OAuth, app permissions, and a false sense of security


There is nothing new in this post. I'm just bringing this up now because a lot of people seem to not know the facts. It also has nothing to do with Windows Phone specifically, but rather pretty much every platform. The point of this post is not to spread FUD, but to remind people to not take security for granted.


For those that don't know what OAuth is, it is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.

These days OAuth is used pretty much everywhere where an external client needs to log in to some sort of service. You've used it with Google (I used it to upload the video in this post), Microsoft apps (Skype, Xbox Smartglass, Visual Studio), Twitter, Facebook, and countless others.

You'll know when you're using it because you'll see a button like: "Sign in with X", which will then pop up a login window on your PC or phone.

Over on /r/WindowsPhone (and the internet at large), I've read a number of comments stating that your credentials are safe when using a mobile app that uses OAuth. The theory is that the mobile app you're using never has access to your credentials, because it is just opening up a window directly to the site's login, and the credentials go directly to the site (never to the app). The site then sends a token back to the app to say the credentials were valid, and from there the app can use that token with requests (to post a tweet, for example). OAuth isn't just about keeping your password away from the app, but that is all that this post is about.

The issue is that this theory is just completely wrong. The big point of failure is that even though the app is showing the Twitter website directly - the actual browser component is still owned/contained by the app. So an app that you may or may not trust, can do pretty much what it wants to that Twitter website.

Below I made a video to demonstrate this. All I did was download a Windows Phone Twitter login sample, and add a tiny bit of code, which allows me to get the username and password that the user types (even though they are typing directly into the browser). The upper text is native XAML, the lower part is the Twitter OAuth browser component.

Yes, in the time it takes to put on your fingerless hacker gloves, it is possible to make a "legit" OAuth login (i.e. it will still work and authenticate you, and is the real Twitter site) that will also steal credentials.

In a real-world application the person would obviously not show the credentials at the top of the screen, they'd silently send those off to a server which will collect all the accounts. I'm not 100% sure why someone would want to steal your account. It's not like we're sending nude selfies to each other, right?

Another issue with this browser-in-app way of doing OAuth is that the user has no idea what the actual URL of the page is. For all they know it could be going to a page that is just made to look the same as the real login page.

How do I keep safe?

This is a bit of a tricky one to give solid advice on. As far as I am aware there are only two "safe" mobile OAuth login options:

- Pin login: Some apps will open up the phone's actual browser (outside of the app) and load the OAuth login. You then log in, and it gives you a short code. Copy that code and paste it back in the app. This is pretty safe because the browser is not part of the possibly-dodgy app.

- Windows 8 OAuth: Windows 8 introduced an easy way for apps to use OAuth logins. When the app requests it, the OS will show a login over the app. This is a good mix between the browser-in-app method and the pin login, because it has the best of both worlds. The issue is that an app could still create a fake popup panel pretending to be the Windows 8 one.

Of course, the issue with both of the above is that they are completely dependent on the platform and app. It also depends whether the login service even supports pin-auth.
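The pin login described above, seen from the app's side, as an added example (not code from this post or from the sample app in the video). It assumes Twitter's OAuth 1.0a out-of-band flow, where the callback is the literal `oob` and the pin goes back as `oauth_verifier`; the endpoint URLs are assumptions not listed in the post, and every key, token and pin value is constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Twitter OAuth 1.0a endpoints (assumed; the post does not list them).
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(value):
    """Percent-encode per RFC 3986, as OAuth 1.0a requires."""
    return quote(str(value), safe="-._~")


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature over the OAuth 1.0a signature base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_params(consumer_key, nonce, timestamp, **extra):
    """Protocol parameters common to every signed call."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    params.update(extra)
    return params


def request_token_call(consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Step 1: ask for a request token with the callback set to 'oob' (pin flow)."""
    params = oauth_params(consumer_key, nonce, timestamp, oauth_callback="oob")
    params["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, params, consumer_secret)
    return params


def browser_url(request_token):
    """Step 2: URL handed to the phone's own browser, never to an in-app browser."""
    return f"{AUTHORIZE_URL}?{urlencode({'oauth_token': request_token})}"


def access_token_call(consumer_key, consumer_secret, request_token,
                      request_token_secret, pin, nonce=None, timestamp=None):
    """Step 3: trade the request token plus the user-typed pin for an access token."""
    params = oauth_params(consumer_key, nonce, timestamp,
                          oauth_token=request_token, oauth_verifier=pin.strip())
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params,
                                     consumer_secret, request_token_secret)
    return params


def auth_header(params):
    """Render the parameters as an HTTP Authorization header value."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


if __name__ == "__main__":
    # Constructed sample values; a real app receives the tokens from the provider.
    print(auth_header(request_token_call("demo-key", "demo-secret")))
    print(browser_url("constructed-request-token"))
    print(auth_header(access_token_call("demo-key", "demo-secret",
                                        "constructed-request-token",
                                        "constructed-token-secret", " 1234567 ")))
```

The only user-supplied value the app ever handles is the pin typed in step 3; the username and password are entered on a page the app does not host.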

So the real advice here is to just keep aware of what you are doing, and what you are downloading. If you're downloading a Twitter app, don't even consider it if it doesn't have many ratings (meaning it hasn't had many guinea pigs). Even if it does have lots of ratings, take a few minutes to tap on the developer's name and see what else they have made. Are they well known in the community? Do they have a seemingly-legitimate online presence (as opposed to someone you can't find anything about)?

You're basically trying to find out that the developer would be held accountable for wrong-doings and not just disappear into the night.

With Windows Phone specifically, most serious development efforts (and their developers) for the main services (Twitter, Facebook, Instagram, etc.) have been covered in depth by WPCentral. So if you have an urge to post grainy images of your food (and don't want to use the official app), why are you even looking in the phone marketplace? Go on WPCentral, search, and do some reading.

All this being said, I've never heard of a single wide-spread case of this happening on Windows Phone (I'm not sure if it has happened on other platforms).

App Capabilities

Credentials aren't the only thing that people have an affinity for stealing though. All the content on your little smartphone? Yeah, people want that.

There are a couple of ways that people can steal your stuff. The easiest way is for an attacker to simply ask nicely for it, and then let you enjoy a cute little game while it copies. What am I going on about? App permissions and capabilities!

You see, when you install an app on your phone from an official store/marketplace, it will prompt you for certain permissions that the app has requested. Clicking yes will then give that app access to those parts of the OS, or to that functionality in the OS.

To see a full list of permissions that an app needs on Windows Phone, scroll down to the bottom of the details section in the store and look at Requires (this applies when updating an app too, as seen in the image below). On WP8.1 it is slightly different. Open the app in the store, slide left/right twice to get to details, then scroll to the bottom.

People always freak out about apps requiring their location. While I don't want to downplay that, location should be the least of your concern. Even without access to your GPS your location can be approximated anyway. So let's look at a few others (these are Windows Phone specific, but apply everywhere):

ID_CAP_ISV_CAMERA – A lot of applications have valid reasons to use your camera, but most people assume that the app will only use the camera when you know about it. The issue is that having this capability means that any time the app is open, it can be streaming a live video of you to some dodgy dude in his basement. Let's say you download a tic-tac-toe game, and in the description it tells you that leaderboards allow you to take a custom profile photo. Along with allowing the app to do that, you're also allowing it to record you playing tic-tac-toe naked in bed.

ID_CAP_MEDIALIB_PHOTO – Some applications, like Twitter, provide an interface to select a photo from your phone and upload it. Tic-tac-toe could ask for the permission so that you can select a custom profile photo from images in your camera library. The issue comes in that, just like the camera above, the app can really do what it wants. While you're happily listening to Celine Dion while playing, it could be uploading all your personal photos.

ID_CAP_MICROPHONE – This is pretty self-explanatory. But basically, that tic-tac-toe game could also be recording your terrible singing while playing the game, and then upload it somewhere.

There are tons of others, but these were a few important ones.

For a simpler list of what each permission is, there is a guide on the Windows Phone site.

How do I keep my content safe?

Firstly, it is worth noting that almost all developers probably have their capabilities there for a valid reason. Not everyone is out to get you. I'm making a mobile racing game and am planning on using the half-click "focus" camera button as the accelerator, so will need to ask for camera permission, even though I never use the actual camera.

Sometimes developers also just put a capability there by mistake. I've done it accidentally before, and have seen lots of others do it too. There are some really silly requirements by some addons too. Amongst others, Google AdMob tells you to add ID_CAP_MEDIALIB_PHOTO to your app. I don't have a clue why they feel they need access to your photos to serve up some adverts. But I can tell you that it is safe to not put that capability in - AdMob still works fine.

If you aren't sure why tic-tac-toe needs access to your microphone, reach out to the dev and ask - BEFORE INSTALLING IT. Generally developers will be pretty easy to get hold of, and I've never had someone reply to me angrily when I ask what their capabilities were for.

Finally, on Windows Phone, apps are more limited in what they can request. This means slightly less functionality in a few apps, but also more security. I've tried to download Android games that have asked for access to my SMS's. That's when you hit the "Cancel" button fast.
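For developers, a pre-submission check that catches capabilities added by mistake or on an SDK's say-so, as an added example (not code from this post). It assumes the capabilities are declared as `<Capability Name="..."/>` elements in the app's `WMAppManifest.xml`; both manifests and the `JUSTIFIED` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Capabilities the post singles out, with the access each one grants.
SENSITIVE = {
    "ID_CAP_ISV_CAMERA": "camera available whenever the app is open",
    "ID_CAP_MEDIALIB_PHOTO": "whole photo library readable",
    "ID_CAP_MICROPHONE": "microphone available whenever the app is open",
}

# Constructed manifests: the previous release and the one about to ship.
PREVIOUS = """
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">
  <App Title="Constructed Racer">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_ISV_CAMERA" />
    </Capabilities>
  </App>
</Deployment>
"""
CURRENT = PREVIOUS.replace(
    "</Capabilities>",
    '<Capability Name="ID_CAP_MEDIALIB_PHOTO" />'
    '<Capability Name="ID_CAP_MICROPHONE" /></Capabilities>',
)

# Hypothetical record of why each capability is requested.
JUSTIFIED = {
    "ID_CAP_NETWORKING": "leaderboards",
    "ID_CAP_ISV_CAMERA": "half-press camera button used as accelerator",
}


def declared_capabilities(manifest_xml):
    """Return the set of capability names declared in a manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for element in root.iter():
        # Compare on the local tag name so namespaced manifests also match.
        if element.tag.rsplit("}", 1)[-1] == "Capability" and element.get("Name"):
            names.add(element.get("Name"))
    return names


def audit(previous_xml, current_xml, justified):
    """Compare two releases and flag capabilities nobody has a reason for."""
    previous = declared_capabilities(previous_xml)
    current = declared_capabilities(current_xml)
    unjustified = current - set(justified)
    return {
        "added_since_last_release": sorted(current - previous),
        "unjustified": sorted(unjustified),
        "sensitive_unjustified": {
            name: SENSITIVE[name] for name in sorted(unjustified) if name in SENSITIVE
        },
        "justified_but_not_declared": sorted(set(justified) - current),
    }


if __name__ == "__main__":
    for key, value in audit(PREVIOUS, CURRENT, JUSTIFIED).items():
        print(f"{key}: {value}")
```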

Stay frosty

You are never really safe while typing your username and password anywhere. If it isn't people hi-jacking your WiFi, then it's people making dodgy apps to steal your accounts. Or if they're not trying to steal passwords, they're trying to upload your sketchy photo library. Even with an honest developer - give them a bag of money and they might consider doing something dodgy.

BUT, this isn't the movies, and naughty developers seem to be few and far between.

The greatest security measure you can take is to simply be both smart and aware of what you're doing. Stay frosty, people.

Matt "RogueCode" Cavanagh is a well known Windows Phone MVP and Nokia Developer Champion developer. You can follow him on Twitter @RogueCode or visit his developer blog.

WC Staff
  • Caterpillar smoking hookah: Whoooo are you?
  • He is a Microsoft MVP for Windows Phone development, and a Nokia Dev Champion for Windows Phone.
  • Yes, the author's name is Matt Cavanaugh and his social security number is comprised of 9 digits. He also has a drivers license and occasionally eats food and even drinks. But who o o o o are you?
  • You can find me on the Twitters here: https://twitter.com/roguecode P.s. I don't have a social security number ;)
  • Thanks for the heads up.
  • This answered quite a few of my questions about stuff like this. It's why I don't trust apps with OneDrive access. I never liked how I couldn't see the URL, and now that doesn't matter. Great article!!!
  • Even using the Windows 8.1 Authenticator, it doesn't show the URL and therefore the user can't be sure that it's going to the real site as opposed to a phishing site. The only truly secure way to do this was how iOS originally did it, which was not possible on WP before apps supported URI launching. Basically you open the OAuth page in the browser rather than within your app. Then you set the URL that the network redirects to to be the URI that launches your app. This way the user can verify the website's URL and SSL status, and you don't lose any functionality. This even works on desktop: Chrome, Firefox and IE will all launch back into your app correctly. RogueCode, I'd be interested in your thoughts on this?
  • With 2 step verification, the developer would need to know your secret to properly accept your code, or really just make a phony two step code input, but how would a developer even know who uses two step and who doesn't? Plus I'm pretty sure Microsoft people wouldn't publish such an app, they do go through apps when you want to submit them. You could still use app passwords instead of real password + verification code, and you can easily revoke that password anytime through the account settings. Even if someone knows your app password, it's useless in any other app.
  • We're talking about the average user here, and making the process as simple as possible while still remaining secure.
  • Yeah, this is mentioned below too. This is how it was intended to be used when they planned it IMO, but I guess it just adds that extra bit of effort. And it probably isn't worth the extra effort when people have no choice but to just accept any method you choose anyway.
  • I wonder if a simple library would help with this method. Could be something I'll look into as I'm currently building an app that uses OAuth.
  • What a brilliant article.. Explained everything very nicely.. Kudos to the author/developer!!
  • Thanks :)
  • I've hard reset my phone, turned it off, locked it in a steel safe which is buried in concrete and wrapped the house in aluminum foil. I still don't feel safe. ;-)
  • Can we get some more Roguecode?
  • Affirmative.
  • Thank you as always to WPCentral team for posting need to know stuff for WP users.
  • Great article.
  • If you have your store set to update your apps automatically, can a developer add new permissions without you ever seeing or agreeing to them?
  • As far as I am aware, if an app changes permissions it goes into the "needs attention" section of the store. BUT, I am not 100% sure, and this might only be true for the location permission - hence why I didn't bring this up. I'm going to try get a solid answer on this.
  • The "needs attention" only go for the location permission, I have seen apps that change permissions but in none of them pops the attention
  • Partially correct. It only goes into "Needs Attention" state if the permission change would normally prompt for you to explicitly allow something (such as changing permission to allow access to location services). I do not believe that adding access to things like the accelerometer or gyroscope would force an update to "Needs Attention", even though the proof of concept use of a gyroscope as a very rudimentary microphone has been demonstrated.
  • This is true. When Skype updated the other day it asked for more permissions.
  • Informative..!!
  • Brilliant article. Would love some more guest pieces like this.
  • I absolutely agree with this. Brilliant. 
  • Great article, thanks for the recap.
  • Great read, thanks.
  • What about an uninstall? Is it possible for any of those capabilities to be left intact yet just have the icon deleted during an uninstall? A fake uninstall, if you will, to continue to utilize your phone abilities as a zombied system?
  • The current answer, is that it has never been done with an app from the store. Sideloading stuff on an interop-unlocked device can probably open up some scary possibilities - but I've never seen or heard something like what you're talking about.
  • And what about data sense that says uninstalled application use 40 MB ,2 MB,6 MB. I have a list in my data sense.
  • Usually it's just backup files in case you want to reinstall the app.
  • If you pay attention, they are shown in the places of uninstalled apps. So, if you have uninstalled an app that take 40 MB, before Data Sense update its log, you notice only an app named "uninstalled app"
  • How to see uninstalled app in my phone. Now I find in my data sense show another uninstalled application use 100 MB data. If you know how to stop please tell me. These are screen shot of my screen. Shared files from OneDrive http://1drv.ms/1q0Tja3
  • What's in place specifically during an uninstall on Windows Phone that ensures that the elevated privileges to resources by an application have been removed, not just deactivated?
  • Also, do you know of an application that will show what installed applications have access to what resources on your phone? With the ability to terminate that connection?
  • Signed in just to say I enjoyed the article. More like this! Informative.
  • I've always asked myself about that prompt (as a programmer), at last now I know some more. Thanks!
  • Good stuff thanks
  • Thanks for the heads-up, RogueCode. One comment about your signature, though. I remember getting, when I was freshman in college almost 30 years ago (28 actually), one of my best performance during an early morning mid-term math exam because I was still slightly drunk from the previous night's party. No stress, no pressure, just a bit of adrenaline and calculus went fine. At least that's what may happen... when you're still young that is.
  • Thanks a lot RogueCode for valuable info. Plz if possibly make a regular blog about security and privacy aspects at least once in a month.
  • Excellent article, learned a lot of new stuff :) and bookmarked
  • Thanks so much for writing this and I hope this also helps those who complain that MS needs to open the OS up more. Balance is needed when users want that level of power.
  • Hear, hear! I don't understand the nitty gritty of half of what you said, but ever since the days of Passport, I've asked, Couldn't a bad guy make a webpage that looks just like this?! I wish more users were savvy to the dangers.
  • Great article. Have to say I don't install half the store apps because of permissions. Amazed anyone does. I really think Microsoft need to improve warnings about contact and media access. That would change things.
  • Wait a minute? You mean that 'Show Me Your Bum' app I downloaded, then took a load of pics of my bum with and gave it my credit card details may not be legit?
    That's it! All my bum pics are going on iCloud now.
  • Cool, you found my proof-of-concept app! BTW, you better get that mole checked out.
  • I'm more worried about the photo with the cactus and eels.
  • Great article indeed! Thanks for the very informative information!
  • Every web service over x number of users should require 2nd factor authentication.  Add to that, we should be starting to educate users at every level how to properly use it.
  • Couldn't you get around this security issue by setting the return address to use some custom protocol which your app registers for. Then you could launch an actual browser for authentication purposes. Obviously more work, but might address the issue.
  • You can't set a custom protocol in the Twitter OAuth dev page unfortunately, but I guess you could direct to your own site then forward it to your protocol. But pin auth would really be preferable.
  • It was merely the ramblings of a dev who just finished a week of annoying bug fixes before a release this weekend. I don't imagine we will have a solution to this until we get something like implied credentials passed in via the OS or allow apps to expose API's to other apps and use that for communication. I mean, your hack is just javascript injection which wouldn't be all that hard to do on a desktop site either.
  • Even for apps that play nice and don't steal your credentials, there is another great issue Microsoft and other cloud providers should address. These days most apps back up to Onedrive and ask for access to it. The problem is that when you give an app access to your Onedrive, you give it access to anything stored there, your pictures, documents and even files other apps have uploaded. There is an URGENT NEED for an option to give access to an app only to its specific folder where it can read and modify files, not to all of your personal cloud space.
  • This article. Everyone should read it. I'm sharing with my friends right now. Brilliant, really.
  • nice post. kudos. I personally hate using FB or twitter to sign in. not because of security per se, but because a lot of these stupid apps wants rights to post etc in addition to authentication. whenever I see that I give them the middle finger unless that is their one purpose.
  • @Matt any news about "developer side" app security against hacking/cloning...? Are appx still unencrypted :( ?
  • @RogueCode This is really an informative and brilliant article. Thanks for your time explaining it. What I want to know, if there exist firewall products for windows phone? Yes, not everyone likes the popups with the question if you really permit the connection etc. But if it's optional, every one can define it for themselves if they want the extra security. What we need is also a "Resource Hub" on the phone where I can grant and revoke access to the resources for every program. It's not clear where I can do it after the installation of an app. Sometimes there are options and sometimes not. And after 6 months I want still know, which app has access to my camera, gps or mic. Now I can't remember exactly which access I granted 6 months before..
  • hey guys i need a specially experienced hacker for one of my ex roomate who is also threatening to hack into my social life just coz he can...... hes a super tech geek n ive seen him do it before so i gotta be 1 step ahead of him in this kinda shit u know, so please contact me if u are one or even know someone...... !!! oh n please no hate breed among u on this issue, appreciate it
  • I love this article! And the camera focus button for an accelerator..... WICKED!
  • What a article....just keep us informed the stuffs like this....thanks for the post..
  • Nice, thanks for the information.
  • Hahahaha! It actually took me about 1 year to start trusting my credentials to Apps using OAuth and now... I'll keep being careful. If I get a token and then change the password are all tokens created before the password change invalid? Actually I enjoyed this article a lot even though I'm in a hurry. I hope to read you again around here.
  • More information on ads and permissions:
  • Fantastic article. It proves why platform devs (E.g. the WP product group) have to be crazy diligent regarding security knowing that there is always someone out there who'll do nefarious things if you don't. BTW, does the store make devs sign their apps? Does it matter anymore?
  • Will using multifactor authentication with your Microsoft account help?
  • Very informative and brilliant article!
  • Thanks for a great article. I'm going to read it soon and have shared it to my friends on Facebook.
  • OAuth is more of a convenience both to developers and the users. The developers of the app don't need to setup a system to keep their users passwords safe. The users don't need to remember another username/password combination, and at least they know that their passwords are stored to the systems of a company that has the money to protect them the best they can. In any case if an app requires a password, most of the users will give one they already use somewhere else, so the app would get the password any way.... If you want to be more secure enable two factor authentication, most of the OAuth providers have the option. So, even if someone gets your password, they would not be able to use it. About the OneDrive, I would agree giving access to an untrusted app is a problem. MS should fix it somehow. Perhaps automatically creating a folder for the app's data.
  • I would disagree about it being a convenience to developers. Windows Phone has an API specifically for storing encrypted passwords and data locally on the device, which means it would be much faster to just store the user's credentials. But most services that allow username/password authentication via their API will return some form of token (in the same way OAuth does) that does not expire. So the developer can just store the token and no credentials. Note: I'm not saying this is good, just that OAuth doesn't make things easier for a developer.
  • Will an app which has been granted say microphone or video capture permission be able to access the camera or microphone even when the app is closed (or running in the background)??
  • No, those API's are restricted when running in the background. Note that location and photo library access is still possible in the background.
  • I think Microsoft can pretty much know you are doing this when they review your app before submit and that's why it would be difficult to see this happening on Windows Phone
  • Unfortunately, even if they do check, a dev could just introduce some logic to make it only do dodgy things after a certain amount of time. So it would be fine when going through cert, but changes in a week.
  • Thanks for the information!
  • I'm staying away from oauth in my apps, instead relying on user's email for authentication.
    1. User enters email address in app. This is sent to my backend.
    2. Backend sends email to users email address, with a single-use PIN.
    3. User enters pin in app, which sends it to backend.
    4. Backend returns a unique authorization token.
    5. App uses token in all communication w backend. This is still vulnerable to man-in-the-middle attack, but so is pretty much everything else.
  • It seems like Microsoft could create a "permissions" section in the privacy settings which would list all of the rights that you have allowed to apps, and allow you to toggle them on or off individually, or revoke them (at the risk of causing the app to not work properly).
  • This was exactly my concern when I first had to give my MS credentials to a PDF app for uploads to OneDrive. The fake webpage I mean, because you can't see the URL. We've all seen how easy it is to copy a website with all those PayPal and eBay scams. I'm really afraid this gets accepted (it already looks like it) until we get the first big wave of hacked Facebook accounts.
  • Interesting article. It just doesn't explain one thing. Since a lot of apps ask for specific rights on Location, Pictures, Microphone, Videos, SMS, Phone calls etc. why don't devs and platforms make those rights "selectable"? I may like Tic-Tac Toe but have no need to put my picture in the profile. I may need to use a Map but no need at all to share my position to my contacts (so it doesn't need to know who my contacts are). I don't understand the need to have apps often made by people we don't know, intruding into your device without you having any control on them except the right to install or uninstall it. Cortana is another example. The function has a few functions I need (quiet hours for example) but I don't need her to know even when I sit on the toilet bowl, my location etc. Why can't I have "granularity" on what I use and what I deactivate? Android has a small app that they don't like people to use to do this, even though they removed it from their devices. Microsoft doesn't have anything like that.
  • So true !!
  • Developer find the reason for Facebook beta app getting crash continuously I ve installed and uninstalled several times and I have done a hard reset too but the problem still persists