Making Authentication More Secure

Transcript

1. JULIA POTAPENKO
   MAKING
   AUTHENTICATION
   MORE SECURE
   

   View Slide

2. JULIA POTAPENKO
   • Lead iOS Engineer at Stuzo
   • Security Engineer
   • Mobile Lead at WWCode Kyiv
   • Co-organizer of OWASP Zhytomyr
   • Speaker at OWASP, CocoaHeads,
   WWCode and WTM events
   

   View Slide

3. WE WILL TALK ABOUT
   ★ What can go wrong before you start coding
   ★ Top common mistakes of iOS engineers
   ★ Frictionless local authentication
   

   View Slide

4. BEFORE CODING BEGINS
   

   View Slide

5. BEFORE CODING BEGINS
   

   View Slide

6. BEFORE CODING BEGINS
   your
   

   View Slide

7. SDLC
   SOFTWARE DEVELOPMENT LIFE CYCLE
   Requirements definition
   Design
   Development
   Testing
   Deployment
   Maintenance
   You are here
   

   View Slide

8. View Slide

9. SDLC
   SOFTWARE DEVELOPMENT LIFE CYCLE
   Requirements definition
   Design
   Development
   Testing
   Deployment
   Maintenance
   You are here
   

   View Slide

10. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here
    S-
    SECURE
    

    View Slide

11. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here
    S-
    SECURE
    Security training
    

    View Slide

12. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here
    S-
    SECURE
    Security training
    + security requirement
    + risk assessment
    

    View Slide

13. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here
    S-
    SECURE
    Security training
    + security requirement
    + risk assessment
    + threat modeling
    + secure design review
    

    View Slide

14. RISKS
    IT IS NOT ONLY ABOUT MONEY AND HACKERS
    

    View Slide

15. RISKS
    • Legal Responsibility
    • Reputation Risks
    • Operations Risks
    • Competitors
    IT IS NOT ONLY ABOUT MONEY AND HACKERS
    

    View Slide

16. RISKS
    • Legal Responsibility
    • Reputation Risks
    • Operations Risks
    • Competitors
    IT IS NOT ONLY ABOUT MONEY AND HACKERS
    http://www.enforcementtracker.com/
    

    View Slide

17. EXAMPLE. USER REGISTRATION
    

    View Slide

18. EXAMPLE. USER REGISTRATION
    1. Enter phone number
    
    

    View Slide

19. EXAMPLE. USER REGISTRATION
    1. Enter phone number
    
    2. Enter OTP
    
    

    View Slide

20. EXAMPLE. USER REGISTRATION
    1. Enter phone number
    
    2. Enter OTP
    
    3. Accept TC & PP
    

    View Slide

21. EXAMPLE. USER REGISTRATION
    1. Enter phone number
    
    2. Enter OTP
    
    3. Accept TC & PP
    

    View Slide

22. “THE PROBLEM IS NOT ON OUR SIDE”
    

    View Slide

23. OWASP MASVS
    MASVS (Mobile Application Security Verification Standard)
    
    

    View Slide

24. OWASP MASVS
    MASVS (Mobile Application Security Verification Standard)
    
    • ARCHITECTURE, DESIGN AND THREAT MODELING
    • DATA STORAGE AND PRIVACY
    • CRYPTOGRAPHY
    • AUTHENTICATION AND SESSION MANAGEMENT
    • NETWORK COMMUNICATION
    • ENVIRONMENTAL INTERACTION
    • CODE QUALITY AND BUILD SETTINGS
    • RESILIENCY AGAINST REVERSE ENGINEERING
    

    View Slide

25. OWASP MASVS
    MASVS (Mobile Application Security Verification Standard)
    
    • ARCHITECTURE, DESIGN AND THREAT MODELING
    • DATA STORAGE AND PRIVACY
    • CRYPTOGRAPHY
    • AUTHENTICATION AND SESSION MANAGEMENT
    • NETWORK COMMUNICATION
    • ENVIRONMENTAL INTERACTION
    • CODE QUALITY AND BUILD SETTINGS
    • RESILIENCY AGAINST REVERSE ENGINEERING
    

    View Slide

26. MASVS LEVELS
    

    View Slide

27. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

28. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

29. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

30. BAD JWT TOKEN EXAMPLE
    https://jwt.io/
    

    View Slide

31. View Slide

32. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

33. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

34. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

35. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

36. MASVS. AUTHENTICATION. LEVEL 1.
    Description
    4.1
    If the app provides users access to a remote service, some form of
    authentication, such as username/password authentication, is performed at the
    remote endpoint.
    4.2
    If stateful session management is used, the remote endpoint uses randomly
    generated session identifiers to authenticate client requests without sending the
    user's credentials.
    4.3 If stateless token-based authentication is used, the server provides a token that
    has been signed using a secure algorithm.
    4.4 The remote endpoint terminates the existing session when the user logs out.
    4.5 A password policy exists and is enforced at the remote endpoint.
    4.6 The remote endpoint implements a mechanism to protect against the
    submission of credentials an excessive number of times.
    4.7
    Sessions are invalidated at the remote endpoint after a predefined period of
    inactivity and access tokens expire.
    

    View Slide

37. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8
    Biometric authentication, if any, is not event-bound (i.e. using an API that
    simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA
    requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11
    The app informs the user of all login activities with their account. Users are able
    view a list of devices used to access the account, and to block specific
    devices.
    

    View Slide

38. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8
    Biometric authentication, if any, is not event-bound (i.e. using an API that
    simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA
    requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11
    The app informs the user of all login activities with their account. Users are able
    view a list of devices used to access the account, and to block specific
    devices.
    

    View Slide

39. View Slide

40. View Slide

41. WARNING
    

    View Slide

42. View Slide

43. A BETTER WAY TO DO IT
    

    View Slide

44. A BETTER WAY TO DO IT
    

    View Slide

45. WHAT THE CODE LOOKS LIKE IN DISASSEMBLER?
    

    View Slide

46. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8
    Biometric authentication, if any, is not event-bound (i.e. using an API that
    simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA
    requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11
    The app informs the user of all login activities with their account. Users are able
    view a list of devices used to access the account, and to block specific
    devices.
    

    View Slide

47. 2FA FLOW
    

    View Slide

48. 2FA FLOW
    Lets connect
    the requests
    

    View Slide

49. 2FA FLOW
    

    View Slide

50. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8
    Biometric authentication, if any, is not event-bound (i.e. using an API that
    simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA
    requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11
    The app informs the user of all login activities with their account. Users are able
    view a list of devices used to access the account, and to block specific
    devices.
    

    View Slide

51. DIGITAL SIGNATURE / TRANSACTION SIGNING
    • Key exchange
    • Client creates private, public key pair
    • Private key is stored in Secure Enclave
    • Public key is sent to the Server
    • When transaction is initialized on the client side
    • Client computes hash from transaction data
    • Client encrypts hash with its private key to compute signature
    • Client attaches signature to the transaction data and sends to the Server
    • Server side validation
    • Server receives signed transaction data from the Client
    • Server separates transaction data from the signature
    • Server decrypts signature with public key received from the Client to get hash value
    • Server computes transaction data hash and compares it to the decrypted hash
    

    View Slide

52. View Slide

53. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8
    Biometric authentication, if any, is not event-bound (i.e. using an API that
    simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA
    requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11
    The app informs the user of all login activities with their account. Users are able
    view a list of devices used to access the account, and to block specific
    devices.
    

    View Slide

54. MASVS. AUTHENTICATION. LEVEL 2.
    Description
    4.8
    Biometric authentication, if any, is not event-bound (i.e. using an API that
    simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
    4.9 A second factor of authentication exists at the remote endpoint and the 2FA
    requirement is consistently enforced.
    4.10 Sensitive transactions require step-up authentication.
    4.11
    The app informs the user of all login activities with their account. Users are able
    view a list of devices used to access the account, and to block specific
    devices.
    Architecture
    matters
    

    View Slide

55. OWASP MOBILE TOP 10
    

    View Slide

56. OWASP MOBILE TOP 10
    M1 Improper platform usage
    M2 Insecure data storage
    M3 Insecure communication
    M4 Insecure authentication
    M5 Insufficient cryptography
    M6 Insecure authorization
    M7 Client code quality
    M8 Code tampering
    M9 Reverse engineering
    M10 Extraneous functionality
    

    View Slide

57. OWASP MOBILE TOP 10
    ~ Biometrics
    M1 Improper platform usage
    M2 Insecure data storage
    M3 Insecure communication
    M4 Insecure authentication
    M5 Insufficient cryptography
    M6 Insecure authorization
    M7 Client code quality
    M8 Code tampering
    M9 Reverse engineering
    M10 Extraneous functionality
    

    View Slide

58. TOUCH ID AND FACE ID
    LOCAL AUTHENTICATION
    

    View Slide

59. LOCAL AUTHENTICATION
    • Biometry is stored on device as mathematical representation
    • It is encrypted with a private key stored in Secure Enclave
    • Biometry data is used by Secure Enclave only
    • It can’t be accessed by OS or any application
    

    View Slide

60. SECURE ENCLAVE
    CREATE AN EXTRA LAYER
    OF SECURITY FOR YOUR
    PRIVATE KEYS.
    • A part of A7 and newer chips
    • Secure Enclave Processor (SEP)
    is separate from Application
    Processor (AP)
    • SEP has its own OS
    

    View Slide

61. View Slide

62. View Slide

63. KEYCHAIN
    • A database storing encrypted items
    • Good for storing passwords, tokens, not for files
    • Each item is protected by passcode/biometry and device
    secret
    • Keychain items are available when user authenticates to the
    device
    • To work with Keychain specify a particular policy and user
    message
    

    View Slide

64. KEYCHAIN
    • A database storing encrypted items
    • Good for storing passwords, tokens, not for files
    • Each item is protected by passcode/biometry and device
    secret
    • Keychain items are available when user authenticates to the
    device
    • To work with Keychain specify a particular policy and user
    message
    WARNING
    

    View Slide

65. View Slide

66. .biometryCurrentSet
    

    View Slide

67. View Slide

68. LONG STORY SHORT
    ★ Frida + Objection
    https://medium.com/securing/pentesting-ios-apps-without-jailbreak-91809d23f64e
    

    View Slide

69. View Slide

70. LETS DESIGN A FRICTIONLESS AUTHENTICATION EXAMPLE
    As a user, when I’m about to pay for the product in the
    mobile app, I should be prompt to a step-up authentication
    and my transaction should be secured.
    REQUIREMENT
    

    View Slide

71. LETS DESIGN A FRICTIONLESS AUTHENTICATION EXAMPLE
    • Step-up authentication. Validate user password before sending transaction data
    • User can enter password or use biometrics instead
    ▸ To use biometrics we need to store user password in a Keychain
    ▸ We store user password encrypted with a private key stored in
    Secure Enclave
    • Send password to the Backend to validate. If it is correct the Backend will
    send one-time transaction session token
    • Secure the transaction. Use session and digital signature
    • Use one-time session token in transaction request
    • Add digital signature to transaction data
    ▸ Use private key stored in Secure Enclave to generate a public key
    for the Backend and to sign the transactions
    DESIGN
    

    View Slide

72. View Slide

73. WHERE TO GO NEXT
    OWASP MSTG – Testing Local Authentication
    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-
    Authentication.md
    iOS Security Guide
    https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
    WWDC 14 – Keychain and Authentication with Touch ID
    https://devstreaming-cdn.apple.com/videos/wwdc/
    2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
    David Lindner – Don’t Touch Me That Way
    https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html
    

    View Slide

74. https://speakerdeck.com/julep/
    owasp-mstg-in-real-life
    https://speakerdeck.com/julep/owasp-
    mstg-when-authentication-goes-wrong
    OTHER TALKS
    https://www.facebook.com/julia.potapenko.16
    https://t.me/OWASP_ZHYTOMYR_CHAT
    https://speakerdeck.com/julep/
    touch-id-and-face-id-is-it-secure
    https://www.facebook.com/wwcodekyiv
    

    View Slide

75. THANK YOU!
    

    View Slide