Skip to end of metadata
Go to start of metadata

This rule was developed in part by Rachel Xu and Zifei (FeiFei) Han at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html).
For more information about this statement, see the About the OurCS Workshop page.

 For OAuth, use a secure Android method to deliver access tokens. The method to do with mobile apps and their platforms is not specified in the OAuth 1.0 or OAuth 2.0 standards. Access tokens can be securely delivered if the service provider can identify recipients using a globally unique identifier.

Under Construction

This guideline is under construction. 

 

Noncompliant Code Example

This noncompliant code example shows an application that

TBD

 

 An Intent can securely send an access token to its intended mobile relying party app, using an explicit intent, because the relying party can be uniquely identified through its developer key hash.

Compliant Solution

In this compliant solution the application

TBD

Risk Assessment

 

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD27-J

Medium

Probable

Medium

 

 

Automated Detection

 

Related Vulnerabilities

Hyperlink black-font text "the CERT website" below, with URL as follows: https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+<RULE_ID>

In the URL example above, <RULE_ID> should be substituted by this CERT guideline ID (e.g., INT31-C). Then, remove this purple-font paragraph.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Fill in the table below with at least one entry row, per these instructions, then remove this purple-font section.

CWE-297

 Improper Validation of Certificate with Host Mismatch

Bibliography

[Chen 14]

OAuth Demystified for Mobile Application Developers.  OAuthDemystified.pdf

  [IETF OAuth1.0a]

Internet Engineering Task Force (IETF). OAuth core 1.0 revision a. http://oauth.net/core/1.0a/.

  [IETF OAuth2.0] Internet Engineering Task Force (IETF). The OAuth 2.0 authorization framework. http://tools.ietf.org/html/rfc6749.