionHandler: completionHandler)

45. ASWebAuthenticationSession in iOS 17.4 Attempting to use another app’s Universal

    Link as redirect URL ERROR: The operation couldn’t be completed. Application with identifier com.example-app.test is not associated with domain avocado.lol. Using HTTPS callbacks requires Associated Domains using the `webcredentials` service type for avocado.lol.

46. After iOS 17.4 With User Interaction • Universal Link binding

    is enforced • iOS runs the ASWebAuthenticationSession as expected Release Date: March 5, 2024

47. After iOS 17.4 No User Interaction • No change from

    previous example with user interaction Release Date: March 5, 2024

48. ASWebAuthenticationSession • iOS < 17.4 only allows passing custom URL

    scheme to ASWebAuthenticationSession • Any app can put in any scheme, it doesn’t actually launch the app, it just waits for that scheme to be returned in an HTTP Location header then dismisses the view and runs the callback • In order to use a Universal Link as the redirect URI in < 17.4, you have to hack your way around the API
49. None

50. The Hack • Find your target application's Client ID (easy)

    • Find your target application's custom URL scheme (easy) • Launch the system browser with a legitimate looking URL under the attacker's control, passing in the target application's custom URL scheme

51. The Hack • Redirect from your server to the target

    application's AS • example-app.com -> authorization-server.com • The AS will redirect to the custom URL scheme, which will trigger the ASWebAuthenticationSession callback • authorization-server.com -> example-app://redirect • If the user already has a session, they might not even see anything!

52. The Hack “Example App” starts ASWebAuthenticationSession using “lol.avocado://” custom URL

    scheme that belongs to another app. User already has a session, no interaction needed, authorization code is delivered to the callback. PKCE and DPoP didn't help, because the attacker uses their own secrets to initiate the fl ow.

53. Mitigations • Use https redirect URIs, and work around the

    iOS <17.4 limitation • Don't support custom URL scheme in your app or AS at all, 
 even for old iOS versions • Always require user interaction at the AS web page,
 even with an existing session