
OAuth in Native Apps - OAuth Security Workshop

Slides from my presentation on OAuth in Native Apps at the OAuth Security Workshop. Unfortunately the embedded videos don't play in the PDF version. I extracted the video clips and posted them here: https://aaronparecki.com/2024/04/11/23/oauth-native-apps-osw-2024

Aaron Parecki

April 11, 2024

Transcript

  1. Aaron Parecki, aaronparecki.com. OAuth in Native Apps: It's worse than we thought. OAuth Security Workshop, April 2024, Rome
  2. OAuth 2.0 for Native Apps (RFC 8252) Summary
     • The client MUST use the system browser, not embedded web views
     • MUST be treated as a public client
     • The client MUST use PKCE
     • Redirect URLs can be:
       • custom URI scheme (com.example-app://redirect)
       • app-claimed https URL (https://example-app.com/redirect)
       • Loopback address with custom port (http://127.0.0.1:5192/redirect)
     • The AS SHOULD NOT automatically redirect without user consent
       • Unless the identity of the client can be assured (e.g. using app-claimed https URLs)
     https://datatracker.ietf.org/doc/html/rfc8252
  3. Use the System Browser. "To conform to this best practice, native apps MUST use an external user-agent to perform OAuth authorization requests."
  4. System Browser (vs Web View)
     • Platform-specific API to launch a browser
     • The browser is not able to be observed or modified by the application
     • Safe to enter passwords, phishing-resistant MFA, etc.
     • Domain name is visible in the popup browser
  5. MUST be treated as a public client. "Native apps are classified as public clients, as defined by Section 2.1 of OAuth 2.0 [RFC6749]; they MUST be registered with the authorization server as such."
  6. Public Clients. The application can't be deployed with a secret.
     • JavaScript/Single-Page apps: "view source"
     • Native apps: decompile and extract strings
  7. "Is this request to the server being made by a legitimate instance of my application?"
  8. "…create a hardware-based, cryptographic key that uses Apple servers to certify that the key belongs to a valid instance of your app." https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity?language=objc
  9. Redirect URLs. "To fully support this best practice, authorization servers MUST offer at least the three redirect URI options described in the following subsections to native apps."
  10. Redirect URLs in Mobile Apps
     Custom URL Scheme:
     • No registry
     • No validation
     • Any app can claim any URL scheme
     • Sometimes undefined behavior if multiple apps use the same URL scheme
     App-Claimed URL Pattern:
     • aka "Universal Links" on iOS
     • Requires proving ownership of the domain name by the app publisher
     • Verified on app install and sometimes periodically afterwards
  11. • Include https redirect URI in authorization request
     • Custom URL scheme is still required to launch ASWebAuthenticationSession
  12. Before iOS 17.4, No User Interaction
     • Include https redirect URI in authorization request
     • Custom URL scheme is still required to launch ASWebAuthenticationSession
     • (User already is logged in)
     • Universal Link is not triggered
     • Browser ends up at redirect URL loaded in the browser
     • Native app has no way to recover
     Release Date: March 5, 2024
  13. Before iOS 17.4, With User Interaction
     • Include https redirect URI in authorization request
     • Custom URL scheme is still required to launch ASWebAuthenticationSession
     • (User already is logged in)
     • Universal Link is triggered
     • iOS runs the Universal Link callback
     • Native app has to dismiss the active ASWebAuthenticationSession to resume
  14. ASWebAuthenticationSession in iOS 17.4

```swift
import AuthenticationServices

// iOS 17.4+: bind the session callback to the app's claimed https domain
// instead of a custom URL scheme
let callback = ASWebAuthenticationSession.Callback.https(host: "example-app.com", path: "/redirect")
let url = URL(string: "https://authorization-server.com/authorize")!
print("Starting ASWebAuthenticationSession to", url, "callback:", callback)
// completionHandler is defined elsewhere in the app and receives the callback URL or an error
aSWebAuthenticationSession = ASWebAuthenticationSession(url: url, callback: callback, completionHandler: completionHandler)
```
  15. ASWebAuthenticationSession in iOS 17.4. Attempting to use another app's Universal Link as redirect URL:
     ERROR: The operation couldn't be completed. Application with identifier com.example-app.test is not associated with domain avocado.lol. Using HTTPS callbacks requires Associated Domains using the `webcredentials` service type for avocado.lol.
  16. After iOS 17.4, With User Interaction
     • Universal Link binding is enforced
     • iOS runs the ASWebAuthenticationSession as expected
     Release Date: March 5, 2024
  17. After iOS 17.4, No User Interaction
     • No change from previous example with user interaction
     Release Date: March 5, 2024
  18. ASWebAuthenticationSession
     • iOS < 17.4 only allows passing a custom URL scheme to ASWebAuthenticationSession
     • Any app can put in any scheme; it doesn't actually launch the app, it just waits for that scheme to be returned in an HTTP Location header, then dismisses the view and runs the callback
     • In order to use a Universal Link as the redirect URI in < 17.4, you have to hack your way around the API
  19. The Hack
     • Find your target application's Client ID (easy)
     • Find your target application's custom URL scheme (easy)
     • Launch the system browser with a legitimate-looking URL under the attacker's control, passing in the target application's custom URL scheme
  20. The Hack
     • Redirect from your server to the target application's AS
       • example-app.com -> authorization-server.com
     • The AS will redirect to the custom URL scheme, which will trigger the ASWebAuthenticationSession callback
       • authorization-server.com -> example-app://redirect
     • If the user already has a session, they might not even see anything!
  21. The Hack. "Example App" starts ASWebAuthenticationSession using the "lol.avocado://" custom URL scheme that belongs to another app. The user already has a session, so no interaction is needed, and the authorization code is delivered to the callback. PKCE and DPoP didn't help, because the attacker uses their own secrets to initiate the flow.
  22. Mitigations
     • Use https redirect URIs, and work around the iOS < 17.4 limitation
     • Don't support custom URL schemes in your app or AS at all, even for old iOS versions
     • Always require user interaction at the AS web page, even with an existing session
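The following is an added example, not code from the deck or from any real authorization server, showing the AS-side view of slides 9-10 (the three RFC 8252 redirect URI categories) and the last two mitigations on slide 22. The function names, the constructed redirect URIs and the "reject custom schemes by default" policy are assumptions of this example; the point it makes is that the AS cannot distinguish a flow started by the real app from one started with the same client ID and custom scheme, so an existing browser session must never skip the interaction step for a native client.

```python
from urllib.parse import urlsplit
import ipaddress

# The three redirect URI options RFC 8252 requires an AS to offer native apps.
CUSTOM_SCHEME, CLAIMED_HTTPS, LOOPBACK = "custom_scheme", "claimed_https", "loopback"


def classify_redirect_uri(uri: str) -> str:
    """Map a redirect URI to its RFC 8252 category; raise ValueError for anything else."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        if not parts.hostname:
            raise ValueError("https redirect URI needs a host")
        return CLAIMED_HTTPS          # e.g. https://example-app.com/redirect
    if scheme == "http":
        # Plain http is only acceptable for a loopback IP literal; the port may vary per launch.
        try:
            if ipaddress.ip_address(parts.hostname or "").is_loopback:
                return LOOPBACK       # e.g. http://127.0.0.1:5192/redirect
        except ValueError:
            pass
        raise ValueError("plain http is only allowed for loopback IP literals")
    if scheme:
        # Anything else is a custom scheme: no registry, no validation, any app can claim it.
        return CUSTOM_SCHEME          # e.g. com.example-app://redirect or lol.avocado://
    raise ValueError("redirect URI has no scheme")


def register_native_client(redirect_uris, allow_custom_scheme=False):
    """Mitigation: refuse custom-scheme redirects for native apps unless explicitly opted in.
    Returns the accepted (uri, category) pairs."""
    accepted = []
    for uri in redirect_uris:
        kind = classify_redirect_uri(uri)
        if kind == CUSTOM_SCHEME and not allow_custom_scheme:
            raise ValueError(f"custom URL scheme redirect not permitted: {uri}")
        accepted.append((uri, kind))
    return accepted


def requires_user_interaction(client_is_native: bool, has_session: bool) -> bool:
    """Mitigation: a native (public) client never gets a silent redirect.
    The request may have been started by anyone who knows the client_id and custom scheme,
    so an existing session must not short-circuit the consent page. Other clients keep the
    usual behaviour of skipping interaction when a session exists."""
    return True if client_is_native else not has_session
```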