You nailed it.
On Tuesday, June 20, 2023, 2:54 PM, Michael Thomas <mike@xxxxxxxx> wrote:
About 10 years ago I discovered that IETF was working on OAUTH as a replacement for sites to need user credentials to do things on their users' behalf, typically for use to post stuff to social media sites at the time, but also as a convenient general login mechanism. I had a native app I wrote and I didn't like having to store user credentials, so that seemed great. However, when I thought about it, it seemed there was nothing to prevent me from still getting the login credentials from the user of my app. Native apps, like phone apps, have complete control of the UI, unlike a web browser, which can be assumed to be a neutral player from the user's standpoint. When an app asks you for your login credentials for, say, Facebook, you have to make a decision whether you trust the app or not. With OAUTH it makes it seem like it's safe regardless of whether you trust the app or not.

It isn't. Since the app has complete control of the UI, unlike a browser, it completely controls what the user sees. There is an infinite number of ways for a native app to game the user to get their credentials while still completing the OAUTH transaction on the user's behalf. I brought this up to the OAUTH wg at the time and was roundly flamed by the working group and especially the lead author at the time (who it seems flamed out later for seemingly unrelated reasons). The end result was a little line or two blurb in the security considerations, and the end result is, as I predicted, that nobody would care about OAUTH use in native apps and it would become commonplace.

Later I heard that the OAUTH wg had created RFC 8252, which at first I thought was vindication after the hostility I was shown by the wg. I was looking it up again today though and found out that instead of just being an informational "don't do this" it is in fact a BCP. The gist is that native apps should use browsers to do the login. This is tantamount to asking foxes to be nice while guarding the hen house. Or closer to home, that RFC 3514 and the evil bit should be employed. Native apps intent on stealing your credentials can still steal your credentials no matter what RFC 8252 says and the user will be none the wiser.

What should be the BCP is that OAUTH should *never* be used for native apps and that users should *always* be cognizant that an evil app can steal their credentials just like when I specifically had to store them for my app to do stuff on their behalf. How on earth did the IESG let this get through? I mean seriously, this is a complete joke. Asking people to not be evil is not security and is certainly not a best common practice. This RFC should either be declared historic or rewritten.

Mike