
OWASP MSTG. When Authentication Goes Wrong

Talk by Julia Potapenko.

Originally posted here: https://speakerdeck.com/julep/owasp-mstg-when-authentication-goes-wrong

Although authentication is one of the most basic pieces of functionality in a mobile application, it often turns out to be vulnerable. We will talk about the OWASP Mobile Application Security Verification Standard and the Mobile Security Testing Guide, and about how they can help iOS engineers implement reliable user authentication mechanisms.

This talk was made for CocoaFriday #3 ( https://cocoaheads.org.ua/cocoafriday/3) which took place May 10, 2019.

Video: https://youtu.be/RiUY2sL5s-4

CocoaHeads Ukraine

May 10, 2019

Transcript

  1. OWASP MSTG
    WHEN AUTHENTICATION GOES WRONG
    JULIA POTAPENKO
    COCOAHEADS 10 MAY 2019

  2. JULIA POTAPENKO
    ⭐ iOS Software Engineer
    ⭐ Mobile Lead at Women Who Code Kyiv
    ⭐ Org Team Member of OWASP Zhytomyr

  3. TODAY WE WILL TALK ABOUT
    AUTHENTICATION
    WHAT SHOULD BE DONE
    OWASP MASVS
    WHAT CAN BE BROKEN
    OWASP MSTG

  5. WHAT IS OWASP?
    OWASP (Open Web Application Security Project)

    An online community that produces freely-available
    articles, methodologies, documentation, tools, and
    technologies in the field of web application security.
    wikipedia.org

  8. WHEN AUTHENTICATION GOES WRONG
    EXAMPLE. USER REGISTRATION
    Enter phone number → Enter OTP → Accept TC & PP

  9. WHAT IS OWASP MASVS?
    MASVS (Mobile Application Security Verification Standard)

    WHAT IS OWASP MSTG?
    MSTG (Mobile Security Testing Guide)

    https://github.com/OWASP/owasp-masvs
    https://github.com/OWASP/owasp-mstg

  10. OWASP MASVS
    MASVS (Mobile Application Security Verification Standard)

    • ARCHITECTURE, DESIGN AND THREAT MODELING
    • DATA STORAGE AND PRIVACY
    • CRYPTOGRAPHY
    • AUTHENTICATION AND SESSION MANAGEMENT
    • NETWORK COMMUNICATION
    • ENVIRONMENTAL INTERACTION
    • CODE QUALITY AND BUILD SETTINGS
    • RESILIENCY AGAINST REVERSE ENGINEERING

  11. OWASP MSTG
    MSTG (Mobile Security Testing Guide)

    A COMPREHENSIVE MANUAL FOR MOBILE APP
    SECURITY TESTING AND REVERSE ENGINEERING.
    IT DESCRIBES TECHNICAL PROCESSES FOR VERIFYING
    THE CONTROLS LISTED IN THE OWASP MOBILE
    APPLICATION VERIFICATION STANDARD (MASVS).

  12. MASVS LEVELS

  18. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1 If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
    4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.
    4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  22. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8 Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11 The app informs the user of all login activities with their account. Users are able to view a list of devices used to access the account, and to block specific devices.

  23. OWASP MSTG
    AUTHENTICATION
    • Basic:
      • Something the user knows: password, PIN, pattern, etc.
      • Something the user has: SIM-card, OTP (one time password) generator, hardware token, etc.
      • A biometric property: fingerprint, retina, voice, etc.
    • 2FA (2-Factor Authentication):
      • OTP by SMS or phone call
      • Hardware or software token
      • Push notifications in combination with PKI (public key infrastructure) and local authentication
    • Supplementary Authentication:
      • Geolocation
      • IP address
      • Time of the day
      • Device ID

  26. WHEN AUTHENTICATION GOES WRONG
    EXAMPLE. BANKING APP. FIRST TIME LOGIN
    Enter phone number → Enter OTP → Use biometrics

  27. OWASP MSTG
    OTP BY SMS CONCERNS
    • Wireless Interception
    • SIM SWAP Attack
    • Verification Code Forwarding Attack

    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md

  30. WHEN AUTHENTICATION GOES RIGHT
    EXAMPLE. BANKING APP. FIRST TIME LOGIN
    Enter username and password → Enter card expiration date → Use biometrics

  35. OWASP MSTG
    TRANSACTION SIGNING
    • Client generates public and private keys on user registration, registers public key with backend, saves private key to Keychain.
    • Backend sends transaction data to the client to be authorized.
    • Client unlocks Keychain, gets private key, signs the transaction and sends it back to backend.
    • Backend verifies it with public key.

  36. OWASP MSTG
    THINGS TO CHECK
    • Check it with Backend
      • Login throttling
      • Session management
      • Access and refresh token
      • JWT
      • Login activity and blocking
    • Check it on Client
      • Secure token storage
      • Access and refresh tokens handling
      • Proper error handling

  38. LOCAL AUTHENTICATION. TOUCH/FACE ID
    Local authentication should always be enforced at a remote endpoint or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process.

    TOUCH ID EXAMPLE
    David Lindner, "Don't Touch Me That Way": https://youtu.be/XhXIHVGCFFM
    • Don't
      • Rely on bool output
      • Forget to configure Touch ID
    • Do
      • Use Touch ID to get data from Keychain
      • Combine it with user password
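The four transaction-signing steps from slide 35 and the "use Touch ID to get data from Keychain, never a bool" rule from slide 38, as one added Swift example (not code from the talk or from OWASP MSTG); the TransactionSigner type, its method names and the key tag are assumptions, the Security framework calls are real APIs:

```swift
import Foundation
import Security
// Added example, not code from the talk or OWASP MSTG. TransactionSigner, its methods and
// the key tag are assumed names; the Security framework calls are real APIs.
enum SigningError: Error { case security(Error?) }
struct TransactionSigner {
    /// Assumed tag that identifies the signing key in the Keychain.
    static let keyTag = Data("com.example.bank.transaction-signing".utf8)
    /// Step 1 (registration): P-256 key pair in the Secure Enclave whose private half can only
    /// be used after the current biometric set is presented: no bool ever reaches the app.
    static func makeSigningKey() throws -> SecKey {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                [.privateKeyUsage, .biometryCurrentSet], &cfError)
        else { throw SigningError.security(cfError?.takeRetainedValue()) }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: keyTag,
                kSecAttrAccessControl as String: access,
            ],
        ]
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError)
        else { throw SigningError.security(cfError?.takeRetainedValue()) }
        return key  // register SecKeyCopyPublicKey(key) with the backend
    }

    /// Step 3: sign the transaction bytes the backend sent; include its transaction id in
    /// them so a captured signature cannot be replayed. This call raises the biometric prompt.
    static func sign(_ transaction: Data, with privateKey: SecKey) throws -> Data {
        var cfError: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256,
                                              transaction as CFData, &cfError)
        else { throw SigningError.security(cfError?.takeRetainedValue()) }
        return sig as Data
    }

    /// Step 4, what the backend does with the registered public key: a transaction whose
    /// amount or payee changed after signing fails here.
    static func verify(_ transaction: Data, signature: Data, publicKey: SecKey) -> Bool {
        var cfError: Unmanaged<CFError>?
        return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                     transaction as CFData, signature as CFData, &cfError)
    }
}
```

The Secure Enclave path needs a real device; on a simulator drop the kSecAttrTokenID entry and the key is kept in the regular Keychain with the same access control.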

  40. OWASP MOBILE TOP 10
    M1. Improper platform usage
    M2. Insecure data storage
    M3. Insecure communication
    M4. Insecure authentication
    M5. Insufficient cryptography
    M6. Insecure authorization
    M7. Client code quality
    M8. Code tampering
    M9. Reverse engineering
    M10. Extraneous functionality
    https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

  41. THANK YOU!
    AND REMEMBER:
    ULTIMATELY, THE REVERSE ENGINEER ALWAYS WINS