OAuthManager.plist location/format and security implications #36

Open

hauntedhost opened this issue Jan 9, 2017 · 1 comment

hauntedhost commented Jan 9, 2017

A few things relating to #16 and #34.

  1. I'd love to submit a PR updating the iOS setup instructions with an example using OAuthManager.plist instead of hardcoding secrets in JavaScript. (My motivation here is a possibly flawed assumption that this is more secure. [2])

    • Would this file go in ios/<project>/OAuthManager.plist?
    • Any hints on proper formatting? I tried converting
    {
      "facebook": {
        "client_id": "fb123",
        "client_secret": "fb-secret"
      },
      "google": {
        "callback_url": "com.myapp.qa:/google",
        "client_id": "google123"
      }
    }

    to:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>facebook</key>
      <dict>
        <key>client_id</key>
        <string>fb123</string>
        <key>client_secret</key>
        <string>fb-secret</string>
      </dict>
      <key>google</key>
      <dict>
        <key>callback_url</key>
        <string>com.myapp.qa:/google</string>
        <key>client_id</key>
        <string>google123</string>
      </dict>
    </dict>
    </plist>

    And then removing authManager.configure(authConfig), but no luck so far.

  2. I'm new to native app development, but my understanding is that plist files are actually not in any way secure. 😞 And further, even compiled secrets can be reverse engineered, e.g., see http://stackoverflow.com/a/14865695/679702 and also https://www.youtube.com/watch?v=fLnR-zyQWzU (9 minute video). Could you address this?

  3. I'm developing a cross-platform app, so I will also need to get this working on the Android side as well. I would be happy to help implement this same behavior on Android; any suggestions for how to get started?

Thanks!

auser (Contributor) commented Jan 10, 2017

Thanks for the long issue. I think this is a great FAQ doc starting point too.

  1. Yes, it needs to be a part of the project in Xcode, so make sure you drag it into the project. Otherwise, it doesn't quite matter exactly where you put it, just as long as Xcode knows about it. You still need to configure the authManager, you just don't have to pass it any config ({} should suffice).

  2. It's not necessarily more secure. I think anything can be reverse engineered; it's just a question of how difficult you want to make it for your attackers. The most secure method would be to not include the secret and have a backend that holds the client secret. Despite that, it's easier to reverse JS than compiled code, so without a back-end, using the plist is the most secure way we have right now to include the secret in the app.

  3. Not sure about Android yet; I suspect there is a way though. I seem to recall a library that handles this in the user preferences, but I cannot recall the name this second.
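As an added example (not code from react-native-oauth or from either commenter), the following Python script covers the two practical points of the thread: it converts the JSON-shaped config from the first post into the XML plist layout with the standard plistlib module, so the hand-written conversion can be checked by round-tripping it, and it audits the resulting dictionary for keys that look like secrets, which is the build-time check a team wants if it follows point 2 and keeps the client secret on a backend. The provider names and the keys client_id, client_secret and callback_url come from the issue; the marker list, the function names and the sample values are assumptions.

```python
"""Added example: convert an OAuthManager-style JSON config to an XML plist and
audit it for secrets that would ship inside the app bundle. Not part of
react-native-oauth; key names come from the issue, everything else is assumed."""
import json
import plistlib
import sys

# Constructed sample with the same shape as the config posted in the issue.
SAMPLE_CONFIG_JSON = """{
  "facebook": {"client_id": "fb123", "client_secret": "fb-secret"},
  "google": {"callback_url": "com.myapp.qa:/google", "client_id": "google123"}
}"""

# Key-name fragments treated as "must not ship in the bundle" (assumed list).
SECRET_KEY_MARKERS = ("secret", "private", "password")


def json_to_plist(json_text: str) -> bytes:
    """Serialize the JSON config as XML plist bytes (the <dict>/<key>/<string>
    layout shown in the issue); plistlib emits the XML header and DOCTYPE."""
    config = json.loads(json_text)
    if not isinstance(config, dict):
        raise ValueError("top-level config must be an object keyed by provider")
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)


def plist_to_dict(plist_bytes: bytes) -> dict:
    """Parse plist bytes back into a dict so the conversion can be checked."""
    return plistlib.loads(plist_bytes)


def round_trips(json_text: str) -> bool:
    """True when JSON -> plist -> dict reproduces the original structure."""
    return plist_to_dict(json_to_plist(json_text)) == json.loads(json_text)


def find_bundled_secrets(config: dict) -> list:
    """Return 'provider.key' paths whose key name matches a secret marker."""
    findings = []
    for provider, settings in config.items():
        if not isinstance(settings, dict):
            continue
        for key in settings:
            if any(marker in key.lower() for marker in SECRET_KEY_MARKERS):
                findings.append(f"{provider}.{key}")
    return sorted(findings)


def strip_secrets(config: dict) -> dict:
    """Copy of config without secret-looking keys: the shape to bundle when the
    secret lives on a backend that performs the token exchange."""
    return {
        provider: {k: v for k, v in settings.items()
                   if not any(m in k.lower() for m in SECRET_KEY_MARKERS)}
        if isinstance(settings, dict) else settings
        for provider, settings in config.items()
    }


def audit_plist_bytes(plist_bytes: bytes) -> list:
    """Audit an already-built plist (e.g. the file Xcode copies into the .app)."""
    return find_bundled_secrets(plist_to_dict(plist_bytes))


if __name__ == "__main__":
    # With a path argument, audit that plist file; otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            findings = audit_plist_bytes(fh.read())
    else:
        plist_bytes = json_to_plist(SAMPLE_CONFIG_JSON)
        print(plist_bytes.decode())
        print("round-trip ok:", round_trips(SAMPLE_CONFIG_JSON))
        findings = audit_plist_bytes(plist_bytes)
    for path in findings:
        print(f"WARNING: {path} would ship inside the app bundle")
    sys.exit(1 if findings else 0)
```

Run it with the path to the OAuthManager.plist that Xcode bundles to get a non-zero exit status whenever a secret-looking key is present; wiring that into CI turns the "don't ship the client secret" advice into something the build enforces rather than something reviewers have to remember. The audit is name-based only, so a secret stored under an innocuous key is not caught; it is a guard rail, not proof of absence.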
