Is it possible to make OAuth secure on iOS?
I am investigating OAuth 2.0 as a means to implement single sign-on + authorization for a "suite" of iOS apps. To explain my concerns, I'll simplify and use Facebook + a 3rd party app that uses Facebook for authentication (let's say Words/"Words with Friends").
For the purpose of example, I'll assume that Facebook registers to support scheme/protocol "facebook://" and that Words registers to support "words://"
I also make the assumption that it is not possible to secure the "client-secret" or the protocol in an iOS application, because you can decompile the application. Every way that I have come up with to secure this results in security by obscurity.
Another assumption is that there is no way to prevent two applications from registering to handle the same protocol. The behavior when two apps both register for the same protocol is indeterminate. (Although it appears that the first app to launch on the device gets registered while the second app's registration is ignored.)
If I understand the workflow between Facebook (user-agent) and Words (client) on the iOS device:
Assuming the above is correct, if I want to be malicious and access random people's friends list, I could create an application that also registers to handle the protocol "words://" and get it on the app store. If someone has my app and Words installed and my app is the one that successfully registered (i.e. launched on the device before Words), then:
I am hoping that my reasoning is flawed above or I would have to conclude (specifically) that Facebook iOS authentication for 3rd party apps is insecure.
More generically, is it possible to implement OAuth 2.0 (authorization code / implicit grant workflows) securely in an iOS application?
OAuth2 lets users grant third-party apps access to their web resources, without sharing their passwords, through a security object known as an access token. OAuth2 works with the following four actors: authorization server: responsible for authentication and authorization; provides the access token.
Google has come up with an experimental solution for this problem that they call OAuth 2.0 for Installed Applications.
The Google OAuth 2.0 endpoint supports applications that are installed on a device... it is assumed that these applications cannot keep secrets.
Essentially, the shared secret is treated as non-secret.
At the time of this writing, most OAuth 2.0 servers do not seem to support this experimental design.
This design introduces the risk that an attacker could create a new client that represents itself as your application to the authorization server (the attacker would need to obtain the client identifier as you describe in your question, or by following one of the techniques suggested here).
However, this risk seems to be mitigated by the fact that the resource owner (the user) would be unlikely to authorize the malicious application to take any action on protected resources, since he/she will know that the application is not, in fact, your application.
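As an added example (not part of the question or of the answer above), the following Python script models the scenario the question describes: two apps register the custom scheme words://, the first one launched owns it, and an attacker who has pulled the client_id and client_secret out of the legitimate app's binary redeems the intercepted authorization code. This is exactly the answer's point that an embedded client secret must be treated as public. The script goes beyond the page in one respect: it also shows the proof-key binding that was later standardized as RFC 7636 (PKCE), which the answer does not mention, so that the same interception no longer yields a token. Every name, identifier, endpoint and the first-registration-wins behaviour is a constructed assumption for this toy model; there is no real Facebook or Words endpoint involved.

```python
"""Toy model of custom-URL-scheme interception on a mobile device, with and
without a proof key (RFC 7636 PKCE). All clients, secrets, schemes and the
device behaviour below are constructed for illustration only."""
import base64
import hashlib
import secrets
import urllib.parse


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """The 'Facebook' role: mints codes and exchanges them for tokens."""

    def __init__(self):
        # Assumed registration: client_id -> (client_secret, redirect_uri).
        # The secret ships inside the app binary, so anyone can read it.
        self.clients = {"words-client-id": ("words-client-secret", "words://oauth/callback")}
        self.codes = {}  # code -> (client_id, code_challenge or None)

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        """Resource owner has consented; return the redirect URL carrying a code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge)
        # The scheme is correct, but the server cannot know which app owns it.
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, code_verifier=None):
        """Single-use code exchange; returns an access token or None."""
        expected_secret, _ = self.clients.get(client_id, (None, None))
        if client_secret != expected_secret:
            return None
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        challenge = entry[1]
        if challenge is not None and (code_verifier is None or s256(code_verifier) != challenge):
            return None  # code was bound to a verifier only the real app holds
        return "access-token-" + secrets.token_hex(4)


class App:
    def __init__(self, name, scheme):
        self.name, self.scheme = name, scheme
        self.received_code = None

    def handle_redirect(self, url):
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        self.received_code = query["code"][0]


class Device:
    """Assumed behaviour from the question: first app to launch owns the scheme."""

    def __init__(self):
        self.scheme_owner = {}

    def launch(self, app):
        self.scheme_owner.setdefault(app.scheme, app)  # later registrations ignored

    def open_url(self, url):
        scheme = urllib.parse.urlsplit(url).scheme
        self.scheme_owner[scheme].handle_redirect(url)


def run(use_pkce: bool):
    """One authorization round. Returns (attacker_token, code_seen_by_words)."""
    server, device = AuthServer(), Device()
    attacker, words = App("Malicious", "words"), App("Words", "words")
    device.launch(attacker)  # launched first, so it owns words://
    device.launch(words)

    # Words starts the flow. With PKCE it keeps a fresh verifier in memory and
    # sends only the S256 challenge with the authorization request.
    verifier = secrets.token_urlsafe(32) if use_pkce else None
    challenge = s256(verifier) if use_pkce else None
    redirect = server.authorize("words-client-id", "words://oauth/callback", challenge)
    device.open_url(redirect)  # the OS hands the redirect to the attacker app

    # The attacker replays the extracted client credentials with the stolen
    # code. It never saw the verifier, so it cannot supply one.
    attacker_token = server.token("words-client-id", "words-client-secret", attacker.received_code)
    return attacker_token, words.received_code


if __name__ == "__main__":
    print("without PKCE, attacker token:", run(use_pkce=False)[0])
    print("with PKCE, attacker token:   ", run(use_pkce=True)[0])
```

In both runs the legitimate app never receives the code, which is the interception the question worries about; the difference is that without a proof key the code plus the extractable secret is enough to mint a token, while with PKCE the stolen code is useless to anyone who does not hold the verifier. The client secret contributes nothing to security in either run, which is why the answer's source treats it as non-secret.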