khash kiani · media.blackhat.com/bh-us-11/Kiani/BH_US_11_Kiani... · 2012. 4. 7.
TRANSCRIPT
roadmap
‣ OAuth flow
‣ malicious sample applications
  ✴ mobile OAuth google app
  ✴ web-based OAuth facebook app
‣ insecure implementation
  ✴ flawed session management
  ✴ password management
  ✴ insecure storage of secrets
‣ summary
what’s OAuth?
user-centric scheme: user controls authorization
[diagram: the user holds a separate token for each provider (AIG token, FM token, Twitter token)]
actors:
‣ resource owner (user)
‣ resource consumer (client)
‣ resource provider (server)
tokens:
‣ consumer credentials
‣ request token
‣ access token
authorization flow
1. client app authentication
2. get request token: POST oauth/request_token
3. authenticate user: GET oauth/authorize
4. get access token: POST oauth/access_token
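The four-step flow above, simulated end to end in Python as an added example (this is not code from the talk): a Provider that performs the client-authentication checks of step 1 (known consumer key, fresh timestamp, unused nonce, valid HMAC-SHA1 signature per RFC 5849) on every token request, and a Client that walks request token, authorize and access token. The host provider.example, the generated keys and the user name are constructed for the example; the "oob" callback stands in for a real redirect.

```python
"""Simulated OAuth 1.0a three-legged flow (added example, not the talk's code).
Provider = resource provider (server), Client = resource consumer.  HTTP is replaced by
method calls, but the parameters and HMAC-SHA1 signature follow RFC 5849."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

PROVIDER = "https://provider.example"   # constructed host, not a real provider

def pct(s):
    return quote(str(s), safe="-._~")   # RFC 3986 unreserved set only, as OAuth 1.0 requires

def base_string(method, url, params):
    # signature base string: METHOD & URL & normalised (sorted, encoded) parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(url)}&{pct(norm)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed with consumer secret & token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Provider:
    """Resource provider: holds every registered client's consumer credentials."""
    def __init__(self):
        self.consumers, self.request_tokens, self.access_tokens, self.nonces = {}, {}, {}, set()

    def register_client(self):
        key, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = sec
        return key, sec

    def _verify(self, path, params, token_secret=""):
        """Step 1, client authentication: known key, fresh timestamp, unused nonce, valid MAC."""
        ck = params.get("oauth_consumer_key")
        if ck not in self.consumers:
            raise PermissionError("unknown consumer key")
        if abs(time.time() - int(params["oauth_timestamp"])) > 300:
            raise PermissionError("stale timestamp")
        if (ck, params["oauth_nonce"]) in self.nonces:
            raise PermissionError("replayed nonce")
        self.nonces.add((ck, params["oauth_nonce"]))
        expected = sign("POST", PROVIDER + path, params, self.consumers[ck], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        return ck

    def request_token(self, params):
        """Step 2: POST oauth/request_token -> temporary credentials."""
        ck = self._verify("/oauth/request_token", params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer_key": ck, "verifier": None, "user": None}
        return {"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user, approved):
        """Step 3: GET oauth/authorize; the user logs in at the provider and decides."""
        if not approved:
            raise PermissionError("user denied access")
        rec = self.request_tokens[token]
        rec["user"], rec["verifier"] = user, secrets.token_hex(4)
        return {"oauth_token": token, "oauth_verifier": rec["verifier"]}

    def access_token(self, params):
        """Step 4: POST oauth/access_token, signed with consumer + request-token secrets."""
        rec = self.request_tokens.pop(params["oauth_token"])          # single use
        ck = self._verify("/oauth/access_token", params, rec["secret"])
        if ck != rec["consumer_key"] or not rec["verifier"] or \
                not hmac.compare_digest(rec["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("verifier mismatch")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer_key": ck, "user": rec["user"]}
        return {"oauth_token": tok, "oauth_token_secret": sec}

class Client:   # resource consumer: signs each token request with its consumer secret
    def __init__(self, provider, consumer_key, consumer_secret):
        self.p, self.ck, self.cs = provider, consumer_key, consumer_secret

    def signed(self, path, token_secret="", **extra):
        params = {"oauth_consumer_key": self.ck, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), **extra}
        params["oauth_signature"] = sign("POST", PROVIDER + path, params, self.cs, token_secret)
        return params

    def run_flow(self, user, approve=True):
        rt = self.p.request_token(self.signed("/oauth/request_token", oauth_callback="oob"))
        grant = self.p.authorize(rt["oauth_token"], user, approve)
        return self.p.access_token(self.signed("/oauth/access_token", rt["oauth_token_secret"],
                                               oauth_token=rt["oauth_token"],
                                               oauth_verifier=grant["oauth_verifier"]))

def demo():
    """Honest client completes the flow; one holding a wrong consumer secret fails at step 2."""
    provider = Provider()
    ck, cs = provider.register_client()
    at = Client(provider, ck, cs).run_flow(user="avon")
    honest_ok = provider.access_tokens[at["oauth_token"]]["user"] == "avon"
    try:
        Client(provider, ck, "guessed-secret").run_flow(user="avon")
        return False                                    # must not get here
    except PermissionError:
        return honest_ok
```

The point to notice is where the consumer secret is used: the provider can only tell clients apart at step 1 because the request-token call is signed with it, which is exactly why the later slides care about where that secret is stored.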
building malicious OAuth clients (native and web apps)
password theft with Google client (a native iOS mobile app)
OAuthSampleTouch mobile Google app
‣ download
‣ compile
‣ run
‣ edit controller
modify the UIWebViewDelegate’s webView:shouldStartLoadWithRequest:navigationType: callback method to intercept the login page prior to sending the POST request
OAuth process with an embedded view
user authenticates and grants permission
output the Google credentials
“but it looked so official!”
OAuth provides the user with a false sense of safety in the authentication workflow
recommendations (mobile apps)
‣ client application developers: keep authentication outside the app and inside the browser
‣ users: do not trust clients that do not use a trusted neutral application such as safari to manage server auth
‣ protocol designers: stricter policies around authenticating clients to server. better browser API support
fortune telling facebook app (a browser-based web application)
a social engineering oauth application to establish user trust
lure the victim to use your app: the domain apps.facebook.com is trustworthy!
phish
easy!
https://apps.facebook.com/redevilfortune/
access scope
70%
* source: core impact client-side phishing campaign
read the inbox
messages
query private user messages
link to execute ajax post and carry out CSRF
build the trap to aid exploitation
“but it looked so official!”
OAuth provides the user with a false sense of safety in the authentication workflow
Dear Facebook, what is the business need for a web application to read my private messages?
Insecure Implementation
flawed session management
Avon selects twitterfeed to publish something
- Avon is redirected to twitter’s authorization endpoint
- Avon enters his twitter credentials and grants access
- Avon is redirected back to complete the feed
- Avon signs out of twitterfeed and walks away
what about his twitter session?
risks
‣ unattended session
‣ no session timeout
‣ user remains logged in
what can go wrong?
problem, meet solution
‣ invalidate server session
‣ short-lived access token
‣ no auto-processing
a better approach
can you really change your password?
change password = old password still works!
solution
‣ ensure compromised credentials cannot be used
‣ revoke tokens upon password changes
  - results from facebook access token leakage to 3rd party apps
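The fixes from the session-management and password-change slides above (invalidate the server session, short-lived access tokens, no auto-processing, revoke tokens when the password changes) combined in one provider-side store, as an added Python example that is not the talk's code. AuthServer, the 15-minute idle and one-hour token lifetimes, the injected clock and the user "avon" are choices made for the example; avon_scenario replays the twitterfeed story and reports what each check returns.

```python
"""Provider-side session and token lifecycle (added example, not the talk's code).
Implements the fixes the slides list: invalidate the server session, short-lived
access tokens, an explicit grant every time, and revocation of every token when
the password changes.  Lifetimes, names and the injected clock are example choices."""
import hashlib, hmac, secrets, time

SESSION_IDLE_SECONDS = 15 * 60      # example value
ACCESS_TOKEN_SECONDS = 60 * 60      # example value

class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # user -> {"salt", "hash", "pw_version"}
        self.sessions = {}   # session id -> {"user", "last_seen"}
        self.tokens = {}     # access token -> {"user", "client", "issued", "pw_version"}

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _check(self, user, password):
        rec = self.users[user]
        if not hmac.compare_digest(rec["hash"], self._hash(rec["salt"], password)):
            raise PermissionError("bad credentials")

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": self._hash(salt, password), "pw_version": 1}

    def login(self, user, password):
        """Browser login at the provider; returns an opaque server session id."""
        self._check(user, password)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def session_user(self, sid):
        """User behind a session, or None once it is logged out or idle too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > SESSION_IDLE_SECONDS:
            del self.sessions[sid]               # idle timeout enforced server side
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def logout(self, sid):
        """The provider session is destroyed, not merely the client's own cookie."""
        self.sessions.pop(sid, None)

    def grant(self, sid, client, approved):
        """No auto-processing: a live session *and* an explicit approval are required."""
        user = self.session_user(sid)
        if user is None or not approved:
            raise PermissionError("not authenticated or not approved")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": user, "client": client, "issued": self.clock(),
                            "pw_version": self.users[user]["pw_version"]}
        return tok

    def token_user(self, tok):
        """Resolve an access token; it is short-lived and bound to the password version."""
        t = self.tokens.get(tok)
        if t is None:
            return None
        expired = self.clock() - t["issued"] > ACCESS_TOKEN_SECONDS
        stale = t["pw_version"] != self.users[t["user"]]["pw_version"]
        if expired or stale:
            del self.tokens[tok]
            return None
        return t["user"]

    def change_password(self, user, old, new):
        """Old password stops working at once and every outstanding token is revoked."""
        self._check(user, old)
        rec = self.users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = self._hash(rec["salt"], new)
        rec["pw_version"] += 1
        self.tokens = {t: v for t, v in self.tokens.items() if v["user"] != user}
        self.sessions = {s: v for s, v in self.sessions.items() if v["user"] != user}

def avon_scenario():
    """Replays the slides' twitterfeed story; returns what each check yields."""
    now = [1_000_000.0]                                   # controllable clock
    srv = AuthServer(clock=lambda: now[0])
    srv.register("avon", "correct horse")
    sid = srv.login("avon", "correct horse")
    tok = srv.grant(sid, "twitterfeed", approved=True)
    live_token = srv.token_user(tok)                      # "avon": a fresh token works
    srv.logout(sid)                                       # Avon signs out and walks away
    after_logout = srv.session_user(sid)                  # None: nothing left to reuse
    now[0] += ACCESS_TOKEN_SECONDS + 1
    after_expiry = srv.token_user(tok)                    # None: token lived only an hour
    sid2 = srv.login("avon", "correct horse")
    tok2 = srv.grant(sid2, "twitterfeed", approved=True)
    srv.change_password("avon", "correct horse", "battery staple")
    try:
        srv.login("avon", "correct horse")
        old_pw_works = True
    except PermissionError:
        old_pw_works = False
    return {"live_token": live_token, "after_logout": after_logout, "after_expiry": after_expiry,
            "token_after_pw_change": srv.token_user(tok2), "old_pw_works": old_pw_works}
```

The password-version stamp on each token is the belt to the explicit revocation's braces: even if a token record survived the change (a replica that lagged, a cache), token_user still refuses it because the version no longer matches.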
insecure storage of secrets (consumer credentials)
```java
public class TwitterClient {

    // consumer credentials embedded in the shipped binary: anyone who can
    // read the class file (or an APK's classes.dex) can recover them
    private static String key = "qSkJuxxxxxxxx76A";
    private static String secret = "Bs738xxxxxxxxxxxxxxZe9EhXw";
}
```
server-side
‣ isolate the credentials
‣ protect the integrity
native clients
‣ native mobile app
‣ desktop apps
“... if twitter uses the client secret in installed applications for anything other than gathering statistics, well, they should reconsider.”
“So forget about using the consumer credentials for anything other than somewhat reliable statistics.”
- e. hammer-lahav
how about these use cases:
‣ fulfill specific business requirements
  - server must keep track of all clients
‣ prevent phishing attacks
popular implementations (native apps)
1. omit the client credentials entirely
2. embed in the client app itself
threat (with embedded client credentials)
‣ compromised credentials
open source clients
‣ source code
‣ resource bundle
the not so secret consumer secrets
closed source clients
‣ binary extraction on android oauth client:
  ‣ astro file mgr to copy the client app
  ‣ poke around
  ‣ classes.dex
  ‣ “dexdump classes.dex”
compromised credentials
impact:
‣ key rotation and kill switch
‣ not meeting business requirements
‣ anonymous publication by competition
‣ susceptible to phishing attacks
alternative mitigation
‣ a deviated approach with automated provisioning
alternate flow (mobile)
‣ authenticate user to client’s web server
‣ call home to get device id
‣ store device id locally
‣ proceed with oauth flow to get request token
‣ validate device id to authenticate client
‣ proceed with the flow to grant access token
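The alternate flow above, simulated in Python as an added example (not the talk's code and not any product's design): ClientBackend stands for the client's own web server, which is the only place the consumer secret exists, and MobileApp for the phone app, which stores nothing but the device id it received. The HMAC-tagged device-id format with an expiry, the revocation set, the simplified signing base string and all names are assumptions made for this example; scenario enrolls a device, obtains a signed request-token call through the backend, and then shows a tampered and a revoked device id being refused.

```python
"""Alternate mobile flow from the slides, simulated (added example, not the talk's code).
The consumer secret lives only on the client developer's web server (ClientBackend).
The phone app authenticates the user there, receives a device id, stores it, and
every later OAuth step that needs the consumer secret is performed by the backend
after it validates the device id.  The device-id format (HMAC-tagged JSON with an
expiry), the simplified signing and all names are assumptions made for this example."""
import base64, hashlib, hmac, json, secrets, time

DEVICE_ID_LIFETIME = 30 * 24 * 3600      # example value

class ClientBackend:
    """The client's own web server: the only place the consumer credentials exist."""
    def __init__(self, consumer_key, consumer_secret, clock=time.time):
        self.consumer_key = consumer_key
        self._consumer_secret = consumer_secret      # never sent to the device
        self._device_key = secrets.token_bytes(32)    # MAC key for device ids
        self.users = {}                               # user -> password (demo only)
        self.revoked = set()                          # device ids withdrawn by the user
        self.clock = clock

    def issue_device_id(self, user, password):
        """Steps 1-2: authenticate the user to the backend and hand out a device id."""
        if self.users.get(user) != password:           # demo check; use a real KDF store
            raise PermissionError("bad credentials")
        claims = {"u": user, "d": secrets.token_hex(8), "exp": int(self.clock()) + DEVICE_ID_LIFETIME}
        body = json.dumps(claims).encode()
        tag = hmac.new(self._device_key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def _validate(self, device_id):
        """Step 5: the device id authenticates this client instance to the backend."""
        raw = base64.urlsafe_b64decode(device_id)
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._device_key, body, hashlib.sha256).digest()):
            raise PermissionError("device id tampered with")
        claims = json.loads(body)
        if claims["exp"] < self.clock() or device_id in self.revoked:
            raise PermissionError("device id expired or revoked")
        return claims["u"]

    def sign_oauth_request(self, device_id, method, url, oauth_params, token_secret=""):
        """Steps 4 and 6: the backend, not the app, signs with the consumer secret.
        The base string is simplified; RFC 5849 encoding is not the point here."""
        user = self._validate(device_id)
        params = dict(oauth_params, oauth_consumer_key=self.consumer_key)
        base = "&".join([method.upper(), url] + [f"{k}={v}" for k, v in sorted(params.items())])
        key = f"{self._consumer_secret}&{token_secret}".encode()
        params["oauth_signature"] = base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()
        return user, params

class MobileApp:
    """Holds only the device id (step 3: stored locally); never the consumer secret."""
    def __init__(self, backend):
        self.backend, self.device_id = backend, None

    def enroll(self, user, password):
        self.device_id = self.backend.issue_device_id(user, password)

    def request_token_params(self):
        """Ask the backend for a signed oauth/request_token call (steps 4-5)."""
        oauth = {"oauth_nonce": secrets.token_hex(8), "oauth_timestamp": str(int(time.time())),
                 "oauth_signature_method": "HMAC-SHA1", "oauth_callback": "myapp://cb"}
        return self.backend.sign_oauth_request(self.device_id, "POST",
                                               "https://provider.example/oauth/request_token", oauth)

def scenario():
    """Enroll a device, sign a request, then try a tampered and a revoked device id."""
    now = [1_700_000_000.0]
    backend = ClientBackend("ck-demo", "cs-demo-secret", clock=lambda: now[0])
    backend.users["avon"] = "pw"                       # constructed demo user
    app = MobileApp(backend)
    app.enroll("avon", "pw")
    user, params = app.request_token_params()
    results = {"user": user, "consumer_key": params["oauth_consumer_key"],
               "secret_in_device_id": b"cs-demo-secret" in base64.urlsafe_b64decode(app.device_id)}
    i = 10                                             # flip one character inside the body
    forged = app.device_id[:i] + ("A" if app.device_id[i] != "A" else "B") + app.device_id[i + 1:]
    try:
        backend.sign_oauth_request(forged, "POST", "u", {})
        results["forged_accepted"] = True
    except PermissionError:
        results["forged_accepted"] = False
    backend.revoked.add(app.device_id)                 # user reports the phone lost
    try:
        app.request_token_params()
        results["revoked_accepted"] = True
    except PermissionError:
        results["revoked_accepted"] = False
    return results
```

What this buys the slides' "key rotation and kill switch" concern: a device id can be expired or revoked individually, and the consumer secret can be rotated on the backend without shipping a new app, because no copy of it ever left the server.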
conclusion - defeating password anti-pattern
- trusting native mobile apps
- don’t trust the logo
- don’t trust the domain
- session & pswd management
- client authentication
- consumer credentials
- implementation, not protocol
take-away: use it when it makes sense!
please turn in your completed feedback form at the registration desk
THANK YOU!