IETF Logo Mail Archive

Re: [OAUTH-WG] Public client cloning

Masakazu OHTSUKA <o.masakazu@gmail.com> Tue, 10 September 2019 19:27 UTC

Return-Path: <o.masakazu@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB50120273 for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2019 12:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKmqgvzUk0rn for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2019 12:27:19 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97830120096 for <oauth@ietf.org>; Tue, 10 Sep 2019 12:27:19 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id r4so40221665iop.4 for <oauth@ietf.org>; Tue, 10 Sep 2019 12:27:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fDZa/fi9dccpzvBRpW/BOUi+ZkmYUv+cwUZDVsTM10g=; b=AXtTNDX0gyjQLj9/l5tBTA0IS2uOPXcKTWb1gHIZCMn4fShy9ny9NpFvPrj+A28Hs9 gFnGfbNytOEIGMHv1SVTpdUAaRDTIdukhESxeSMv0wjN2NF7Pe4eKlAgFxODmhLgd6Hy IARB2qP3P0I08IzKmyjP9pr55coaRsT2mZbjI6pkO1VGVIHgnxc4s0YgiAr3PI9TGmC1 ob+8BLMrilODoh7HA1H37VwkzdAMqXwASEBsqJadbg6/4VhncHTGibZ4SQOfaZ8+w5i/ DcQMx5+Jpj8YeRxkcxx1GmQOvZZ9vwvPgp2HwRCuVkDAUFPtHGPKeYtyMXtovSycqUGe yJNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fDZa/fi9dccpzvBRpW/BOUi+ZkmYUv+cwUZDVsTM10g=; b=OMTiP3PTyOo3UpV8MGXX6XPWK1Kh/wScWj/hrw8YNoiG8fcwBz+78a9Etngt9oU6nV u0iOqsmq07Th4LEnBi71NKyNPx4OtU6IVC235uUCmc19wra8gPfQ9vrxuwX7TmI9/fpp S4jkOEFTbt0p7xWUWx2fW+yCslA/UE1zmIKU64+cxkLgrV4GgiuJeXnjFzc2zsg+AsKU SY6wLLr7Si+a/A1kpTYAUrNzD/lmmEnqS9RdcpWBF9BG3Ewvt9+/eJKePTjqtsiQ3tZ4 wz8dvNHdhysHlMbXPn2DyjRDfL+1HqPN3YxWrRldlWjFcfeBoSL96/JLbQrV9oLoFia0 Rs3g==
X-Gm-Message-State: APjAAAVOVYvGjLp4ck1FM2kzeAJBsHAk2pPly88/hkgWFyCNmguIGyit qwrzSOBTJfehNKSoLc6IP7040KIdEAnRtGmuZhIDy73n
X-Google-Smtp-Source: APXvYqzmZHrGI5FWFjmhAdT8NNsAkhTXBb/abDMoQzDvDIBIc5HdaSkCL73HalbhywCkLPjEFcYJHC0EwHig0uQWNM8=
X-Received: by 2002:a5d:9153:: with SMTP id y19mr13899209ioq.109.1568143638832; Tue, 10 Sep 2019 12:27:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAP=REHFHeJT=w4ZCmHYJaL4QFQvntWqPTRaXVCH-fz4FciHh5A@mail.gmail.com> <CABpvcNufpaTRk3BnjJs26b5d9k_8+hd5ZEdFjsmtViTokJiXVg@mail.gmail.com>
In-Reply-To: <CABpvcNufpaTRk3BnjJs26b5d9k_8+hd5ZEdFjsmtViTokJiXVg@mail.gmail.com>
From: Masakazu OHTSUKA <o.masakazu@gmail.com>
Date: Tue, 10 Sep 2019 22:27:07 +0300
Message-ID: <CAP=REHEN4JVB5xSAj6YZZNeoygPEWueyOXrbU=xuosVU5Z359Q@mail.gmail.com>
To: Marius Scurtescu <marius.scurtescu@coinbase.com>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008ca8d3059237e496"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GOfO-NPyhHK4XtYwMIq2YFtbDrE>
Subject: Re: [OAUTH-WG] Public client cloning
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 19:27:22 -0000

I see.

Then is this understandable to think from the Authorization Server's point
of view ...

If phone being compromised is a threat that the Client cares,
AS might be interested in NOT supporting public Clients,
and forcing the Client to have a server side, do client authentication, and
have some way to hold a session between the native app and it's server side.

Because if phone is compromised, when AS supports public Clients and
access_token leaks, it's kind of AS's fault (well depending on the
terms...),
but if whatever the means that the phone app and it's server side keeps a
session leaks, it's NOT the AS's fault.


On Tue, Sep 10, 2019 at 8:23 PM Marius Scurtescu <
marius.scurtescu@coinbase.com> wrote:

> If the phone is compromised, original app replaced by malicious app, then
> RFC8252 will not help. The assumption is that the phone is not compromised.
>
> On Tue, Sep 10, 2019 at 9:58 AM Masakazu OHTSUKA <o.masakazu@gmail.com>
> wrote:
>
>> Hi,
>>
>> I've read rfc8252 and have questions about native apps, that I couldn't
>> find answers on Internet.
>>
>> Imagine an attacker doing:
>> 1. original app and authorization server conforms to rfc8252 4.1.
>> Authorization Flow for Native Apps Using the Browser
>> 2. clone the original app, name it malicious app and install on the
>> target phone
>> 3. remove the original app from the target phone
>> 4. use the malicious app and authorize, OS will invoke malicious app
>> using custom URL scheme
>> 5. now malicious app has access to the access token
>>
>> How should we think about this?
>> What am I missing?
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email