Re: [OAUTH-WG] Android App Links (AKA Universal Links)

Tim Cappalli <Tim.Cappalli@microsoft.com> Tue, 03 November 2020 19:17 UTC

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: "dick.hardt" <dick.hardt@gmail.com>, Joseph Heenan <joseph@authlete.com>, George Fletcher <gffletch@aol.com>
CC: oauth <oauth@ietf.org>
Date: Tue, 03 Nov 2020 19:17:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jJ7GCJyRuo59PzDMP326lNzSAKM>

Here’s the OSW recording on app2app.

https://www.youtube.com/watch?v=vktyY5CXwjg


From: OAuth <oauth-bounces@ietf.org>
Date: Tuesday, November 3, 2020 at 14:14
To: Joseph Heenan <joseph@authlete.com>, George Fletcher <gffletch@aol.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links)
Thanks Joseph.

George Fletcher ran a great session on the topic at the last IIW as well.

George: do you have a link?


On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <joseph@authlete.com> wrote:
Hi Dick

I didn’t attend the call so don’t know the background of this and the exact situation, but the general problem is mostly where the Authorization Server’s app is *not* installed. In that case Android falls back to much weaker mechanisms that allow other apps to get a look in. App Links also aren’t consistently supported across all commonly used Android browsers, which causes further problems.

In general to do app2app oauth redirections securely on Android it’s necessary for both apps to fetch the /.well-known/assetlinks.json for the url they want to redirect to, and verify that the intent the app intends to launch to handle the url is signed using the expected certificate. Web2app flows are trickier, on both iOS and on Android. There were lengthy discussions on at least the Android case at OAuth Security Workshop this year (recordings available).

Joseph



On 20 Oct 2020, at 00:09, Dick Hardt <dick.hardt@gmail.com> wrote:

Hey Vittorio

(cc'ing OAuth list as this was brought up in the office hours today)

https://developer.android.com/training/app-links

An app is the default handler and the developer has verified ownership of the HTTPS URL. While a user can override the app being the default handler in the system settings -- I don't see how a malicious app can be the default setting.

What am I missing?

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
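The check Joseph describes above (each app fetching /.well-known/assetlinks.json for the URL it is about to redirect to, and only launching an intent toward a package signed with the certificate the site lists) written out as an added example. This is not code from the thread, from Android, or from any participant. The origins, package names, "DER" certificate bytes and the assetlinks document are constructed stand-ins so the check runs offline; on a device the certificate bytes would be read from PackageManager for each candidate package that resolves the URL, and the document from an HTTPS GET of the target origin.

```python
"""Reference app2app handler check (added example, not from the thread).

Before an OAuth client fires an intent for https://as.example/authorize (or
the AS fires one for the client's https redirect_uri), the calling app fetches
<origin>/.well-known/assetlinks.json and hands the URL only to a package whose
signing certificate matches one the site delegated URL handling to.  Origins,
package names, certificate bytes and the assetlinks document below are all
constructed so the check runs offline.
"""
import hashlib
import json
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed stand-ins for DER-encoded APK signing certificates.
AS_CERT_DER = b"constructed-der-bytes: genuine signing cert of com.example.as"
EVIL_CERT_DER = b"constructed-der-bytes: attacker cert, same package name"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate in the colon-separated upper-case hex
    form used by the sha256_cert_fingerprints field of assetlinks.json."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed assetlinks.json, keyed by origin, as the AS would publish it.
ASSETLINKS: Dict[str, str] = {
    "https://as.example": json.dumps([{
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.as",
            "sha256_cert_fingerprints": [cert_fingerprint(AS_CERT_DER)],
        },
    }]),
}


def fetch_assetlinks(origin: str) -> Optional[str]:
    """Stand-in for an HTTPS GET of <origin>/.well-known/assetlinks.json.
    Returns None when the site publishes no statement (e.g. a 404)."""
    return ASSETLINKS.get(origin)


def delegated_handlers(assetlinks_json: str) -> Set[Tuple[str, str]]:
    """Return the (package_name, fingerprint) pairs the site delegates
    handle_all_urls to; other relations and non-Android targets are ignored."""
    handlers: Set[Tuple[str, str]] = set()
    for statement in json.loads(assetlinks_json):
        target = statement.get("target", {})
        if HANDLE_ALL_URLS not in statement.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        for fp in target.get("sha256_cert_fingerprints", []):
            handlers.add((target["package_name"], fp.upper()))
    return handlers


def choose_handler(url: str, installed: Dict[str, bytes]) -> Optional[str]:
    """Return the installed package that may receive an intent for `url`.

    `installed` maps package name -> DER signing certificate, as the calling
    app would read it from PackageManager for each candidate that resolves
    the URL.  None means "no verified handler": the caller must not fall back
    to a generic VIEW intent that any app could register for, and should open
    the URL in the browser (or abort) instead.  This is the situation Joseph
    flags when the AS's app is simply not installed.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":            # App Links only verify https URLs
        return None
    document = fetch_assetlinks("https://" + parts.netloc)
    if document is None:
        return None
    allowed = delegated_handlers(document)
    for package, cert_der in installed.items():
        if (package, cert_fingerprint(cert_der)) in allowed:
            return package
    return None


if __name__ == "__main__":
    authz = "https://as.example/authorize?client_id=x"
    genuine = {"com.example.as": AS_CERT_DER}
    spoofed = {"com.example.as": EVIL_CERT_DER}   # same name, wrong key
    print(choose_handler(authz, genuine))  # com.example.as
    print(choose_handler(authz, spoofed))  # None
    print(choose_handler(authz, {}))       # None: AS app not installed
```

The same function serves both directions Joseph mentions: the client calls it for the AS's authorization endpoint, and the AS calls it for the client's HTTPS redirect_uri. The None branch is the one that matters: a package that merely claims the right name, or no matching package at all, must not lead to a generic intent that Android resolves to whatever app registered for the host.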