This website contains complementary material related to the project "An Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps".
OAuth 2.0 (hereafter OAuth) and OpenID Connect (hereafter OIDC) are among the most popular open standards for access delegation and SSO login, respectively. The OAuth Working Group released "OAuth 2.0 for Native Apps" (RFC 8252), the Best Current Practice for native apps, which recommends using the external browser (rather than an embedded WebView) together with the authorization code flow protected by PKCE. More recently, the OpenID Foundation has made an effort to support developers by releasing AppAuth, a client SDK implementing this security and usability best practice. In this paper, we focus on the integration of OAuth and OIDC solutions offered by third-party Identity Management (IdM) providers in mobile native applications. We have checked the compatibility of the aforementioned best practice with the top IdM providers using OAuth 2.0 and OIDC (based on the ones listed on the OAuth website and the Alexa ranking). Our analysis reveals that:
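To make the best practice concrete, the following is an added illustration (not code from the project, nor from AppAuth) of the authorization code flow with PKCE as RFC 8252 recommends for native apps: the client derives an S256 code challenge from a random verifier, hands the authorization request to the external browser, receives the code on a custom-scheme redirect URI, and the provider refuses to exchange the code without the matching verifier. The IdM provider is a constructed in-memory stub; the endpoint URL, client_id and redirect URI are assumed values.

```python
"""Authorization code flow with PKCE (RFC 7636) as recommended for native apps
by RFC 8252. Added illustration: the IdM provider below is a constructed stub,
and the endpoint, client_id and custom-scheme redirect URI are assumed values."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (the RFC 7636 minimum length)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(endpoint, client_id, redirect_uri, scope, state, challenge):
    """The request the native app hands to the external browser (never a WebView)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


class StubIdMProvider:
    """Constructed stand-in for an IdM provider's /authorize and /token endpoints."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, redirect_uri)

    def authorize(self, url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("PKCE with S256 is required for public clients")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["code_challenge"], q["redirect_uri"])
        # Redirect back to the app's custom-scheme URI, echoing the client's state.
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        entry = self._pending.pop(code, None)  # codes are single-use
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, bound_redirect = entry
        if bound_redirect != redirect_uri:
            return {"error": "invalid_grant"}
        # An attacker who intercepted the code cannot produce the verifier.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_pkce_flow(provider, verifier_for_exchange=None):
    """Client side of the flow. `verifier_for_exchange` lets a caller simulate an
    attacker who captured the redirect (the code) but not the app's verifier."""
    client_id = "native-app"                             # assumed
    redirect_uri = "com.example.app:/oauth2redirect"     # assumed custom scheme
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("https://idp.example/authorize", client_id,
                                  redirect_uri, "openid profile", state,
                                  code_challenge_s256(verifier))
    callback = provider.authorize(url)  # stands in for the browser round trip
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not hmac.compare_digest(cb.get("state", ""), state):
        return {"error": "state_mismatch"}
    return provider.token(cb["code"], verifier_for_exchange or verifier, redirect_uri)


if __name__ == "__main__":
    idp = StubIdMProvider()
    print(run_pkce_flow(idp))                                        # access_token issued
    print(run_pkce_flow(idp, verifier_for_exchange=generate_code_verifier()))  # invalid_grant
```

The second call models the code-interception attack that PKCE is designed to stop: another app registered for the same custom scheme can receive the redirect, but without the verifier the token endpoint rejects the exchange. The `code_challenge_s256` test vector is the one from RFC 7636 Appendix B.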
As a consequence, by relying on these non-compliant IdM mechanisms, many mobile apps are implemented in an insecure way. The situation is even worse in complex scenarios, which are increasingly frequent with the advent of the API economy, where a single app interacts with many IdM providers. In that case, many SDKs must be imported into the app code, each with its own documentation to follow. In addition, in these scenarios AppAuth cannot easily be adopted either, because the available documentation is tailored to interacting with a single IdM provider. App developers are therefore left to develop their own methods, which can be an error-prone and time-consuming process, especially for inexperienced developers.
To this end, in this paper we propose a novel approach that guides developers through the integration of third-party IdM providers within their native apps. It consists of an Android Studio plugin that (i) provides a user-friendly GUI to properly configure the application, (ii) enforces the usage of the best practice for native apps by integrating AppAuth and automatically generating the code needed to handle it properly, and (iii) supports the integration of multiple IdM providers. The effectiveness of the proposed approach was verified by integrating several IdM providers, such as OKTA, Auth0, Microsoft, and Google.
Given that a paper providing more details about our solution is currently under review, we will provide further material once the review process is complete.
Thanks for your consideration.