App Integrity Attestations for OAuth - OAuth Security Workshop 2022

Currently, the security of native apps in OAuth is contingent upon registering the app's callback URL with the operating system, preferably as an app-claimed HTTPS URL. While this provides some level of assurance of the app's identity, it is by no means foolproof.

Authenticating whether a particular instance of a public client in OAuth is a legitimate instance remains a challenge.

This session will explore the possibility of using Apple and Android’s “app attestation” APIs as a form of OAuth client authentication. These APIs are able to leverage on-device private keys and a certificate chain to provide an additional level of confidence that the app making an HTTP request is the same code that was shipped in the app stores.

Aaron Parecki

May 06, 2022

Transcript

  1. App Integrity Attestations as OAuth Client Authentication
    Aaron Parecki • @aaronpk
    OAuth Security Workshop • May 2022

  2. Public Clients / Confidential Clients
    Confidential clients: application running on a server.
    Has the ability to keep strings secret, since code is running in a trusted environment.
    Public clients: the application can't be configured with secrets.
    JavaScript/Single-Page apps: "view source"
    Native apps: decompile and extract strings

  3. PKCE

  4.

  5. POST /token
    client_id=XXXXX
    &authorization_code=XXXXX
    !

  6. POST /token
    client_id=XXXXX
    &client_secret=XXXXX
    &authorization_code=XXXXX
    ?

  7. POST /token
    client_id=XXXXX
    &code_verifier=XXXX
    &authorization_code=XXXXX
    :-)

  8. PKCE was recommended for mobile apps, which can’t use a secret

  9. Is PKCE a replacement for a client secret?

  10. Interception: /redirect?code=XXXXX 😈
    Injection: /redirect?code=XXXXX 😈

  11. Mobile apps can’t be deployed with a client secret

  12. Redirect URLs in Mobile Apps
    Custom URL Scheme:
    example://redirect?code=AUTHORIZATION_CODE_HERE&state=1234zyx
    App-Claimed URL Pattern:
    https://app.example.com?code=AUTHORIZATION_CODE_HERE&state=1234zyx

  13. Neither of these is perfect

  14. Authorization Code Exchange (with PKCE)
    POST https://api.authorization-server.com/token
    grant_type=authorization_code&
    code=AUTH_CODE_HERE&
    redirect_uri=REDIRECT_URI&
    client_id=CLIENT_ID&
    code_verifier=VERIFIER_STRING
    Nothing here authenticates the app.
    It’s possible to impersonate any native app with its client_id.

  15. Redirect URL registration + app-claimed URL patterns
    More or less protects against authorization code interception by malicious apps
    Does nothing to protect against app impersonation

  16. Why is app impersonation a problem?

  17. It may or may not be a problem for you

  18. Some systems give additional privileges to apps based on their client_id
    • bypass the consent screen
    • access private API methods
    • higher rate limits

  19. Where else is app impersonation a problem?

  20. High score leaderboards
    Player 1   9000
    Player 4   7800
    Player 2   4495
    Player 8   2100
    Player 5    700

  21. Mobile game reports new high score
    POST https://api.game-server.example/score
    display_name=Hacker&
    score=99999999

  22. Does OAuth solve this?

  23. Not really!

  24. Mobile game reports new high score with an access token
    POST https://api.game-server.example/score
    Authorization: Bearer XXXXXXXXXXXX
    score=99999999

  25. App Integrity

  26. “Is this request to the server being made by a legitimate instance of my application?”

  27. “…create a hardware-based, cryptographic key that uses Apple servers to certify that the key belongs to a valid instance of your app.”
    https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  28. Apple App Attestation
    https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  29. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  30. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  31. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  32. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

  33. https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

  34. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

  35. https://developer.android.com/google/play/integrity

  36. Google Play Integrity
    https://developer.android.com/google/play/integrity

  37. https://developer.android.com/google/play/integrity

  38. Google Play Integrity
    https://developer.android.com/google/play/integrity

  39. https://developer.android.com/google/play/integrity

  40. https://developer.android.com/google/play/integrity
    https://playintegrity.googleapis.com/v1/PACKAGE_NAME:decodeIntegrityToken -d \
      '{ "integrity_token": "INTEGRITY_TOKEN" }'
    {
      requestDetails: {
        requestPackageName: "com.package.name"
        nonce: "aGVsbG8gd29scmQgdGhlcmU"
        timestampMillis: 1617893780
      }
      appIntegrity: {
        appRecognitionVerdict: "PLAY_RECOGNIZED"
        packageName: "com.package.name"
        certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"]
        versionCode: 42
      }
      deviceIntegrity: { deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"] }
      accountDetails: { licensingVerdict: "LICENSED" }
    }

  41. Version Support
    DCAppAttestService: iOS 14 (2020)
    Google Play Integrity API (replaces SafetyNet): Unknown (launched in 2021)

  42. How do we apply this to OAuth?

  43.

  44.

  45. Should assertion happen at:
    • Install time (dynamic client registration)
    • On every authentication (at the token endpoint)
    • At every high-value API call (resource server)

  46. iOS Questions
    • Apple suggests associating a private key with a user account
    • To use this as part of the login flow, when should this key get associated with a user?
    • Server stores key before the user logs in?

  47. Both Platforms
    • A server-generated nonce is required before generating the assertion
    • What should the nonce be?
    • A separate pre-flight request the app makes before the authorization code flow starts?
    • Require PAR and include an additional parameter in the PAR response?
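An added example, not from the talk, of how an authorization server could combine the PAR idea above with the decoded Play Integrity verdict shown on slide 40: the server mints a nonce when it answers the PAR request, and the token endpoint later checks the verdict's nonce, package name, signing certificate digest, freshness and device verdict before treating the request as coming from a legitimate app instance. The package name and certificate digest are constructed placeholders copied from the slide, and the in-memory dict stands in for whatever store holds pending request_uris.

```python
import base64
import secrets
PACKAGE = "com.package.name"                          # constructed, as on the slide
ALLOWED_CERT_DIGESTS = {"6a6a1474b5cbbb2b1aa57e0bc3"}  # placeholder digest from the slide

def sample_verdict(nonce, timestamp_ms, package=PACKAGE):
    """Constructed decoded verdict shaped like the decodeIntegrityToken response."""
    return {
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": timestamp_ms},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": package,
                         "certificateSha256Digest": ["6a6a1474b5cbbb2b1aa57e0bc3"]},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    }

def issue_par_nonce(pending, request_uri):
    """PAR variant from the slides: mint a nonce with the request_uri and remember it."""
    nonce = base64.urlsafe_b64encode(secrets.token_bytes(24)).rstrip(b"=").decode()
    pending[request_uri] = nonce
    return nonce

def check_verdict(verdict, expected_nonce, now_ms, max_age_ms=5 * 60 * 1000):
    """Return the reasons this verdict must be rejected; an empty list means accept.
    The nonce check is what ties the verdict to one pending authorization request."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    problems = []
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        problems.append("app not recognised by Play")
    if req.get("requestPackageName") != PACKAGE or app.get("packageName") != PACKAGE:
        problems.append("package name mismatch")
    if not ALLOWED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        problems.append("signing certificate not recognised")
    if not secrets.compare_digest(str(req.get("nonce", "")), expected_nonce):
        problems.append("nonce mismatch")
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= max_age_ms:
        problems.append("verdict stale or from the future")
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        problems.append("device integrity not met")
    return problems

def token_endpoint_check(pending, request_uri, verdict, now_ms):
    """Token-endpoint side: each nonce is single use and bound to its request_uri."""
    expected = pending.pop(request_uri, None)
    if expected is None:
        return ["nonce not issued for this request_uri or already used"]
    return check_verdict(verdict, expected, now_ms)
```

A verdict that passes every check still only says "a Play-recognised build of this package on a device meeting the integrity bar made this request"; it does not by itself identify the user, which is the iOS key-association question from slide 46.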

  48. Unconference session?

  49. Thanks!
    @aaronpk
    aaronpk.com