Githawk: Question about OAuth2 security

Created on 5 Apr 2018  ·  3 comments  ·  Source: GitHawkApp/GitHawk

Hi, I have a question about the OAuth2 security on this app. It seems really useful and I have been trying to integrate the iPad into my workflow, but I have some concerns about the security that none of the README files seem to address.

I see in the source code that the OAuth2 auth tokens are gotten from environment variables here: https://github.com/GitHawkApp/GitHawk/blob/master/Classes/Systems/Secrets.swift

It also appears that the app obtained from the App Store uses OAuth2 authentication, which has a client id and a client secret. Based on the above code and the fact that OAuth2 in GitHub requires the client secret to be able to go through the web-based authentication workflow, it seems to me like the client application is using the client secret.

Is this safe and secure? My knowledge about security has always been that if the key is located anywhere on the client, no matter where it is, it's compromised. The first answer in this Stack Overflow post (https://stackoverflow.com/questions/17427707/whats-the-right-oauth-2-0-flow-for-a-mobile-app) seems to confirm that having the client secret anywhere embedded within the application is a big no-no, as someone can jailbreak their iPhone, download the app from the store, and then either run strings on the binary if it's embedded in the code or look at wherever environment variables are set (which I still have not found). Since I'm curious to learn how to program my new iPad, I looked pretty extensively to find a way to inject secure environment variables into the app and I don't see any indication it exists, but I know next to nothing about iOS development.

So is the client secret secure? The reason why I ask is because, looking at GitHub's API, it looks like you can use the client secret to authenticate as the app you registered on GitHub (https://developer.github.com/v3/#oauth2-keysecret). I haven't checked, but I assume that means if the client secret leaks, it could be used to access all of the private repositories from any person who installed the app.

Is the client secret used by the OAuth2 in this app secure and how is it made available to the app so that it can be used to generate an access token used for authentication?

❔ question

All 3 comments

The only way that your account would be compromised is if your session token was exposed. The only thing someone can do with the app secret is register their own sessions as the app. That still requires going through the web flow to authenticate.

We’re following standard means of auth. Unless I’m missing something, there’s no way your account can be compromised simply by using GitHawk.

Also make sure your account uses 2fac!

Sent with GitHawk
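The web flow the comment above refers to, written out as an added example (Python, not GitHawk's own Swift code, and not part of the original thread). The authorize and token endpoints are GitHub's real ones, but no network call is made: the `FakeGitHub` class, the client id, the client secret, the redirect URI and the user "alice" are constructed stand-ins. It shows the three steps of GitHub's authorization-code flow, that the client secret is only ever sent in the code-for-token exchange, that a code is single-use and bound to a `state` the app chose, and that the client id and secret by themselves (sent as Basic auth, the usage the question's link describes) identify the app rather than any user, so they cannot read anyone's private repositories.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Real GitHub endpoints; FakeGitHub below stands in for them so this runs offline.
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"
CLIENT_ID = "example-client-id"            # made-up value
CLIENT_SECRET = "example-client-secret"    # made-up value
REDIRECT_URI = "githawk://oauth/callback"  # made-up value


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the app opens this URL in the browser.  No secret is involved."""
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri,
         "scope": scope, "state": state})


def parse_callback(callback_url, expected_state):
    """Step 2: GitHub redirects back with ?code=...&state=...  A callback whose
    state is not the one this session sent is rejected (CSRF or replay)."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return params["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, state):
    """Step 3: the POST to TOKEN_URL.  This is the only message carrying the
    client secret, and it only redeems a code the user just produced."""
    return TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                       "code": code, "redirect_uri": redirect_uri, "state": state}


class FakeGitHub:
    """Constructed stand-in for github.com with the rules that matter here:
    a code is single-use and bound to the app, a token is bound to a user,
    and app credentials alone do not act as any user."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes = {}    # code  -> login of the user who approved
        self.tokens = {}   # token -> login
        self.private_repos = {"alice": ["alice/secret-notes"]}

    def user_approves(self, authorize_url, login):
        """The user signs in and clicks Authorize; GitHub mints a one-time code
        and redirects to the app's redirect_uri with it."""
        params = parse_qs(urlparse(authorize_url).query)
        if params["client_id"][0] != self.client_id:
            raise ValueError("unknown client_id")
        code = secrets.token_hex(10)
        self.codes[code] = login
        return f"{params['redirect_uri'][0]}?code={code}&state={params['state'][0]}"

    def access_token(self, body):
        """POST /login/oauth/access_token"""
        if (body.get("client_id"), body.get("client_secret")) != (self.client_id, self.client_secret):
            return {"error": "incorrect_client_credentials"}
        login = self.codes.pop(body.get("code"), None)    # pop: a code works once
        if login is None:
            return {"error": "bad_verification_code"}
        token = "gho_" + secrets.token_hex(20)
        self.tokens[token] = login
        return {"access_token": token, "token_type": "bearer"}

    def list_private_repos(self, authorization):
        """GET /user/repos with whatever Authorization header the caller sends."""
        scheme, _, cred = authorization.partition(" ")
        if scheme == "token" and cred in self.tokens:
            return self.private_repos[self.tokens[cred]]
        # client_id:client_secret as Basic auth identifies the app, not a user;
        # GitHub treats the request as unauthenticated.
        return {"message": "Requires authentication"}


def run_flow(github, login="alice"):
    """Drive the whole exchange and return what each step produced."""
    state = secrets.token_urlsafe(16)
    callback = github.user_approves(
        build_authorize_url(CLIENT_ID, REDIRECT_URI, "repo", state), login)
    code = parse_callback(callback, state)
    _url, body = build_token_request(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, state)
    token = github.access_token(body)
    replay = github.access_token(body)            # same code a second time
    app_creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "token": token,
        "replay": replay,
        "with_user_token": github.list_private_repos("token " + token["access_token"]),
        "with_secret_only": github.list_private_repos("Basic " + app_creds),
    }


def rejects_tampered_state():
    """True if a callback carrying a state this session never sent is refused."""
    try:
        parse_callback(REDIRECT_URI + "?code=abc&state=attacker", "ours")
    except ValueError:
        return True
    return False
```

`run_flow(FakeGitHub(CLIENT_ID, CLIENT_SECRET))` returns a bearer token for alice, a `bad_verification_code` error for the replayed code, alice's private repo list when the user token is presented, and `Requires authentication` when only the app's id and secret are presented. What an extracted secret does buy an attacker is the ability to complete step 3 for codes they obtain, which is why the maintainer's point stands: the thing to protect is the user's session token, and a leaked secret should be rotated in the app's GitHub settings.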

Thanks for the response. I tried it out this morning by registering my own OAuth2 application, authenticating myself, and then trying to use the client secret to access my own repositories and, to my relief, I could not access a private repository with the client secret.

Sorry about that. The GitHub developer documentation has a lot of words in it saying not to expose the client secret, but never says what happens if the client secret is exposed so I automatically assumed the worst.

Thanks for questioning it, @jsternberg!

Sent with GitHawk
