A separate (but complementary) feature coming to both Android M and iOS 9 is an improvement in how native applications can link to each other and to their associated web servers. Both Android's App Links and Apple's Universal Links allow an application developer to claim an association with a particular web domain. Once claimed, any http(s) address on that domain is interpreted by the OS as belonging to that application rather than to the default system browser. The new linking mechanism plays the same role as the custom URL schemes previously used for inter-app messaging, but it promises to close the security issue associated with custom URLs, namely that other applications could squat on the URLs of a given app and so gain access to the data shared through those URLs. By requiring that an app developer, in order to lay claim to a particular domain, demonstrate ownership of that domain by placing a specific file on it, the new link mechanisms will shut out the hackers.

The Native Applications (NAPPS) WG in the OIDF is in the process of discussing the impact of these new mobile OS features on the emerging NAPPS spec. Apple's Universal Links and Android's App Links both appear to provide a meaningful security enhancement, and so it may make sense for NAPPS to stipulate their use. ... Again, in the context of a native application getting the user authenticated against an OAuth AS (authorization server), the new linking mechanisms promise additional assurance that the tokens are being issued to a valid application, and not to some malicious application that managed to get itself installed and squat on the valid application's custom scheme URLs. (The Proof Key for Code Exchange by OAuth Public Clients (PKCE) mechanism was motivated by the same risk, though PKCE only lets the AS ensure that the tokens are returned to the particular application that requested them, which could itself be a bad app.)
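To make the domain-ownership check concrete (the "specific file on that domain" above, and why it defeats the squatting that custom schemes and PKCE alone cannot), here is an added example, not from the original post, that mimics the OS-side decision over Android's Digital Asset Links statement file (`/.well-known/assetlinks.json`). The file layout is Android's real format; the package name `com.example.bank` and the certificate fingerprint are constructed sample values, and `domain_grants_app` is a simplified stand-in for the platform's own verifier.

```python
import json

# Relation Android requires in a statement before routing a domain's http(s)
# URLs to the app instead of the browser.
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed values: not a real app, not a real signing key.
LEGIT_FP = ("14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:"
            "16:A9:1B:3B:1A:4D:7F:3B:1E:63:FB:5D:3A:2B:9C:01")

# What the domain owner would publish at https://<domain>/.well-known/assetlinks.json
ASSETLINKS_JSON = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.bank",
        "sha256_cert_fingerprints": [LEGIT_FP],
    },
}])


def _norm_fp(fp):
    """Fingerprints compare case-insensitively and without colon separators."""
    return fp.replace(":", "").upper()


def domain_grants_app(statements_json, package_name, cert_fingerprint):
    """Does the domain's statement file grant handle_all_urls to this package
    signed with this key? Anything malformed counts as 'no association'."""
    try:
        statements = json.loads(statements_json)
    except ValueError:
        return False
    if not isinstance(statements, list):
        return False
    want = _norm_fp(cert_fingerprint)
    for st in statements:
        relations = st.get("relation") if isinstance(st, dict) else None
        if not isinstance(relations, list) or HANDLE_ALL_URLS not in relations:
            continue
        target = st.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        listed = {_norm_fp(f) for f in target.get("sha256_cert_fingerprints", [])}
        if want in listed:
            return True            # package AND signing key match: legit app
    return False


def demo():
    """A squatter can copy the package name but not the domain owner's listed key."""
    squatter_fp = "00:" * 31 + "00"
    return {
        "legit": domain_grants_app(ASSETLINKS_JSON, "com.example.bank", LEGIT_FP),
        "squatter_same_package": domain_grants_app(ASSETLINKS_JSON, "com.example.bank", squatter_fp),
        "other_package": domain_grants_app(ASSETLINKS_JSON, "com.evil.app", LEGIT_FP),
    }
```

Contrast this with a custom scheme, where any installed app can register the same scheme and nothing on the domain side can refuse it.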

