undefined | Better HN

0 pointssjtgraham10y ago0 comments

What's to stop the app (or anyone in the context of a rooted device) replacing the legit Mondo auth page with a shim? Nothing.

0 comments

8 comments · 3 top-level

baby10y ago· 3 in thread

Yup. That's every app's problem though. I can also create a webpage and design a fake "bank login" inside of it to make you enter your credentials there. There is nothing you can do about that other than educating the user.

mixedbit10y ago

Yes, but browsers design goal is to allow educated users to distinguish fake and legitimate sites (URL bar should never be forgeable). With mobile apps, the app can display anything and there is no way for even well educated user to recognize forgeries.

abritishguy10y ago

The aim is therefore to remove the reliance on it being genuine. If you don't have passwords then there is no passwords to steal.

baby10y ago

I think that's Android/iOS responsability.

1 more reply

jhuckestein10y ago· 2 in thread

What does replacing the auth page gain the attacker? At worst the user enters their email address into a phishing page. The important thing is that there isn't a password :)

nemothekid10y ago

>What does replacing the auth page gain the attacker?

If the spoof app has a "Connect with Twitter* (and you don't have the Twitter app installed), and then a webview is opened, the spoof app can replace Twitter's login page with their own, and capture the username and password.

obeattie10y ago

In the proposed implementation above, the _only_ piece of information that a user enters inside the web view is a username. The user must then use the native Mondo app on a previously-authenticated device to complete the OAuth flow. The Mondo app could also require biometric (ie. Touch ID) authentication.

While a malicious application can inject JavaScript to intercept the username, this alone is useless to an attacker.

2 more replies

chatmasta10y ago

Ok, so in that case the malicious app is able to steal your password... but if login requires two factor auth, the password is useless without also having access to SMS (or whichever 2fa solution) on the associated device.

j / k navigate · click thread line to collapse