Upgrade to Pro — share decks privately, control downloads, hide ads and more …

App Integrity Attestations for OAuth - OAuth Security Workshop 2022

App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Currently, the security of native apps in OAuth is contingent upon registering the app's callback URL with the operating system, preferably as an app-claimed HTTPS URL. While this provides some level of assurance of the app's identity, it is by no means foolproof.

Authenticating whether a particular instance of a public client in OAuth is a legitimate instance remains a challenge.

This session will explore the possibility of using Apple and Android’s “app attestation” APIs as a form of OAuth client authentication. These APIs are able to leverage on-device private keys and a certificate chain to provide an additional level of confidence that the app making an HTTP request is the same code that was shipped in the app stores.

Aaron Parecki

May 06, 2022

More Decks by Aaron Parecki

Other Decks in Technology


  1. Aaron Parecki • @aaronpk OAuth Security Workshop • May 2022

    App Integrity Attestations as OAuth Client Authentication
  2. Public Clients Confidential Clients Application running on a server Has

    the ability to keep strings secret since code is running in a trusted environment The application can't be configured with secrets JavaScript/Single-Page apps: "view source" Native apps: decompile and extract strings
  3. Redirect URL registration 
 + app-claimed URL patterns More or

    less protects against authorization code interception by malicious apps Does nothing to protect against app impersonation
  4. Some systems give additional privileges to apps based on their

    client_id • bypass the consent screen • access private API methods • higher rate limits
  5. “Is this request to the server being made by a

    legitimate instance of my application?”
  6. …create a hardware- based, cryptographic key that uses Apple servers

    to certify that the key belongs to a valid instance of your app. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity
  7. https://developer.android.com/google/play/integrity https://playintegrity.googleapis.com/v1/PACKAGE_NAME:decodeIntegrityToken -d \ '{ "integrity_token": "INTEGRITY_TOKEN" }’ { requestDetails:

    requestDetails: { requestPackageName: "com.package.name" nonce: "aGVsbG8gd29scmQgdGhlcmU" timestampMillis: 1617893780 } appIntegrity: { appRecognitionVerdict: "PLAY_RECOGNIZED" packageName: "com.package.name" certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"] versionCode: 42 } deviceIntegrity: { deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"] } accountDetails: { licensingVerdict: "LICENSED" } }
  8. Version Support DCAppAttestService iOS 14 2020 Google Play Integrity API

    (Replaces SafetyNet) Unknown Launched in 2021
  9. Should assertion happen at: • Install time (dynamic client registration)

    • On every authentication (at the token endpoint) • At every high-value API call (resource server)
  10. iOS Questions • Apple suggests associating a private key with

    a user account • To use this as part of the login flow, when should this key get associated with a user? • Server stores key before the user logs in?
  11. Both Platforms • A server-generated nonce is required before generating

    the assertion • What should the nonce be? • A separate pre-flight request the app makes before the authorization code flow starts? • Require PAR and include an additional parameter in the PAR response?