Re: [OAUTH-WG] Public client cloning

Justin Richer <> Fri, 13 September 2019 19:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D25DB120111 for <>; Fri, 13 Sep 2019 12:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dTmrNu0fiqRQ for <>; Fri, 13 Sep 2019 12:13:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DF72B1200FA for <>; Fri, 13 Sep 2019 12:13:04 -0700 (PDT)
Received: from (W92EXEDGE3.EXCHANGE.MIT.EDU []) by (8.14.7/8.12.4) with ESMTP id x8DJDD9b011013; Fri, 13 Sep 2019 15:13:24 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 13 Sep 2019 15:12:41 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1365.1; Fri, 13 Sep 2019 15:12:48 -0400
Received: from ([]) by ([]) with mapi id 15.00.1365.000; Fri, 13 Sep 2019 15:12:48 -0400
From: Justin Richer <>
To: Masakazu OHTSUKA <>
CC: Marius Scurtescu <>, "" <>
Thread-Topic: [OAUTH-WG] Public client cloning
Thread-Index: AQHVZ/j4JiICU9vqDEmbu/R19TzDAKcla9wAgAAit4CABLL9gA==
Date: Fri, 13 Sep 2019 19:12:47 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_CC052670A4A04AD69D7FDDB7096E7128mitedu_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] Public client cloning
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Sep 2019 19:13:07 -0000

If the phone is compromised, it doesn’t matter if the client is public or confidential. In the latter case, an attacker could exfiltrate or capture the client’s own credentials and use them maliciously.

— Justin

On Sep 10, 2019, at 3:27 PM, Masakazu OHTSUKA <<>> wrote:

I see.

Then is this understandable to think from the Authorization Server's point of view ...

If phone being compromised is a threat that the Client cares,
AS might be interested in NOT supporting public Clients,
and forcing the Client to have a server side, do client authentication, and have some way to hold a session between the native app and it's server side.

Because if phone is compromised, when AS supports public Clients and access_token leaks, it's kind of AS's fault (well depending on the terms...),
but if whatever the means that the phone app and it's server side keeps a session leaks, it's NOT the AS's fault.

On Tue, Sep 10, 2019 at 8:23 PM Marius Scurtescu <<>> wrote:
If the phone is compromised, original app replaced by malicious app, then RFC8252 will not help. The assumption is that the phone is not compromised.

On Tue, Sep 10, 2019 at 9:58 AM Masakazu OHTSUKA <<>> wrote:

I've read rfc8252 and have questions about native apps, that I couldn't find answers on Internet.

Imagine an attacker doing:
1. original app and authorization server conforms to rfc8252 4.1.  Authorization Flow for Native Apps Using the Browser
2. clone the original app, name it malicious app and install on the target phone
3. remove the original app from the target phone
4. use the malicious app and authorize, OS will invoke malicious app using custom URL scheme
5. now malicious app has access to the access token

How should we think about this?
What am I missing?

OAuth mailing list<>
OAuth mailing list<>