Master Thesis MSTR-2020-83

Bibliography: Stötzner, Miles: Design of an Android App2App Redirect Flow for the FAPI 2.0 Standard.
University of Stuttgart, Faculty of Computer Science, Electrical Engineering, and Information Technology, Master Thesis No. 83 (2020).
127 pages, English.
Abstract

The OAuth 2.0 Authorization Framework (OAuth 2.0) is an authorization framework used to grant third parties access to resources. OpenID Financial-grade API 2.0 (FAPI 2.0) is a profile of OAuth 2.0 whose goal is to meet the security requirements of the financial sector. These requirements include, for example, the assumption that an access token might leak to an attacker and that some endpoints are misconfigured as a result of social engineering attacks.

We present a design proposal for a redirect flow for FAPI 2.0 between two Android applications, the client and the auth app. A typical use case would be a financial wallet application, the client, that redirects the user to a banking app, the auth app, in order to authorize a financial transaction.

Our main goal is to securely redirect the user between the client and the auth app using today's technologies. We require integrity, confidentiality, source authentication and target authentication when redirecting the user. Roughly speaking, this means that the user is redirected from the correct source app to the correct target app and that no attacker is able to read or modify the data sent. The secure redirect is achieved by mutually authenticating the intent sender and receiver as well as by using a result callback. Authentication is based on comparing package signing certificates. The motivation for a secured redirect is to mitigate attacks as early as possible, as a defense-in-depth measure. The secured redirect is not limited to OAuth 2.0 but can also be used to secure other scenarios.
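The mutual authentication described above, as an added example that is not code from the thesis: the client checks the auth app's installed signing certificate before redirecting (target authentication), and the auth app checks the caller's signing certificate before handling the request (source authentication), both by comparing SHA-256 digests of the installed APK's DER signing certificate against pinned values. The package names, the action string, the extra name and the pinned digests are assumptions, and the digest values are placeholders.

```java
// Added example, not code from the thesis. Package names, the action string, the
// extra name and the pinned certificate digests below are assumptions; the digest
// values are placeholders to be replaced with the certificates registered for each app.
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

final class SignerPinning {
    static final String AUTH_APP_PKG = "com.example.bank";                      // assumed
    static final String ACTION_AUTHORIZE = "com.example.bank.action.AUTHORIZE"; // assumed
    static final int REQ_AUTHORIZE = 1001;
    // Hex SHA-256 over the DER signing certificate (the value apksigner prints); placeholders.
    static final Set<String> AUTH_APP_CERTS = new HashSet<>(Arrays.asList(
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"));
    static final Set<String> CLIENT_CERTS = new HashSet<>(Arrays.asList(
            "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"));

    /** Hex SHA-256 digests of every current APK signer of pkg; empty if the package is absent. */
    static Set<String> signerDigests(PackageManager pm, String pkg) {
        Set<String> out = new HashSet<>();
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null) return out;
            // getApkContentsSigners() is the signer set of the installed APK itself, which is
            // what a pin must be compared with (not the key-rotation history).
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature s : info.signingInfo.getApkContentsSigners()) {
                out.add(hex(sha256.digest(s.toByteArray())));   // toByteArray() is the DER certificate
            }
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Unknown package (or hidden by package visibility rules): report no signers.
        }
        return out;
    }

    /** True only if pkg is installed and all of its current signers are pinned. */
    static boolean isTrusted(PackageManager pm, String pkg, Set<String> pinned) {
        Set<String> digests = signerDigests(pm, pkg);
        return !digests.isEmpty() && pinned.containsAll(digests);
    }

    /** Client side (target authentication): verify the auth app's signer, then redirect explicitly. */
    static boolean redirectToAuthApp(Activity client, byte[] request) {
        if (!isTrusted(client.getPackageManager(), AUTH_APP_PKG, AUTH_APP_CERTS)) {
            return false;   // missing or wrongly signed auth app: send nothing
        }
        Intent intent = new Intent(ACTION_AUTHORIZE)
                .setPackage(AUTH_APP_PKG)        // explicit intent: no other app can claim the action
                .putExtra("request", request);   // extra name assumed
        // startActivityForResult records the caller, so the auth app can authenticate the
        // source, and the result is delivered only back to this activity.
        client.startActivityForResult(intent, REQ_AUTHORIZE);
        return true;
    }

    /** Auth app side (source authentication); call first thing in the handling activity's onCreate(). */
    static boolean authenticateCaller(Activity authActivity) {
        String caller = authActivity.getCallingPackage();   // null unless started for result
        if (caller == null || !isTrusted(authActivity.getPackageManager(), caller, CLIENT_CERTS)) {
            authActivity.setResult(Activity.RESULT_CANCELED);
            authActivity.finish();
            return false;
        }
        return true;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

`GET_SIGNING_CERTIFICATES` and `SigningInfo` need API 28, and on Android 11 and later `getPackageInfo()` on another package only succeeds if the manifest declares that package in a `<queries>` element; otherwise it throws `NameNotFoundException` and the check fails closed. The result callback completes the loop: Android returns the result only to the activity that called `startActivityForResult`, so the auth app's answer reaches the authenticated source and not an app that merely observed the redirect.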

Our proposal further defines the registration process for clients and auth apps. Building on this, we present the OAuth Integrity Attestation, which ensures that only the correct applications running on an untampered device can register and that the generated keys are hardware-backed. The OAuth Integrity Attestation contains, for example, a SafetyNet attestation and key attestations. Furthermore, we define the communication between the auth app and its backend, the authorization server, for interoperability and security reasons.
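The key attestation part of the OAuth Integrity Attestation, as an added example that is not code from the thesis: the app generates its key inside AndroidKeyStore with a server-issued challenge, so the attestation certificate chain it returns proves that the key is hardware-backed and was created for this registration attempt. The key alias, the minimum challenge length and the Base64 transport of the chain are assumptions.

```java
// Added example, not code from the thesis. The alias, the challenge-length check and the
// Base64 encoding of the chain for the registration request are assumptions.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import android.util.Base64;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

final class AttestedKey {
    static final String ALIAS = "oauth-client-key";   // assumed alias

    /** Create a P-256 signing key in AndroidKeyStore, StrongBox if present, bound to a server challenge. */
    static void generate(byte[] challenge) throws Exception {
        if (challenge == null || challenge.length < 16) {
            throw new IllegalArgumentException("challenge must be a fresh server nonce");
        }
        try {
            generateWith(challenge, true);    // dedicated secure element first
        } catch (StrongBoxUnavailableException e) {
            generateWith(challenge, false);   // fall back to the TEE; the chain tells the server which one
        }
    }

    private static void generateWith(byte[] challenge, boolean strongBox) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                        ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge)   // embedded in the attestation extension of the leaf
                .setIsStrongBoxBacked(strongBox)
                .build();
        kpg.initialize(spec);
        kpg.generateKeyPair();   // the private key never leaves the keystore hardware
    }

    /** DER certificates of the attestation chain, leaf first, Base64 for the registration request. */
    static List<String> attestationChain() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        // Without a challenge the keystore returns only a self-signed leaf; a real attestation
        // chain has the leaf plus at least one issuer certificate.
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("no attestation chain for " + ALIAS);
        }
        List<String> out = new ArrayList<>(chain.length);
        for (Certificate c : chain) {
            out.add(Base64.encodeToString(c.getEncoded(), Base64.NO_WRAP));
        }
        return out;
    }
}
```

The authorization server, not the app, decides whether the key is acceptable: it must chain the certificates to the hardware attestation root it trusts, check that the challenge in the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of the leaf equals the nonce it issued for this registration, require a TrustedEnvironment or StrongBox security level, and register the public key from the leaf as the client's key. A chain that verifies but carries a stale or foreign challenge is a replay and must be rejected.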

To show the feasibility of our proposal, we implemented the advanced profile in the context of a digital wallet app and a banking app. A user is able to link their bank account and to authorize financial transactions. Additionally, we implemented a malicious app that attacks the user redirect.

We discuss the security of our proposal with respect to our attacker model and list the identified vulnerabilities. Our attacker model is based on the attacker model defined by FAPI 2.0, extended by multiple assumptions and attacker capabilities. The additional attacker capabilities include, for example, that the client uses a misconfigured auth app and that the auth app might have some misconfigured endpoints. The motivation for these attacker capabilities is social engineering attacks. We also mitigate known problems with FAPI 1.0 that also apply to FAPI 2.0. One of the identified vulnerabilities is that a physical attacker with knowledge of the device credentials can access the same resources that a client has access to.

Department(s): Universität Stuttgart, Institut für Informationssicherheit und Kryptographie (ISC)
Supervisor(s): Küsters, Prof. Ralf; Schmitz, Dr. Guido
Entry date: June 2, 2021
   Publ. Computer Science