[OAUTH-WG] Public client cloning

Masakazu OHTSUKA <o.masakazu@gmail.com> Tue, 10 September 2019 15:13 UTC

From: Masakazu OHTSUKA <o.masakazu@gmail.com>
Date: Tue, 10 Sep 2019 18:13:15 +0300
Message-ID: <CAP=REHFHeJT=w4ZCmHYJaL4QFQvntWqPTRaXVCH-fz4FciHh5A@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_ZXW1TnnBAmrEJINsPyGmYoc8YI>
Subject: [OAUTH-WG] Public client cloning

Hi,

I've read RFC 8252 and have questions about native apps that I couldn't
find answers to on the Internet.

Imagine an attacker doing:
1. The original app and authorization server conform to RFC 8252 section 4.1, Authorization Flow for Native Apps Using the Browser.
2. Clone the original app, name it "malicious app" and install it on the target phone.
3. Remove the original app from the target phone.
4. Use the malicious app and authorize; the OS will invoke the malicious app using the custom URL scheme.
5. Now the malicious app has access to the access token.

How should we think about this?
What am I missing?