Making Authentication More Secure

Transcript

JULIA POTAPENKO MAKING AUTHENTICATION MORE SECURE

JULIA POTAPENKO • Lead iOS Engineer at Stuzo • Security

Engineer • Mobile Lead at WWCode Kyiv • Co-organizer of OWASP Zhytomyr • Speaker at OWASP, CocoaHeads, WWCode and WTM events

WE WILL TALK ABOUT ★ What can go wrong before

you start coding ★ Top common mistakes of iOS engineers ★ Frictionless local authentication

SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements deﬁnition Design Development Testing

Deployment Maintenance You are here

None

SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements deﬁnition Design Development Testing

Deployment Maintenance You are here

SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements deﬁnition Design Development Testing

Deployment Maintenance You are here S- SECURE

SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements deﬁnition Design Development Testing

Deployment Maintenance You are here S- SECURE Security training

SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements deﬁnition Design Development Testing

Deployment Maintenance You are here S- SECURE Security training + security requirement + risk assessment

SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements deﬁnition Design Development Testing

Deployment Maintenance You are here S- SECURE Security training + security requirement + risk assessment + threat modeling + secure design review

RISKS IT IS NOT ONLY ABOUT MONEY AND HACKERS

RISKS • Legal Responsibility • Reputation Risks • Operations Risks

• Competitors IT IS NOT ONLY ABOUT MONEY AND HACKERS

RISKS • Legal Responsibility • Reputation Risks • Operations Risks

• Competitors IT IS NOT ONLY ABOUT MONEY AND HACKERS http://www.enforcementtracker.com/

EXAMPLE. USER REGISTRATION 1. Enter phone number

EXAMPLE. USER REGISTRATION 1. Enter phone number 2. Enter OTP

3. Accept TC & PP

EXAMPLE. USER REGISTRATION 1. Enter phone number 2. Enter OTP

3. Accept TC & PP

“THE PROBLEM IS NOT ON OUR SIDE”

OWASP MASVS MASVS (Mobile Application Security Veriﬁcation Standard)

OWASP MASVS MASVS (Mobile Application Security Veriﬁcation Standard) • ARCHITECTURE,

DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING

OWASP MASVS MASVS (Mobile Application Security Veriﬁcation Standard) • ARCHITECTURE,

DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING

MASVS LEVELS

MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identiﬁers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predeﬁned period of inactivity and access tokens expire.

MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

BAD JWT TOKEN EXAMPLE https://jwt.io/

None

MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block speciﬁc devices.

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

None

WARNING

None

A BETTER WAY TO DO IT

WHAT THE CODE LOOKS LIKE IN DISASSEMBLER?

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

2FA FLOW

2FA FLOW Lets connect the requests

2FA FLOW

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

DIGITAL SIGNATURE / TRANSACTION SIGNING • Key exchange • Client

creates private, public key pair • Private key is stored in Secure Enclave • Public key is sent to the Server • When transaction is initialized on the client side • Client computes hash from transaction data • Client encrypts hash with its private key to compute signature • Client attaches signature to the transaction data and sends to the Server • Server side validation • Server receives signed transaction data from the Client • Server separates transaction data from the signature • Server decrypts signature with public key received from the Client to get hash value • Server computes transaction data hash and compares it to the decrypted hash

None

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block speciﬁc devices. Architecture matters

OWASP MOBILE TOP 10

OWASP MOBILE TOP 10 M1 Improper platform usage M2 Insecure

data storage M3 Insecure communication M4 Insecure authentication M5 Insufﬁcient cryptography M6 Insecure authorization M7 Client code quality M8 Code tampering M9 Reverse engineering M10 Extraneous functionality

OWASP MOBILE TOP 10 ~ Biometrics M1 Improper platform usage

M2 Insecure data storage M3 Insecure communication M4 Insecure authentication M5 Insufﬁcient cryptography M6 Insecure authorization M7 Client code quality M8 Code tampering M9 Reverse engineering M10 Extraneous functionality

TOUCH ID AND FACE ID LOCAL AUTHENTICATION

LOCAL AUTHENTICATION • Biometry is stored on device as mathematical

representation • It is encrypted with a private key stored in Secure Enclave • Biometry data is used by Secure Enclave only • It can’t be accessed by OS or any application

SECURE ENCLAVE CREATE AN EXTRA LAYER OF SECURITY FOR YOUR

PRIVATE KEYS. • A part of A7 and newer chips • Secure Enclave Processor (SEP) is separate from Application Processor (AP) • SEP has its own OS

None

KEYCHAIN • A database storing encrypted items • Good for

storing passwords, tokens, not for ﬁles • Each item is protected by passcode/biometry and device secret • Keychain items are available when user authenticates to the device • To work with Keychain specify a particular policy and user message

KEYCHAIN • A database storing encrypted items • Good for

storing passwords, tokens, not for ﬁles • Each item is protected by passcode/biometry and device secret • Keychain items are available when user authenticates to the device • To work with Keychain specify a particular policy and user message WARNING

None

.biometryCurrentSet

None

LONG STORY SHORT ★ Frida + Objection https://medium.com/securing/pentesting-ios-apps-without-jailbreak-91809d23f64e

None

LETS DESIGN A FRICTIONLESS AUTHENTICATION EXAMPLE As a user, when

I’m about to pay for the product in the mobile app, I should be prompt to a step-up authentication and my transaction should be secured. REQUIREMENT

LETS DESIGN A FRICTIONLESS AUTHENTICATION EXAMPLE • Step-up authentication. Validate

user password before sending transaction data • User can enter password or use biometrics instead ▸ To use biometrics we need to store user password in a Keychain ▸ We store user password encrypted with a private key stored in Secure Enclave • Send password to the Backend to validate. If it is correct the Backend will send one-time transaction session token • Secure the transaction. Use session and digital signature • Use one-time session token in transaction request • Add digital signature to transaction data ▸ Use private key stored in Secure Enclave to generate a public key for the Backend and to sign the transactions DESIGN

None

WHERE TO GO NEXT OWASP MSTG – Testing Local Authentication

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local- Authentication.md iOS Security Guide https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/ 2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html

https://speakerdeck.com/julep/ owasp-mstg-in-real-life https://speakerdeck.com/julep/owasp- mstg-when-authentication-goes-wrong OTHER TALKS https://www.facebook.com/julia.potapenko.16 https://t.me/OWASP_ZHYTOMYR_CHAT https://speakerdeck.com/julep/ touch-id-and-face-id-is-it-secure

https://www.facebook.com/wwcodekyiv

Making Authentication More Secure

Making Authentication More Secure

More Decks by Julia Mezher

Other Decks in Programming

Featured

Transcript