Is it possible a malicious app to steal user app private key via deep links? #31

Closed
0xc22b opened this issue Feb 14, 2021 · 2 comments

Comments


0xc22b commented Feb 14, 2021

Hi,

I'm worried about the scenario below and would like to get your help. I'm not sure whether it's possible or how to prevent it.

  • A user installs a malicious app and clicks sign in from it.
  • The malicious app sends an auth request to an authenticator app with the domain name of the app whose private key it wants to steal. The malicious app also declares support for opening links of that app domain name via deep links.
  • The user doesn't notice / isn't aware of the differences in logo and name on the sign-in page and proceeds further.
  • The authenticator app redirects an auth response to the app domain name. As the genuine app is not installed, there is a popup for the user to choose how to open the link, between a web browser app and the malicious app. As the user isn't aware, they choose the malicious app.
  • The malicious app, which also has a corresponding transit key, can decrypt the auth response and get the user's app private key and the user's app data.

This scenario wouldn't happen with web authentication, because only on mobile can any app declare support for opening any links. So always redirecting to the app domain name does not guarantee that only the genuine app will get the auth response.

On the other hand, if it's not a malicious app and the user really knows about it, I guess this is a feature. It's the user's data, so it's the user's choice. They can allow any app to access any of their app private keys and their data.

I don't know if we can prevent it while allowing between-app communication. I can't find any other ways.

Any thoughts would be appreciated. Thank you very much.

@Filmaluco Filmaluco added the question Further information is requested label Feb 16, 2021

Filmaluco commented Feb 16, 2021

Hi @witwitchayakarn,
sadly, the scenario you described is indeed possible.
Since Circles is new, we had to make sure we had retro-compatibility with all existing apps, otherwise we would not be supporting any app at all; this (sadly) can create vulnerabilities that can be exploited. But those always existed: on a rooted phone even web authentication is not safe, and a malicious authenticator can also be created...

There's also the argument that it can be seen as a feature; non-official Android apps for popular web apps can start to emerge, for instance. In the scenario you described there are at least 2 instances where the user can stop and make sure what he/she is doing is safe and that he/she is comfortable with that decision, and while we can make sure we disclaim this information more visibly, it can happen.

In our grant we suggested "Become a third-party Android app store" to avoid malicious apps. We also would like to have a way for users to register their official app packages in their manifests, but it's something we need to discuss with the community. If you want to address this or other concerns, maybe you can take a look at https://github.com/blockstack/ux/issues/961 and help us create the most secure solution.

"I don't know if we can prevent it while allowing between-app communication."

Yes we can, and we intend to allow more secure ways when using the Android SDK. But those will not have retro-compatibility, and for that reason they are in future goals.

@Filmaluco Filmaluco self-assigned this Feb 16, 2021
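The five steps in the original question and the "register official app packages" idea in the reply above can be modelled end to end. The following is an added example written for this page; it is not code from this repository, and it does not use the real protocol, key derivation or transit-key encryption (those are replaced by stdlib HMAC and a hash-derived XOR keystream, clearly labelled). The point it makes is structural: the requester chooses both the app domain (which is the redirect target and the input to app-key derivation) and the transit key, so encrypting the response to the transit key binds it to the requester, not to the domain's owner; the only thing between the attacker and the key is the OS link-routing decision and the user's tap in the chooser. The `verified_links` table is my assumption of how per-domain package registration would work, shaped like Android App Links / Digital Asset Links (the domain owner publishes which package names may handle its links); package names, hosts and the wallet secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

BROWSER = "com.android.browser"   # always offered as the fallback handler (constructed name)


# --- toy stand-ins for key derivation and transit-key encryption ---------------

def derive_app_key(wallet_secret: bytes, app_domain: str) -> bytes:
    """The authenticator derives a per-app private key from the wallet secret and
    the *requested* app domain. HMAC is a simplification for this demo only."""
    return hmac.new(wallet_secret, app_domain.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(transit_key: bytes, payload: bytes) -> bytes:
    """XOR with a hash-derived keystream: a symmetric stand-in for 'encrypt to the
    requester's transit key'. Opening is the same operation (toy crypto, demo only)."""
    return bytes(a ^ b for a, b in zip(payload, _keystream(transit_key, len(payload))))


unseal = seal


# --- the parties ---------------------------------------------------------------

@dataclass
class App:
    package: str
    handled_hosts: set                     # hosts declared in the app's intent-filter
    transit_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class AuthRequest:
    app_domain: str      # redirect target AND key-derivation input, chosen by the requester
    transit_key: bytes   # also chosen by the requester


def authenticator_respond(wallet_secret: bytes, req: AuthRequest) -> str:
    """Derive the app key for req.app_domain, encrypt it to req.transit_key and hand
    back the redirect URL. Nothing here ties the key to a particular package."""
    app_key = derive_app_key(wallet_secret, req.app_domain)
    return f"https://{req.app_domain}/?authResponse={seal(req.transit_key, app_key).hex()}"


def resolve_handlers(url: str, installed: list, verified_links: Optional[dict] = None) -> list:
    """Model of Android link routing. Without verification, every installed app whose
    intent-filter claims the host is offered in the chooser. With a verified-links
    table (host -> packages the domain owner published), only those packages are
    offered. The browser is always the fallback."""
    host = url.split("/")[2]
    candidates = [app.package for app in installed if host in app.handled_hosts]
    if verified_links is not None:
        candidates = [p for p in candidates if p in verified_links.get(host, set())]
    return candidates + [BROWSER]


# --- the scenario from the issue ----------------------------------------------

def run_scenario(verified_links: Optional[dict] = None) -> tuple:
    """Returns (packages offered to the user, whether the malicious app recovered the
    genuine app's private key). The genuine app is not installed, as in the issue."""
    wallet_secret = b"constructed-wallet-secret-for-demo"          # constructed
    mallory = App("com.evil.clone", {"genuine.example"})           # claims the victim's host
    installed = [mallory]

    # Steps 1-2: the malicious app requests the genuine app's domain with its own transit key.
    req = AuthRequest("genuine.example", mallory.transit_key)
    # Steps 3-4: the user approves; the authenticator redirects to the domain.
    url = authenticator_respond(wallet_secret, req)
    offered = resolve_handlers(url, installed, verified_links)

    # Step 5: if the chooser offers the malicious app, the user taps it and it decrypts.
    if mallory.package in offered:
        ciphertext = bytes.fromhex(url.split("authResponse=")[1])
        recovered = unseal(mallory.transit_key, ciphertext)
        return offered, recovered == derive_app_key(wallet_secret, "genuine.example")
    return offered, False


if __name__ == "__main__":
    print("no verification:", run_scenario())
    print("verified links: ", run_scenario({"genuine.example": {"com.genuine.app"}}))
```

Running it shows the two outcomes side by side: with plain deep links the chooser offers `com.evil.clone` and the app key comes out of the response intact; with a verified-links table that lists only `com.genuine.app` for `genuine.example`, the malicious package is never offered and the link falls through to the browser, so the user is never asked to pick it. Note what the table does not fix: a malicious app that asks for its own domain still gets a (different) app key, and a user who deliberately installs an unofficial client is making the choice the original poster calls a feature.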

0xc22b commented Feb 16, 2021

Hi @Filmaluco,

Thanks a lot for the reply. It's very unfortunate, indeed.
I'll close this issue and keep watching this repo and those two repos you mentioned.
If I can be of any help, please let me know. Thank you again. 🙏

@0xc22b 0xc22b closed this as completed Feb 16, 2021