The abstract of the talk is the following:
Although OAuth 2.0 and OpenID Connect are standards for authorization and authentication, in practice many developers fail to implement them correctly, paving the way for severe security flaws. One reason could be the diversity of documents published later that introduce new mechanisms and functionalities for the OAuth/OpenID Connect core standards. In this talk, we first dive into the latest BCPs that developers need to consider to secure their implementations against known threats for web apps, mobile apps, and SPAs. Then, in the second part of the talk, we mainly focus on mobile native apps and highlight the common wrong implementation choices, based on my experience analyzing Google Play Store applications.