[OAUTH-WG] embedded UA detection

Giada Sciarretta <giada.sciarretta@fbk.eu> Fri, 11 October 2019 14:45 UTC

From: Giada Sciarretta <giada.sciarretta@fbk.eu>
Date: Fri, 11 Oct 2019 16:44:45 +0200
Message-ID: <CAJmALaaecywN+wKZVS7wFjM2omRXPbE_OLegVYqkZcwVGey6Rw@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/o_wQhkhTC16XzvR7Y1OJMgDawC0>
Subject: [OAUTH-WG] embedded UA detection

Hello,

We are working on a project that involves mobile native applications.

The OAuth for native apps (RFC8252) spec "requires that native apps MUST
NOT use embedded user-agents to perform authorization requests and allows
that authorization endpoints MAY take steps to detect and block
authorization requests in embedded user-agents".

We would like to integrate in our AS the state-of-the-art techniques for
detecting and blocking authorization requests in embedded user-agents. We
are aware of the following techniques (link
<https://stackoverflow.com/questions/31848320/detect-android-webview>):

   - doing a string checking on the User agent string value. In the
     chromium-based WebView
       - in the older versions it adds the "Version/X.X" string into the UA
         field. For example: Mozilla/5.0 (Linux; U; Android 2.2.1; en-us;
         Nexus One Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko)
         Version/4.0 Mobile Safari/533.1
       - in the newer version it will add ";wv". For example: Mozilla/5.0
         (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36
         (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile
         Safari/537.36
   - checking the presence of X-Requested-With HTTP header, the value of
     this header will be the application's name that is running the webview.

but we know that these detection methods can be bypassed by an attacker. Do
you have any suggestions in this regard?

Thank you in advance for your response.

Kind regards,

Giada Sciarretta

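The two heuristics the post lists, written out as an authorization-endpoint check. This is an added example and not code from the post or from any particular AS; the function name, the header dictionary shape and the sample User-Agent strings that are not quoted in the post (the plain Chrome for Android one) are assumptions. It flags the Android WebView markers in the User-Agent string ("; wv" in the platform parentheses, and a Safari-style "Version/X.X" token alongside "Mobile Safari", which Chrome for Android does not send) and an X-Requested-With header carrying a package name, and it treats the "XMLHttpRequest" value that browser AJAX libraries send as a non-signal. As the post itself notes, both headers are chosen by the client, so the result is a best-effort RFC 8252 mitigation for well-behaved apps, not a boundary against a deliberately spoofing client.

```python
"""Embedded user-agent (WebView) detection for an OAuth authorization endpoint.

Added example (not the post's code). Implements the two heuristics from the
post: Android WebView markers in the User-Agent string and the
X-Requested-With header set to the embedding app's package name. Both are
client-controlled, so this is best-effort detection, not an enforcement boundary.
"""
import re

# Older Chromium-based WebViews add a Safari-style "Version/X.X" token.
# Chrome for Android does not send it, so on Android the combination of a
# Version token and "Mobile Safari" is the classic WebView fingerprint.
_VERSION_TOKEN = re.compile(r"\bVersion/\d+(?:\.\d+)*\b")
# Newer Chromium WebViews add "; wv" inside the platform parentheses.
_WV_TOKEN = re.compile(r";\s*wv\b")


def detect_embedded_ua(headers):
    """Return (is_embedded, reasons) for one request's HTTP headers.

    `headers` is a plain dict; keys are matched case-insensitively (assumed shape).
    """
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    reasons = []

    if "android" in ua.lower():
        if _WV_TOKEN.search(ua):
            reasons.append("ua:wv-token")
        if _VERSION_TOKEN.search(ua) and "Mobile Safari" in ua:
            reasons.append("ua:version-token")

    xrw = h.get("x-requested-with")
    # A WebView sets X-Requested-With to the host app's package name.
    # "XMLHttpRequest" is what browser AJAX libraries send and says nothing
    # about the user-agent being embedded, so it is ignored.
    if xrw and xrw != "XMLHttpRequest":
        reasons.append("x-requested-with:" + xrw)

    return (bool(reasons), reasons)


def authorize_decision(headers):
    """Decision the authorization endpoint would take before rendering login.

    Returns "block" when an embedded user-agent is detected (RFC 8252 lets the
    AS refuse such requests) and "continue" otherwise. Logging the reasons is
    what makes the heuristic tunable once real traffic is observed.
    """
    is_embedded, reasons = detect_embedded_ua(headers)
    return ("block", reasons) if is_embedded else ("continue", [])


if __name__ == "__main__":
    # Constructed sample requests; the first two UA strings are the ones from the post.
    samples = {
        "old-webview": {"User-Agent": "Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; Nexus One "
                                      "Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) "
                                      "Version/4.0 Mobile Safari/533.1"},
        "new-webview": {"User-Agent": "Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) "
                                      "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                                      "Chrome/43.0.2357.65 Mobile Safari/537.36"},
        "chrome-with-xrw": {"User-Agent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
                                          "(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36",
                            "X-Requested-With": "com.example.app"},
    }
    for name, hdrs in samples.items():
        print(name, authorize_decision(hdrs))
```

A header-stripping proxy or a modified WebView defeats every check above, which is exactly the gap the post is asking about; the value of the function is in catching the default, unmodified WebView and in producing a logged reason per request.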