PKCE: What Can(Not) Be Protected

This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.

At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.

In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow

In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 

Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).

• The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].

Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.

• Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

Proof Key for Code Exchange - PKCE (RFC 7636)

Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.

Figure 2: PKCE - RFC 7636 

Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:

• The Honest App generates a random string called code_verifier
• The Honest App computes the code_challenge=SHA-256(code_verifier)
• The Honest App specifies the challenge_method=SHA256

Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.

• Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.

Step 3-4: The code leaks again to the Evil App.

Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

 PKCE Bypass via App Impersonation

Again, PKCE binds the Auth Request to the coderedemption.

The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

Figure 3: Bypassing PKCE via the App Impersonation attack

Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

Step 2-4: These steps do not deviate from the previous description in Figure 2.

Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

OAuth 2.0 for Native Apps

The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

References

[1] http://mews.sv.cmu.edu/papers/ccs-14.pdf

[2] https://tools.ietf.org/html/draft-ietf-oauth-native-apps-06#section-8.1

[3] https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

Authors

Vladislav Mladenov
Christian Mainka (@CheariX)

More articles

1. Pentest Tools Framework
2. Hacker Tools Software
3. Hack Rom Tools
4. Hacker Tools Mac
5. Install Pentest Tools Ubuntu
6. Hack Website Online Tool
7. Pentest Tools Subdomain
8. Hacker Tools Online
9. Hacker Tools Hardware
10. Hacker Tools For Ios
11. Hacks And Tools
12. Computer Hacker
13. Pentest Tools Apk
14. Pentest Tools Online
15. Hack App
16. How To Make Hacking Tools
17. Hacking Tools For Pc
18. Hacking Tools For Pc
19. Pentest Reporting Tools
20. Hacking Tools Mac
21. Tools For Hacker
22. Hack And Tools
23. Pentest Tools Download
24. Hacker Tools 2019
25. Tools Used For Hacking
26. Hacker Tools Linux
27. Pentest Tools Online
28. Hacking Tools Windows 10
29. Ethical Hacker Tools
30. Hacking Tools 2019
31. Pentest Tools Website
32. Pentest Tools Open Source
33. Best Pentesting Tools 2018
34. Hacker Tools Linux
35. Tools 4 Hack
36. Pentest Tools Android
37. Pentest Box Tools Download
38. Hack Tools Pc
39. Pentest Reporting Tools
40. Hacker Tools For Mac
41. Pentest Tools Github
42. Hacker Search Tools
43. Top Pentest Tools
44. Hack Website Online Tool
45. Hacking Tools Download
46. Pentest Tools Alternative
47. Pentest Tools Port Scanner
48. Pentest Tools Github
49. Best Pentesting Tools 2018
50. Hacks And Tools
51. Hacking Tools Pc
52. Hacking Tools For Windows
53. Hacker Tools Free Download
54. Hack Tools
55. Hacker Techniques Tools And Incident Handling
56. How To Make Hacking Tools
57. Hacker Security Tools
58. Hack Apps
59. Hacker Tools Linux
60. Pentest Tools Linux
61. Hacking Tools For Kali Linux
62. Hackers Toolbox
63. Hacker Tools Online
64. Pentest Tools Kali Linux
65. Termux Hacking Tools 2019
66. Hacker Tools Apk
67. Pentest Tools Github
68. Tools For Hacker
69. Pentest Automation Tools
70. Hacking Tools
71. Hacker Tools Linux
72. Hacking Tools 2019
73. Hack Tool Apk No Root
74. Hack Tools 2019
75. Hacking Tools Pc
76. Best Pentesting Tools 2018
77. Kik Hack Tools
78. Hacking Tools For Pc
79. Pentest Tools Nmap
80. Hack Tools Github
81. Pentest Box Tools Download
82. Hacker Tools 2019
83. Pentest Tools Online
84. Pentest Reporting Tools
85. Hacking Tools For Windows Free Download
86. Nsa Hack Tools Download
87. Pentest Tools Android
88. Hacker Tools 2019
89. Hacking Tools Free Download
90. Hacker Tools For Ios
91. Hack Tools For Ubuntu
92. How To Make Hacking Tools
93. Hacking Tools
94. Android Hack Tools Github
95. Physical Pentest Tools
96. Wifi Hacker Tools For Windows
97. Pentest Tools Online
98. Hack Tools
99. Pentest Tools Alternative
100. Hacker Tools For Pc
101. Bluetooth Hacking Tools Kali
102. Hacking Tools For Windows
103. Pentest Reporting Tools
104. Hacker Tools For Pc
105. Pentest Tools Alternative
106. Best Hacking Tools 2019
107. Pentest Tools Subdomain
108. Hacker Tools
109. Hack Tools Github
110. Hackrf Tools
111. Pentest Box Tools Download
112. Pentest Tools For Mac
113. Best Hacking Tools 2019
114. Hacking App
115. Ethical Hacker Tools
116. Hack Tools Mac
117. Bluetooth Hacking Tools Kali
118. Hack And Tools
119. Hacking Tools For Beginners
120. Blackhat Hacker Tools
121. Nsa Hack Tools
122. Ethical Hacker Tools
123. Hack Rom Tools
124. Hack Tool Apk
125. Pentest Tools Linux
126. New Hacker Tools
127. Hacker Tools 2020
128. Hacking Tools Hardware
129. World No 1 Hacker Software
130. Hacking Tools For Games
131. How To Make Hacking Tools
132. Hacking Tools For Kali Linux
133. Pentest Tools Kali Linux
134. What Is Hacking Tools
135. Pentest Tools Github
136. Pentest Tools Alternative
137. Hacker Tools 2020
138. Pentest Tools Website
139. Tools 4 Hack
140. Hacker Tools List
141. Hack Tools For Pc
142. Hacking Tools For Games
143. Hacks And Tools
144. Tools 4 Hack
145. Pentest Tools For Windows
146. Android Hack Tools Github
147. Pentest Tools Port Scanner
148. Pentest Tools Nmap
149. Hacking Tools For Windows
150. Hacking Tools Pc
151. Hacking Tools Usb
152. Hack Tools 2019
153. Hacker Tools For Windows
154. Hacker Tools Linux
155. Nsa Hacker Tools
156. Hacker Tools For Pc
157. Pentest Tools Framework
158. Hacker Tools For Pc
159. Pentest Tools Port Scanner
160. Hack Tools Online
161. Pentest Tools Review
162. Pentest Box Tools Download
163. Hacking Tools
164. Hack Tools Online
165. Hack Apps
166. Pentest Tools List
167. Bluetooth Hacking Tools Kali
168. Nsa Hacker Tools
169. Hacker Tools
170. Android Hack Tools Github
171. Hack Tools Github
172. Hacker Tools 2020
173. Pentest Tools Find Subdomains
174. Beginner Hacker Tools
175. What Is Hacking Tools
176. Hacker Tools Windows
177. Pentest Tools For Ubuntu