Re: [OAUTH-WG] embedded UA detection

Joseph Heenan <> Thu, 24 October 2019 10:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 063C01207FC for <>; Thu, 24 Oct 2019 03:01:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yIuGdnGViXnk for <>; Thu, 24 Oct 2019 03:01:02 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8829112086B for <>; Thu, 24 Oct 2019 03:01:02 -0700 (PDT)
Received: by with SMTP id s1so16590213wro.0 for <>; Thu, 24 Oct 2019 03:01:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=rKirueFTG604vXhQIEzGISZRGajzjcHJocZGaVP0Snc=; b=wBdCvJks9PyJWD+uAMoECR+IpRHtTGP9XVDS8uQsfP7VqQya/97zpbBYxdD0d0+ju0 ZkUuPB3EDwAHS9oLKMPuknsRBZlpe3U7jmhr5UaFGtOYsg51xLHUYvoJAfhzqZ28ayM5 K5G6Nva0yUUq4mHCyuK2EBc4a6Cfe4bSpe6ONlKtrKF0puGRBib5HOavNVJD1kfptc6w jm7HOXQSgDFcKQvn6RVu6Qme7JSocX/tNfIQGd/1ZWlj7nvFag9T1cFnHr1yfjnyaCZ0 Pj1NfrryYVyeD/MINVjrHEOM5ydaxE4kCgoIbUXgzF3iJ52Xrd4hCrA3i0I991eHi3hS RQrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=rKirueFTG604vXhQIEzGISZRGajzjcHJocZGaVP0Snc=; b=SbLxgSNW71t3Hj0CjnNnStTFyi8dmBmm4gaVhECtjsw53fHnidI5lNfEqgPGSaVXnl TmCZJyPTGgP5OQy7qDgfpFSFZNCDWlG1umVx9DiLlE1ou8PMN62x6tUBAYPjIrMCsUgz P9lWF4tpcmHr5mymdmRDV/4TA96s9CEs1giBToJrkcASZQFiVUWtptsf+FFBn5WuOQyE LrhCxwbGaK5Ft3LS7x5wvJH5Mu3Y5xYfOFwQGQRi3s83PhL6XylvWGpZGIeQb/yRhmMT jZEXtw+mrIpGZAK4YEtT4ahpsI6nicHX1bBEnSbuCxyFcO1+SV/zQn0B1RxuS+wm2DRl kgRQ==
X-Gm-Message-State: APjAAAVGT3x02/srII6Vpkfm54uKkcCybMt07OySYk+/SFs3yIHIN/by CBD9YsHWUwaBCv6kPtPSEk8oFA==
X-Google-Smtp-Source: APXvYqysz/eSiTzhNa4vzSWpr2n/OpikIGpVvlHWbj7uN/M91fSYVFnIfL9T7CHHJ5XhS8i1X+Ygfw==
X-Received: by 2002:a5d:5707:: with SMTP id a7mr3121165wrv.177.1571911260736; Thu, 24 Oct 2019 03:01:00 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id n17sm1773985wmc.41.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 24 Oct 2019 03:00:59 -0700 (PDT)
From: Joseph Heenan <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8600065B-F8D6-4B6D-B268-C3BBA5155D08"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 24 Oct 2019 11:00:59 +0100
In-Reply-To: <>
To: Giada Sciarretta <>
References: <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [OAUTH-WG] embedded UA detection
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Oct 2019 10:01:06 -0000

Hi Giada,

All methods can be bypassed by an attacker that has control of the app in question, it’s just a matter of effort. I believe many AS’s use client side javascript to provide a harder to bypass implementation.

Your aim here is probably mainly to prevent naive developers “accidentally” (or with good but misplaced intentions) using an embedded user agent.

In general the real state of the art would be for the party that owns the AS to have an associated first-party native mobile app, as that improves the user experience and greatly reduces the associated risks. I wrote about the pattern for doing this here:

That said all the choices and risks here are very complex and interact with each other - from the information given I definitely can’t say whether app2app is a good approach in your use case.



> On 11 Oct 2019, at 15:44, Giada Sciarretta <> wrote:
> Hello,
> We are working on a project that involves mobile native applications.
> The OAuth for native apps (RFC8252) spec "requires that native apps MUST NOT use embedded user-agents  to perform authorization requests and allows that authorization endpoints MAY take steps to detect and block authorization requests  in embedded user-agents".
> We would like to integrate in our AS the state-of-the-art techniques for detecting and blocking authorization requests in embedded user-agents. We are aware of the following techniques (link <>):
> doing a string checking on the User agent string value. In the chromium based-WebView
> in the older versions it adds the “Version/X.X” string into the UA field. For example: Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; Nexus One Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
> in the newer version it will add, “;wv”. For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36
> checking the presence of X-Requested-With HTTP header, the value of this header will be the application's name that is running the webview.
> but we know that these detection methods can be bypassed by an attacker. Do you have any suggestions in this regard?
> Thank you in advance for your response.
> Kind regards,
> Giada Sciarretta
> --
> Le informazioni contenute nella presente comunicazione sono di natura privata e come tali sono da considerarsi riservate ed indirizzate esclusivamente ai destinatari indicati e per le finalità strettamente legate al relativo contenuto. Se avete ricevuto questo messaggio per errore, vi preghiamo di eliminarlo e di inviare una comunicazione all’indirizzo e-mail del mittente.
> --
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you received this in error, please contact the sender and delete the material.
> _______________________________________________
> OAuth mailing list