Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to make oauth secure on iOS?

Is it possible to make oauth secure on iOS?

I am investigating OAuth 2.0 as a means to implement single sign-on + authorization for a "suite" of iOS apps. To explain my concerns, I'll simplify and use Facebook + a 3rd party app that uses Facebook for authentication (let's say Words/"Words with Friends").

For the purpose of example, I'll assume that Facebook registers to support scheme/protocol "facebook://" and that Words registers to support "words://"

I also make the assumption that it is not possible to secure the "client-secret" or the protocol in an iOS application because you can decompile the application. Any ways that I have come up with to secure this results in security by obscurity.

Another assumption is that there is no way to prevent two applications from registering to handle the same protocol. The behavior when two apps both register for the same protocol is indeterminate. (Although it appears that the first app to launch on the device gets registered while the second apps registration is ignored)

If I understand the workflow between Facebook (user-agent) and Words (client) on the iOS device:

  • User launches Words
  • user chooses to logon via Facebook credentials
  • Words invokes openUrl("facebook://") which contains, among other things an identifier for Words as an application and a redirect uri (i.e. "words://")
  • iOS launches Facebook application
  • User enteres credentials, which Facebook application validates against Facebook authorization server.
  • User prompted to authorize Words to access Facebook data (i.e. Words can access my friends list)
  • Facebook invokes callback uri provided by Words along with access token (i.e. words://access_token?token_here)
  • Words uses this token to access my friends list (i.e. protected resource data)

Assuming the above is correct, if I want to be malicious and access random people's friends list, I could create an application that also registers to handle the protocol "words://" and get it on the app store. If someone has my app and Words installed and my app is the one that successfully registered (i.e. launched on the device before Words), then:

  • Launch Words, choose to logon, launches Facebook
  • user authenticates / authorizes
  • Facebook attempts to redirect back to Words by invoking openUrl on the redirect url
  • My App (not Words) is launched
  • My App now has access to the auth code, which (with the secret learned by decompiling) can be exchanged for an access_token, with rights to access your friends list

I am hoping that my reasoning is flawed above or I would have to conclude (specifically) that Facebook iOS authentication for 3rd party apps is insecure.

More generically, is it possible to implement OAuth 2.0 (authorization/implicit grant workflows) securely on iOS application?

like image 875
jayraynet Avatar asked Nov 30 '11 18:11

jayraynet


People also ask

How does OAuth work in iOS?

OAuth2 lets users grant third-party apps access to their web resources, without sharing their passwords, through a security object known as an access token. OAuth2 works with the following four actors: authorization server: responsible for authentication and authorization; provides the access token.

Does Iphone use OAuth?

Overview. Starting with iOS 12 and macOS 10.14, Apple has added OAuth 2.0 support for Exchange ActiveSync accounts that can be deployed through an Enterprise Mobility Management.

Does iOS Mail support OAuth?

Most modern, 3rd party email clients support modern authentication (OAUTH). Examples include (but are not necessarily limited to): Mail app for macOS Mojave 10.14+ (generally, Macs from mid 2012 or newer can run at least macOS Mojave) Mail app (built in) for iOS 11.3.


1 Answers

Google has come up with an experimental solution for this problem that they call OAuth 2.0 for Installed Applications.

The Google OAuth 2.0 endpoint supports applications that are installed on a device...it is assumed that these applications cannot keep secrets.

Essentially, the shared secret is treated as non-secret.

At the time of this writing, most OAuth 2.0 servers do not seem to support this experimental design.

This design introduces the risk that an attacker could create a new client that represents itself as your application to the authorization server (the attacker would need to obtain the client identifier as you describe in your question, or by following one of the techniques suggested here).

However, this risk seems to be mitigated by the fact that the resource owner (the user) would be unlikely to authorize the malicious application to take any action on protected resources, since he/she will know that the application is not, in fact, your application.

like image 68
benvolioT Avatar answered Oct 20 '22 20:10

benvolioT