
App Integrity Attestations for OAuth - OAuth Security Workshop 2022


Currently, the security of native apps in OAuth is contingent upon registering the app's callback URL with the operating system, preferably as an app-claimed HTTPS URL. While this provides some level of assurance of the app's identity, it is by no means foolproof.

Authenticating whether a particular instance of a public client in OAuth is a legitimate instance remains a challenge.

This session will explore the possibility of using Apple and Android’s “app attestation” APIs as a form of OAuth client authentication. These APIs are able to leverage on-device private keys and a certificate chain to provide an additional level of confidence that the app making an HTTP request is the same code that was shipped in the app stores.

Aaron Parecki

May 06, 2022



  1. Aaron Parecki • @aaronpk • OAuth Security Workshop • May 2022
     App Integrity Attestations as OAuth Client Authentication
  2. Public Clients vs. Confidential Clients
     Confidential clients: application running on a server; has the ability to keep strings secret since the code is running in a trusted environment
     Public clients: the application can't be configured with secrets
       JavaScript/single-page apps: "view source"
       Native apps: decompile and extract strings
  3. PKCE

  4. None
  5. POST /token
     client_id=XXXXX
     &authorization_code=XXXXX
     !

  6. POST /token
     client_id=XXXXX
     &client_secret=XXXXX
     &authorization_code=XXXXX
     ?

  7. POST /token
     client_id=XXXXX
     &code_verifier=XXXX
     &authorization_code=XXXXX
     :-)

  8. PKCE was recommended for mobile apps, which can’t use a

  9. Is PKCE a replacement for a client secret?

  10. Interception: /redirect?code=XXXXX 😈
      Injection: /redirect?code=XXXXX 😈

  11. Mobile apps can’t be deployed with a client secret

  12. Redirect URLs in Mobile Apps
      Custom URL Scheme: example://redirect?code=AUTHORIZATION_CODE_HERE&state=1234zyx
      App-Claimed URL Pattern: https://app.example.com?code=AUTHORIZATION_CODE_HERE&state=1234zyx
  13. Neither of these is perfect

  14. Authorization Code Exchange (with PKCE)
      POST https://api.authorization-server.com/token
      grant_type=authorization_code&
      code=AUTH_CODE_HERE&
      redirect_uri=REDIRECT_URI&
      client_id=CLIENT_ID&
      code_verifier=VERIFIER_STRING
      Nothing here authenticates the app. It's possible to impersonate any native app with its client_id.
  15. Redirect URL registration + app-claimed URL patterns
      More or less protects against authorization code interception by malicious apps
      Does nothing to protect against app impersonation
  16. Why is app impersonation a problem?

  17. It may or may not be a problem for you

  18. Some systems give additional privileges to apps based on their client_id
      • bypass the consent screen
      • access private API methods
      • higher rate limits
  19. Where else is app impersonation a problem?

  20. High score leaderboards
      Player 1   9000
      Player 4   7800
      Player 2   4495
      Player 8   2100
      Player 5    700
  21. Mobile game reports new high score
      POST https://api.game-server.example/score
      display_name=Hacker&
      score=99999999

  22. Does OAuth solve this?

  23. Not really!

  24. Mobile game reports new high score with an access token
      POST https://api.game-server.example/score
      Authorization: Bearer XXXXXXXXXXXX
      score=99999999
  25. App Integrity

  26. “Is this request to the server being made by a legitimate instance of my application?”
  27. “…create a hardware-based, cryptographic key that uses Apple servers to certify that the key belongs to a valid instance of your app.”
      https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity
  28. Apple App Attestation https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  29. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  30. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  31. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  32. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

  33. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  34. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

  35. https://developer.android.com/google/play/integrity

  36. Google Play Integrity https://developer.android.com/google/play/integrity

  37. https://developer.android.com/google/play/integrity

  38. Google Play Integrity https://developer.android.com/google/play/integrity

  39. https://developer.android.com/google/play/integrity

  40. https://developer.android.com/google/play/integrity
      https://playintegrity.googleapis.com/v1/PACKAGE_NAME:decodeIntegrityToken -d \
        '{ "integrity_token": "INTEGRITY_TOKEN" }'
      {
        requestDetails: {
          requestPackageName: "com.package.name"
          nonce: "aGVsbG8gd29scmQgdGhlcmU"
          timestampMillis: 1617893780
        }
        appIntegrity: {
          appRecognitionVerdict: "PLAY_RECOGNIZED"
          packageName: "com.package.name"
          certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"]
          versionCode: 42
        }
        deviceIntegrity: {
          deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"]
        }
        accountDetails: {
          licensingVerdict: "LICENSED"
        }
      }
  41. Version Support
      DCAppAttestService: iOS 14, 2020
      Google Play Integrity API (replaces SafetyNet): Unknown, launched in 2021
  42. How do we apply this to OAuth?

  43. None
  44. None
  45. Should assertion happen at:
      • Install time (dynamic client registration)
      • On every authentication (at the token endpoint)
      • At every high-value API call (resource server)
  46. iOS Questions
      • Apple suggests associating a private key with a user account
      • To use this as part of the login flow, when should this key get associated with a user?
      • Server stores key before the user logs in?
  47. Both Platforms
      • A server-generated nonce is required before generating the assertion
      • What should the nonce be?
      • A separate pre-flight request the app makes before the authorization code flow starts?
      • Require PAR and include an additional parameter in the PAR response?
  48. Unconference session?

  49. Thanks! @aaronpk aaronpk.com
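Added example, not from the deck: the checks a token endpoint could run over a decoded Play Integrity verdict (slide 40's shape) before accepting a public client's code exchange (slides 45 and 47). The sample verdict, the placeholder certificate digest, the 5-minute freshness window and the function names are constructed assumptions; the nonce is assumed to be one the server issued for this specific authorization request.

```python
PLAY_RECOGNIZED = "PLAY_RECOGNIZED"
MEETS_DEVICE_INTEGRITY = "MEETS_DEVICE_INTEGRITY"
MAX_VERDICT_AGE_MS = 5 * 60 * 1000  # assumed freshness window, not from the talk

# Constructed sample in the shape of the decoded token on slide 40. The
# certificate digest is a placeholder, not a real app-signing key hash.
SAMPLE_VERDICT = {
    "requestDetails": {"requestPackageName": "com.package.name",
                       "nonce": "aGVsbG8gd29scmQgdGhlcmU",
                       "timestampMillis": 1617893780},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.package.name",
                     "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST"],
                     "versionCode": 42},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
}


def verify_integrity_verdict(verdict, expected_package, allowed_digests,
                             expected_nonce, now_ms, max_age_ms=MAX_VERDICT_AGE_MS):
    """Return (ok, reason) for a decoded verdict presented with a token request.
    expected_nonce is assumed to be the server-issued challenge for this
    authorization request (pre-flight or PAR response, per slide 47)."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    # 1. Nonce binds the verdict to this request; a verdict captured from
    #    another session fails here instead of being replayed.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    # 2. Freshness: reject stale verdicts and timestamps from the future.
    age = now_ms - req.get("timestampMillis", 0)
    if not 0 <= age <= max_age_ms:
        return False, "verdict too old or timestamp in the future"
    # 3. Package name must match both the requester and what Play recognized.
    if (req.get("requestPackageName") != expected_package
            or app.get("packageName") != expected_package):
        return False, "package name mismatch"
    # 4. Play must recognize the APK and it must be signed by a key we allow:
    #    a package name alone is what an impersonator can reuse, the key is not.
    if app.get("appRecognitionVerdict") != PLAY_RECOGNIZED:
        return False, "app not recognized by Play"
    if not set(app.get("certificateSha256Digest", [])) & set(allowed_digests):
        return False, "unexpected signing certificate"
    # 5. Device integrity is a separate signal; require the basic verdict.
    if MEETS_DEVICE_INTEGRITY not in dev.get("deviceRecognitionVerdict", []):
        return False, "device integrity not met"
    return True, "ok"
```

Only the nonce check ties the verdict to the OAuth request; without it a valid verdict from any legitimate install could be attached to someone else's code exchange.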