Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP MSTG. When Authentication Goes Wrong

Dee939e8aa52d13793b2f0c5e463777b?s=47 Julia Potapenko
May 10, 2019
Programming
0
150

OWASP MSTG. When Authentication Goes Wrong

Dee939e8aa52d13793b2f0c5e463777b?s=128

Julia Potapenko

May 10, 2019
Tweet

More Decks by Julia Potapenko

See All by Julia Potapenko
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
130
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
82
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
61
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
14
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
1
1.4k
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
120
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
1
420
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
190
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
1
360

Other Decks in Programming

See All in Programming
Eabc3d48a76f6827e35a4cd0a44008b3?s=48 sunyryr
0
340
79fe3c13c618a61329298bdd6a86ec42?s=48 basthomas
0
120
3f62dc4b2c8447c38d74267b871e7d37?s=48 solt9029
5
250
2594ac7ce91fd7d9a3ce71ca7cc2d0c0?s=48 d_date
1
150
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
150
D8ca2261592f73dc422829e1e20feea0?s=48 tawamura1224
2
1k
36c29634c5d55eae66224c24ba2b933c?s=48 rivuchk
1
120
B3b2139e4f2c0eca4efe2379fcebc1c5?s=48 afilina
PRO
1
500
Ae7a5166a7b7776ffdd5676c2d6ab42f?s=48 aseiide
1
240
F21d69109b1c03921abf7d12f0fb6654?s=48 dscs
0
140
Fb0a40e5e7a9dc85520f1646fd41eb44?s=48 higuuu
0
160
80a3a3857a55f154d23acb705eff72cc?s=48 star_zero
2
4.1k

Featured

See All Featured
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
930
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
58
3.8k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
57
9.6k
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
149
12k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
400k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1352
200k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
331
36k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
56k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
120
7.4k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
224
15k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
96
3.3k

Transcript

  1. OWASP MSTG WHEN AUTHENTICATION GOES WRONG JULIA POTAPENKO COCOAHEADS 10

    MAY 2019

  2. JULIA POTAPENKO ⭐ iOS Software Engineer ⭐ Mobile Lead at

    Women Who Code Kyiv ⭐ Org Team Member of OWASP Zhytomyr

  3. TODAY WE WILL TALK ABOUT AUTHENTICATION WHAT SHOULD BE DONE

    OWASP MASVS WHAT CAN BE BROKEN OWASP MSTG

  4. WHAT IS OWASP? An online community that produces freely-available articles,

    methodologies, documentation, tools, and technologies in the field of web application security.

  5. WHAT IS OWASP? OWASP (Open Web Application Security Project) An

    online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. wikipedia.org

  6. WHEN AUTHENTICATION GOES WRONG EXAMPLE. USER REGISTRATION Enter phone number

  7. WHEN AUTHENTICATION GOES WRONG EXAMPLE. USER REGISTRATION Enter phone number

    Enter OTP

  8. WHEN AUTHENTICATION GOES WRONG EXAMPLE. USER REGISTRATION Enter phone number

    Enter OTP Accept TC & PP

  9. WHAT IS OWASP MASVS? MASVS (Mobile Application Security Verification Standard)

    WHAT IS OWASP MSTG? MSTG (Mobile Security Testing Guide) https://github.com/OWASP/owasp-masvs https://github.com/OWASP/owasp-mstg

  10. OWASP MASVS MASVS (Mobile Application Security Verification Standard) • ARCHITECTURE,

    DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING

  11. OWASP MSTG MSTG (Mobile Security Testing Guide) A COMPREHENSIVE MANUAL

    FOR MOBILE APP SECURITY TESTING AND REVERSE ENGINEERING. IT DESCRIBES TECHNICAL PROCESSES FOR VERIFYING THE CONTROLS LISTED IN THE OWASP MOBILE APPLICATION VERIFICATION STANDARD (MASVS).

  12. MASVS LEVELS

  13. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.

  14. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.

  15. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out.

  16. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint.

  17. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.

  18. MASVS. AUTHENTICATION. LEVEL 1. Description 4.1 If the app provides

    users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

  19. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain.

  20. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.

  21. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication.

  22. MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any,

    is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication. 4.11 The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.

  23. OWASP MSTG AUTHENTICATION • Basic: • Something the user knows:

    
 password, PIN, pattern, etc. • Something the user has: 
 SIM-card, OTP (one time password) generator, hardware token, etc. • A biometric property: 
 fingerprint, retina, voice, etc. • 2FA (2-Factor Authentication): • OTP by SMS or phone call • Hardware or software token • Push notifications in combination with PKI (public key infrastructure) and local authentication • Supplementary Authentication: • Geolocation • IP address • Time of the day • Device ID

  24. WHEN AUTHENTICATION GOES WRONG EXAMPLE. BANKING APP. FIRST TIME LOGIN

    Enter phone number

  25. WHEN AUTHENTICATION GOES WRONG EXAMPLE. BANKING APP. FIRST TIME LOGIN

    Enter phone number Enter OTP

  26. WHEN AUTHENTICATION GOES WRONG EXAMPLE. BANKING APP. FIRST TIME LOGIN

    Enter phone number Enter OTP Use biometrics

  27. OWASP MSTG OTP BY SMS CONCERNS • Wireless Interception •

    SIM SWAP Attack • Verification Code Forwarding Attack
 
 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and- Session-Management.md

  28. WHEN AUTHENTICATION GOES RIGHT EXAMPLE. BANKING APP. FIRST TIME LOGIN

    Enter username and password ✅

  29. WHEN AUTHENTICATION GOES RIGHT EXAMPLE. BANKING APP. FIRST TIME LOGIN

    Enter username and password Enter card expiration date ✅

  30. WHEN AUTHENTICATION GOES RIGHT EXAMPLE. BANKING APP. FIRST TIME LOGIN

    Enter username and password Use biometrics Enter card expiration date ✅

  31. OWASP MSTG TRANSACTION SIGNING

  32. OWASP MSTG TRANSACTION SIGNING • Client generates public and private

    keys on user registration, registers public key with backend, saves private key to Keychain.

  33. OWASP MSTG TRANSACTION SIGNING • Client generates public and private

    keys on user registration, registers public key with backend, saves private key to Keychain. • Backend sends transaction data to the client to be authorized.

  34. OWASP MSTG TRANSACTION SIGNING • Client generates public and private

    keys on user registration, registers public key with backend, saves private key to Keychain. • Backend sends transaction data to the client to be authorized. • Client unlocks Keychain, gets private key, signs the transaction and sends it back to backend.

  35. OWASP MSTG TRANSACTION SIGNING • Client generates public and private

    keys on user registration, registers public key with backend, saves private key to Keychain. • Backend sends transaction data to the client to be authorized. • Client unlocks Keychain, gets private key, signs the transaction and sends it back to backend. • Backend verifies it with public key.

  36. OWASP MSTG THINGS TO CHECK • Check if with Backend

    • Login throttling • Session management • Access and refresh token • JWT • Login activity and blocking • Check it on Client • Secure token storage • Access and refresh tokens handling • Proper error handling

  37. LOCAL AUTHENTICATION. TOUCH/FACE ID Local authentication should always be enforced

    at a remote endpoint or based on cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process.

  38. LOCAL AUTHENTICATION. TOUCH/FACE ID Local authentication should always be enforced

    at a remote endpoint or based on cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process. https://youtu.be/XhXIHVGCFFM David Linder 
 Don’t Touch Me That Way • Don’t • Rely on bool output • Forget to configure Touch ID • Do • Use Touch ID to get data from Keychain • Combine it with user password TOUCH ID EXAMPLE

  39. OWASP MOBILE TOP 10 M1. Improper platform usage M2. Insecure

    data storage M3. Insecure communication M4. Insecure authentication M5. Insufficient cryptography M6. Insecure authorization M7. Client code quality M8. Code tempering M9. Reverse engineering M10. Extraneous functionality https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 ➡

  40. OWASP MOBILE TOP 10 M1. Improper platform usage M2. Insecure

    data storage M3. Insecure communication M4. Insecure authentication M5. Insufficient cryptography M6. Insecure authorization M7. Client code quality M8. Code tempering M9. Reverse engineering M10. Extraneous functionality https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 ➡

  41. THANK YOU! ULTIMATELY, THE REVERSE ENGINEER ALWAYS WINS AND REMEMBER