online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. wikipedia.org
DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING
FOR MOBILE APP SECURITY TESTING AND REVERSE ENGINEERING. IT DESCRIBES TECHNICAL PROCESSES FOR VERIFYING THE CONTROLS LISTED IN THE OWASP MOBILE APPLICATION VERIFICATION STANDARD (MASVS).
users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.
users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out.
users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint.
users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.
users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.
is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.
is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication.
is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.
password, PIN, pattern, etc. • Something the user has: SIM-card, OTP (one time password) generator, hardware token, etc. • A biometric property: fingerprint, retina, voice, etc. • 2FA (2-Factor Authentication): • OTP by SMS or phone call • Hardware or software token • Push notifications in combination with PKI (public key infrastructure) and local authentication • Supplementary Authentication: • Geolocation • IP address • Time of the day • Device ID
keys on user registration, registers public key with backend, saves private key to Keychain. • Backend sends transaction data to the client to be authorized.
keys on user registration, registers public key with backend, saves private key to Keychain. • Backend sends transaction data to the client to be authorized. • Client unlocks Keychain, gets private key, signs the transaction and sends it back to backend.
keys on user registration, registers public key with backend, saves private key to Keychain. • Backend sends transaction data to the client to be authorized. • Client unlocks Keychain, gets private key, signs the transaction and sends it back to backend. • Backend verifies it with public key.
at a remote endpoint or based on cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process.
at a remote endpoint or based on cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process. https://youtu.be/XhXIHVGCFFM David Linder Don’t Touch Me That Way • Don’t • Rely on bool output • Forget to configure Touch ID • Do • Use Touch ID to get data from Keychain • Combine it with user password TOUCH ID EXAMPLE