28 August 2018
Securing OAuth 2.0 for Native Apps
Jonathon Brookfield and Fraser Winterborn
OAuth 2.0 is commonly encountered as a means for a user to authorise third-party websites to access their account at web-based service providers, such as email providers or social networks. In addition to this, the OAuth 2.0 standard also describes methods to authorise an application running on a user’s mobile device to access these services. In this talk we will explore the additional security requirements and challenges that this poses and review the mitigations which must be considered by both application developers and service providers.
This talk is based on BlackBerry’s real-world experience of developing and securing applications using OAuth and is aimed at anyone building or breaking mobile apps that use OAuth 2.0. It examines the OAuth 2.0 for Native Apps standard in detail, describes its components, configurations and modes of operation, and highlights the key differences and considerations between web-based and native authentication. Common pitfalls will be examined, examples of how flawed implementations can be exploited by attackers will be demonstrated, and the mitigations that can be used to prevent these attacks will then be explored.
Talk amongst yourselves!
Go to bar. Get drink. Talk.
We’re always happy for more talks, so if you’ve implemented Meltdown on your smartwatch, want to walk us through the highlights of a CTF, or have some insight into upcoming privacy regulations, we’re interested!
Drop a message to firstname.lastname@example.org with a title, synopsis and rough length, and don’t worry if you haven’t spoken before.