Re: [OAUTH-WG] Public client cloning

Marius Scurtescu <marius.scurtescu@coinbase.com> Tue, 10 September 2019 17:23 UTC

References: <CAP=REHFHeJT=w4ZCmHYJaL4QFQvntWqPTRaXVCH-fz4FciHh5A@mail.gmail.com>
In-Reply-To: <CAP=REHFHeJT=w4ZCmHYJaL4QFQvntWqPTRaXVCH-fz4FciHh5A@mail.gmail.com>
From: Marius Scurtescu <marius.scurtescu@coinbase.com>
Date: Tue, 10 Sep 2019 10:22:52 -0700
Message-ID: <CABpvcNufpaTRk3BnjJs26b5d9k_8+hd5ZEdFjsmtViTokJiXVg@mail.gmail.com>
To: Masakazu OHTSUKA <o.masakazu@gmail.com>
Cc: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CZBXbij8n1KWtuNqQqcPbPZXK_A>

If the phone is compromised, with the original app replaced by a malicious app, then
RFC 8252 will not help. The assumption is that the phone is not compromised.

On Tue, Sep 10, 2019 at 9:58 AM Masakazu OHTSUKA <o.masakazu@gmail.com>
wrote:

> Hi,
>
> I've read RFC 8252 and have questions about native apps to which I couldn't
> find answers on the Internet.
>
> Imagine an attacker doing:
> 1. The original app and the authorization server conform to RFC 8252 section 4.1,
> Authorization Flow for Native Apps Using the Browser.
> 2. Clone the original app, name it "malicious app", and install it on the target
> phone.
> 3. Remove the original app from the target phone.
> 4. Use the malicious app and authorize; the OS will invoke the malicious app using
> the custom URL scheme.
> 5. Now the malicious app has access to the access token.
>
> How should we think about this?
> What am I missing?
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
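The following is an added example, not code from the thread or from the RFC: a small Python model of the RFC 8252 native-app flow (custom URL scheme redirect plus the PKCE check RFC 8252 requires, per RFC 7636) that runs two attacker positions side by side. In the first, the original app initiates the flow and a second app that also claims the scheme receives the redirect; the PKCE code_verifier never leaves the original app, so the interceptor cannot redeem the code. In the second, the scenario from the post above, the original app is gone and the clone initiates its own flow with its own verifier, so PKCE passes and the authorization server has no way to tell the clone from the original. The names, the "last install wins" scheme rule, the client_id and the scheme string are all assumptions made for the model; real OS rules for scheme ownership vary.

```python
"""Model of an RFC 8252 native-app authorization flow with PKCE, under two
attacker positions.  All apps, identifiers and OS behaviour here are
constructed for the example; nothing is taken from a real deployment."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _challenge(verifier: str) -> str:
    # PKCE S256: code_challenge = BASE64URL(SHA256(code_verifier))
    return _b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Minimal AS: single-use codes bound to client_id, redirect_uri and challenge."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        # The AS only sees a public client_id and a registered redirect_uri;
        # it cannot know which installed app will receive the redirect.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        cid, uri, challenge = entry
        if cid != client_id or uri != redirect_uri:
            return None
        if not secrets.compare_digest(_challenge(code_verifier), challenge):
            return None  # PKCE verification failed
        return "access-token-" + secrets.token_hex(8)


class PhoneOS:
    """Custom-scheme registry.  Assumption: the most recently installed app
    claiming a scheme receives URLs for it (real OS rules differ)."""

    def __init__(self):
        self._handlers = {}

    def install(self, app):
        self._handlers[app.scheme] = app

    def uninstall(self, app):
        if self._handlers.get(app.scheme) is app:
            del self._handlers[app.scheme]

    def open_url(self, url, auth_server):
        handler = self._handlers.get(urlsplit(url).scheme)
        if handler is not None:
            handler.handle_redirect(url, auth_server)


class NativeApp:
    """Public client: client_id ships in the app bundle, so a clone has it too."""

    def __init__(self, name, scheme, client_id):
        self.name, self.scheme, self.client_id = name, scheme, client_id
        self.redirect_uri = f"{scheme}://callback"
        self._verifier = None
        self.token = None

    def start_flow(self, os_, auth_server):
        self._verifier = secrets.token_urlsafe(32)  # stays inside this app
        redirect = auth_server.authorize(
            self.client_id, self.redirect_uri, _challenge(self._verifier))
        os_.open_url(redirect, auth_server)  # browser -> OS -> scheme handler

    def handle_redirect(self, url, auth_server):
        code = parse_qs(urlsplit(url).query)["code"][0]
        # An app that did not start the flow has no verifier and must guess.
        verifier = self._verifier or secrets.token_urlsafe(32)
        self.token = auth_server.token(
            self.client_id, self.redirect_uri, code, verifier)


def interception_scenario():
    """Original app starts the flow; a second app hijacks the scheme."""
    auth, os_ = AuthorizationServer(), PhoneOS()
    original = NativeApp("original", "com.example.app", "native-client")
    interceptor = NativeApp("interceptor", "com.example.app", "native-client")
    os_.install(original)
    os_.install(interceptor)  # now owns the scheme, receives the redirect
    original.start_flow(os_, auth)
    return interceptor.token  # None: code bound to a verifier it never saw


def clone_scenario():
    """The post's scenario: original removed, clone initiates its own flow."""
    auth, os_ = AuthorizationServer(), PhoneOS()
    original = NativeApp("original", "com.example.app", "native-client")
    clone = NativeApp("clone", "com.example.app", "native-client")
    os_.install(original)
    os_.uninstall(original)
    os_.install(clone)
    clone.start_flow(os_, auth)
    return clone.token  # a valid token: PKCE was satisfied by the clone itself


if __name__ == "__main__":
    print("interceptor token:", interception_scenario())
    print("clone token:", clone_scenario())
```

The two results together are the point of the reply above: PKCE and the RFC 8252 redirect rules bind the authorization code to whichever app started the flow, which stops a second app from stealing a code on an otherwise intact device, but they cannot distinguish a clone that starts its own flow from the genuine app, because a public client carries nothing a clone cannot copy.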