Spoofing Facebook app ID


Question


Following up on the design outlined in Design for Facebook authentication in an iOS app that also accesses a secured web service, and specifically the concern listed in https://stackoverflow.com/a/12912616/5154090: what would be the mitigation?


Specifically, I have a web server that exposes a REST API which is consumed by a mobile app. I'd like users to authenticate to the server (via the app) using Facebook.


Now, an apparently common flow is for the app to redirect the user to Facebook, where they will login with their credentials. The app will then get a token which it will send to the server, and the server will validate the token using the graph API.


But how can the server make sure that the token really came from the app? Specifically, what's to prevent a malicious app vendor from re-using my app ID? After all, the app ID is hardcoded into the app and can therefore be extracted and used by a malicious app. If users log into that malicious app with Facebook, then the malicious vendor can get tokens with my app ID and can impersonate users of my service.


How can one protect against this?

Answer


To summarize for anyone else who happens to contemplate this - there is indeed no way to prevent the client ID from being spoofed. This is one reason that developers are discouraged from using the OAuth implicit flow in native apps as pointed out by Andre D in https://stackoverflow.com/a/17439317/5154090:


the use of the Implicit Flow with native apps is NOT RECOMMENDED.

(See https://tools.ietf.org/html/draft-ietf-oauth-native-apps-09#section-8.5).


In practice, if anyone mounts this attack, then the user will download App A (a malicious app) and will then be asked to authorize App B to make actions on their behalf. As far as I can tell, this is generally the only indication that an attack is taking place.
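To make the question's server-side step ("the server will validate the token using the graph API") and the answer's conclusion concrete, here is an added example that is not part of the original question or answer. It models what a REST backend can verify from the Graph API's /debug_token response (app_id, is_valid, type, expires_at, user_id are the documented field names) and then shows why that verification cannot detect a token minted through a copied app ID. The JSON responses, the app ID value, and the function and class names (check_debug_token, TokenCheck, indistinguishable) are constructed for this example; no network call is made.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# The app ID the server expects (constructed placeholder, not a real app).
MY_APP_ID = "123456789012345"

# Constructed sample of the JSON the Graph API returns from
# GET /debug_token?input_token=<user token>&access_token=<app token>.
# The field names follow Facebook's documented response; values are made up.
SAMPLE_DEBUG_RESPONSE = json.dumps({
    "data": {
        "app_id": "123456789012345",
        "type": "USER",
        "application": "Example App",
        "expires_at": 1900000000,
        "is_valid": True,
        "scopes": ["public_profile", "email"],
        "user_id": "10000000000001",
    }
})

# A token obtained by a second app that reused the same app ID looks exactly
# the same to /debug_token: only user_id differs, because a different person
# logged in. Nothing in the response identifies the binary that obtained it.
SPOOFED_APP_DEBUG_RESPONSE = json.dumps({
    "data": {
        "app_id": "123456789012345",
        "type": "USER",
        "application": "Example App",
        "expires_at": 1900000000,
        "is_valid": True,
        "scopes": ["public_profile", "email"],
        "user_id": "10000000000002",
    }
})


@dataclass
class TokenCheck:
    ok: bool
    reason: str
    user_id: Optional[str] = None


def check_debug_token(raw_json: str, expected_app_id: str,
                      now: Optional[float] = None) -> TokenCheck:
    """Validate a /debug_token response the way a REST backend would before
    trusting a Facebook user token handed to it by the mobile app."""
    now = time.time() if now is None else now
    try:
        data = json.loads(raw_json)["data"]
    except (ValueError, KeyError, TypeError):
        return TokenCheck(False, "malformed response")
    if not isinstance(data, dict):
        return TokenCheck(False, "malformed response")
    if "error" in data:
        return TokenCheck(False, "graph api error")
    if data.get("is_valid") is not True:
        return TokenCheck(False, "token not valid")
    # The token must have been issued for our app ID, not some other app's.
    if str(data.get("app_id")) != expected_app_id:
        return TokenCheck(False, "app_id mismatch")
    # Only user tokens identify a person; reject app or page tokens.
    if data.get("type") != "USER":
        return TokenCheck(False, "not a user token")
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:
        return TokenCheck(False, "token expired")
    user_id = data.get("user_id")
    if not user_id:
        return TokenCheck(False, "no user_id")
    return TokenCheck(True, "ok", str(user_id))


def indistinguishable(expected_app_id: str, now: float) -> bool:
    """True when a legitimately obtained token and one obtained through a
    copy of the app ID both pass every check the server can perform."""
    genuine = check_debug_token(SAMPLE_DEBUG_RESPONSE, expected_app_id, now)
    spoofed = check_debug_token(SPOOFED_APP_DEBUG_RESPONSE, expected_app_id, now)
    return genuine.ok and spoofed.ok


if __name__ == "__main__":
    print(check_debug_token(SAMPLE_DEBUG_RESPONSE, MY_APP_ID))
    print("server cannot tell them apart:", indistinguishable(MY_APP_ID, time.time()))
```

The checks above are still worth doing: they stop tokens issued for a different app, expired tokens, and non-user tokens. What they cannot do is bind the token to a particular client binary, which is exactly the gap the answer describes. With the implicit flow there is no client secret in the exchange, so the app ID is the only thing identifying the client, and any app that embeds the same ID receives tokens that pass identically.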
