[ACCEPTED]-OAuth secrets in mobile apps-oauth

Accepted answer
Score: 41

Yes, this is an issue with the OAuth design 44 that we are facing ourselves. We opted to 43 proxy all calls through our own server. OAuth 42 wasn't entirely flushed out in respect of 41 desktop apps. There is no prefect solution 40 to the issue that I've found without changing 39 OAuth.

If you think about it and ask the 38 question why we have secrets, is mostly 37 for provision and disabling apps. If our 36 secret is compromised, then the provider 35 can only really revoke the entire app. Since 34 we have to embed our secret in the desktop 33 app, we are sorta screwed.

The solution 32 is to have a different secret for each desktop 31 app. OAuth doesn't make this concept easy. One 30 way is have the user go and create an secret 29 on their own and enter the key on their 28 own into your desktop app (some facebook 27 apps did something similar for a long time, having 26 the user go and create facebook to setup 25 their custom quizes and crap). It's not 24 a great experience for the user.

I'm working 23 on proposal for a delegation system for 22 OAuth. The concept is that using our own 21 secret key we get from our provider, we 20 could issue our own delegated secret to 19 our own desktop clients (one for each desktop 18 app basically) and then during the auth 17 process we send that key over to the top 16 level provider that calls back to us and 15 re-validates with us. That way we can revoke 14 on own secrets we issue to each desktop 13 client. (Borrowing a lot of how this works 12 from SSL). This entire system would be prefect 11 for value-add webservices as well that pass 10 on calls to a third party webservice.

The 9 process could also be done without delegation 8 verification callbacks if the top level 7 provider provides an API to generate and 6 revoke new delegated secrets. Facebook is 5 doing something similar by allowing facebook 4 apps to allow users to create sub-apps.

There 3 are some talks about the issue online:

http://blog.atebits.com/2009/02/fixing-oauth/ http://groups.google.com/group/twitter-development-talk/browse_thread/thread/629b03475a3d78a1/de1071bf4b820c14#de1071bf4b820c14

Twitter 2 and Yammer's solution is a authentication 1 pin solution: https://dev.twitter.com/oauth/pin-based https://www.yammer.com/api_oauth_security_addendum.html

Score: 18

With OAUth 2.0, you can store the secret 14 on the server. Use the server to acquire 13 an access token that you then move to the 12 app and you can make calls from the app 11 to the resource directly.

With OAuth 1.0 10 (Twitter), the secret is required to make 9 API calls. Proxying calls through the server 8 is the only way to ensure the secret is 7 not compromised.

Both require some mechanism 6 that your server component knows it is your 5 client calling it. This tends to be done 4 on installation and using a platform specific 3 mechanism to get an app id of some kind 2 in the call to your server.

(I am the editor 1 of the OAuth 2.0 spec)

Score: 10

One solution could be to hard code the OAuth 15 secret into the code, but not as a plain string. Obfuscate 14 it in some way - split it into segments, shift 13 characters by an offset, rotate it - do 12 any or all of these things. A cracker can 11 analyse your byte code and find strings, but 10 the obfuscation code might be hard to figure 9 out.

It's not a foolproof solution, but a 8 cheap one.

Depending on the value of the 7 exploit, some genius crackers can go to 6 greater lengths to find your secret code. You 5 need to weigh the factors - cost of previously 4 mentioned server side solution, incentive 3 for crackers to spend more efforts on finding 2 your secret code, and the complexity of 1 the obfuscation you can implement.

Score: 6

Do not store the secret inside the application.

You need to have a server that can be accessed 20 by the application over https (obviously) and 19 you store the secret on it.

When someone 18 want to login via your mobile/desktop application, your 17 application will simply forward the request 16 to the server that will then append the 15 secret and send it to the service provider. Your 14 server can then tell your application if 13 it was successful or not.

Then if you need 12 to get any sensitive information from the 11 service (facebook, google, twitter, etc), the 10 application ask your server and your server 9 will give it to the application only if 8 it is correctly connected.

There is not really 7 any option except storing it on a server. Nothing 6 on the client side is secure.


That said, this 5 will only protect you against malicious 4 client but not client against malicious 3 you and not client against other malicious 2 clients (phising)...

OAuth is a much better 1 protocol in browser than on desktop/mobile.

Score: 6

There is a new extension to the Authorization 10 Code Grant Type called Proof Key for Code Exchange (PKCE). With it, you don't 9 need a client secret.

PKCE (RFC 7636) is 8 a technique to secure public clients that 7 don't use a client secret.

It is primarily 6 used by native and mobile apps, but the 5 technique can be applied to any public 4 client as well. It requires additional support 3 by the authorization server, so it is only 2 supported on certain providers.

from https://oauth.net/2/pkce/

For more 1 information, you can read the full RFC 7636 or this short introduction.

Score: 2

Here's something to think about. Google 9 offers two methods of OAuth... for web apps, where 8 you register the domain and generate a unique 7 key, and for installed apps where you use 6 the key "anonymous".

Maybe I glossed over 5 something in the reading, but it seems that 4 sharing your webapp's unique key with an 3 installed app is probably more secure than 2 using "anonymous" in the official installed 1 apps method.

Score: 2

With OAuth 2.0 you can simply use the client 5 side flow to obtain an access token and 4 use then this access token to authenticate 3 all further requests. Then you don't need 2 a secret at all.

A nice description of how 1 to implement this can be found here: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#mobile-apps

Score: 0

I don't have a ton of experience with OAuth 14 - but doesn't every request require not 13 only the user's access token, but an application 12 consumer key and secret as well? So, even 11 if somebody steals a mobile device and tries 10 to pull data off of it, they would need 9 an application key and secret as well to 8 be able to actually do anything.

I always 7 thought the intention behind OAuth was so 6 that every Tom, Dick, and Harry that had 5 a mashup didn't have to store your Twitter 4 credentials in the clear. I think it solves 3 that problem pretty well despite it's limitations. Also, it 2 wasn't really designed with the iPhone in 1 mind.

Score: 0

Facebook doesn't implement OAuth strictly 5 speaking (yet), but they have implemented 4 a way for you not to embed your secret in 3 your iPhone app: https://web.archive.org/web/20091223092924/http://wiki.developers.facebook.com/index.php/Session_Proxy

As for OAuth, yeah, the 2 more I think about it, we are a bit stuffed. Maybe 1 this will fix it.

Score: 0

I agree with Felixyz. OAuth whilst better 32 than Basic Auth, still has a long way to 31 go to be a good solution for mobile apps. I've 30 been playing with using OAuth to authenticate 29 a mobile phone app to a Google App Engine 28 app. The fact that you can't reliably manage 27 the consumer secret on the mobile device 26 means that the default is to use the 'anonymous' access.

The 25 Google App Engine OAuth implementation's 24 browser authorization step takes you to 23 a page where it contains text like: "The 22 site <some-site> is requesting access 21 to your Google Account for the product(s) listed 20 below"

YourApp(yourapp.appspot.com) - not 19 affiliated with Google


It takes <some-site> from 18 the domain/host name used in the callback 17 url that you supply which can be anything 16 on the Android if you use a custom scheme 15 to intercept the callback. So if you use 14 'anonymous' access or your consumer secret 13 is compromised, then anyone could write 12 a consumer that fools the user into giving 11 access to your gae app.

The Google OAuth 10 authorization page also does contain lots 9 of warnings which have 3 levels of severity 8 depending on whether you're using 'anonymous', consumer 7 secret, or public keys.

Pretty scary stuff 6 for the average user who isn't technically 5 savvy. I don't expect to have a high signup 4 completion percentage with that kind of 3 stuff in the way.

This blog post clarifies 2 how consumer secret's don't really work 1 with installed apps. http://hueniverse.com/2009/02/should-twitter-discontinue-their-basic-auth-api/

Score: 0
Score: 0

None of these solutions prevent a determined 11 hacker from sniffing packets sent from their 10 mobile device (or emulator) to view the 9 client secret in the http headers.

One solution 8 could be to have a dynamic secret which 7 is made up of a timestamp encrypted with 6 a private 2-way encryption key & algorithm. The 5 service then decrypts the secret and determines 4 if the time stamp is +/- 5 minutes.

In this 3 way, even if the secret is compromised, the 2 hacker will only be able to use it for a 1 maximum of 5 minutes.

More Related questions