Re: [OAUTH-WG] Android App Links (AKA Universal Links)

Joseph Heenan <> Wed, 04 November 2020 12:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DA5D43A1091 for <>; Wed, 4 Nov 2020 04:29:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id E161EhkkK1xA for <>; Wed, 4 Nov 2020 04:29:45 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9AB163A1086 for <>; Wed, 4 Nov 2020 04:29:45 -0800 (PST)
Received: by with SMTP id d142so2154825wmd.4 for <>; Wed, 04 Nov 2020 04:29:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=snzPMuzoJdxf9I280WIaegM1xW0e7QoR3H74Df94978=; b=G4K4Xsz3uVu4ao7knbAALCEGh0JyoyRGRmaXF/D0p045+e2hofDhMtGR/MBcbfc4mA Dli6fdQ2KY+tEpCidrNsIPL9waEAoBGWUN57T/LoP6cwf3GsZQZsZB96NiMHoLcDi1tD GvsBg8QFChUjhmEWHz1l3JoiajmGNki8OJ2yIOXOO/reSccDsd/2tQNsiO8GiMSF6m0x HPh3Yg8FoWNKXH9/+OU3DWP/NpYJj3e12Ev2Sb/2ajM5lsEw9e/vEnp2GBTgenWQWilg Ep1+Ww607SJfqGr1O8k5cfaYzGzRaK2bPs1O+Io+SaZaujnRZy+hcpqiL6Yw6j04JnMI T5aQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=snzPMuzoJdxf9I280WIaegM1xW0e7QoR3H74Df94978=; b=pHkEoc3EViFKAj5XevlxfwUTe4muYmX7Z/fbdJO6b9xGDezAWl/aVqPpgLCZtQ9yQ3 RMG7smibXAQ1Mb7TB/rX2Oyqwaer5a3eCrJqIfyxZyvVk8oaIFHnxKJ8TioxJPDCkJzH n0EIzVd9lvPPGPVC1wjheiKznCF2bNbab/4cTTAF6INwQAHPjoxrtKIvbJeLhJMIO9Pn MyvtdCQUnvPJQrF5CJ+oyzl874o3GUHKNSDhE1+dh121L013wbK7/ZQDkciNuF/nFxja H8/5rG+mzHob+lMcrRaISmWwnbPxXwkJ+MGmK2OpUG9OeIGMyAEoOmOhQcZe0VeY1fqk 6GJQ==
X-Gm-Message-State: AOAM531uQEwyDJSuEmWf4O1eUo+aStTfJwYCW9wZkNNypXQsq1WdNEVZ U5ukYKZ2O1R1fKH72+YKti2mUj1lOBDbbMr+
X-Google-Smtp-Source: ABdhPJwBWk85hs8oP6Fk/oO5Jgu6sh+6opxK+QxCsivjazz1YG4kSxIT+fyM7Qc7q4iBTkvMKK0drA==
X-Received: by 2002:a7b:cbc3:: with SMTP id n3mr4422145wmi.68.1604492983883; Wed, 04 Nov 2020 04:29:43 -0800 (PST)
Received: from ( []) by with ESMTPSA id l16sm2259921wrx.5.2020. for <> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 04 Nov 2020 04:29:43 -0800 (PST)
From: Joseph Heenan <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0E04E49A-5E37-4E7E-9FFB-28D418646B04"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Wed, 04 Nov 2020 12:29:42 +0000
References: <> <> <> <>
To: oauth <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Nov 2020 12:29:48 -0000

Thanks George :) That’s a shame, I would have liked to listen to the recording.

My email below was thinking of the OSW interactive sessions (we had about 2 hours of technical discussion on some of the issues with implementing app2app in practice particularly on Android), but now I’ve looked I think perhaps the recordings of those weren’t published. I have been working on a blog post with others that delves more into the Android side of things, hopefully we will publish that in the not too distant future.

I did an identiverse session too, which although it starts out quite similar diverges after about 10 minutes, delving less into the detail of security and covering more of the higher level what/why/how:


> On 3 Nov 2020, at 22:12, George Fletcher <> wrote:
> I sent in some notes but I don't have a link for the recording. I don't believe the recordings were being kept much past the end of the conference. I'm pretty sure I heard that the recordings would be removed after N days (I don't remember what N was stated as:)
> Joseph explanation is better than I could have given and matches my understanding as well.
> Thanks,
> George
> On 11/3/20 2:13 PM, Dick Hardt wrote:
>> Thanks Joseph.
>> George Fletcher ran a great session on the topic at the last IIW as well.
>> George: do you have a link?
>> ᐧ
>> On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <> <> wrote:
>>> Hi Dick
>>> I didn’t attend the call so don’t know the background of this and the
>>> exact situation, but the general problem is mostly where the Authorization
>>> Server’s app is *not* installed. In that case Android falls back to much
>>> weaker mechanisms that allow other apps to get a look in. App links also
>>> aren’t consistently supported across all commonly used android browsers
>>> which causes further problems.
>>> In general to do app2app oauth redirections securely on Android it’s
>>> necessary for both apps to fetch the /.well-known/assetlinks.json for the
>>> url they want to redirect to, and verify that the intent the app intends to
>>> launch to handle the url is signed using the expected certificate. Web2app
>>> flows are trickier, on both iOS and on Android. There were lengthy
>>> discussions on at least the Android case at OAuth Security Workshop this
>>> year (recordings available).
>>> Joseph
>>> On 20 Oct 2020, at 00:09, Dick Hardt <> <> wrote:
>>> Hey Vittorio
>>> (cc'ing OAuth list as this was brought up in the office hours today)
>>> <>
>>> An app is the default handler and the developer has verified ownership of
>>> the HTTPS URL. While a user can override the app being the default handler
>>> in the system settings -- I don't see how a malicious app can be the
>>> default setting.
>>> What am I missing?
>>> /Dick
>>> ᐧ
>>> _______________________________________________
>>> OAuth mailing list
>>> <>
>>> <>