Re: [OAUTH-WG] Android App Links (AKA Universal Links)

George Fletcher <gffletch@aol.com> Wed, 04 November 2020 14:55 UTC

To: Joseph Heenan <joseph@authlete.com>, oauth <oauth@ietf.org>
References: <CAD9ie-tixMTAbPOtzPUjZdM7oa6_Rw2Gfbup2NQHUHJMu9LBTg@mail.gmail.com> <65B3EF09-25F4-4F3E-96DD-05FA60F044D0@authlete.com> <CAD9ie-vFguzxNzgZKae2Qjq_POrEVyznLXyKmg6MyG+xV4LfVA@mail.gmail.com> <49d1a3ce-619e-abe7-5c4f-7c2fec8c8889@aol.com> <A46D3FFB-2B4E-41BE-9519-A26512A5D8A0@authlete.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <d6bb1af3-bbde-8bae-2450-63ba151b78a8@aol.com>
Date: Wed, 4 Nov 2020 09:44:59 -0500
In-Reply-To: <A46D3FFB-2B4E-41BE-9519-A26512A5D8A0@authlete.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cN0uYaEd5uOLEprCwc-0wJjKJfs>
Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links)

The focus of the IIW session was "Mobile App Impersonation" and what can 
be done about it. Obviously moving to Universal Links (iOS) and App 
Links (Android) is an important first step but not sufficient on Android 
as you point out. Other areas of exploration are around dynamic client 
registration (forces the app impersonator to call a specific endpoint 
which can increase the ability to detect the impersonation). Also 
possibly combining device attestation and app attestation into the mix 
could provide a mechanism to ensure only the intended apps can get 
access. However, this is a fair amount of work for developers to prevent 
app impersonation. There is a big question regarding ROI of closing this 
attack vector :)

I'm especially interested in whether anyone has even looked at their 
logs and tried to detect app impersonation of their public clients. Feel 
free to message me privately if you don't want to share with the group :)

Thanks,
George

On 11/4/20 7:29 AM, Joseph Heenan wrote:
> Thanks George :) That’s a shame, I would have liked to listen to the recording.
>
> My email below was thinking of the OSW interactive sessions (we had about 2 hours of technical discussion on some of the issues with implementing app2app in practice particularly on Android), but now I’ve looked I think perhaps the recordings of those weren’t published. I have been working on a blog post with others that delves more into the Android side of things, hopefully we will publish that in the not too distant future.
>
> I did an identiverse session too, which although it starts out quite similar diverges after about 10 minutes, delving less into the detail of security and covering more of the higher level what/why/how: https://identiverse.gallery.video/detail/video/6186099813001/
>
> Joseph
>
>> On 3 Nov 2020, at 22:12, George Fletcher <gffletch@aol.com> wrote:
>>
>> I sent in some notes but I don't have a link for the recording. I don't believe the recordings were being kept much past the end of the conference. I'm pretty sure I heard that the recordings would be removed after N days (I don't remember what N was stated as :)
>>
>> Joseph's explanation is better than I could have given and matches my understanding as well.
>>
>> Thanks,
>> George
>>
>> On 11/3/20 2:13 PM, Dick Hardt wrote:
>>> Thanks Joseph.
>>>
>>> George Fletcher ran a great session on the topic at the last IIW as well.
>>>
>>> George: do you have a link?
>>>
>>> On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <joseph@authlete.com> wrote:
>>>
>>>> Hi Dick
>>>>
>>>> I didn’t attend the call so don’t know the background of this and the
>>>> exact situation, but the general problem is mostly where the Authorization
>>>> Server’s app is *not* installed. In that case Android falls back to much
>>>> weaker mechanisms that allow other apps to get a look in. App links also
>>>> aren’t consistently supported across all commonly used android browsers
>>>> which causes further problems.
>>>>
>>>> In general to do app2app oauth redirections securely on Android it’s
>>>> necessary for both apps to fetch the /.well-known/assetlinks.json for the
>>>> url they want to redirect to, and verify that the intent the app intends to
>>>> launch to handle the url is signed using the expected certificate. Web2app
>>>> flows are trickier, on both iOS and on Android. There were lengthy
>>>> discussions on at least the Android case at OAuth Security Workshop this
>>>> year (recordings available).
>>>>
>>>> Joseph
>>>>
>>>>
>>>> On 20 Oct 2020, at 00:09, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Hey Vittorio
>>>>
>>>> (cc'ing OAuth list as this was brought up in the office hours today)
>>>>
>>>> https://developer.android.com/training/app-links
>>>>
>>>> An app is the default handler and the developer has verified ownership of
>>>> the HTTPS URL. While a user can override the app being the default handler
>>>> in the system settings -- I don't see how a malicious app can be the
>>>> default setting.
>>>>
>>>> What am I missing?
>>>>
>>>> /Dick
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
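Added example, not code from this thread or from any Android or OAuth project: a platform-independent Python rendering of the check Joseph describes above, in which the app fetches /.well-known/assetlinks.json for the redirect target and refuses to hand the URL to an installed handler unless that handler's package name and signing-certificate SHA-256 fingerprint appear in the site's statement list. The JSON document, package names and "certificate" bytes are constructed stand-ins for the example (the real fingerprint is the SHA-256 of the DER-encoded signing certificate); no network fetch is performed, and the function names are the example's own.

```python
"""
Offline model of the assetlinks.json check an app should run before handing an
OAuth redirect to another app on Android: collect the (package_name, signing cert
SHA-256) pairs the site authorises for delegate_permission/common.handle_all_urls
and launch an installed handler only if it matches one of them.

Constructed for this example: the JSON document, the "certificate" byte strings
(stand-ins for DER-encoded X.509 signing certificates) and the package names.
"""
import hashlib
import json

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate, in the colon-separated
    upper-case form used in assetlinks.json (and printed by `keytool -list -v`)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Tolerate lower-case and colon-less fingerprints when comparing.
    return fp.replace(":", "").upper()


def authorised_handlers(assetlinks_doc: str) -> set[tuple[str, str]]:
    """Every (package_name, normalised fingerprint) the site authorises to handle
    all of its URLs. Statements with another relation (e.g. get_login_creds) or a
    non-Android target namespace grant nothing here."""
    handlers: set[tuple[str, str]] = set()
    for stmt in json.loads(assetlinks_doc):
        target = stmt.get("target", {})
        if HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        pkg = target.get("package_name")
        if not pkg:
            continue
        for fp in target.get("sha256_cert_fingerprints", []):
            handlers.add((pkg, _normalize(fp)))
    return handlers


def is_trusted_handler(assetlinks_doc: str, package_name: str, der_cert: bytes) -> bool:
    """True only if BOTH the package name and the signing-cert fingerprint of the
    installed app appear in the statement list. An impersonator that reuses the
    genuine package name but is signed with its own key fails this check."""
    pair = (package_name, _normalize(cert_fingerprint(der_cert)))
    return pair in authorised_handlers(assetlinks_doc)


def choose_handler(assetlinks_doc: str, installed: list[tuple[str, bytes]]):
    """`installed` is what the OS reports as able to handle the URL, as
    (package_name, der_cert) pairs. Returns the single authorised package, or
    None when none (or more than one) is authorised; None means the redirect must
    not be handed to any app rather than falling back to an unverified one."""
    trusted = [pkg for pkg, cert in installed
               if is_trusted_handler(assetlinks_doc, pkg, cert)]
    return trusted[0] if len(trusted) == 1 else None


# --- constructed sample data (not real certificates or apps) ---------------
AS_PACKAGE = "com.example.authserver"
GENUINE_AS_CERT = b"constructed: DER bytes of the genuine AS app signing cert"
IMPOSTOR_CERT = b"constructed: DER bytes of an impersonator signed with its own key"
OTHER_CERT = b"constructed: DER bytes of an unrelated app's signing cert"

SAMPLE_ASSETLINKS = json.dumps([
    {
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": AS_PACKAGE,
            "sha256_cert_fingerprints": [cert_fingerprint(GENUINE_AS_CERT)],
        },
    },
    {   # a different relation must not grant URL handling
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.other",
            "sha256_cert_fingerprints": [cert_fingerprint(OTHER_CERT)],
        },
    },
])

if __name__ == "__main__":
    # Genuine AS app installed alongside an impostor: only the genuine one wins.
    print(choose_handler(SAMPLE_ASSETLINKS,
                         [("com.evil.impostor", IMPOSTOR_CERT),
                          (AS_PACKAGE, GENUINE_AS_CERT)]))
    # Genuine app absent, impostor cloned the package name: nothing is launched.
    print(choose_handler(SAMPLE_ASSETLINKS, [(AS_PACKAGE, IMPOSTOR_CERT)]))
```

On a device the DER bytes come from the platform's package manager (the signing certificates reported for the installed package), and the statement list must be fetched over HTTPS from the host of the URL being redirected to; a fetch failure is treated the same as an empty list, so the redirect is not handed to any app. The package-name-only match is the weak mechanism the check exists to avoid: it is the certificate fingerprint that distinguishes the genuine app from one that merely declares the same package name.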