Secure Authentication. Are you sure you do it right?

Julia Potapenko

November 19, 2020

Transcript

  1. JULIA POTAPENKO. SECURE AUTHENTICATION. ARE YOU SURE YOU DO IT RIGHT?
  2. JULIA POTAPENKO
     Security Software Engineer at Cossack Labs, with a background in iOS app development
     Mobile/Security Lead at WWCodeKyiv
     Chapter Leader of OWASP Zhytomyr
     @julepka
  3. WE WILL TALK ABOUT
     ★ Security as a part of the development process
     ★ Standards for secure authentication
     ★ Common auth mistakes in iOS apps
  4. SDLC. SOFTWARE DEVELOPMENT LIFE CYCLE: Requirements definition → Design → Development → Testing → Deployment → Maintenance. "You are here."
  5. SDLC. SOFTWARE DEVELOPMENT LIFE CYCLE: Requirements definition → Design → Development → Testing → Deployment → Maintenance. "You are here." "MVP IN ONE MONTH", "WE HAVE NO TIME", "DOCS WILL WAIT", "WE ARE AGILE"
  6. S-SDLC. SECURE SOFTWARE DEVELOPMENT LIFE CYCLE: Requirements definition → Design → Development → Testing → Deployment → Maintenance. "You are here." Added to each stage: security training + security requirements + risk assessment + threat modeling + secure design review + secure coding + secure code review + security testing + pentest + responding to incidents
  7. EXAMPLE. USER REGISTRATION 1. Enter phone number/email

  8. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP

  9. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP 3. Accept TC & PP
  10. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP 3. Accept TC & PP. INVEST IN SECURITY AWARENESS
  11. RISKS
      • Legal Responsibility
      • Reputation Risks
      • Competitors
      IT IS NOT ONLY ABOUT HACKERS
      http://www.enforcementtracker.com/
  12. “THE PROBLEM IS NOT ON OUR SIDE”

  13. STANDARDS
      Apple Platform Security Guide
      OWASP MASVS & MSTG
      OWASP SAMM
      MITRE CVE List
      NIST Standards
      OWASP Mobile Top 10
  14. OWASP MASVS (Mobile Application Security Verification Standard)
      • ARCHITECTURE, DESIGN AND THREAT MODELING
      • DATA STORAGE AND PRIVACY
      • CRYPTOGRAPHY
      • AUTHENTICATION AND SESSION MANAGEMENT
      • NETWORK COMMUNICATION
      • ENVIRONMENTAL INTERACTION
      • CODE QUALITY AND BUILD SETTINGS
      • RESILIENCY AGAINST REVERSE ENGINEERING
      https://github.com/OWASP/owasp-masvs
  15. MASVS V4 Authentication and Session Management

  16. SECURE AUTHENTICATION – LEVEL 1 – BASICS
      • User authentication before accessing remote resources
      • Authentication is enforced by the remote endpoint
      • Secure session ID and access token
      • Access token should expire
      • Logout
      • Password policy
      • Throttling
  17. JWT TOKEN EXAMPLE https://jwt.io/

  18. None
  19. LEVEL 2 DEFENCE-IN-DEPTH

  20. LEVEL 2. BIOMETRICS UNLOCKING KEYCHAIN
      OWASP MASVS 4.8: BIOMETRIC AUTHENTICATION, IF ANY, IS NOT EVENT-BOUND (I.E. USING AN API THAT SIMPLY RETURNS "TRUE" OR "FALSE"). INSTEAD, IT IS BASED ON UNLOCKING THE KEYCHAIN.
  21. let context = LAContext()
      let reason = "Log in to your account"
      context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
          if success {
              // Move to the main thread because a state update triggers UI changes.
              DispatchQueue.main.async { [unowned self] in
                  self.state = .loggedin
              }
          } else {
              print(error?.localizedDescription ?? "Failed to authenticate")
              // Fall back to asking for username and password.
              // ...
          }
      }
      https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
  22. (The same code as slide 21, now overlaid with WARNING.)
      https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
  23. WHAT DOES THE CODE LOOK LIKE IN A DISASSEMBLER?

  24. let access = SecAccessControlCreateWithFlags(nil, // Use the default allocator.
                                                     kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                     .userPresence,
                                                     nil) // Ignore any error.
  25. let access = SecAccessControlCreateWithFlags(nil, // Use the default allocator.
                                                     kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                     .biometryCurrentSet, // shown on the slide replacing .userPresence
                                                     nil) // Ignore any error.
  26. LEVEL 2. 2FA
      OWASP MASVS 4.9: A SECOND FACTOR OF AUTHENTICATION EXISTS AT THE REMOTE ENDPOINT AND THE 2FA REQUIREMENT IS CONSISTENTLY ENFORCED.
  27. AUTH FACTORS
      2FA - TWO FACTOR AUTHENTICATION
      • Something you know (password, PIN, OTP)
      • Something you have (phone, SIM card, USB token)
      • Something you are, something physically unique to you (fingerprint)
      2SV - TWO STEP VERIFICATION
  28. 2SV FLOW

  29. 2SV FLOW

  30. AUTH FACTORS (same content as slide 27: 2FA - TWO FACTOR AUTHENTICATION, 2SV - TWO STEP VERIFICATION)
  31. https://www.mayurpahwa.com/2019/01/digital-signature.html

  32. AUTH FACTORS (same content as slide 27: 2FA - TWO FACTOR AUTHENTICATION, 2SV - TWO STEP VERIFICATION)
  33. LEVEL 2. STEP-UP AUTH
      OWASP MASVS 4.10: SENSITIVE TRANSACTIONS REQUIRE STEP-UP AUTHENTICATION.
  34. LEVEL 2. TRACK LOGIN ACTIVITY
      OWASP MASVS 4.11: THE APP INFORMS THE USER OF ALL LOGIN ACTIVITIES WITH THEIR ACCOUNT. USERS ARE ABLE TO VIEW A LIST OF DEVICES USED TO ACCESS THE ACCOUNT, AND TO BLOCK SPECIFIC DEVICES.
  35. FINAL THOUGHTS

  36. WHERE TO GO NEXT
      OWASP MSTG – Testing Local Authentication
      https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
      Apple Platform Security Guide
      https://support.apple.com/en-gb/guide/security/welcome/web
      WWDC 14 – Keychain and Authentication with Touch ID
      https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
      David Lindner – Don’t Touch Me That Way
      https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html
  37. THANK YOU! @julepka