PKCE: What Can(Not) Be Protected

This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.

At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.

In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow

In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 

Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).

• The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].

Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.

• Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

Proof Key for Code Exchange - PKCE (RFC 7636)

Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.

Figure 2: PKCE - RFC 7636 

Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:

• The Honest App generates a random string called code_verifier
• The Honest App computes the code_challenge=SHA-256(code_verifier)
• The Honest App specifies the challenge_method=SHA256

Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.

• Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.

Step 3-4: The code leaks again to the Evil App.

Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

 PKCE Bypass via App Impersonation

Again, PKCE binds the Auth Request to the coderedemption.

The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

Figure 3: Bypassing PKCE via the App Impersonation attack

Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

Step 2-4: These steps do not deviate from the previous description in Figure 2.

Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

OAuth 2.0 for Native Apps

The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

References

[1] http://mews.sv.cmu.edu/papers/ccs-14.pdf

[2] https://tools.ietf.org/html/draft-ietf-oauth-native-apps-06#section-8.1

[3] https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

Authors

Vladislav Mladenov
Christian Mainka (@CheariX)

Related articles

1. Pentest Tools Tcp Port Scanner
2. Hacker Tools
3. Tools 4 Hack
4. Underground Hacker Sites
5. Easy Hack Tools
6. Hacking Tools Pc
7. Growth Hacker Tools
8. Hacking Tools Windows 10
9. Pentest Tools
10. Pentest Tools For Ubuntu
11. Hacking Tools Name
12. Hacking Tools Free Download
13. Pentest Tools Url Fuzzer
14. Pentest Tools Online
15. Hacking App
16. Hack Tool Apk
17. Hack Tools Github
18. Beginner Hacker Tools
19. Hacker Tools Apk Download
20. Hacker Tools For Mac
21. Hack Tools For Windows
22. Hack Tools For Games
23. Pentest Tools Free
24. Pentest Tools For Windows
25. Hack Website Online Tool
26. Hack Tools Github
27. Physical Pentest Tools
28. Hacker Tools Apk
29. Pentest Tools Free
30. Hacking Tools Windows
31. Pentest Automation Tools
32. Hacking Tools Name
33. Hack Tools For Windows
34. Hack Tools
35. Hacking Apps
36. Pentest Tools List
37. Hack Tools 2019
38. How To Hack
39. Hack Tools For Pc
40. Hacker Tools Linux
41. Termux Hacking Tools 2019
42. Hacker Tools 2020
43. Easy Hack Tools
44. Hacker Hardware Tools
45. Hacker Tools Windows
46. Hacker Hardware Tools
47. Hak5 Tools
48. Pentest Tools Website
49. What Are Hacking Tools
50. Hacker Tools Windows
51. Hacking Tools For Windows Free Download
52. Best Hacking Tools 2020
53. Hack Tools Online
54. Physical Pentest Tools
55. Hacking App
56. Hack Tools For Ubuntu
57. Hack Tools For Games
58. Pentest Tools Linux
59. Hacker Tools Linux
60. Pentest Tools Windows
61. Hacking Apps
62. Hacking Tools Windows
63. Hacking Tools For Pc
64. Pentest Tools Find Subdomains
65. Pentest Tools Nmap
66. Hack App
67. Hacker Tools Hardware
68. Growth Hacker Tools
69. Hacker Tools Mac
70. Hacker Tools Software
71. Best Hacking Tools 2019
72. Pentest Tools Apk
73. Hackrf Tools
74. Pentest Tools Nmap
75. Hack Tool Apk No Root
76. Hacking Tools For Windows 7
77. Easy Hack Tools
78. Hacking Tools For Pc
79. Pentest Reporting Tools
80. Best Pentesting Tools 2018
81. Game Hacking
82. Hacker Tools 2019
83. How To Make Hacking Tools
84. Hacker Techniques Tools And Incident Handling
85. Pentest Tools Android
86. Hacker Tools For Pc
87. Hacker Tools Apk
88. Kik Hack Tools
89. Hack Tools Mac
90. Hacker Tools For Windows
91. Beginner Hacker Tools
92. Easy Hack Tools
93. Hack Rom Tools
94. Hacking Tools For Games
95. Tools For Hacker
96. Hacking Apps
97. Pentest Tools Port Scanner
98. Hacking Tools Hardware
99. Hacker Tools Apk
100. Hacking Tools Windows
101. Hacking Tools Pc
102. Kik Hack Tools
103. Hacking Tools For Windows Free Download
104. What Is Hacking Tools
105. Hackrf Tools
106. Hacking Tools For Windows
107. Hack Tools 2019
108. Ethical Hacker Tools
109. Hacking Tools For Pc
110. Hack Tools Online
111. Nsa Hacker Tools
112. Easy Hack Tools
113. Tools For Hacker
114. Hacking Tools Software
115. Install Pentest Tools Ubuntu
116. Hack And Tools
117. Free Pentest Tools For Windows
118. Hacker Tools Windows
119. Pentest Tools Free
120. Hacking Tools
121. Pentest Tools For Android
122. Termux Hacking Tools 2019
123. Hacking Tools Online
124. Hack Tools Mac
125. Hacker Tools For Mac
126. Hacker Tools For Pc
127. Hacking Tools Free Download
128. Nsa Hack Tools Download
129. Hack Tools 2019
130. Usb Pentest Tools
131. Best Pentesting Tools 2018
132. Growth Hacker Tools
133. Hacking Tools Pc
134. Hacking Tools For Pc
135. How To Hack
136. Hacker Tools Free
137. Hacking Tools Windows
138. Game Hacking
139. Hacker Tools Free
140. Pentest Tools Github
141. Hacker Tools For Windows
142. Pentest Tools Windows
143. Hacker Search Tools
144. Pentest Tools
145. Hacking Tools For Pc
146. Tools 4 Hack
147. Nsa Hack Tools Download
148. How To Hack
149. Bluetooth Hacking Tools Kali
150. Pentest Tools Android
151. Hacker Tools Windows
152. Hacker Tools List
153. Hacking Tools Software
154. Best Hacking Tools 2019
155. Hack Tool Apk
156. Hacker Tools For Windows
157. How To Make Hacking Tools
158. Hack Tools
159. Nsa Hacker Tools
160. Pentest Tools Url Fuzzer
161. Hacker Tools List
162. Pentest Reporting Tools
163. Computer Hacker
164. Pentest Tools Framework
165. Hack Tools Download
166. Black Hat Hacker Tools
167. Hacker Tools Apk Download
168. Hacker
169. Hack Tools Github
170. What Is Hacking Tools
171. Hack Tools For Games
172. Pentest Tools Free