We make OAuth apps safer. Using DTRelay, we fix vulnerabilities in the widely used OAuth protocols by never sharing keys, tokens, or other sensitive data with client applications. DTRelay works even when HTTPS is compromised. OAuth tokens are stored in DTRelay and never sent to the client application, therefore, DTRelay can be used as a security layer on top of OAuth to prevent the exposure of the access token during requests.

DTRelay also enables secure scaling over a Content Delivery Network (CDN) while enhancing the speed, security, and scalability of mobile apps and extensions.

All of the problems listed below are easily fixed by DTRelay.

By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users. A unique process called Delegates provides strong authentication while greatly simplifying access to any number of APIs.

Healthcare Apps and HIPAA Vulnerabilities

HIPAA, the Health Insurance Portability and Accountability Act, carries stiff federal penalties for persons or organizations exposing personal health information. In July, 2016, Oregon Health & Science University paid $2.7 million to the U.S. Department of Health and Human Services for “widespread and diverse problems at OHSU.” (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html). The federal requirements outlined in 45 CFR Part 164 (https://www.law.cornell.edu/cfr/text/45/part-164) detail the requirements for organizational, hardware, and application security…

…But app security is not network security.

Google’s Vulnerabilities

Google Play and Chrome continue to be plagued by malware and security vulnerabilities. Symantec, Microsoft, Check Point, PhishLabs, and others continue to report problems despite Google’s efforts to protect their assets (http://www.eweek.com/security/google-s-industry-rivals-report-security-issues-on-play-store-chrome). CVE has reported 2,952 vulnerabilities in 60 Google products since 2002 (http://www.cvedetails.com/vendor/1224/Google.html). Over 20 percent of these involve the most egregious categories of access to privileges and access to information. By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users.

Twitter’s Vulnerabilities

In September, 2017, CVE reported (https://www.cvedetails.com/vulnerability-list/vendor_id-14415/Twitter.html) the second of two recent major vulnerabilities in Twitter’s iOS and Android mobile apps which allow man-in-the-middle attackers to obtain OAuth tokens, spoof servers, and obtain sensitive data from Twitter servers. Earlier in 2017, Twitter fixed a bug that allowed hackers to tweet from any account (https://motherboard.vice.com/en_us/article/nejmpd/twitter-bug-allowed-hackers-to-tweet-from-any-account). India Times recently reported vulnerabilities in Twitter’s Studio app that enabled attackers to tweet from other accounts, upload videos on behalf of user, and view private media (https://www.indiatimes.com/technology/news/twitter-exploit-allowed-anyone-to-tweet-from-any-account-without-having-to-know-the-password-323324.html). Twitter is one of the few companies still using the older OAuth1 method to authenticate users. By eliminating the need for consumer tokens and substantially improving the reliability of both OAuth1 and OAuth2 transactions, DTRelay can dramatically enhance the security of Twitter mobile and web applications, particularly for high-value or VIP users. DT Relay’s use of protected parameters also prevents owner_id vulnerabilities.