Secure Authentication. Are you sure you do it right?

Julia Mezher
November 19, 2020

Transcript

  1. JULIA POTAPENKO
    SECURE AUTHENTICATION
    ARE YOU SURE YOU DO IT RIGHT?

  2. JULIA POTAPENKO
    Security Software Engineer at Cossack Labs
    with background in iOS app development
    Mobile/Security Lead at WWCodeKyiv
    Chapter Leader of OWASP Zhytomyr
    @julepka

  3. WE WILL TALK ABOUT
    ★ Security as a part of development process
    ★ Standards for secure authentication
    ★ Common auth mistakes in iOS apps

  4. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here

  5. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here
    MVP IN ONE MONTH
    WE HAVE NO TIME
    DOCS WILL WAIT
    WE ARE AGILE

  6. SDLC
    SOFTWARE DEVELOPMENT LIFE CYCLE
    Requirements definition
    Design
    Development
    Testing
    Deployment
    Maintenance
    You are here
    S-
    SECURE
    Security training
    + security requirement
    + risk assessment
    + threat modeling
    + secure design review
    + secure coding
    + secure code review
    + security testing
    + pentest
    + responding to incidents

  7. EXAMPLE. USER REGISTRATION
    1. Enter phone number/email

  8. EXAMPLE. USER REGISTRATION
    1. Enter phone number/email

    2. Enter OTP

  9. EXAMPLE. USER REGISTRATION
    1. Enter phone number/email

    2. Enter OTP

    3. Accept TC & PP

  10. EXAMPLE. USER REGISTRATION
    1. Enter phone number/email

    2. Enter OTP

    3. Accept TC & PP
    INVEST IN SECURITY
    AWARENESS

  11. RISKS
    • Legal Responsibility
    • Reputation Risks
    • Competitors
    IT IS NOT ONLY ABOUT HACKERS
    http://www.enforcementtracker.com/

  12. “THE PROBLEM IS NOT ON OUR SIDE”

  13. STANDARDS
    Apple Platform
    Security Guide
    OWASP MASVS & MSTG
    OWASP SAMM
    MITRE CVE List
    NIST Standards
    OWASP Mobile Top 10

  14. OWASP MASVS
    MASVS (Mobile Application Security Verification Standard)

    • ARCHITECTURE, DESIGN AND THREAT MODELING
    • DATA STORAGE AND PRIVACY
    • CRYPTOGRAPHY
    • AUTHENTICATION AND SESSION MANAGEMENT
    • NETWORK COMMUNICATION
    • ENVIRONMENTAL INTERACTION
    • CODE QUALITY AND BUILD SETTINGS
    • RESILIENCY AGAINST REVERSE ENGINEERING
    https://github.com/OWASP/owasp-masvs

  15. MASVS V4
    Authentication and Session Management

  16. SECURE AUTHENTICATION – LEVEL 1 – BASICS
    • User authentication before accessing remote resources
    • Authentication is enforced by the remote endpoint
    • Secure session ID and access token
    • Access token should expire
    • Logout
    • Password policy
    • Throttling

  17. JWT TOKEN EXAMPLE
    https://jwt.io/

  19. LEVEL 2
    DEFENCE-IN-DEPTH

  20. OWASP MASVS 4.8
    BIOMETRIC AUTHENTICATION, IF ANY, IS NOT EVENT-BOUND (I.E. USING
    AN API THAT SIMPLY RETURNS "TRUE" OR "FALSE"). INSTEAD, IT IS
    BASED ON UNLOCKING THE KEYCHAIN.
    LEVEL 2
    BIOMETRICS UNLOCKING KEYCHAIN

  21. let reason = "Log in to your account"
      context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
          if success {
              // Move to the main thread because a state update triggers UI changes.
              DispatchQueue.main.async { [unowned self] in
                  self.state = .loggedin
              }
          } else {
              print(error?.localizedDescription ?? "Failed to authenticate")
              // Fall back to asking for username and password.
              // ...
          }
      }
      https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

  22. WARNING (the same code as on slide 21)

  23. WHAT DOES THE CODE LOOK LIKE IN A DISASSEMBLER?

  24. let access = SecAccessControlCreateWithFlags(nil, // Use the default allocator.
                                                   kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                   .userPresence,
                                                   nil) // Ignore any error.

  25. let access = SecAccessControlCreateWithFlags(nil, // Use the default allocator.
                                                   kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                   .biometryCurrentSet, // Was .userPresence on the previous slide; the item now becomes unreadable when the enrolled biometrics change.
                                                   nil) // Ignore any error.

  26. OWASP MASVS 4.9
    A SECOND FACTOR OF AUTHENTICATION EXISTS AT THE REMOTE
    ENDPOINT AND THE 2FA REQUIREMENT IS CONSISTENTLY ENFORCED.
    LEVEL 2
    2FA

  27. 2FA - TWO FACTOR AUTHENTICATION
    • Something you know (password, PIN, OTP)
    • Something you have (phone, SIM card, USB token)
    • Something you are, something physically unique to you (fingerprint)
    2SV - TWO STEP VERIFICATION
    AUTH FACTORS

  28. 2SV FLOW

  31. https://www.mayurpahwa.com/2019/01/digital-signature.html

  33. OWASP MASVS 4.10
    SENSITIVE TRANSACTIONS REQUIRE STEP-UP AUTHENTICATION.
    LEVEL 2
    STEP-UP AUTH

  34. OWASP MASVS 4.11
    THE APP INFORMS THE USER OF ALL LOGIN ACTIVITIES WITH THEIR
    ACCOUNT. USERS ARE ABLE TO VIEW A LIST OF DEVICES USED TO ACCESS
    THE ACCOUNT, AND TO BLOCK SPECIFIC DEVICES.
    LEVEL 2
    TRACK LOGIN ACTIVITY

  35. FINAL THOUGHTS

  36. WHERE TO GO NEXT
    OWASP MSTG – Testing Local Authentication
    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
    Apple Platform Security Guide
    https://support.apple.com/en-gb/guide/security/welcome/web
    WWDC 14 – Keychain and Authentication with Touch ID
    https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
    David Lindner – Don’t Touch Me That Way
    https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html

  37. THANK YOU!
    @julepka
