How DTRelay Fixes Known Security Vulnerabilities In OAuth Protocols
OAuth isn’t perfect when it comes to app security, but most developers still use it…
Normally the OAuth token travels inside the request itself, and the only thing protecting it is SSL/TLS. If an attacker can get past that layer, they have the token.
We make OAuth apps safer. Using DTRelay, we fix vulnerabilities in the widely used OAuth protocols by never sharing keys, tokens, or other sensitive data with client applications. DTRelay works even when HTTPS is compromised: OAuth tokens are stored in DTRelay and never sent to the client application, so DTRelay acts as a security layer on top of OAuth that prevents the access token from being exposed during requests.
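The pattern described above, as an added illustration that is not DTRelay’s own code: the client holds only an opaque session handle, the relay keeps the OAuth access token server-side and attaches it when forwarding to the upstream API, and the token is never echoed back to the client. The `Relay` class, the `fake_upstream` stand-in and the sample token value are all constructed for this example.

```python
import secrets


class Relay:
    """Token-mediating relay: keeps OAuth access tokens server-side and
    hands the client only an opaque handle that is useless off this relay."""

    def __init__(self):
        # handle -> access token; this mapping never leaves the relay process
        self._tokens = {}

    def store_token(self, access_token: str) -> str:
        # Called once the OAuth exchange has completed *at the relay*.
        # The client receives the handle, never the token.
        handle = secrets.token_urlsafe(16)
        self._tokens[handle] = access_token
        return handle

    def forward(self, handle: str, path: str, upstream) -> dict:
        """Forward a client request upstream, attaching the bearer token
        server-side. upstream(path, headers) returns {"status", "body"}."""
        token = self._tokens.get(handle)
        if token is None:
            return {"status": 401, "body": "unknown session"}
        resp = upstream(path, {"Authorization": f"Bearer {token}"})
        # Defence in depth: even if the upstream echoes the token back,
        # the client-facing response must not contain it.
        body = resp["body"].replace(token, "[redacted]")
        return {"status": resp["status"], "body": body}


# Constructed stand-in for a protected upstream API (e.g. a records service).
EXAMPLE_TOKEN = "example-access-token"  # constructed sample value, not real


def fake_upstream(path: str, headers: dict) -> dict:
    if headers.get("Authorization") != f"Bearer {EXAMPLE_TOKEN}":
        return {"status": 401, "body": "invalid_token"}
    return {"status": 200, "body": f"record for {path}"}


def demo() -> dict:
    """What the client side ends up holding and seeing."""
    relay = Relay()
    handle = relay.store_token(EXAMPLE_TOKEN)
    view = relay.forward(handle, "/v1/profile", fake_upstream)
    leaked = EXAMPLE_TOKEN in handle or EXAMPLE_TOKEN in view["body"]
    return {"handle": handle, "client_view": view, "token_visible": leaked}
```

A real deployment would bind the handle to the client session (cookie or mTLS identity) and expire it; the sketch only shows the token-holding boundary.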
DTRelay also enables secure scaling over a Content Delivery Network (CDN) while enhancing the speed, security, and scalability of mobile apps and extensions.
All of the problems listed below are easily fixed by DTRelay.
By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users. A unique process called Delegates provides strong authentication while greatly simplifying access to any number of APIs.
Healthcare Apps and HIPAA Vulnerabilities
HIPAA, the Health Insurance Portability and Accountability Act, carries stiff federal penalties for persons or organizations exposing personal health information. In July 2016, Oregon Health & Science University paid $2.7 million to the U.S. Department of Health and Human Services for “widespread and diverse problems at OHSU” (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html). The federal requirements in 45 CFR Part 164 (https://www.law.cornell.edu/cfr/text/45/part-164) cover organizational, hardware, and application security…
…But app security is not network security.
Nothing prevents healthcare application developers from using OAuth protocols. In fact, OAuth is heavily used. Motivated hackers can target high-profile individuals using pervasive OAuth protocols over public Wi-Fi to obtain user tokens, which they can then use to gain access to even the most heavily protected servers. DTRelay obfuscates the identifier and can hide the data being transmitted.
Early in 2017, Appthority reported numerous security concerns regarding Uber’s mobile apps (http://info.appthority.com/-q1-2017-mtr-download-uber-security-risks). Although Uber claims to have addressed many of these concerns, the fact remains that Uber’s app continues to depend on OAuth and HTTPS, which have known vulnerabilities. Worse, Appthority reported that 15 third-party apps accessing Uber’s API use hardcoded authentication tokens. These can be used by hackers to spoof an authorized client and potentially misuse Uber’s data. By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users.
Google Play and Chrome continue to be plagued by malware and security vulnerabilities. Symantec, Microsoft, Check Point, PhishLabs, and others continue to report problems despite Google’s efforts to protect its assets (http://www.eweek.com/security/google-s-industry-rivals-report-security-issues-on-play-store-chrome). CVE has recorded 2,952 vulnerabilities in 60 Google products since 2002 (http://www.cvedetails.com/vendor/1224/Google.html). Over 20 percent of these fall into the most serious categories: gaining privileges and obtaining information. By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users.
In September 2017, CVE reported (https://www.cvedetails.com/vulnerability-list/vendor_id-14415/Twitter.html) the second of two recent major vulnerabilities in Twitter’s iOS and Android mobile apps that allow man-in-the-middle attackers to obtain OAuth tokens, spoof servers, and obtain sensitive data from Twitter servers. Earlier in 2017, Twitter fixed a bug that allowed hackers to tweet from any account (https://motherboard.vice.com/en_us/article/nejmpd/twitter-bug-allowed-hackers-to-tweet-from-any-account). India Times recently reported vulnerabilities in Twitter’s Studio app that enabled attackers to tweet from other accounts, upload videos on behalf of users, and view private media (https://www.indiatimes.com/technology/news/twitter-exploit-allowed-anyone-to-tweet-from-any-account-without-having-to-know-the-password-323324.html). Twitter is one of the few companies still using the older OAuth1 method to authenticate users. By eliminating the need for consumer tokens and substantially improving the reliability of both OAuth1 and OAuth2 transactions, DTRelay can dramatically enhance the security of Twitter mobile and web applications, particularly for high-value or VIP users. DTRelay’s use of protected parameters also prevents owner_id vulnerabilities.