OAuth Mobile App Impersonation PoC

This is a PoC demonstrating how to perform OAuth Mobile App Impersonation through custom scheme hijacking as described in Ostorlab Blog. This can be used to demonstrate the vulnerability by creating a malicious app that impersonates a legitimate app by registering a custom scheme that is similar to the legitimate app's scheme. The registered custom scheme can then be used to listen for OAuth codes that are sent via redirect_uri.

Requirements

Flutter installed on your machine

Usage

Clone the repository
Install the dependencies by running flutter pub get
Search for "schemeName" in the project and replace it with the custom scheme of the target app (ex: com.example.app)
Fill the oauthurl variable in main.dart with the OAuth URL of the target app
Run the app using flutter run

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
android		android
ios		ios
lib		lib
linux		linux
macos		macos
test		test
web		web
windows		windows
.gitignore		.gitignore
.metadata		.metadata
README.md		README.md
analysis_options.yaml		analysis_options.yaml
pubspec.lock		pubspec.lock
pubspec.yaml		pubspec.yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

OAuth Mobile App Impersonation PoC

Requirements

Usage

About

Releases

Packages

Languages

rmRizki/oauth_poc

Folders and files

Latest commit

History

Repository files navigation

OAuth Mobile App Impersonation PoC

Requirements

Usage

About

Topics

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages