Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Making Authentication More Secure

Julia Potapenko
September 29, 2019
Programming
0
260

Making Authentication More Secure

Julia Potapenko

September 29, 2019
Tweet

More Decks by Julia Potapenko

See All by Julia Potapenko
Crypto wallets security: for developers
julep
0
1.3k
React Native Security
julep
0
250
Why can't developers make it secure?
julep
0
210
Encryption Export Regulations. Why should mobile developers care?
julep
0
110
The Art of Secure Architecture
julep
0
320
Common iOS Vulnerabilities and How to Fix Them
julep
1
1.7k
React Native Security
julep
0
190
Secure Authentication. Are you sure you do it right?
julep
1
540
Touch ID and Face ID. Is It Secure?
julep
1
400

Other Decks in Programming

See All in Programming
サーバーと同期してリアルタイムに更新する画面を実装する
rizumi
2
180
SwiftPMのプラグイン機能をiOSアプリ開発に活用する / Development App With SwiftPM Plugins
usamik26
0
800
設計初心者のための「伝わる」フロー図 / How to draw a communicative flow diagram for beginners
rs_tukki
1
400
Lecture №2.3. Concepts
baramiyadenis
0
220
モバイルアプリのオブザーバビリティを向上させるプラクティス
kazumanagano
6
700
PWAの今とこれから、iOSでの対応状況 / PWA now and in the future, status of support on iOS
pkino
2
2.9k
Laravel を低速化する技術 / how to slow laravel
hanhan1978
PRO
0
730
CoreGraphicsでドット絵を描こう
noppefoxwolf
0
400
RDRAとDDDでGoのモジュラーモノリスアプリを設計してみた話
imamotohikaru
1
530
Flutterアプリ開発にネイティブコードはどこまで求められるのか
akatsuki174
2
480
react-reconcilerでオレオレReact Nativeを作ろう!
kwzr
0
240
Why is building the Ruby environment hard?
hsbt
6
2.5k

Featured

See All Featured
Designing Experiences People Love
moore
130
22k
What the flash - Photography Introduction
edds
64
10k
It's Worth the Effort
3n
173
26k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
196
9.6k
Why Our Code Smells
bkeepers
PRO
324
55k
Git: the NoSQL Database
bkeepers
PRO
416
59k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
15k
Docker and Python
trallard
27
1.7k
Visualization
eitanlees
126
12k
Building Adaptive Systems
keathley
25
1.2k
Pencils Down: Stop Designing & Start Developing
hursman
113
9.9k
Six Lessons from altMBA
skipperchong
14
1.4k

Transcript

  1. JULIA POTAPENKO MAKING AUTHENTICATION MORE SECURE

  2. JULIA POTAPENKO • Lead iOS Engineer at Stuzo • Security

    Engineer • Mobile Lead at WWCode Kyiv • Co-organizer of OWASP Zhytomyr • Speaker at OWASP, CocoaHeads, WWCode and WTM events

  3. WE WILL TALK ABOUT ★ What can go wrong before

    you start coding ★ Top common mistakes of iOS engineers ★ Frictionless local authentication

  4. BEFORE CODING BEGINS

  5. BEFORE CODING BEGINS

  6. BEFORE CODING BEGINS your

  7. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here
  8. None

  9. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here

  10. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here S- SECURE

  11. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here S- SECURE Security training

  12. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here S- SECURE Security training + security requirement + risk assessment

  13. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here S- SECURE Security training + security requirement + risk assessment + threat modeling + secure design review

  14. RISKS IT IS NOT ONLY ABOUT MONEY AND HACKERS

  15. RISKS • Legal Responsibility • Reputation Risks • Operations Risks

    • Competitors IT IS NOT ONLY ABOUT MONEY AND HACKERS

  16. RISKS • Legal Responsibility • Reputation Risks • Operations Risks

    • Competitors IT IS NOT ONLY ABOUT MONEY AND HACKERS http://www.enforcementtracker.com/

  17. EXAMPLE. USER REGISTRATION

  18. EXAMPLE. USER REGISTRATION 1. Enter phone number

  19. EXAMPLE. USER REGISTRATION 1. Enter phone number 2. Enter OTP

  20. EXAMPLE. USER REGISTRATION 1. Enter phone number 2. Enter OTP

    3. Accept TC & PP

  21. EXAMPLE. USER REGISTRATION 1. Enter phone number 2. Enter OTP

    3. Accept TC & PP

  22. “THE PROBLEM IS NOT ON OUR SIDE”

  23. OWASP MASVS MASVS (Mobile Application Security Verification Standard)

  24. OWASP MASVS MASVS (Mobile Application Security Verification Standard) • ARCHITECTURE,

    DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING

  25. OWASP MASVS MASVS (Mobile Application Security Verification Standard) • ARCHITECTURE,

    DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING

  26. MASVS LEVELS

  27. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  28. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  29. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  30. BAD JWT TOKEN EXAMPLE https://jwt.io/

  31. None

  32. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  33. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  34. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  35. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  36. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  37. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.

  38. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.
  39. None
  40. None

  41. WARNING

  42. None

  43. A BETTER WAY TO DO IT

  44. A BETTER WAY TO DO IT

  45. WHAT THE CODE LOOKS LIKE IN DISASSEMBLER?

  46. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.

  47. 2FA FLOW

  48. 2FA FLOW Lets connect the requests

  49. 2FA FLOW

  50. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.

  51. DIGITAL SIGNATURE / TRANSACTION SIGNING • Key exchange • Client

    creates private, public key pair • Private key is stored in Secure Enclave • Public key is sent to the Server • When transaction is initialized on the client side • Client computes hash from transaction data • Client encrypts hash with its private key to compute signature • Client attaches signature to the transaction data and sends to the Server • Server side validation • Server receives signed transaction data from the Client • Server separates transaction data from the signature • Server decrypts signature with public key received from the Client to get hash value • Server computes transaction data hash and compares it to the decrypted hash
  52. None

  53. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.

  54. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices. Architecture matters

  55. OWASP MOBILE TOP 10

  56. OWASP MOBILE TOP 10 M1 Improper platform usage M2 Insecure

    data storage M3 Insecure communication M4 Insecure authentication M5 Insufficient cryptography M6 Insecure authorization M7 Client code quality M8 Code tampering M9 Reverse engineering M10 Extraneous functionality

  57. OWASP MOBILE TOP 10 ~ Biometrics M1 Improper platform usage

    M2 Insecure data storage M3 Insecure communication M4 Insecure authentication M5 Insufficient cryptography M6 Insecure authorization M7 Client code quality M8 Code tampering M9 Reverse engineering M10 Extraneous functionality

  58. TOUCH ID AND FACE ID LOCAL AUTHENTICATION

  59. LOCAL AUTHENTICATION • Biometry is stored on device as mathematical

    representation • It is encrypted with a private key stored in Secure Enclave • Biometry data is used by Secure Enclave only • It can’t be accessed by OS or any application

  60. SECURE ENCLAVE CREATE AN EXTRA LAYER OF SECURITY FOR YOUR

    PRIVATE KEYS. • A part of A7 and newer chips • Secure Enclave Processor (SEP) is separate from Application Processor (AP) • SEP has its own OS
  61. None
  62. None

  63. KEYCHAIN • A database storing encrypted items • Good for

    storing passwords, tokens, not for files • Each item is protected by passcode/biometry and device secret • Keychain items are available when user authenticates to the device • To work with Keychain specify a particular policy and user message

  64. KEYCHAIN • A database storing encrypted items • Good for

    storing passwords, tokens, not for files • Each item is protected by passcode/biometry and device secret • Keychain items are available when user authenticates to the device • To work with Keychain specify a particular policy and user message WARNING
  65. None

  66. .biometryCurrentSet

  67. None

  68. LONG STORY SHORT ★ Frida + Objection https://medium.com/securing/pentesting-ios-apps-without-jailbreak-91809d23f64e

  69. None

  70. LETS DESIGN A FRICTIONLESS AUTHENTICATION EXAMPLE As a user, when

    I’m about to pay for the product in the mobile app, I should be prompt to a step-up authentication and my transaction should be secured. REQUIREMENT

  71. LETS DESIGN A FRICTIONLESS AUTHENTICATION EXAMPLE • Step-up authentication. Validate

    user password before sending transaction data • User can enter password or use biometrics instead ▸ To use biometrics we need to store user password in a Keychain ▸ We store user password encrypted with a private key stored in Secure Enclave • Send password to the Backend to validate. If it is correct the Backend will send one-time transaction session token • Secure the transaction. Use session and digital signature • Use one-time session token in transaction request • Add digital signature to transaction data ▸ Use private key stored in Secure Enclave to generate a public key for the Backend and to sign the transactions DESIGN
  72. None

  73. WHERE TO GO NEXT OWASP MSTG – Testing Local Authentication

    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local- Authentication.md iOS Security Guide https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/ 2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html

  74. https://speakerdeck.com/julep/ owasp-mstg-in-real-life https://speakerdeck.com/julep/owasp- mstg-when-authentication-goes-wrong OTHER TALKS https://www.facebook.com/julia.potapenko.16 https://t.me/OWASP_ZHYTOMYR_CHAT https://speakerdeck.com/julep/ touch-id-and-face-id-is-it-secure

    https://www.facebook.com/wwcodekyiv

  75. THANK YOU!