
Potential Security Issue?

Open TJ-coding opened this issue 3 years ago • 1 comments

In order to communicate the response from the oauth2 server received by the browser to an Android app, you seem to be using an intent-filter. However, Google seems to advise you not to do this and considers it a security hazard.

Caution: To ensure that your app is secure, always use an explicit intent when starting a Service and do not declare intent filters for your services. Using an implicit intent to start a service is a security hazard because you can't be certain what service will respond to the intent, and the user can't see which service starts. https://developer.android.com/guide/components/intents-filters#Types

I assume the reason for this is because any other app could be configured to respond to the same 'callbackUrlScheme', and potentially steal our secrets sent over this scheme.

I could not really understand what was being done in the source code, but the fact you ask people to set up an intent-filter gave me the feeling that an implicit intent was being used rather than an explicit intent. I apologize in advance if an explicit intent is being used; however, could you please confirm it so that I know for sure. Thank you.

TJ-coding avatar Mar 15 '22 00:03 TJ-coding

I'm pretty sure there is no way around intent filters for the OAuth use case.

Here's how I understand what's happening:

  1. App A wants to do OAuth
  2. A creates a url that defines the OAuth stuff (where to login, scopes, flow type, ...). This url also contains a "redirectUrl"; when the OAuth flow finishes, the result will be appended to that redirectUrl
  3. A tells the OS: Please open this url for me
  4. Android selects some app B that is registered to handle the given url. This is most likely a browser but could also be some authenticator app
  5. The user successfully logs in using B
  6. B constructs a new url by appending the result (e.g., an access token for implicit flows) to the "redirectUrl" defined by A when launching all this fun
  7. B then tells the OS: Please open this url for me
  8. Since A was registered for the redirectUrl, the OS launches A again with the redirectUri
  9. A now has the result and can do neat stuff with it

Note what happens in 3. and 7.: There is no direct calling of any components, just the operating system opening some app that promises to be able to deal with the given URL. That is what intent filters are for!

komaxx avatar Sep 07 '22 11:09 komaxx

If there is any other way to implement OAuth on Android I'm happy to check that out, but currently I believe that this is the only way to do it...

LinusU avatar Nov 01 '22 08:11 LinusU
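Added example, not code from the flutter_web_auth project or from anyone in this thread: an AndroidManifest.xml excerpt that shows the custom-scheme intent filter the thread relies on (steps 7 and 8 above, and the scheme-hijack risk TJ-coding raises) next to the Android App Links form, which pins the redirect to an https domain that Android verifies at install time. The activity name, package name and host are placeholders.

```xml
<!-- AndroidManifest.xml excerpt constructed for this issue (not flutter_web_auth's own code).
     ".AuthCallbackActivity", "com.example.app" and "auth.example.com" are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <!-- exported="true" is unavoidable here: the browser (app B in the thread) delivers the
         redirect with an implicit ACTION_VIEW intent, which is exactly why a filter is needed. -->
    <activity android:name=".AuthCallbackActivity" android:exported="true">

      <!-- WEAK (the setup the issue worries about): a private URL scheme. Any installed app
           can declare the same scheme, so the OS may route the redirect, and the code or
           token it carries, to that app instead of this one. -->
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="com.example.app" />
      </intent-filter>

      <!-- HARDENED: Android App Link on an https URL. With autoVerify the system fetches
           https://auth.example.com/.well-known/assetlinks.json at install time and honours
           this filter only if that file lists this package name and its signing-certificate
           fingerprint. An app that does not control the domain cannot claim the URL, so
           the redirect is delivered to this app only. -->
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https"
              android:host="auth.example.com"
              android:pathPrefix="/oauth/callback" />
      </intent-filter>
    </activity>
  </application>
</manifest>
```

In practice the custom-scheme filter is removed once the App Link is verified, and the redirect should carry a one-time authorization code bound with PKCE rather than an access token, so that a redirect delivered to the wrong app is useless without the verifier held by the legitimate app.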