Upgrade to Pro — share decks privately, control downloads, hide ads and more …

App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Aaron Parecki
May 06, 2022
Technology
0
510

App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Currently, the security of native apps in OAuth is contingent upon registering the app's callback URL with the operating system, preferably as an app-claimed HTTPS URL. While this provides some level of assurance of the app's identity, it is by no means foolproof.

Authenticating whether a particular instance of a public client in OAuth is a legitimate instance remains a challenge.

This session will explore the possibility of using Apple and Android’s “app attestation” APIs as a form of OAuth client authentication. These APIs are able to leverage on-device private keys and a certificate chain to provide an additional level of confidence that the app making an HTTP request is the same code that was shipped in the app stores.

Aaron Parecki

May 06, 2022
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
Intro to OAuth - IETF 110
aaronpk
0
140
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
510
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
300
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
180
Protecting Single-Page Apps using OAuth
aaronpk
0
380
OAuth 2.1 - OAuth Security Workshop
aaronpk
0
740
The State of OAuth
aaronpk
0
200
OAuth 2.0 Client Intermediary Metadata - IETF 107
aaronpk
0
98
How to Hack OAuth - Goto Chicago 2020
aaronpk
0
280

Other Decks in Technology

See All in Technology
Turbinando Microsserviços com Distributed Cache
jordihofc
0
200
Tech Dojo Introduction Of Monitoring
norimuraz
0
270
AI in Action
charmichokshi
0
150
SWEBOK V3からV4への改訂に見るソフトウェアエンジニアリングの発展とソフトウェア保守・進化
washizaki
0
270
サービスレベル管理とは?〜計測すべき指標と活用について/What is Service Level Management
newrelic2023
0
290
AWS CDKにテストは必要?試行錯誤したスクラム開発事例を紹介!/CdkConJp2023
mhrtech
2
880
サーバーレスサービスの特徴と アプリケーションの考え方 / Characteristics of serverless services and Concept of application
_kensh
0
120
TrivyでAWSセキュリティをシフトレフトしよう
bitkey
PRO
1
490
Semantic Kernel LT
takashi1029
1
300
複数AWSアカウントに リソース構築する時 どうしてますか?
honma12345
0
400
Nx CloudでCIを爆速にした話
puku0x
0
330
高さ比べじゃない、キャリアは歩んできた道
dzeyelid
0
190

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
15
1.2k
Build your cross-platform service in a week with App Engine
jlugia
222
17k
How to name files
jennybc
51
79k
Thoughts on Productivity
jonyablonski
52
2.9k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Side Projects
sachag
450
38k
Six Lessons from altMBA
skipperchong
16
2.5k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.5k
The Cult of Friendly URLs
andyhume
70
5.2k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
18k

Transcript

  1. Aaron Parecki • @aaronpk
    OAuth Security Workshop • May 2022
    App Integrity Attestations
    as OAuth Client Authentication

    View Slide

  2. Public Clients
    Confidential Clients
    Application running on a server


    Has the ability to keep strings secret


    since code is running in a trusted environment
    The application can't be configured with secrets


    JavaScript/Single-Page apps: "view source"


    Native apps: decompile and extract strings

    View Slide

  3. PKCE

    View Slide

  4. View Slide

  5. POST /token


    client_id=XXXXX


    &authorization_code=XXXXX


    !

    View Slide

  6. POST /token


    client_id=XXXXX


    &client_secret=XXXXX


    &authorization_code=XXXXX


    ?

    View Slide

  7. POST /token


    client_id=XXXXX


    &code_verifier=XXXX


    &authorization_code=XXXXX


    :-)

    View Slide

  8. PKCE was recommended for mobile
    apps, which can’t use a secret

    View Slide

  9. Is PKCE is a replacement


    for a client secret?

    View Slide

  10. Interception
    /redirect?code=XXXXX
    😈
    Injection
    /redirect?code=XXXXX
    😈

    View Slide

  11. Mobile apps can’t be


    deployed with a client secret

    View Slide

  12. example://redirect?


    code=AUTHORIZATION_CODE_HERE&


    state=1234zyx
    https://app.example.com?


    code=AUTHORIZATION_CODE_HERE&


    state=1234zyx
    Custom URL Scheme
    App-Claimed URL Pattern
    Redirect URLs in Mobile Apps

    View Slide

  13. Neither of these is perfect

    View Slide

  14. POST https://api.authorization-server.com/token


    grant_type=authorization_code&


    code=AUTH_CODE_HERE&


    redirect_uri=REDIRECT_URI&


    client_id=CLIENT_ID&


    code_verifier=VERIFIER_STRING
    Nothing here authenticates the app.

    It’s possible to impersonate any native app with its client_id.
    Authorization Code Exchange (with PKCE)

    View Slide

  15. Redirect URL registration

    + app-claimed URL patterns
    More or less protects against authorization
    code interception by malicious apps
    Does nothing to protect against app impersonation

    View Slide

  16. Why is app impersonation
    a problem?

    View Slide

  17. It may or may not be a
    problem for you

    View Slide

  18. Some systems give additional privileges
    to apps based on their client_id
    • bypass the consent screen


    • access private API methods


    • higher rate limits

    View Slide

  19. Where else is app impersonation
    a problem?

    View Slide

  20. High score leaderboards
    Player 1 9000
    Player 4 7800
    Player 2 4495
    Player 8 2100
    Player 5 700

    View Slide

  21. POST https://api.game-server.example/score


    display_name=Hacker&


    score=99999999
    Mobile game reports new high score

    View Slide

  22. Does OAuth solve this?

    View Slide

  23. Not really!

    View Slide

  24. POST https://api.game-server.example/score


    Authorization: Bearer XXXXXXXXXXXX


    score=99999999
    Mobile game reports new high score with an access token

    View Slide

  25. App Integrity

    View Slide

  26. “Is this request to the server being made by
    a legitimate instance of my application?”

    View Slide

  27. …create a hardware-
    based, cryptographic
    key that uses Apple
    servers to certify that the
    key belongs to a valid
    instance of your app.
    https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  28. Apple App Attestation
    https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  29. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  30. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  31. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  32. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

    View Slide

  33. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

    View Slide

  34. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

    View Slide

  35. https://developer.android.com/google/play/integrity

    View Slide

  36. Google Play Integrity
    https://developer.android.com/google/play/integrity

    View Slide

  37. https://developer.android.com/google/play/integrity

    View Slide

  38. Google Play Integrity
    https://developer.android.com/google/play/integrity

    View Slide

  39. https://developer.android.com/google/play/integrity

    View Slide

  40. https://developer.android.com/google/play/integrity
    https://playintegrity.googleapis.com/v1/PACKAGE_NAME:decodeIntegrityToken -d \


    '{ "integrity_token": "INTEGRITY_TOKEN" }’


    {


    requestDetails: requestDetails: {


    requestPackageName: "com.package.name"


    nonce: "aGVsbG8gd29scmQgdGhlcmU"


    timestampMillis: 1617893780


    }


    appIntegrity: {


    appRecognitionVerdict: "PLAY_RECOGNIZED"


    packageName: "com.package.name"


    certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"]


    versionCode: 42


    }


    deviceIntegrity: { deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"] }


    accountDetails: { licensingVerdict: "LICENSED" }


    }

    View Slide

  41. Version Support
    DCAppAttestService
    iOS 14

    2020
    Google Play Integrity API

    (Replaces SafetyNet)
    Unknown

    Launched in 2021

    View Slide

  42. How do we apply this to OAuth?

    View Slide

  43. View Slide

  44. View Slide

  45. Should assertion happen at:
    • Install time (dynamic client registration)


    • On every authentication (at the token endpoint)


    • At every high-value API call (resource server)

    View Slide

  46. iOS Questions
    • Apple suggests associating a private key with a user account


    • To use this as part of the login flow, when should this key get
    associated with a user?


    • Server stores key before the user logs in?

    View Slide

  47. Both Platforms
    • A server-generated nonce is required before generating the assertion


    • What should the nonce be?


    • A separate pre-flight request the app makes before the
    authorization code flow starts?


    • Require PAR and include an additional parameter in the PAR
    response?

    View Slide

  48. Unconference session?

    View Slide

  49. Thanks!


    @aaronpk


    aaronpk.com

    View Slide