PKCE solves a subset of this, but not the general case. It doesn't solve the FB example in the paper where the FB token is passed between apps locally. It is a clear win for the OAuth code flow for example though.
On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakim...@gmail.com> wrote:

Hi OAuthers:

The XARA (Cross App Resource Access) paper was gaining interest here in Japan today because of the Register article [1]. I went over the attack description in the full paper [2].

The paper presents four kinds of vulnerabilities:

1. Password Stealing (Keychain)
2. Container Cracking (BundleID check bug on the part of the Apple App Store)
3. IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
4. Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through. These are the target attacks that PKCE specifically wants to address, and does address, I believe.

[1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth