OAuth implicit flow security with PhoneGap

I'm implementing an authorization server for our Web API 2 RESTful API using Bearer tokens. To give some context, I am building an MVC web application as well as a PhoneGap mobile application (to be deployed to both iOS and Android) that will consume the RESTful API. I've done a lot of research on the subject, and understand I want to go with the authorization code flow for my MVC app (as the client secret will be kept safe); however, it is my understanding that I must use the implicit grant flow for the PhoneGap application, since, being a purely client-side application, it is assumed it cannot hold a secret.

With that said, I'm still fighting over my understanding of the security implications of the implicit grant flow. When executed in a browser, I understand it to be somewhat secure (by validating the redirect URI, short-lived tokens, etc.). However, because PhoneGap will execute within its own browser instance (thus returning the token via a hash fragment that I will need to parse), how does this lock down the API to only my PhoneGap client?

What's to stop a malicious hacker from simply stealing the client_id (embedded in the HTML/JS), building their own PhoneGap application (or any other) and simply going through the implicit authorization/authentication process, thus spoofing the "approved" or "official" PhoneGap app? This problem does not seem specific to my API - does this mean this problem exists for all APIs out there that implement the implicit flow (including the big players, e.g. Facebook, Twitter, etc.)? How can I prevent this from happening? Does it mean I have to deny/not implement the implicit flow? If so, how do I consume the API securely from my PhoneGap application?

Thanks!

MikeAtCodeSmart Avatar asked Apr 30 '26 08:04



1 Answer

OAuth2 implicit flow in general is not secure. Like you mentioned, anyone can see your client_id, can create a login URL to spoof users, and can steal the access_token. This is possible with any service that uses the OAuth2 implicit flow, including big players.

Spam apps are actually doing this with Instagram: they use someone else's client_id to allow login, collect the access_token and use it to spam likes/comments on Instagram.

The OAuth2 authorization code grant flow is possible to implement in a PhoneGap app, but is not recommended since you have to store the client_secret in HTML/JS. Same with the implicit grant flow: it is possible in PhoneGap, but people can get your client_id and spoof users.

One way you can make it a bit more secure in a PhoneGap app is by using the OAuth2 authorization code grant flow: after you get the code from the redirect, POST it to your server with a hash to validate, and your server can do the actual OAuth2 POST to the service API with the client_secret to get the access_token. So in this case the client_secret is not in the app HTML/JS, but on your server. (This can also be spoofed by a hacker, but you have a bit more control.)

krisrak Avatar answered May 02 '26 22:05



