Shouldn't OAuth2 redirect the user to the external browser instead of just loading the login screen into WebView

What is the correct way of handling OAuth on mobile devices (Android, iOS, etc.)? As I am seeing it, most apps just load the login screen into an in-app browser like a WebView, or so. Isn't it actually trampling the whole principle of OAuth? Because as a developer I can easily read the password the user enters into the text field. Is there a way to do that with the startActivityForResult pattern (on Android particularly)? Because when the user enters their login and password into the main system browser, it should be a way more solid approach to maintaining security and trustworthiness for the app.

simekadam Avatar asked Nov 12 '22 19:11


1 Answer

Passing data between the app and the browser

You have to read the response (the reloaded URL) from the page after the user has logged in, to get the authorization code used to request the authentication and refresh tokens. If a (default) browser has to take responsibility for returning the authorization code to you, then it has to have a (documented) implementation of receiving such intents for such a result.

Letting the browser know your app's credentials

There is another, even more serious problem: usually you request authorization/authentication using your app's credentials (client id + client secret). You put them somewhere in the headers or in the URL as parameters. You'll have to provide them to the browser so it can put them in the headers/URL of the request for you.

Combined:

And when the browser has both the authorization code and your app's credentials, it can acquire auth/refresh tokens for the user's account and not only have access to it but also pretend to be your app. Bearing in mind that this is the built-in browser that comes with the device, the user will be calm because he'll probably trust the manufacturer, as he's buying its device. But can the app's developers trust the manufacturers? And what when a user chooses a 3rd-party browser as default and/or uninstalls the built-in one?

In short:

Instead of the user trusting the application he/she installs, both the user and the developer have to trust a 3rd party: the browser.

stan0 Avatar answered Nov 15 '22 04:11
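As an added example (not code from the question or the answer above), here is the app-side half of the browser round trip the answer describes, written in Python rather than Android code and using a hypothetical authorization server, client id and custom-scheme redirect URI. It builds the authorization URL with a random state, parses the redirect URL the browser hands back to extract the code, and rejects responses whose state does not match; it also adds the PKCE verifier/challenge pair from RFC 7636, which goes beyond the answer's text, so that the browser never sees the secret needed to redeem the code.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: hypothetical authorization server, client id and the
# custom-scheme redirect URI the app registers for itself.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "example-mobile-client"
REDIRECT_URI = "com.example.app:/oauth2redirect"

def pkce_challenge(code_verifier):
    """S256 challenge (RFC 7636): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_request(scope="openid profile"):
    """Build the URL the app hands to the system browser.
    Returns (url, state, code_verifier); the app keeps state and verifier in
    memory. The verifier is never shown to the browser: it goes only in the
    later token request, so a code seen by the browser cannot be redeemed."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)   # 86 chars, within the 43..128 limit
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, code_verifier

def parse_redirect(redirect_url, expected_state):
    """Extract the authorization code from the redirect URL the browser hands back.
    Raises ValueError unless the URL targets our redirect URI, carries exactly one
    state equal to the pending one, is not an error response and has one code."""
    parsed = urlparse(redirect_url)
    if f"{parsed.scheme}:{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect does not target the app's redirect URI")
    query = parse_qs(parsed.query, keep_blank_values=True)
    states = query.get("state", [])
    if len(states) != 1 or not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state missing or does not match the pending request")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

The code and verifier are then sent to the token endpoint over a direct HTTPS request from the app, which is the step the answer's client-credential concern refers to.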