OAuth, app permissions, and a false sense of security

Disclaimer

There is nothing new in this post. I'm just bringing this up now because a lot of people seem not to know the facts. It also has nothing to do with Windows Phone specifically, but rather pretty much every platform. The point of this post is not to spread FUD, but to remind people not to take security for granted.

OAuth

For those that don't know what OAuth is, it is an open standard for authorization. OAuth provides client applications "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.

These days OAuth is used pretty much everywhere an external client needs to log in to some sort of service. You've used it with Google (I used it to upload the video in this post), Microsoft apps (Skype, Xbox SmartGlass, Visual Studio), Twitter, Facebook, and endless others.

You'll know when you're using it because you'll see a button like "Sign in with X", which will then pop up a login window on your PC or phone.

Over on /r/WindowsPhone (and the internet at large), I've read a number of comments stating that your credentials are safe when using a mobile app that uses OAuth. The theory is that the actual mobile app you're using never has access to your credentials, because it is just opening a window directly to the site's login page, and the credentials go directly to the site (never to the app). The site then sends a token back to the app to say the credentials were valid, and from there the app can use that token with its requests (to post a tweet, for example). OAuth isn't only about keeping your password away from the app, but that is all this post is about.

The issue is that this theory is simply completely wrong. The big point of failure is that even though the app is showing the Twitter website directly, the actual browser component is still owned/contained by the app. So an app that you may or may not trust can do pretty much what it wants to that Twitter website.

Below I made a video to demonstrate this. All I did was download a Windows Phone Twitter login sample and add a tiny bit of code, which allows me to get the username and password that the user types (even though they are typing directly into the browser). The upper text is native XAML, the lower part is the Twitter OAuth browser component.

Yes, in the time it takes to put on your fingerless hacker gloves, it is possible to make a "legit" OAuth login (i.e. it will still work and authenticate you, and it is the real Twitter site) that will also steal credentials.

In a real-world application the person would obviously not show the credentials at the top of the screen; they'd silently send them off to a server which collects all the accounts. I'm not 100% sure why someone would want to steal your account. It's not like we're sending nude selfies to each other, right?

Another issue with this browser-in-app way of doing OAuth is that the user has no idea what the actual URL of the page is. For all they know it could be going to a page that is just made to look the same as the real login page.

How do I keep safe?

This is a bit of a tricky one to give solid advice on. As far as I am aware there are just two "safe" mobile OAuth login options:

- PIN login: Some apps will open the phone's actual browser (outside of the app) and load the OAuth login. You then log in, and it gives you a short code. Copy that code and paste it back into the app. This is pretty safe because the browser is not part of the possibly-dodgy app.

- Windows 8 OAuth: Windows 8 introduced an easy way for apps to use OAuth logins. When the app requests it, the OS will show a login over the app. This is a good mix between the browser-in-app method and the PIN login, because it has the best of both worlds. The issue is that an app could still create a fake popup panel pretending to be the Windows 8 one.

Of course, the issue with both of the above is that they are completely dependent on the platform and app. It also depends on whether the login service even supports PIN auth.
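To make the PIN login option concrete, here is an added simulation (not code from the article or from any real login service) of the out-of-band flow: the app only ever holds a request token and the short code the user pastes in, while the password is checked in the user's own browser session. `AuthServer`, `USERS` and the 7-digit PIN format are constructed for the example.

```python
"""Simulated PIN (out-of-band) OAuth login: the app never sees the password."""
import hmac
import secrets

# Constructed credential store standing in for the real login service.
USERS = {"alice": "correct horse battery staple"}


class AuthServer:
    """Hypothetical login service: owns the password check and the PIN issuance."""

    def __init__(self):
        self._unauthorized = set()   # request tokens issued but not yet approved
        self._pending = {}           # request token -> (verifier PIN, username)

    def issue_request_token(self):
        # Step 1, done by the app: obtain a temporary request token. No user data yet.
        tok = secrets.token_urlsafe(16)
        self._unauthorized.add(tok)
        return tok

    def authorize(self, request_token, username, password):
        # Step 2, done by the user in the phone's own browser. The password is
        # checked here and never reaches the app; the user gets back a short PIN.
        if request_token not in self._unauthorized:
            raise PermissionError("unknown or already-used request token")
        if not hmac.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("bad credentials")
        self._unauthorized.discard(request_token)
        verifier = f"{secrets.randbelow(10**7):07d}"   # 7-digit PIN shown on screen
        self._pending[request_token] = (verifier, username)
        return verifier

    def exchange(self, request_token, verifier):
        # Step 3, done by the app: trade request token + pasted PIN for an access
        # token. The PIN is bound to its request token and burns on first use,
        # so a guessed or leaked PIN cannot be replayed or used with another token.
        entry = self._pending.pop(request_token, None)
        if entry is None or not hmac.compare_digest(entry[0], verifier):
            raise PermissionError("verifier does not match request token")
        return {"access_token": secrets.token_urlsafe(24), "user": entry[1]}


def app_login(server, user_in_browser):
    """Everything the app does: it only ever holds the request token and the PIN.
    `user_in_browser` stands for the user's session in the system browser and
    is the only place the password exists."""
    req = server.issue_request_token()
    pin = user_in_browser(req)
    return server.exchange(req, pin)
```

The browser-in-app method fails exactly where this flow succeeds: here the app has no component that could observe the `authorize` step.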

So the real advice here is to just stay aware of what you are doing and what you are downloading. If you're downloading a Twitter app, don't even consider it if it doesn't have many ratings (meaning it hasn't had many guinea pigs). Even if it does have lots of ratings, take a few minutes to tap on the developer's name and see what else they have made. Are they well known in the community? Do they have a seemingly-legitimate online presence (as opposed to someone you can't find anything about)?

You're basically trying to find out whether the developer would be held accountable for wrongdoing, rather than just disappearing into the night.

With Windows Phone specifically, most serious development efforts (and their developers) for the main services (Twitter, Facebook, Instagram, etc.) have been covered in depth by WPCentral. So if you have an urge to post grainy images of your food (and don't want to use the official app), why are you even looking in the phone marketplace? Go on WPCentral, search, and do some reading.

All this being said, I've never heard of a single widespread case of this happening on Windows Phone (I'm not sure if it has happened on other platforms).

App Capabilities

Credentials aren't the only thing that people have an affinity for stealing, though. All the content on your little smartphone? Yes, people want that.

There are a couple of ways that people can steal your stuff. The easiest way is for an attacker to simply ask nicely for it, then let you enjoy a cute little game while it copies. What am I going on about? App permissions and capabilities!

You see, when you install an app on your phone from an official store/marketplace, it will prompt you for certain permissions that the app has requested. Clicking yes will then give that app access to those parts of the OS, or to that functionality in the OS.

To see a full list of permissions that an app needs on Windows Phone, scroll down to the bottom of the details section in the store and look at Requires (this applies when updating an app too, as seen in the image below). On WP8.1 it is slightly different. Open the app in the store, slide left/right twice to get to details, then scroll to the bottom.

People always freak out about apps requiring their location. While I don't want to downplay that, location should be the least of your concerns. Even without access to your GPS your location can be approximated anyway. So let's look at a few others (these are Windows Phone specific, but apply everywhere):

ID_CAP_ISV_CAMERA – A lot of applications have valid reasons to use your camera, but most people assume that the app will only use the camera when you know about it. The issue is that having this capability means that any time the app is open, it can be streaming live video of you to some dodgy dude in his basement. Let's say you download a tic-tac-toe game, and in the description it tells you that leaderboards allow you to have a custom profile photo. Along with allowing the app to do that, you're also allowing it to record you playing tic-tac-toe naked in bed.

ID_CAP_MEDIALIB_PHOTO – Some applications, like Twitter, provide an interface to select a photo from your phone and upload it. Tic-tac-toe could ask for the permission so that you can select a custom profile photo from images in your camera library. The issue is that, just like the camera above, the app can actually do whatever it wants with that access. While you're happily listening to Celine Dion while playing, it could be uploading all your personal photos.

ID_CAP_MICROPHONE – This is pretty self-explanatory. But basically, that tic-tac-toe game could also be recording your terrible singing while you play the game, and then upload it somewhere.

There are tons of others, but these are a few important ones.

For a simpler list of what each permission is, there is a guide on the Windows Phone site.

How do I keep my content safe?

Firstly, it is worth noting that nearly all developers probably have their capabilities there for a valid reason. Not everyone is out to get you. I'm making a mobile racing game and am planning on using the half-click "focus" camera button as the accelerator, so I will need to ask for camera permission, even though I never use the actual camera.

Sometimes developers also just put a capability there by mistake. I've done it accidentally before, and have seen lots of others do it too. There are some really silly requirements from some add-ons as well. Amongst others, Google AdMob tells you to add ID_CAP_MEDIALIB_PHOTO to your app. I don't have a clue why they feel they need access to your photos to serve up some adverts. But I can tell you that it is safe not to put that capability in - AdMob still works fine.
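As an added example (not the article's code, and not a Microsoft tool), here is a small audit of the capabilities section of a Windows Phone WMAppManifest.xml that covers both the capability list above and the accidental or SDK-mandated capability problem: it lists what the manifest requests and flags any of the three sensitive capabilities the developer has not written down a reason for. The manifest, the "TicTacToe" app, the placeholder ProductID and the `justified` mapping are constructed for the example.

```python
"""Audit the capabilities a Windows Phone app requests in its WMAppManifest.xml."""
import xml.etree.ElementTree as ET

# The capabilities discussed above, and why each deserves a second look.
SENSITIVE = {
    "ID_CAP_ISV_CAMERA": "camera usable any time the app is open, not just when you expect",
    "ID_CAP_MEDIALIB_PHOTO": "read access to the whole photo library, not a one-off picker",
    "ID_CAP_MICROPHONE": "microphone usable any time the app is running",
}

# Constructed manifest for a hypothetical tic-tac-toe game. The ProductID is a
# placeholder; the photo-library entry is the kind an ad SDK guide tells you to add.
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="TicTacToe">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_MEDIALIB_PHOTO" />
      <Capability Name="ID_CAP_ISV_CAMERA" />
      <Capability Name="ID_CAP_MICROPHONE" />
    </Capabilities>
  </App>
</Deployment>"""


def requested_capabilities(manifest_xml):
    """Return the sorted list of ID_CAP_* names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    # Match on the local tag name so the lookup works whether or not a default
    # namespace is in force at the <Capabilities> element.
    return sorted(
        el.get("Name")
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name")
    )


def audit(manifest_xml, justified):
    """Flag sensitive capabilities the developer has not written a reason for.

    `justified` maps capability name -> the reason it is needed (for example the
    racing game's camera button). Anything sensitive and unexplained is exactly
    the accidental or SDK-mandated capability the text warns about."""
    caps = requested_capabilities(manifest_xml)
    sensitive = [c for c in caps if c in SENSITIVE]
    unjustified = {c: SENSITIVE[c] for c in sensitive if c not in justified}
    return {"requested": caps, "sensitive": sensitive, "unjustified": unjustified}
```

Running this against the sample with only the camera justified flags the photo-library and microphone entries, which is the list of questions to put to the developer before installing.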

If you aren't sure why tic-tac-toe needs access to your microphone, reach out to the dev and ask - BEFORE INSTALLING IT. Generally developers will be pretty easy to get hold of, and I've never had someone reply to me angrily when I asked what their capabilities were for.

Finally, on Windows Phone, apps are more limited in what they can request. This means slightly less functionality in a few apps, but also more security. I've tried to download Android games that have asked for access to my SMSs. That's when you hit the "Cancel" button fast.

Stay frosty

You are never really safe while typing your username and password anywhere. If it isn't people hijacking your WiFi, then it's people making dodgy apps to steal your accounts. Or if they're not trying to steal passwords, they're trying to upload your sketchy photo library. Even with an honest developer - give them a bag of money and they might consider doing something dodgy.

BUT, this isn't the movies, and naughty developers seem to be few and far between.

The greatest security measure you can take is to simply be both smart and aware of what you're doing. Stay frosty, people.

Matt "RogueCode" Cavanagh is a well known Windows Phone MVP and Nokia Developer Champion developer. You can follow him on Twitter @RogueCode or visit his developer blog.

Source: https://www.windowscentral.com/oauth-app-permissions-and-false-sense-security