replaced http://security.stackexchange.com/ with https://security.stackexchange.com/

How can I guarantee that requests from sources claiming to be this client application can be trusted?

You can't.

To quote another SO answer:

The thing is though, in mobile, the application is already trusted, once the user has installed the application he has chosen to trust it [...] Ultimately I don't think that it's possible to completely protect users from an application once they've decided to trust it by installing it.

What's to stop the client making authentication requests to that endpoint with the client id?

Nothing.

You can only focus on protecting your users' username/password, for instance:

  • don't store them inside your app.
  • educate your users with clear explanations on where to get your official apps and why they should not trust any other app asking for their credentials.

A little explanation:

In order to access resources, an app needs to obtain an access token (and possibly an optional refresh token).

To obtain the access token a first request including the username and the password has to be sent to the endpoint. Note: the client_id and client_secret are only mandatory for confidential clients or for any client that was issued client credentials.

So the malicious app can't access any resource until it obtains the username and password, otherwise it won't be able to obtain an access token. Even if it uses the identity of your official app.
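As an added example that is not part of the original answer, here is a minimal server-side token endpoint for the password grant the answer describes (RFC 6749 section 4.3). The client registry, the user "alice" and her password are constructed for the example and are not any real provider's data. It shows the answer's point in code: for a public client (a mobile app) the client_id is only a label, so an impostor presenting the official client_id still gets `invalid_grant` without the user's password, whereas a confidential client's client_secret actually is verified.

```python
"""Minimal OAuth 2.0 token endpoint logic for the resource owner password grant.

Everything here (clients, user, password) is constructed for illustration;
this is not the code of any real authorization server.
"""
import hashlib
import hmac
import os
import secrets

# Constructed client registry. A public client (mobile app) has no secret,
# because anything shipped inside the app can be extracted and reused by
# another app. A confidential client (a backend) holds a secret the server
# can actually check.
CLIENTS = {
    "mobile-app": {"confidential": False, "secret": None},
    "backend-service": {"confidential": True, "secret": "s3cr3t-only-on-the-server"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked user store does not leak passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: salted PBKDF2 hashes only, never plaintext.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

ISSUED_TOKENS: dict[str, str] = {}  # access_token -> username


def _verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown users take as long as known ones.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def handle_token_request(form: dict) -> tuple[int, dict]:
    """Process one POST to the token endpoint; returns (http_status, json_body)."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    client = CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return 401, {"error": "invalid_client"}
    if client["confidential"]:
        # Only a confidential client can be authenticated: check its secret.
        if not hmac.compare_digest(form.get("client_secret", ""), client["secret"]):
            return 401, {"error": "invalid_client"}
    # For a public client nothing above proves which app is calling: the
    # client_id is public knowledge and any app can send it.

    # The only thing that actually gates the token is the user's credentials.
    if not _verify_password(form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}

    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = form["username"]
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_owner_of(token: str):
    """Which user an issued access token belongs to (None if unknown)."""
    return ISSUED_TOKENS.get(token)


if __name__ == "__main__":
    official = {"grant_type": "password", "client_id": "mobile-app",
                "username": "alice", "password": "correct horse battery staple"}
    # Impostor app: same public client_id, but it does not know alice's password.
    impostor = {"grant_type": "password", "client_id": "mobile-app",
                "username": "alice", "password": "guess"}
    print("official app :", handle_token_request(official)[0])
    print("impostor app :", handle_token_request(impostor))
```

The impostor request fails only because the password is wrong, not because the server recognised that it was not the official app; had the impostor phished the password from the user, it would receive exactly the same token. That is why the defensive effort goes into protecting the user's credentials rather than into "authenticating" a public client.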
