Is it possible to make oauth secure on iOS?


Problem description

Is it possible to make oauth secure on iOS?

I am investigating OAuth 2.0 as a means to implement single sign-on + authorization for a "suite" of iOS apps. To explain my concerns, I'll simplify and use Facebook + a 3rd party app that uses Facebook for authentication (let's say Words/"Words with Friends").

For the purpose of example, I'll assume that Facebook registers to support the scheme/protocol "facebook://" and that Words registers to support "words://".

I also make the assumption that it is not possible to secure the "client-secret" or the protocol in an iOS application because you can decompile the application. Any way that I have come up with to secure this results in security by obscurity.

Another assumption is that there is no way to prevent two applications from registering to handle the same protocol. The behavior when two apps both register for the same protocol is indeterminate. (Although it appears that the first app to launch on the device gets registered while the second app's registration is ignored.)

If I understand the workflow between Facebook (user-agent) and Words (client) on the iOS device:


  • User launches Words
  • User chooses to log on via Facebook credentials
  • Words invokes openUrl("facebook://"), which contains, among other things, an identifier for Words as an application and a redirect URI (i.e. "words://")
  • iOS launches the Facebook application
  • User enters credentials, which the Facebook application validates against the Facebook authorization server
  • User is prompted to authorize Words to access Facebook data (i.e. Words can access my friends list)
  • Facebook invokes the callback URI provided by Words along with the access token (i.e. words://access_token?token_here)
  • Words uses this token to access my friends list (i.e. protected resource data)

Assuming the above is correct, if I want to be malicious and access random people's friends list, I could create an application that also registers to handle the protocol "words://" and get it on the app store. If someone has my app and Words installed and my app is the one that successfully registered (i.e. launched on the device before Words), then:


  • Launch Words, choose to logon, launches Facebook
  • user authenticates / authorizes
  • Facebook attempts to redirect back to Words by invoking openUrl on the redirect url
  • My App (not Words) is launched
  • My App now has access to the auth code, which (with the secret learned by decompiling) can be exchanged for an access_token, with rights to access your friends list

I am hoping that my reasoning is flawed above or I would have to conclude (specifically) that Facebook iOS authentication for 3rd party apps is insecure.

More generally, is it possible to implement OAuth 2.0 (authorization / implicit grant workflows) securely in an iOS application?

Recommended answer

Google has come up with an experimental solution for this problem that they call OAuth 2.0 for Installed Applications.


The Google OAuth 2.0 endpoint supports applications that are installed on a device...it is assumed that these applications cannot keep secrets.

Essentially, the shared secret is treated as non-secret.

At the time of this writing, most OAuth 2.0 servers do not seem to support this experimental design.

This design introduces the risk that an attacker could create a new client that represents itself as your application to the authorization server (the attacker would need to obtain the client identifier as you describe in your question, or by following one of the techniques suggested here).

However, this risk seems to be mitigated by the fact that the resource owner (the user) would be unlikely to authorize the malicious application to take any action on protected resources, since he/she will know that the application is not, in fact, your application.
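As an added example (not part of the question or the answer above), the following Python model covers both the redirect-interception scenario from the question and the "secret treated as non-secret" public-client design from the answer, using PKCE (RFC 7636), the mechanism later standardized for clients that cannot keep a secret: each authorization code is bound to a one-time code_challenge, so an app that merely receives the words:// redirect cannot redeem the code. The server class, client id "words" and redirect URI are constructed for this example.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def make_verifier() -> str:
    """Per-request PKCE code_verifier (RFC 7636): 32 random bytes, base64url, no padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def challenge_of(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), the S256 method."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed toy authorization server for a public client: there is no client secret.
    Each authorization code is single-use and bound to the code_challenge it was issued with."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return f"{redirect_uri}?code={code}"  # on iOS this lands in whichever app owns the scheme

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        entry = self._codes.pop(code, None)  # single use: a replayed code fails here
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(challenge_of(code_verifier), entry[1]):
            return None  # caller never held the verifier, so the intercepted code is worthless
        return "access_token_" + secrets.token_hex(8)


def run_flow(server: AuthorizationServer, receiver_has_verifier: bool) -> Optional[str]:
    """Words starts the flow with a fresh verifier; the redirect words://callback?code=... is
    delivered to some app. If that app is Words, it knows the verifier. A second app that
    registered the same words:// scheme only learns the code and the non-secret client_id."""
    verifier = make_verifier()
    redirect = server.authorize("words", "words://callback", challenge_of(verifier))
    code = redirect.split("code=", 1)[1]
    presented = verifier if receiver_has_verifier else make_verifier()  # the other app can only guess
    return server.token("words", code, presented)
```

The flow with the real verifier yields a token; the same flow delivered to another app registered for words:// yields nothing, which is the property the authorization server relied on a client secret for in the original question.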
