21G/ Mobile App Impersonation Attacks & Mediations

From IIW

Mobile App Impersonation


Thursday 21G

Convener: George Fletcher

Notes-taker(s): George Fletcher


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps


We discussed the issue of OpenID Connect and OAuth public clients being easy to impersonate and the implications thereof. While most mobile apps using these protocols use custom URI schemes to return control to the app after the user authenticates in the “system browser”, the better choice is iOS Universal Links or Android App Links. However, Android App Links still do not completely resolve the “impersonation” problem.

We talked about other solutions, such as app attestation + device attestation + dynamic client registration, and how combining them could completely block impersonation attempts and give companies high confidence that they can identify their 1st-party apps.
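To make the attestation + dynamic client registration idea concrete, here is an added toy model that is not part of the session notes or any product. It assumes a platform attestation service that signs the app's package name, signing-certificate hash and device id (modelled here with an HMAC under a constructed key; a real platform would use an asymmetric key), an authorization server that only issues a client_id when the attested identity matches a first-party allowlist, and a server-issued nonce to defeat replay. All package names, hashes and keys are constructed placeholders.

```python
"""Toy model of attestation-gated dynamic client registration (constructed example)."""
import hashlib
import hmac
import json
import secrets

# Constructed: stands in for the platform's attestation signing key. A real platform
# signs with a private key and the authorization server verifies with the public half.
PLATFORM_ATTEST_KEY = b"constructed-platform-attestation-key"

# Constructed allowlist of first-party apps: package name -> signing-certificate hash.
FIRST_PARTY_APPS = {
    "com.example.bank": "sha256:constructed-first-party-cert-hash",
}


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(PLATFORM_ATTEST_KEY, body, hashlib.sha256).hexdigest()


def platform_attest(package: str, cert_hash: str, device_id: str, nonce: str) -> dict:
    """Simulates the OS attestation service: the OS, not the app, reports which package
    and signing certificate is asking and which device it runs on (app + device attestation)."""
    claims = {"package": package, "cert_hash": cert_hash, "device_id": device_id, "nonce": nonce}
    return {"claims": claims, "sig": _sign(claims)}


class AuthorizationServer:
    def __init__(self):
        self.pending_nonces = set()
        self.clients = {}

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending_nonces.add(nonce)
        return nonce

    def register_client(self, token: dict) -> str:
        """Dynamic client registration gated on a fresh, platform-signed attestation."""
        claims = token["claims"]
        # 1. The token must carry a valid platform signature (blocks tampered claims).
        if not hmac.compare_digest(_sign(claims), token["sig"]):
            raise PermissionError("attestation signature invalid")
        # 2. The nonce must be one we issued and not yet consumed (blocks replay).
        if claims["nonce"] not in self.pending_nonces:
            raise PermissionError("unknown or reused nonce")
        self.pending_nonces.discard(claims["nonce"])
        # 3. Package name alone is not enough: an impersonator can reuse the name and
        #    claim the same custom URI scheme. The signing-certificate hash must match.
        expected = FIRST_PARTY_APPS.get(claims["package"])
        if expected is None or not hmac.compare_digest(expected, claims["cert_hash"]):
            raise PermissionError("app is not a recognised first-party build")
        client_id = "cli_" + secrets.token_hex(8)
        self.clients[client_id] = {"package": claims["package"], "device_id": claims["device_id"]}
        return client_id


def demo() -> dict:
    """Runs the genuine app, an impersonator, a replay and a tampered token through registration."""
    auth = AuthorizationServer()
    outcomes = {}

    # Genuine first-party build on device A.
    tok = platform_attest("com.example.bank", FIRST_PARTY_APPS["com.example.bank"],
                          "device-A", auth.new_nonce())
    outcomes["genuine"] = auth.register_client(tok)

    # Impersonator: same package name, different signing certificate.
    tok_fake = platform_attest("com.example.bank", "sha256:constructed-attacker-cert-hash",
                               "device-B", auth.new_nonce())
    try:
        auth.register_client(tok_fake)
        outcomes["impersonator"] = "accepted"
    except PermissionError as err:
        outcomes["impersonator"] = str(err)

    # Replay of the genuine token after its nonce was consumed.
    try:
        auth.register_client(tok)
        outcomes["replay"] = "accepted"
    except PermissionError as err:
        outcomes["replay"] = str(err)

    # Tampered token: claims edited to the first-party hash, signature left unchanged.
    tampered = {"claims": dict(tok_fake["claims"], cert_hash=FIRST_PARTY_APPS["com.example.bank"]),
                "sig": tok_fake["sig"]}
    try:
        auth.register_client(tampered)
        outcomes["tampered"] = "accepted"
    except PermissionError as err:
        outcomes["tampered"] = str(err)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the model is that the authorization server never trusts anything the app says about itself; it trusts what the platform signs, and it binds each registration to one attested install. Replace the HMAC with verification of the platform's public key and the allowlist with your real signing-certificate hashes before taking the pattern anywhere near production.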

It was also raised that there is very little data as to whether this is an ongoing problem for mobile apps and whether solving it is worth the cost to developers or companies. No one attending had any data, nor do I believe anyone has even looked for app impersonation in their logs :)

The session was recorded but that should not live forever.

Session cut off abruptly. I suspect because 1 of the 2 hosts left. That was unexpected. Sorry for cutting off TJ.