As I work more on #activitydesk, I’m learning a lot more about the inner plumbing of security and the Web - mainly around user credentials. It’s starting to make a lot more sense how people get their creds snatched. Section 8.12 of OAuth 2.0 for Native Apps strongly discourages developers from using “embedded Web agents” (Web views within your applications) due to a user’s inability to verify and trust that the site they’ve visited is actually the real one and not a phishing attempt.
As a developer, I find this a bit of a burden, especially since I’m working on a cross-platform application, because it increases the amount of integration work I have to do (adding hooks for special URI schemes versus just dropping in a Web view and listening on them). As a user with this information, I’d actively avoid any attempt to collect credentials of mine within their Web views. This implicitly means that Electron-based applications that provide a false sense of security within their Chromium runtimes are susceptible to these attacks if people manage to manipulate one of those applications and change the contents (I’d want to do a test of this).
All of this said, I’ll be looking to make a change to #activitydesk to do the following:
- Refactor the authentication flow to request this information in the system’s browser instead of the in-built one.
- Register the URI scheme activitydesk:// on desktops so it can be used to capture the token when called from the browser
This shouldn’t be too difficult but I won’t focus on making this change just yet.
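The two changes listed above, sketched as an added example (not ActivityDesk's own code): one function builds the URL to open in the system browser, the other validates what the OS delivers to the `activitydesk://` handler. The callback path, endpoint and client id are assumptions, as is the use of the authorization code flow with `state` and PKCE (RFC 7636) rather than a token returned directly in the redirect.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: only the activitydesk:// scheme is from the post; the path is made up.
REDIRECT_URI = "activitydesk://oauth/callback"


def start_authorization(authorize_endpoint, client_id):
    """Build the URL to open in the system browser, plus per-attempt secrets to keep."""
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, never leaves the app
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(32)  # ties the callback to this attempt
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    # The caller hands this URL to the OS, e.g. webbrowser.open(url).
    return f"{authorize_endpoint}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(uri, pending):
    """Validate the URI the OS passed to the scheme handler; return the code."""
    got, want = urlsplit(uri), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback is not for the registered redirect URI")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Any local program can invoke the scheme, so reject callbacks we did not start.
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    # The code is redeemed at the token endpoint together with
    # pending["code_verifier"], which another handler of the scheme would lack.
    return codes[0]
```

Because more than one application can claim the same custom scheme on a desktop, the `state` check and the PKCE verifier are what bind the redirect to the login attempt this app started.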