PKCE: What Can(Not) Be Protected

This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.

At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.

In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow

In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 

Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).

• The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].

Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.

• Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

Proof Key for Code Exchange - PKCE (RFC 7636)

Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.

Figure 2: PKCE - RFC 7636 

Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:

• The Honest App generates a random string called code_verifier
• The Honest App computes the code_challenge=SHA-256(code_verifier)
• The Honest App specifies the challenge_method=SHA256

Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.

• Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.

Step 3-4: The code leaks again to the Evil App.

Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

 PKCE Bypass via App Impersonation

Again, PKCE binds the Auth Request to the coderedemption.

The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

Figure 3: Bypassing PKCE via the App Impersonation attack

Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

Step 2-4: These steps do not deviate from the previous description in Figure 2.

Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

OAuth 2.0 for Native Apps

The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

References

[1] http://mews.sv.cmu.edu/papers/ccs-14.pdf

[2] https://tools.ietf.org/html/draft-ietf-oauth-native-apps-06#section-8.1

[3] https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

Authors

Vladislav Mladenov
Christian Mainka (@CheariX)

Related word

1. Top Pentest Tools
2. Nsa Hacker Tools
3. New Hacker Tools
4. Pentest Tools Nmap
5. Hack Rom Tools
6. Hacking Tools For Pc
7. Hacker Tools For Windows
8. Hack Apps
9. Hacker Tools Mac
10. Best Pentesting Tools 2018
11. New Hack Tools
12. Pentest Tools Tcp Port Scanner
13. Wifi Hacker Tools For Windows
14. Pentest Tools Url Fuzzer
15. Hacking Tools For Windows Free Download
16. Hackers Toolbox
17. Hack Tool Apk No Root
18. Pentest Tools Android
19. Hacking Tools 2020
20. What Is Hacking Tools
21. What Are Hacking Tools
22. Hack And Tools
23. Hack Tools
24. Hacker Tools For Ios
25. Hacking Tools For Beginners
26. Hacking Tools For Windows 7
27. Install Pentest Tools Ubuntu
28. Pentest Tools Subdomain
29. How To Install Pentest Tools In Ubuntu
30. Hacks And Tools
31. Pentest Tools Framework
32. Hacker Tools List
33. Top Pentest Tools
34. Pentest Tools For Android
35. Pentest Tools Open Source
36. Beginner Hacker Tools
37. Pentest Tools Nmap
38. Best Hacking Tools 2019
39. Easy Hack Tools
40. Hacker Tools For Windows
41. Hacking Tools For Windows 7
42. Hack Tools For Pc
43. Hacking Tools Software
44. Pentest Tools Download
45. Pentest Recon Tools
46. Hack Tools 2019
47. Hacking Tools And Software
48. What Is Hacking Tools
49. Hack Tool Apk
50. Install Pentest Tools Ubuntu
51. Hacking Tools 2019
52. Pentest Tools Framework
53. Hacking Tools Windows 10
54. Hacking Tools For Beginners
55. Hack And Tools
56. Hacker Tools 2019
57. Pentest Reporting Tools
58. Game Hacking
59. Hack Apps
60. Hacker Tools For Ios
61. Hack Tool Apk
62. Best Hacking Tools 2020
63. Hack Tools Mac
64. Hack Tool Apk
65. Beginner Hacker Tools
66. Pentest Tools Tcp Port Scanner
67. Hacking App
68. Pentest Tools Apk
69. Computer Hacker
70. Growth Hacker Tools
71. Pentest Tools Windows
72. Growth Hacker Tools
73. Pentest Tools Nmap
74. Hack Tools Pc
75. Hacker Tools Hardware
76. World No 1 Hacker Software
77. Best Hacking Tools 2020
78. Pentest Reporting Tools
79. Hack Tools
80. Hacker Security Tools
81. Hack And Tools
82. Pentest Tools For Ubuntu
83. Hack Rom Tools
84. Hackrf Tools
85. Game Hacking
86. Hacker Tools Apk
87. Hack Tools
88. Pentest Tools Windows
89. Hacker Tools Windows
90. Hacking Tools For Kali Linux
91. Hacker Tools Windows
92. Hacking Tools Free Download
93. Hacker Tools Github
94. Hacking Tools Free Download
95. Hacker
96. Hacking Tools Pc
97. Pentest Tools Framework
98. Beginner Hacker Tools
99. Hacking Tools Kit
100. Nsa Hacker Tools
101. Pentest Tools Linux
102. Usb Pentest Tools
103. Pentest Tools Free
104. Hack Tools Pc
105. Hacking Tools Github
106. Hackers Toolbox
107. Hacker Tools For Ios
108. New Hacker Tools
109. Hack Tools For Pc
110. Hacking Tools Windows 10
111. Hacker Tools List
112. Hak5 Tools
113. Hacker Tools Linux
114. Physical Pentest Tools
115. Hacker Tools Mac
116. Hacker Tools
117. Hacker Tools Software
118. Ethical Hacker Tools
119. Best Pentesting Tools 2018
120. Hacker Tools For Pc
121. Hacker Tools Free Download
122. Wifi Hacker Tools For Windows
123. Hacker Search Tools
124. Hacker Tools List
125. Tools For Hacker
126. Best Pentesting Tools 2018
127. Hacking Tools Free Download
128. Hacking Tools 2020
129. Pentest Tools Android
130. Blackhat Hacker Tools
131. Game Hacking
132. Hacker
133. Pentest Box Tools Download
134. Hacking Tools Pc
135. Pentest Reporting Tools
136. Hacker Hardware Tools
137. Tools For Hacker
138. Hacker Tools Free Download
139. Pentest Automation Tools
140. Install Pentest Tools Ubuntu
141. Growth Hacker Tools
142. Hack And Tools
143. Underground Hacker Sites
144. Hackrf Tools
145. Hacking Apps
146. Hacking Apps
147. Hacking Tools For Windows Free Download
148. Hacker Tools Github
149. Pentest Tools Url Fuzzer
150. Hack Tools 2019
151. Hacking Tools For Beginners
152. Hacking Tools Mac