security - 使用 oauth2 客户端凭据防止中间人攻击

Question

现在我正在开发一个微服务系统，使用 Nginx 作为网关，使用 Keycloak 作为授权/认证。移动应用使用 openidconnect 和 grant_type=client_credentials 来获取 token 。
授予类型“client_credentials”需要在请求正文中包含 client_id、client_secret。
如果有人使用 Fiddler 作为中间人进行攻击，他可以知道客户端 ID/ secret ，而不是通过使用它们来获取访问 token 来成为中间人。
那么如何防止这种攻击呢？

我正在使用 https，但我知道 Fiddler 可以解密 https。
请帮我。非常感谢。

Answer 1

打开连接

A mobile app use openidconnect with grant_type=client_credentials to get tokens.

首先，正如其他人已经指出的那样，这不是在移动应用程序中使用的正确授权类型，您可能希望使用 authorization_code 流程。

阅读更多关于 this article :

We will now go through a minimal example of how to obtain an ID token for a user from an OP, using the authorisation code flow. This is the most commonly used flow by traditional web applications.

提取 secret

Grant type 'client_credentials' need client_id, client_secret in request body. If someone use Fiddler to attack as man in the middle, he can know client id/secret, than he can be man-in-the-middle by using them to get access token.

考虑到您决定为您的移动应用实现正确的 OpenID Connect 授权流程，因此不再泄露您的 client_secret，攻击者仍然可以使用 Fidller 中间人攻击您的连接并提取结果Authorization token ，用于在 API 服务器中验证移动应用程序的用户，就像我在文章中展示的那样 Steal that Api Key with a Man in the Middle Attack :

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

虽然本文展示的是窃取 Api key 的攻击，但从请求中窃取任何其他 secret 或数据的原理是相同的。

攻击者还可以借助检测框架在运行时 Hook 到您的移动应用程序代码并从中窃取任何 secret ，此类工具的一个很好的例子是 Frida :

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

可能的解决方案

So how to prevent this case of attack?

在一定程度上防止客户端攻击是可能的，但最终您无法看到攻击者何时能够绕过您在移动应用程序 APK 中提供的安全措施，因为当熟练的攻击者知道如何正确使用检测框架，他将研究执行安全决策的代码并使其始终返回一切正常。

因此，您希望转移注意力，让您的 API 服务器能够可靠地知道它确实在与您发布的完全相同的 APK 对话，而不是与被篡改和破坏的 APK 对话，或者请求来自机器人.

移动设备认证

自 DeviceCheck 发布以来适用于 iOS 和 SafetyNet对于 Android，我看到越来越多的开发人员将它们作为证明其移动应用程序的一种形式，但有些人未能理解此解决方案的真正设计目的。

让我们用谷歌自己的话来说 SafetyNet :

9. Using the SafetyNet Attestation API results as the only signal to attack abuse

It may be tempting to think that the SafetyNet Attestation API provides all the necessary signals for protecting an app against abusers, and use it as the only signal for building an anti-abuse system.

The SafetyNet Attestation API can only give signals about the state of a device, not the intent of a user, which is what an anti-abuse system should be designed to detect. Therefore, you might want to consider including other signals, such as access logs and behavioral patterns, to more accurately detect abusive users, and consider not blocking users solely on a failed attestation. Furthermore, there are many other conditions that cause an attestation to fail, such as network connection problems, quota issues, and other transient problems.

In other words, not all users who fail attestation are necessarily abusers, and not all abusers will necessarily fail attestation. By blocking users solely on their attestation results, you might be missing abusive users that don't fail attestations. Furthermore, you might also be blocking legitimate, loyal customers who fail attestations for reasons other than abuse.

我在 this answer 上详细说明了开发人员必须了解的内容问题 Android 等同于 ios devicecheck。

所以最重要的是，就 SafetyNet 而言，它证明移动设备不是您的移动应用程序，但它仍然是一个很好的安全机制。

要证明移动应用确实没有受到危害或滥用，您需要采用移动应用证明解决方案。

移动应用认证

移动应用证明的作用是证明您上传的 APK 没有被破坏的风险或尚未被破坏，从而使您的 API 服务器具有高度的信心，确实与真正的实例通信您的移动应用程序。

我邀请你阅读this answer我给出了另一个问题，该问题更详细地解释了这个概念，同时为您提供了更多背景信息，说明它可能更适合解决您的问题。

因此，如果您将移动应用证明与移动设备证明放在一起，那么您可能已经找到了保护您的移动应用免遭 OAuth 凭据泄露导致滥用的最佳解决方案。

您想加倍努力吗？

在任何对安全问题的回答中，我总是喜欢引用 OWASP 基金会的出色工作，因此它是这样的:

对于移动应用

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide :

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.