TCSE - Phishing consideration

Issue #1 new
Nat Sakimura (repo owner) created an issue

Reported by: Josh Mandel in OAuth WG.

Forgive me if this is well-trodden territory, but I would have expected the security considerations in this proposal to include a note to the effect of:

"In a scenario where a mobile client is contending with malicious apps on the same device that listen on the same custom URL scheme, it's important to keep in mind that a malicious app can initiate its own authorization request. Such a request would appear the same as a legitimate request from the end-user's perspective. So in this case, a malicious app could request its own verifier code and successfully obtain authorization using the tcse protocol."

Obviously this does not negate the value of the proposal, but it's something I'd expect readers to keep in mind.

In particular, it has very strong implications for whitelisted authorizations, where no end user interaction is required. In such a case, a malicious app could initiate a request at any time and the user would not be in the loop to raise a question about its legitimacy.
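The scenario in the report, played out against a toy authorization server. This is an added illustration, not code from the issue or from the tcse draft: it assumes a PKCE-style S256 verifier/challenge binding (an assumption about the mechanism, since the page only speaks of a "verifier code"), and the client id, the `ToyAuthorizationServer` class and the `user_approves` callback are constructed for the example.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE-style verifiers and challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_verifier() -> str:
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256-style challenge: the server stores only this, never the verifier itself."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class ToyAuthorizationServer:
    """Constructed toy AS: binds each code to a challenge and redeems it only with a matching verifier."""

    def __init__(self, whitelisted_clients=(), user_approves=lambda client_id: True):
        self.whitelist = set(whitelisted_clients)
        self.user_approves = user_approves   # models the end user on the consent screen
        self.codes = {}

    def authorize(self, client_id: str, code_challenge: str):
        # Whitelisted clients are pre-authorized: no consent screen, the user is not in the loop.
        if client_id not in self.whitelist and not self.user_approves(client_id):
            return None
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (client_id, code_challenge)
        # The code goes back via the custom-scheme redirect, which any app
        # registered on that scheme may receive.
        return code

    def token(self, code: str, code_verifier: str):
        entry = self.codes.pop(code, None)   # single use
        if entry is None:
            return None
        client_id, challenge = entry
        if make_challenge(code_verifier) != challenge:
            return None                       # verifier does not match: interception defeated
        return {"access_token": b64url(secrets.token_bytes(16)), "client_id": client_id}


LEGIT_CLIENT = "legit-app"   # constructed client_id; a malicious app on the same scheme claims it too


def interception_attempt() -> bool:
    """The legitimate app starts the flow; the malicious app only catches the redirect."""
    auth_server = ToyAuthorizationServer()
    legit_verifier = make_verifier()
    code = auth_server.authorize(LEGIT_CLIENT, make_challenge(legit_verifier))
    # The malicious app sees the code but never saw legit_verifier, so it can only guess.
    attacker_guess = make_verifier()
    return auth_server.token(code, attacker_guess) is not None


def attacker_initiated_flow(whitelisted: bool, user_says_yes: bool) -> bool:
    """The malicious app starts its own flow with its own verifier, under the legitimate client_id."""
    auth_server = ToyAuthorizationServer(
        whitelisted_clients=[LEGIT_CLIENT] if whitelisted else [],
        user_approves=lambda client_id: user_says_yes,
    )
    attacker_verifier = make_verifier()
    code = auth_server.authorize(LEGIT_CLIENT, make_challenge(attacker_verifier))
    if code is None:
        return False                          # user declined on the consent screen
    # The challenge was the attacker's all along, so the verifier check passes.
    return auth_server.token(code, attacker_verifier) is not None


if __name__ == "__main__":
    print("interception by malicious app:", interception_attempt())                    # False
    print("attacker-initiated, user declines:", attacker_initiated_flow(False, False))  # False
    print("attacker-initiated, user approves:", attacker_initiated_flow(False, True))   # True
    print("attacker-initiated, whitelisted:", attacker_initiated_flow(True, False))     # True
```

The first case is what the verifier binding is designed to stop: the code is useless to an app that never held the verifier. The other three cases are the report's point. The malicious app generates its own verifier, so the binding holds for it just as it would for the legitimate app, and the outcome rests entirely on whether the server grants the request. With a consent screen the user is the only remaining check, and the request looks identical to a legitimate one; with a whitelisted client there is no check at all.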

Comments (0)