Re: [OAUTH-WG] Android App Links (AKA Universal Links)

Joseph Heenan <> Tue, 03 November 2020 19:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 72DB93A0100 for <>; Tue, 3 Nov 2020 11:09:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yE5WzGnF6Swv for <>; Tue, 3 Nov 2020 11:09:21 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CEB4D3A0D3A for <>; Tue, 3 Nov 2020 11:09:08 -0800 (PST)
Received: by with SMTP id d142so356910wmd.4 for <>; Tue, 03 Nov 2020 11:09:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Y6IjfSSCGbTA+euPQFy/p5TCIU1Fb8btHrHfN3mhuLk=; b=0zG/m9vvbAGKnWwS8aUOcbbaYcUjUAgQO52uCXu3bJpOPVsnhto5TQgkg+KAZ92lFq cNusqg7uPIh6A4l11CqcKPda2Y+A7Ty2fD0lK9VmBXtRaq8zimhmzowpW8FTn8qi3qhN md6pFFXkNXNwGq3hyhYzsGMzWmDS3+CpwQ3ylFzFBU6NBM2mAlf8aNH2LIGwuVOPmYLd 0JcvwZdElFbZ7O1nIi9MlOt1ShyrYLxkjMAjYQYGil2nc94OgagFFI+7BEdjjY2B6cyk dvyOpzroife0w1iUxdh0HZwZ3B5114wbZBVJS4OPgTbzwzp9RLFgphLfN933mZcbHOXD jklg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Y6IjfSSCGbTA+euPQFy/p5TCIU1Fb8btHrHfN3mhuLk=; b=ncXPuIn+MPRxG90iIW9IDbk2HbcvFW1t2Ac6patFzTzPBwL//I/F2vPXR/FtujHywp enAcVopERe6TGrwE/9I23SsyR9GZgbvg+ZXz3CpCuti5Hhtp3VSus/1yGBGRKOP4b1Nv Wrl+sEkPd39m+FceO5BS43aeCdJPJwP9ngFFozCwhdlU0tsB9KkpKP6lfxS5q4JRybrg nIer2Duu6a8XpOcXtQ3+VLFCXLnjCaXz/1liHaPaFTxnf+5J/7xKzzRitzsGe7b6UtRM +R7SR6sHoYHXGvxZPCXqFCN5KKiHAHOoqtaMvNj7fG3JWsEuPemRgh3an8A5oGI60S0j 1wKQ==
X-Gm-Message-State: AOAM533nfFvY014GR+K3lYnRpdGc/qCKy/e5AU0icgfQsoWfruESBHX3 2ghnCWZ0WsD344odD1iGwuQRmg==
X-Google-Smtp-Source: ABdhPJzYBgckhefTGYqV+N0DBroN8ZxeQoSBMKvx7URb8FgR0snqqjnTpGn9LD3AhYVuJaCRdNAhmQ==
X-Received: by 2002:a1c:9d94:: with SMTP id g142mr694974wme.66.1604430546050; Tue, 03 Nov 2020 11:09:06 -0800 (PST)
Received: from ( []) by with ESMTPSA id z5sm27310274wrw.87.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Nov 2020 11:09:05 -0800 (PST)
From: Joseph Heenan <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2366112A-8B23-42F3-B891-2A22A73F908C"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Tue, 03 Nov 2020 19:09:04 +0000
In-Reply-To: <>
Cc: oauth <>
To: Dick Hardt <>
References: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Nov 2020 19:09:23 -0000

Hi Dick

I didn’t attend the call so don’t know the background of this and the exact situation, but the general problem is mostly where the Authorization Server’s app is *not* installed. In that case Android falls back to much weaker mechanisms that allow other apps to get a look in. App links also aren’t consistently supported across all commonly used android browsers which causes further problems.

In general to do app2app oauth redirections securely on Android it’s necessary for both apps to fetch the /.well-known/assetlinks.json for the url they want to redirect to, and verify that the intent the app intends to launch to handle the url is signed using the expected certificate. Web2app flows are trickier, on both iOS and on Android. There were lengthy discussions on at least the Android case at OAuth Security Workshop this year (recordings available).


> On 20 Oct 2020, at 00:09, Dick Hardt <> wrote:
> Hey Vittorio
> (cc'ing OAuth list as this was brought up in the office hours today)
> <>
> An app is the default handler and the developer has verified ownership of the HTTPS URL. While a user can override the app being the default handler in the system settings -- I don't see how a malicious app can be the default setting.
> What am I missing?
> /Dick
> ᐧ
> _______________________________________________
> OAuth mailing list