Cross-platform Mobile Security at LINE

Charles Hubain
LINE Security R&D Team Senior Security Engineer
Sanghwan Ahn
LINE Security R&D Team Senior Security Engineer
https://linedevday.linecorp.com/2020/ja/sessions/8802
https://linedevday.linecorp.com/2020/en/sessions/8802

LINE DevDay 2020

November 25, 2020
Transcript

1. Agenda
› Secure Software Development
› LINE Banking Services
› Biometric Authentication on Mobile
› Lessons Learned
2. SSDLC (Secure Software Development Life Cycle)
Cycle: Plan, Design, Implement, Test, Deploy
› Security requirements
› Security & privacy risk assessment
› Security by design
› Threat modeling
› Design review
› Penetration test
› Code review
› Security development
  › Crypto modules (TEE, WBC)
  › Auth modules (FIDO2)
  › HSM modules
3. LINE Banking Services
› Japan, Taiwan, Thailand and Indonesia
› User-friendly financial services
› Support both standalone app and channel web app
4. Supports Channel Web App
› Hybrid app security is trickier, and it is hard to guarantee good enough security for financial services
  › Malicious code execution via XSS
  › JavaScript is not signed
› Core security features should be implemented in native code
› Need to implement a bridge so that the hybrid app can use those security features from the JavaScript side
5. Transaction Data Signing
› To prevent any interception or modification of transaction information
› Multi-factor authentication
  › Device binding
    › Relies on eKYC (Electronic Know Your Customer)
    › Server only trusts transactions signed with this key
  › Biometric authentication
    › Requires additional biometric authentication for transactions
  › Transaction confirmation
    › To prevent transaction information from being tampered with on the JavaScript side
    › Requires visual confirmation by the user through a native UI
6. Device Binding
Sequence diagram with three participants: User, Client, Server.

E-KYC PROCESS
› User: Upload user's own ID (driving license, passport, etc.) and other requested information to verify identity
› Server: Check the data with identity verification documents

REGISTRATION
› Client: Request an attestation challenge
› Server: Attestation challenge
› Client: Generate asymmetric signing key pair inside the TEE/SE
› Client: Get KEY ATTESTATION certificate chains
› Client: Share attestation certificate chains
› Server: Verify that the client's attestation certificate chains are valid and then store the public key
› Server: Activate the user public key

AUTHENTICATION
› Client: Request a challenge
› Server: Challenge
› Client: Build a challenge-response protocol with the signing key pair
› Client: Signed transaction (request body, challenge, signature)
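Server-side half of the device-binding challenge-response above, as an added example (not LINE's code): the server hands out a one-time challenge, the device signs the request body together with it, and the server verifies with the activated public key while refusing replays and tampered bodies. Assumes P-256 ECDSA with SHA-256, and generates the client key pair in-process as a stand-in for the TEE/SE key whose attestation chain the server has already verified.

```kotlin
import java.security.KeyPairGenerator
import java.security.PrivateKey
import java.security.PublicKey
import java.security.SecureRandom
import java.security.Signature
import java.security.spec.ECGenParameterSpec

// Added example, not LINE's code. The client key pair is generated in-process here as a
// stand-in for the TEE/SE key whose attestation chain the server has already verified.
class DeviceBindingServer {
    private val activeKeys = HashMap<String, PublicKey>()   // userId -> activated public key
    private val challenges = HashMap<String, ByteArray>()   // userId -> outstanding challenge
    private val rng = SecureRandom()

    // Done once the attestation chain checks out and the eKYC process has passed.
    fun activatePublicKey(userId: String, key: PublicKey) { activeKeys[userId] = key }

    // One fresh 256-bit challenge per transaction; it is consumed on first use.
    fun issueChallenge(userId: String): ByteArray =
        ByteArray(32).also { rng.nextBytes(it); challenges[userId] = it }

    // The device signs (request body || challenge). A modified body breaks the signature,
    // and a reused challenge is refused because the server has already forgotten it.
    fun verifyTransaction(userId: String, body: ByteArray, challenge: ByteArray, sig: ByteArray): Boolean {
        val key = activeKeys[userId] ?: return false
        val expected = challenges.remove(userId) ?: return false
        if (!expected.contentEquals(challenge)) return false
        return Signature.getInstance("SHA256withECDSA").run {
            initVerify(key); update(body); update(challenge); verify(sig)
        }
    }
}

// Client side of the exchange (assumption: P-256 ECDSA with SHA-256, as in the keystore flow).
fun clientSign(priv: PrivateKey, body: ByteArray, challenge: ByteArray): ByteArray =
    Signature.getInstance("SHA256withECDSA").run { initSign(priv); update(body); update(challenge); sign() }

fun main() {
    val kp = KeyPairGenerator.getInstance("EC").apply { initialize(ECGenParameterSpec("secp256r1")) }.generateKeyPair()
    val server = DeviceBindingServer().apply { activatePublicKey("user-1", kp.public) }
    val body = """{"to":"ACCT-123","amount":1000}""".toByteArray()      // constructed sample request
    val c1 = server.issueChallenge("user-1")
    val s1 = clientSign(kp.private, body, c1)
    check(server.verifyTransaction("user-1", body, c1, s1))             // genuine transaction
    check(!server.verifyTransaction("user-1", body, c1, s1))            // replay: challenge already consumed
    val c2 = server.issueChallenge("user-1")
    val tampered = """{"to":"ACCT-999","amount":1000}""".toByteArray() // body altered after signing
    check(!server.verifyTransaction("user-1", tampered, c2, clientSign(kp.private, body, c2)))
}
```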
7. Trusted Execution Environment
› Hardware-based isolation technology
› The TEE protects sensitive operations even if the device is compromised
  › User authentication, cryptographic operations and keys
› Most smartphones contain a TEE
  › ARM TrustZone
  › Android hardware-backed keystore
  › Apple Secure Enclave
8. ARM TrustZone
› Commercial TEE development solution
› Custom TEE (trusted application) development is available
› The availability of ARM TrustZone is nearly a per-manufacturer problem
› Apple doesn't give access to their Secure Enclave
› Expensive for small-scale deployments
  › Code signing and provisioning infrastructure for trusted applications is required
  › Infrastructure needs HSMs, servers and load balancers
9. KeyStore APIs
› Hardware-backed crypto APIs: the features natively supported by each platform's trusted operating system
  › Android hardware-backed keystore and StrongBox
  › Apple Secure Enclave
› Android Keystore and iOS Keychain features are mismatched
  › iOS doesn't support key import or key attestation
  › Not all Android keystore operations are guaranteed to happen inside the TEE (it's a per-manufacturer dependency)
10. White-Box Cryptography
› Purely software-based
› Custom cryptographic APIs and fallback functionality can be implemented
› Keys are embedded in the algorithms, making them inherently difficult to extract
› Keys are never revealed in plaintext form
› Offers increased resistance to reverse engineering and dynamic instrumentation toolkits like Frida and Xposed
› Performance is slower than non-white-box implementations
11. White-Box Use Cases
› Key attestation
  › Fallback implementation for devices that don't support TEE-based key attestation
› Secure key provisioning
  › Addresses hardcoded static key problems
  › Enables the protection of a static key or a dynamic key sent by the server
  › Allows binding the key to the device
15. How to do Authentication - Passwords
› Knowledge factor of authentication - "Something you know"
› Users hate passwords
  › Hate creating them
  › Hate remembering them
  › Hate typing them (especially on mobile)
› Product managers hate passwords
  › Hate enforcing rules to avoid weak passwords
› Security engineers hate passwords
  › Hate managing password transmission and storage
17. How to do Authentication - Passwords
› Frustrated users
  › Use password managers instead
› Frustrated product managers
  › Ask for longer authentication sessions: "Remember me" / "Automatic login" option
› Frustrated security engineers
  › Explore other authentication methods: PAKE, 2FA, biometrics, …
20. How to do Authentication - Biometrics
› Inherent factor of authentication - "Something you are": fingerprint, iris, face, …
› Very popular on mobile devices
  › Face ID or Touch ID available on every iOS device
  › Part of the Android CDD specification since Android 6.0
  › Very user friendly
› How to leverage biometrics securely?
23. There's a Standard for That
› In security you should stick to standards whenever possible
› Fast IDentity Online (FIDO)
  › Set of authentication standards (FIDO UAF, FIDO U2F, FIDO2)
  › Covers biometric authentication and much more
  › Alliance members include Microsoft, Google, Apple, … and LINE
› For LINE, FIDO2 makes more sense
  › Supports both first-factor and second-factor authentication flows
  › Has been standardized by the W3C for the web as WebAuthn
26. Standard Doesn't Mean Supported
› WebAuthn is well supported in recent browsers
  › Chrome, Firefox, Edge, Safari, Android Browser, Safari for iOS, …
› Native support is more limited
  › No native FIDO2 support on iOS or macOS
  › Android native FIDO2 support is provided by Google Mobile Services
    › Allows any authentication method, including the screen lock
    › Can't select or discriminate the authentication method used
    › Problem for internal security policies and external regulations
28. Implementing FIDO2 - Why
› Making our own authenticator would solve those issues
› Why not make a custom cross-platform implementation?
  › Platform abstraction layer for biometric and key management
  › Shared FIDO2 logic in C++
› Perfect match of features and behavior between platforms
  › Same credential type, cryptographic algorithm and attestation format
  › Can support our own FIDO2 extensions
31. Implementing FIDO2 - iOS APIs
› Key management APIs are straightforward
  › SecKeyGeneratePair, SecKeyCopyPublicKey, SecKeyCreateSignature, …
› Access control can be configured using SecAccessControlCreateWithFlags
  › Flags control the security policy and the requirements to use the key
› SecKeyCreateSignature will automatically trigger Face ID or Touch ID
  › UI is handled by the system
  › Authentication dialog can be customized
34. Implementing FIDO2 - Android APIs
› Key management and biometric APIs are separated
› Keys are managed using the KeyStore
  › KeyPairGenerator for key generation
  › KeyGenParameterSpec to specify algorithm and access control
  › TEE protection can only be checked after generation, using KeyInfo.isInsideSecureHardware
  › Calling initSign with the PrivateKey gives a Signature object
  › The Signature object has to be unlocked by an authentication API
36. Implementing FIDO2 - Android APIs
Authentication API per Android API level (table columns: device screen lock, fingerprint, other biometrics):
› 21-22: KeyguardManager
› 23-27: FingerprintManager
› 28: BiometricPrompt
› 29
› 30
› Google made the androidx.biometric compatibility layer to simplify this API fragmentation
39. Implementing FIDO2 - Android APIs
› The manufacturer is responsible for integrating with the authentication API
  › Support is device- and Android-version dependent
› Sensors are categorized into "weak" and "strong" security levels
  › Image-based face recognition is "weak"
  › 3D-scan-based face recognition is "strong"
  › Only "strong" biometrics are allowed to protect private keys
  › This can be confusing for users
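The Android key flow described on slides 34 to 39, as an added example (not LINE's code): generate a keystore key that only a "strong" biometric can unlock, check after the fact whether it landed in secure hardware, fetch the attestation chain for the server, and sign through a BiometricPrompt-unlocked Signature. Assumes API 30+ and androidx.biometric 1.1+; the key alias and prompt strings are placeholders.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.cert.Certificate
import java.security.spec.ECGenParameterSpec

const val ALIAS = "demo-signing-key" // placeholder; added example assumes API 30+ and androidx.biometric 1.1+

// P-256 signing key usable only after a "strong" biometric; whether it really sits in
// secure hardware can only be checked afterwards through KeyInfo, as the slides note.
fun generateBiometricKey(attestationChallenge: ByteArray): PrivateKey {
    val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG) // auth per use, no screen lock
        .setInvalidatedByBiometricEnrollment(true)     // a new biometric enrolment invalidates the key
        .setAttestationChallenge(attestationChallenge) // server nonce bound into the attestation chain
        .build()
    val kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore").apply { initialize(spec) }
    val priv = kpg.generateKeyPair().private
    val info = KeyFactory.getInstance(priv.algorithm, "AndroidKeyStore").getKeySpec(priv, KeyInfo::class.java)
    check(info.isInsideSecureHardware) { "software-only keystore on this device: fall back to white-box attestation" }
    return priv
}

// Certificate chain the client sends for the server-side key attestation check.
fun attestationChain(): Array<Certificate> =
    KeyStore.getInstance("AndroidKeyStore").apply { load(null) }.getCertificateChain(ALIAS)

// initSign gives a Signature that stays locked until BiometricPrompt unlocks it; the data is
// signed inside the success callback, never before.
fun signWithBiometric(activity: FragmentActivity, priv: PrivateKey, data: ByteArray, onSigned: (ByteArray) -> Unit) {
    val sig = Signature.getInstance("SHA256withECDSA").apply { initSign(priv) }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            result.cryptoObject?.signature?.let { it.update(data); onSigned(it.sign()) }
        }
    }
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm transaction").setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG) // mirrors the key policy: "weak" sensors are refused
        .build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(sig))
}
```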
41. Key Attestation
› Need some key attestation mechanism
  › Verifies client identity
  › Protects against MITM during registration
› Poor native attestation API support
  › Fall back on white-box cryptography based attestation
42. LINE Passwordless
› For more details on LINE's biometric authentication projects, see:
  › LINE's Omnidirectional Cyber Security Efforts and Challenges, by Naohisa Ichihara
  › Secure LINE Login with biometric key replacing password, by Bekboum Pyun
44. Lessons Learned - Legacy
1. Legacy support is the most important factor
2. New security features will have to wait
3. Android fragmentation is about version and hardware
46. Lessons Learned - Cross-Platform
1. Matching features on multiple platforms can be challenging
2. It's easier to have one common implementation
3. Cross-platform development can be made easy
48. Lessons Learned - TEE is Still Hard to Use
1. Custom TEE development is not realistic for application developers
2. Existing TEE/SE APIs are not uniform across platforms
50. Lessons Learned - Security Development
1. Developers understand security basics
2. Developers' priority is the release schedule, not security
3. Doing some development inside the security department can be more efficient
51. Thank you
All of this work was made in collaboration with our wonderful colleagues at LINE, LINE Plus and LINE Financial Plus.