Threat Category: Authentication: User or Device to Remote Service
Threat Description: Malicious applications can intercept and steal passwords when logging in using webpages rendered within applications.
OAuth 2.0 for Native Apps 1
Stealing Passwords is Easy in Native Mobile Apps Despite OAuth 2
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify malicious behaviors in apps.
W. Denniss and J. Bradley, “OAuth 2.0 for Native Apps”, IETF Internet Draft, work in progress, July 2016; https://datatracker.ietf.org/doc/html/draft-wdenniss-oauth-native-apps [accessed 8/1/2022] ↩
A. Wulf, “Stealing Passwords is Easy in Native Mobile Apps Despite OAuth”, blog, 12 Jan. 2011; http://welcome.totheinter.net/2011/01/12/stealing-passwords-is-easy-in-native-mobile-apps-despite-oauth/ [accessed 8/25/2016] ↩