DOC RABE Media - Fotolia
How can IT use the OAuth 2.0 protocol for iOS 12 devices?
Learn about the history of OAuth and Apple and how iOS 12 changed the game for authorization. There are a few things to be wary of, too.
Apple included support for OAuth 2.0 in iOS 12, so developers can now simplify user authorization for iOS apps.
OAuth 2.0 is a standard for secure, delegated access to websites and mobile apps. Developers can use the OAuth 2.0 protocol as a low-cost way to simplify app authorization.
OAuth 2.0 enables users to sign into an app with social media login credentials rather than needing to create an entirely new account for that app. When the user enters the application, they select a preferred social media provider and use their existing credentials. Once the social network provider verifies the user's identity, the user automatically gains access to the app.
When Apple announced iOS 11, developers were initially excited because they thought that they could use the supported version of OAuth 2.0 to implement multifactor authentication or conditional access. But they weren't able to enforce access controls with a mobile device management (MDM) server.
With iOS 12, however, there are capabilities for MDM in the Microsoft Exchange payload, which allows developers to enforce policies and configure an Exchange ActiveSync account on the device. In iOS 12, Apple enabled the OAuth 2.0 protocol when IT turns the Exchange profile on during the MDM enrollment process, which allows users with Exchange accounts to log in with OAuth 2.0.
Now, developers can deploy OAuth 2.0 capabilities for iOS native email accounts, or Apple Mail, in iOS 12 devices. This allows users to use native alerts in the iOS Calendar app and sends all the mail to one spot.
The Request for Comments, a document written by the Internet Engineering Task Force, discusses possible implementations and security risks involved when using the OAuth 2.0 protocol for native apps. The task force recommends that developers perform the authorization code flow -- or the best practice to control access to an app -- in an external user agent, such as a browser, rather than in an embedded user agent that is typically used with web views.
This way, the application that hosts the embedded user agent cannot obtain user credentials, which can put users at risk for phishing and other security breaches. At this step in the process, it's important for the app to display the URL and the verified Secure Sockets Layer certificate.
There have been several security breaches on Android and iOS devices after admins authorized OAuth 2.0 to use social media accounts to enable user access. Developers should use social sign-on correctly and validate client authorization tokens before they offer access to an account.
