OAuth secrets in mobile apps

by

Yes, this is an issue with the OAuth design that we are facing ourselves. We opted to proxy all calls through our own server. OAuth wasn’t entirely flushed out in respect of desktop apps. There is no prefect solution to the issue that I’ve found without changing OAuth.

If you think about it and ask the question why we have secrets, is mostly for provision and disabling apps. If our secret is compromised, then the provider can only really revoke the entire app. Since we have to embed our secret in the desktop app, we are sorta screwed.

The solution is to have a different secret for each desktop app. OAuth doesn’t make this concept easy. One way is have the user go and create an secret on their own and enter the key on their own into your desktop app (some facebook apps did something similar for a long time, having the user go and create facebook to setup their custom quizes and crap). It’s not a great experience for the user.

I’m working on proposal for a delegation system for OAuth. The concept is that using our own secret key we get from our provider, we could issue our own delegated secret to our own desktop clients (one for each desktop app basically) and then during the auth process we send that key over to the top level provider that calls back to us and re-validates with us. That way we can revoke on own secrets we issue to each desktop client. (Borrowing a lot of how this works from SSL). This entire system would be prefect for value-add webservices as well that pass on calls to a third party webservice.

The process could also be done without delegation verification callbacks if the top level provider provides an API to generate and revoke new delegated secrets. Facebook is doing something similar by allowing facebook apps to allow users to create sub-apps.

There are some talks about the issue online:

http://blog.atebits.com/2009/02/fixing-oauth/
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/629b03475a3d78a1/de1071bf4b820c14#de1071bf4b820c14

Twitter and Yammer’s solution is a authentication pin solution:
https://dev.twitter.com/oauth/pin-based
https://www.yammer.com/api_oauth_security_addendum.html

More Related Contents:

  1. What work has been done on cross-platform mobile development? [closed]
  2. Comparison between Corona, Phonegap, Titanium
  3. position: fixed doesn’t work on iPad and iPhone
  4. Lock-down iPhone/iPod/iPad so it can only run one app
  5. Can I avoid the native fullscreen video player with HTML5 on iPhone or android?
  6. Restrict API requests to only my own mobile app
  7. Technology to write iPhone, BlackBerry and Android phone at the same time? [closed]
  8. Do iPhone / Android browsers support CSS @media handheld?
  9. Best practices for iOS applications security
  10. Store orientation to an array – and compare
  11. How to securely store access token and secret in Android?
  12. Disable scrolling in all mobile devices
  13. Alternatives to google maps api [closed]
  14. Fix font size issue on Mobile Safari (iPhone) where text is rendered inconsistently and some fonts are larger than others?
  15. Is it possible, in principle, for an Android device to interface with an iPhone over Bluetooth/GameKit?
  16. scale fit mobile web content using viewport meta tag
  17. Implementing and Testing iOS data protection
  18. How to keep the OAuth consumer secret safe, and how to react when it’s compromised?
  19. Jquery-ui sortable doesn’t work on touch devices based on Android or IOS
  20. iTunes api, lookup by bundle ID?
  21. iPhone WebApps, is there a way to detect how it was loaded? Home Screen vs Safari?
  22. blank white screen after FB login via web app?
  23. RESTful frameworks for Android, iOS…?
  24. J2ME VS Android VS iPhone VS Symbian VS Windows CE [closed]
  25. Write once deploy on Windows Mobile 6, Windows Phone 7, Android and iPhone? [closed]
  26. How to pin the Public key of a certificate on iOS
  27. Mobile Web – Disable long-touch/taphold text selection
  28. How to create custom easing function with Core Animation?
  29. UILongPressGestureRecognizer gets called twice when pressing down
  30. How to recognize swipe in all 4 directions?

Leave a Comment