Re: [OAUTH-WG] Public client cloning

Filip Skokan <panva.ip@gmail.com> Tue, 10 September 2019 17:37 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1955D120074 for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2019 10:37:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EA2YCU0JrCT9 for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2019 10:37:55 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70053120041 for <oauth@ietf.org>; Tue, 10 Sep 2019 10:37:55 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id h7so20529676wrw.8 for <oauth@ietf.org>; Tue, 10 Sep 2019 10:37:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fOlMjvpB3OTG5PRMdSbtZuB7V+kJIOSoZxuAFQfO7fA=; b=fXCu8gDFn2V+mdiRvoeaDL6zxqsFITmtOusxA97PAETn84VMGhCpxvHO1BXX4hTQsS nbPGuxflnUcGXxMiOo9R4tG5SbRGeRh3KqKb3IQd23Thy/9aWK/ErOOHpw/V0qKsiOOv 40V9mUjFVVPj2Yzx6FDSIkanw5RR6wgkaqAEG8I2UstAm0zyIis9tRGufrjRepLzUwph RLgKmL2NO6viOa8qpp3poscuGeu/QGr+DXkiiGGmur5WjeauloQhAdx2kYFPLyotvDOA SGhtyst6FcwhlZD+oAV84hFrz81dHZfe3RVjHCiO8Qiu4CJPHzyfATi+iYftSfLlHXkE DbfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fOlMjvpB3OTG5PRMdSbtZuB7V+kJIOSoZxuAFQfO7fA=; b=oH10TyLi2PJ9EPFykfljobeacy3rh0+rRBNDvFZP+5ewBqh4JcbTVDZ6gXWBkoYQiR +0bvgwxoa5Wh2sMxabgos/qKfn3uxQLkSF4efj79DZfQCDhvYqliz6pvoV1SdbjJMDnz 2Z8UpMzM9TCEG4bElHchTijAD5WeilIekCrgkLAUSEIWBKMEoZQvEKziCk4P3Oi7HhPp yUgg1J5FXkwjYSS6Wl9BBkVXRLkFXkGTK+0uiDGr4oPaNdtwsrepaMAtaX2Qyj02oAkf zipnVhe62FMiSpnE8hPIbn2t08wmMWg2F10zIT5NgYZ2Jp16uyj3MRr7hjJ+jjybAHDh sCZA==
X-Gm-Message-State: APjAAAXD7wSW3ebJanu0wjfejhNGf80ondT+vYdaJjAPldmmBYQi06Kx R3qG7BHJQ6vFRU/LkrVsMw==
X-Google-Smtp-Source: APXvYqzgI+tEzXmQePHvXvwnviMzwAlySEh/kDpjxluyR7Kc0aikxW40IPsg5RjMkPIWAAiX8A1mFg==
X-Received: by 2002:adf:dd02:: with SMTP id a2mr27952541wrm.15.1568137073908; Tue, 10 Sep 2019 10:37:53 -0700 (PDT)
Received: from [192.168.0.178] (ip-78-45-222-80.net.upcbroadband.cz. [78.45.222.80]) by smtp.gmail.com with ESMTPSA id e30sm34414214wra.48.2019.09.10.10.37.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Sep 2019 10:37:53 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-7D5A729F-2FA7-4B8B-92A8-2458067E3774
Mime-Version: 1.0 (1.0)
From: Filip Skokan <panva.ip@gmail.com>
X-Mailer: iPhone Mail (16G77)
In-Reply-To: <CABpvcNufpaTRk3BnjJs26b5d9k_8+hd5ZEdFjsmtViTokJiXVg@mail.gmail.com>
Date: Tue, 10 Sep 2019 19:37:50 +0200
Cc: Masakazu OHTSUKA <o.masakazu@gmail.com>, oauth@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <0D47C91A-8D03-463C-9750-419797E4C53E@gmail.com>
References: <CAP=REHFHeJT=w4ZCmHYJaL4QFQvntWqPTRaXVCH-fz4FciHh5A@mail.gmail.com> <CABpvcNufpaTRk3BnjJs26b5d9k_8+hd5ZEdFjsmtViTokJiXVg@mail.gmail.com>
To: Marius Scurtescu <marius.scurtescu=40coinbase.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LpxZdE0Qytcu6UlOuvNK5YGQZJA>
Subject: Re: [OAUTH-WG] Public client cloning
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 17:37:57 -0000

A claimed HTTPS URI would tho, right?

Odesláno z iPhonu

10. 9. 2019 v 19:22, Marius Scurtescu <marius.scurtescu=40coinbase.com@dmarc.ietf.org>:

> If the phone is compromised, original app replaced by malicious app, then RFC8252 will not help. The assumption is that the phone is not compromised.
> 
>> On Tue, Sep 10, 2019 at 9:58 AM Masakazu OHTSUKA <o.masakazu@gmail.com> wrote:
>> Hi,
>> 
>> I've read rfc8252 and have questions about native apps, that I couldn't find answers on Internet.
>> 
>> Imagine an attacker doing:
>> 1. original app and authorization server conforms to rfc8252 4.1.  Authorization Flow for Native Apps Using the Browser
>> 2. clone the original app, name it malicious app and install on the target phone
>> 3. remove the original app from the target phone
>> 4. use the malicious app and authorize, OS will invoke malicious app using custom URL scheme
>> 5. now malicious app has access to the access token
>> 
>> How should we think about this?
>> What am I missing?
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth