$30 off During Our Annual Pro Sale. View Details »

App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Aaron Parecki
May 06, 2022
Technology
0
680

App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Currently, the security of native apps in OAuth is contingent upon registering the app's callback URL with the operating system, preferably as an app-claimed HTTPS URL. While this provides some level of assurance of the app's identity, it is by no means foolproof.

Authenticating whether a particular instance of a public client in OAuth is a legitimate instance remains a challenge.

This session will explore the possibility of using Apple and Android’s “app attestation” APIs as a form of OAuth client authentication. These APIs are able to leverage on-device private keys and a certificate chain to provide an additional level of confidence that the app making an HTTP request is the same code that was shipped in the app stores.

Aaron Parecki

May 06, 2022
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
Targeted Logout - OAuth Security Workshop 2023
aaronpk
0
79
Enterprise-Ready: Going Beyond MVP
aaronpk
0
290
Intro to OAuth - IETF 110
aaronpk
0
160
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
570
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
350
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
210
Protecting Single-Page Apps using OAuth
aaronpk
0
400
OAuth 2.1 - OAuth Security Workshop
aaronpk
0
830
The State of OAuth
aaronpk
0
220

Other Decks in Technology

See All in Technology
Podman_update_2023-11
orimanabu
1
270
Honoが良さそう🔥
is_ryo
0
140
Managing "side effect" in Frontend Development
shinyaigeek
3
1.7k
新卒エンジニアでも技術的負債に向き合いたい!
smasato
1
1.6k
CPOが開発する覚悟 〜コンパウンドスタートアップにおける、爆速の新規プロダクト開発スタイル〜
mosa_siru
2
460
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
Webアプリ開発者向け パスキー対応の始め方
ritou
3
2.6k
知っておきたいRubyKaigiスポンサーのはじめかた / rubykaigi_uragawa
achamixx
1
250
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
390
IAMAccessAnalyzer_Security-JAWS
koheiawa
PRO
1
280
お客様、そこは秘孔です!突かないでください! HTTP/2 Rapid reset の概要と対策
murachiakira
0
130
Kuma UIのこれまでとこれから
poteboy
5
3k

Featured

See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
It's Worth the Effort
3n
180
27k
Music & Morning Musume
bryan
38
5.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
Visualization
eitanlees
131
13k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Robots, Beer and Maslow
schacon
154
7.7k
Clear Off the Table
cherdarchuk
81
300k
KATA
mclloyd
13
11k
The Pragmatic Product Professional
lauravandoore
23
5.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
1k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
57k

Transcript

  1. Aaron Parecki • @aaronpk
    OAuth Security Workshop • May 2022
    App Integrity Attestations
    as OAuth Client Authentication

    View Slide

  2. Public Clients
    Confidential Clients
    Application running on a server


    Has the ability to keep strings secret


    since code is running in a trusted environment
    The application can't be configured with secrets


    JavaScript/Single-Page apps: "view source"


    Native apps: decompile and extract strings

    View Slide

  3. PKCE

    View Slide

  4. View Slide

  5. POST /token


    client_id=XXXXX


    &authorization_code=XXXXX


    !

    View Slide

  6. POST /token


    client_id=XXXXX


    &client_secret=XXXXX


    &authorization_code=XXXXX


    ?

    View Slide

  7. POST /token


    client_id=XXXXX


    &code_verifier=XXXX


    &authorization_code=XXXXX


    :-)

    View Slide

  8. PKCE was recommended for mobile
    apps, which can’t use a secret

    View Slide

  9. Is PKCE is a replacement


    for a client secret?

    View Slide

  10. Interception
    /redirect?code=XXXXX
    😈
    Injection
    /redirect?code=XXXXX
    😈

    View Slide

  11. Mobile apps can’t be


    deployed with a client secret

    View Slide

  12. example://redirect?


    code=AUTHORIZATION_CODE_HERE&


    state=1234zyx
    https://app.example.com?


    code=AUTHORIZATION_CODE_HERE&


    state=1234zyx
    Custom URL Scheme
    App-Claimed URL Pattern
    Redirect URLs in Mobile Apps

    View Slide

  13. Neither of these is perfect

    View Slide

  14. POST https://api.authorization-server.com/token


    grant_type=authorization_code&


    code=AUTH_CODE_HERE&


    redirect_uri=REDIRECT_URI&


    client_id=CLIENT_ID&


    code_verifier=VERIFIER_STRING
    Nothing here authenticates the app.

    It’s possible to impersonate any native app with its client_id.
    Authorization Code Exchange (with PKCE)

    View Slide

  15. Redirect URL registration

    + app-claimed URL patterns
    More or less protects against authorization
    code interception by malicious apps
    Does nothing to protect against app impersonation

    View Slide

  16. Why is app impersonation
    a problem?

    View Slide

  17. It may or may not be a
    problem for you

    View Slide

  18. Some systems give additional privileges
    to apps based on their client_id
    • bypass the consent screen


    • access private API methods


    • higher rate limits

    View Slide

  19. Where else is app impersonation
    a problem?

    View Slide

  20. High score leaderboards
    Player 1 9000
    Player 4 7800
    Player 2 4495
    Player 8 2100
    Player 5 700

    View Slide

  21. POST https://api.game-server.example/score


    display_name=Hacker&


    score=99999999
    Mobile game reports new high score

    View Slide

  22. Does OAuth solve this?

    View Slide

  23. Not really!

    View Slide

  24. POST https://api.game-server.example/score


    Authorization: Bearer XXXXXXXXXXXX


    score=99999999
    Mobile game reports new high score with an access token

    View Slide

  25. App Integrity

    View Slide

  26. “Is this request to the server being made by
    a legitimate instance of my application?”

    View Slide

  27. …create a hardware-
    based, cryptographic
    key that uses Apple
    servers to certify that the
    key belongs to a valid
    instance of your app.
    https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  28. Apple App Attestation
    https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  29. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  30. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  31. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  32. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

    View Slide

  33. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  34. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

    View Slide

  35. https://developer.android.com/google/play/integrity

    View Slide

  36. Google Play Integrity
    https://developer.android.com/google/play/integrity

    View Slide

  37. https://developer.android.com/google/play/integrity

    View Slide

  38. Google Play Integrity
    https://developer.android.com/google/play/integrity

    View Slide

  39. https://developer.android.com/google/play/integrity

    View Slide

  40. https://developer.android.com/google/play/integrity
    https://playintegrity.googleapis.com/v1/PACKAGE_NAME:decodeIntegrityToken -d \


    '{ "integrity_token": "INTEGRITY_TOKEN" }’


    {


    requestDetails: requestDetails: {


    requestPackageName: "com.package.name"


    nonce: "aGVsbG8gd29scmQgdGhlcmU"


    timestampMillis: 1617893780


    }


    appIntegrity: {


    appRecognitionVerdict: "PLAY_RECOGNIZED"


    packageName: "com.package.name"


    certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"]


    versionCode: 42


    }


    deviceIntegrity: { deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"] }


    accountDetails: { licensingVerdict: "LICENSED" }


    }

    View Slide

  41. Version Support
    DCAppAttestService
    iOS 14

    2020
    Google Play Integrity API

    (Replaces SafetyNet)
    Unknown

    Launched in 2021

    View Slide

  42. How do we apply this to OAuth?

    View Slide

  43. View Slide

  44. View Slide

  45. Should assertion happen at:
    • Install time (dynamic client registration)


    • On every authentication (at the token endpoint)


    • At every high-value API call (resource server)

    View Slide

  46. iOS Questions
    • Apple suggests associating a private key with a user account


    • To use this as part of the login flow, when should this key get
    associated with a user?


    • Server stores key before the user logs in?

    View Slide

  47. Both Platforms
    • A server-generated nonce is required before generating the assertion


    • What should the nonce be?


    • A separate pre-flight request the app makes before the
    authorization code flow starts?


    • Require PAR and include an additional parameter in the PAR
    response?

    View Slide

  48. Unconference session?

    View Slide

  49. Thanks!


    @aaronpk


    aaronpk.com

    View Slide