Hi, I've read RFC 8252 and have questions about native apps, to which I couldn't find answers on the Internet.

Imagine an attacker doing the following:

1. The original app and the authorization server conform to RFC 8252, section 4.1, "Authorization Flow for Native Apps Using the Browser".
2. Clone the original app, name it "malicious app" and install it on the target phone.
3. Remove the original app from the target phone.
4. Use the malicious app and authorize; the OS will invoke the malicious app using the custom URL scheme.
5. Now the malicious app has access to the access token.

How should we think about this? What am I missing?
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth