I need to integrate OAuth2 into my own iOS and Android application. I studied OAuth2 and mobile applications and found this documentation: Google APIs - Using OAuth 2.0 for installed applications
The above documentation mainly describes how to use the Google OAuth 2.0 endpoint in mobile applications.
This is what the document says:
- When registering an application, you indicate that the application is an installed application. This results in a different value for the redirect_uri parameter.
- The client_id and client_secret obtained during registration are embedded in the source code of your application. In this context, client_secret is not explicitly considered a secret.
- The authorization code can be returned to your application in the browser header line or to http://localhost in the request line.
Let's say a user has two applications installed on their smartphone.
App1 - A legitimate application using the Google OAuth2.0 endpoint
App2 - malicious application
In fact, I'm not sure whether the above methodology for integrating/consuming the OAuth2.0 endpoint inside a native mobile application is unsafe, or whether I am missing something. Here are my questions:
- The redirect_uri can be http://localhost and can contain any port number. The port number is not part of the initial API configuration and can therefore be any valid port number. In addition, client_id (which in any case should not be considered a secret) and client_secret are not really secret, as they are embedded in the source code of the mobile application.
Using the above conditions, the following may not be possible:
- The user launches App2.
- App2 redirects the user to the Google OAuth2.0 endpoint; however, in its request App2 includes the client_id of App1 and the local port number on which App2 is listening.
- When the user is redirected to and authenticated at the Google OAuth2.0 endpoint, Google tells the user that "App1 (the legitimate application) requests access to the Google API / your data on your behalf". This looks like a phishing attack, because the user may click "yes", thinking that App1 is requesting access.
- Google OAuth2.0 will then issue the authorization code to App2, and App2 will be able to make the next request, including App1's client_id and client_secret, obtain the access_token and refresh_token, and continue to access the user's data from Google.
- The redirect_uri parameter can also be urn:ietf:wg:oauth:2.0:oob, which means:
This value signals to the Google authorization server that the authorization code should be returned in the browser title bar. This is useful when the client cannot listen on an HTTP port without significant client configuration. Windows applications have this capability.
When this value is used, your application can detect that the page has loaded and that the title of the HTML page contains the authorization code. Your application can then close the browser window if you do not want the user to ever see the page containing the authorization code. The mechanism for this varies from platform to platform.
The above means that the authorization code is returned in the title bar of the browser window.
My question is: can App2 also detect that the page has loaded, capture the authorization code, and then use it (before App1) together with the client_id and client_secret to obtain the access_token and refresh_token? Is the browser instance global, so that any application can control it and the above attack scenario is valid, or is the browser instance somehow application-specific, so that only App1 can track its changes?
Did I understand correctly, or did I miss something? Are there any measures to mitigate the aforementioned threats? Or are the above risks valid but accepted, given that we are on a mobile OS platform?
What is the safe way to use OAuth2.0 in mobile applications? Display the authorization code on the browser page and have the user enter it manually in the application? And in this case, is a private browser instance used, so that another application can't control it and obtain the authorization code before the user types it into the legitimate app?
Any help is appreciated.
Thanks and regards,
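The two scenarios described in the question (App2 starts a flow under App1's client_id on its own loopback port, and App2 captures a code from a flow App1 started) can be reproduced offline with a small simulated authorization server. The following is an added example, not code from the question or from Google; the authorization server, client identifiers, ports and secrets are all constructed for illustration and nothing here talks to a real endpoint. It also shows the standard mitigation for the second scenario, PKCE (RFC 7636): the client binds the code to a one-time code_verifier at /authorize time, so a code captured by another process cannot be redeemed without that verifier, even though client_id and client_secret are public.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data (hypothetical identifiers, not real Google values).
# Installed apps are "public" clients: the secret ships inside the binary, so the
# server cannot treat knowledge of it as proof of which app is calling.
REGISTERED_CLIENTS = {"app1-client-id": "app1-embedded-secret"}

APP1_PORT = 4000   # port the legitimate App1 listens on (assumed)
APP2_PORT = 5555   # port the malicious App2 listens on (assumed)


def s256_challenge(verifier: str) -> str:
    """PKCE S256: code_challenge = BASE64URL(SHA256(code_verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal stand-in for an OAuth 2.0 authorization + token endpoint."""

    def __init__(self):
        self.issued = {}  # code -> what was bound to it at /authorize time

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        """Simulate user consent and return the redirect URL carrying the code."""
        if client_id not in REGISTERED_CLIENTS:
            raise ValueError("unknown client_id")
        parsed = urlparse(redirect_uri)
        # Loopback rule as described for installed apps: host is fixed, port is free.
        if parsed.scheme != "http" or parsed.hostname != "localhost":
            raise ValueError("redirect_uri must be http://localhost[:port]")
        code = secrets.token_urlsafe(16)
        self.issued[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": code_challenge}
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier=None):
        """Exchange a code: single use, redirect_uri must match, PKCE checked if bound."""
        record = self.issued.pop(code, None)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if REGISTERED_CLIENTS[client_id] != client_secret:
            return {"error": "invalid_client"}
        if record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if record["code_challenge"] is not None:
            # The code is bound to a verifier that only the initiating process holds.
            if code_verifier is None or s256_challenge(code_verifier) != record["code_challenge"]:
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}


def code_from_redirect(url):
    """What a loopback listener sees: the code arrives as a query parameter."""
    return parse_qs(urlparse(url).query)["code"][0]


def app2_initiates_with_app1_identity(server):
    """Scenario 1: App2 uses App1's public client_id and its own loopback port."""
    redirect = f"http://localhost:{APP2_PORT}"
    url = server.authorize("app1-client-id", redirect)   # consent screen names App1
    code = code_from_redirect(url)                        # delivered to App2's port
    result = server.token("app1-client-id", "app1-embedded-secret", code, redirect)
    return "access_token" in result


def app2_intercepts_app1_code(server, app1_uses_pkce):
    """Scenario 2: App1 starts the flow; App2 grabs the code before App1 redeems it."""
    redirect = f"http://localhost:{APP1_PORT}"
    verifier = secrets.token_urlsafe(32)  # App1 keeps this in memory only
    challenge = s256_challenge(verifier) if app1_uses_pkce else None
    url = server.authorize("app1-client-id", redirect, challenge)
    code = code_from_redirect(url)   # assume App2 observed it (title bar, port race, ...)
    # App2 knows the embedded client_id/secret and redirect_uri, but not App1's verifier.
    stolen = server.token("app1-client-id", "app1-embedded-secret", code, redirect)
    return "access_token" in stolen


def app1_completes_with_pkce(server):
    """The legitimate flow still works when App1 presents its own verifier."""
    redirect = f"http://localhost:{APP1_PORT}"
    verifier = secrets.token_urlsafe(32)
    url = server.authorize("app1-client-id", redirect, s256_challenge(verifier))
    code = code_from_redirect(url)
    result = server.token("app1-client-id", "app1-embedded-secret", code, redirect, verifier)
    return "access_token" in result
```

Running the three scenarios against fresh servers shows the boundary of the defence: the interception case succeeds without PKCE and fails with it, but the first case (App2 initiating its own flow while presenting App1's client_id) still succeeds, because App2 chose the verifier itself. PKCE protects a code from being redeemed by a process other than the one that started the request; it does not stop a public client_id from being reused, which is why that half of the problem has to be addressed by the platform (which app owns the redirect) and by the consent screen rather than by anything embedded in the binary.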