This question is about trying to understand the security risks involved in implementing oauth (ex: for google latitude) on a mobile platform like Android. Assumption here is that we have an Android application that has the consumer key/secret embedded in the code.
Assuming a consumer secret has been compromised, and a hacker has gotten a hold of it, what are the consequences of this ? Am I correct in stating that a compromised consumer secret as such has no effect on the user's security, or any data stored at the OAuth enabled provider that the user was interacting with. The data itself is not compromised and cannot be retrieved by the hacker. The hacker would need to get a hold of a valid user access token, and that's a lot harder to get. Am I also correct in stating the following : * The hacker can setup/publish an application that imitates my app. * The hacker can attract users that will go through the OAuth flow, retrieving an access token via the hackers OAuth dance (using the compromised consumer key/secret). * The user might think he's dealing with my app, as he will see a familiar name (consumer key) during the authorization process. * When a consumer issues a request via the hacker, the hacker can easily intercept the access token, and combined with the consumer secret can now sign requests on my behalf to gain access to my resources. This being the case, users might begin noticing this, causing the following to occur : * users may inform the service provider (ex: Google) about the malicious app * the service provider can then revoke the consumer key/secret * my app (containing the consumer secret) would need to be updated, as otherwise all my clients would not be able to authorize my app do to requests on their behalf. Although it would be possible to delegate a lot of the OAuth interactions via an intermediate webserver (doing the OAuth dance and sending the access token to the user), one would have to proxy all service interactions also, as the consumer key/secret is required for signing each request. Is this the only way to keep the consumer key/ secret outside of the mobile app, and stored in a more secure place on the intermediate webserver ? Are there alternatives for this proxy-ing ? Is it possible to store the consumer secret at the intermediate webserver, and have some kind of mechanism that the Android application (published in the market and properly signed), can do a secure request to the intermediate webserver to fetch the consumer secret and store it internally in the app ? Can a mechanism be implemented that the intermediate webserver "knows" that this is an official android app that is requesting to fetch the consumer secret, and that the intermediate webserver it will only handout the consumer secret to that particular android app ? -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
