tricky and hard to guarantee good enough security for financial services › Malicious code execution via XSS › Javascript is not signed › Core security features should be implemented in native code › Need to implement a bridge so that hybrid app can use those security features from the JavaScript side
to transaction information › Multi-factor authentication › Device binding › Rely on eKYC(Electronic Know Your Customer) › Server only trusts transactions signed with this key › Biometric authentication › Requires additional biometric authentication for transactions › Transaction confirmation › To prevent transaction information to be tampered on the JavaScript side › Requires visual confirmation by the user through a native UI
other requested information to verify identity User Client Server Request an attestation challenge Attestation challenge Generate asymmetric signing key pair inside the *TEE/SE* Share attestation certificate chains Get *KEY ATTESTATION* certificate chains Verify that the client's attestation certificate chains are valid and then store the public key Request a challenge Challenge Build a challenge-response protocol with the signing key pair Signed transaction(request body, challenge, signature) Activate the user public key REGISTRATION AUTHENTICATION *E-KYC PROCESS* Check the data with identity verification documents
protects the sensitive operations even though the device is compromised › User authentication, Cryptographic operations and keys › Most smartphones contain a TEE › ARM Trustzone › Android Hardware backed keystore › Apple Secure Enclave
application) development available › The availability of ARM Trustzone is nearly a per manufacturer problem › Apple doesn't give to access to their Secure Enclave › Expensive for small scale deployments. › Code signing and provisioning infrastructure for trusted application is required › Infrastructure needs HSMs, servers and load balancer
by each platform trusted operating system › Android hardware backed keystore and StrongBox › Apple Secure Enclave › Android Keystore and iOS Keychain features are mismatched › Doesn’t support key importation, key attestation on iOS › All android keystore operations are not guaranteed to happen inside the TEE (it’s a per manufacturer dependency)
and fallback functionalities › Keys are embedded in the algorithms making it inherently difficult to extract › Keys are never revealed in plaintext form › Offer increased resistance to reverse engineering and dynamic code instrumentation toolkit like Frida, Xposed › Performance is slower than non-white-box implementation
devices that don’t support the TEE based key attestation › Secure key provisioning › Hardcoded static key problems › Enables the protection of static key or dynamic key sent by the server › Allow to bind the key to the device
authentication - “Something you know” › Users hate passwords › Hate creating them › Hate remembering them › Hate typing them (especially on mobile) › Product manager hate passwords › Hate enforcing rules to avoid weak passwords
authentication - “Something you know” › Users hate passwords › Hate creating them › Hate remembering them › Hate typing them (especially on mobile) › Product manager hate passwords › Hate enforcing rules to avoid weak passwords › Security engineers hate passwords › Hate managing password transmission and storage
authentication - “Something you are” Fingerprint, Iris, Face, … › Very popular on mobile devices › FaceID or TouchID available on every iOS devices › Part of Android CDD specification since Android 6.0 › Very user friendly
authentication - “Something you are” Fingerprint, Iris, Face, … › Very popular on mobile devices › FaceID or TouchID available on every iOS devices › Part of Android CDD specification since Android 6.0 › Very user friendly › How to leverage biometrics securely?
stick to standards whenever possible › Fast IDentity Online (FIDO) › Set of authentication standards (FIDO UAF, FIDO U2F, FIDO2) › Cover biometric authentication and much more › Alliance members include Microsoft, Google, Apple, … and LINE
stick to standards whenever possible › Fast IDentity Online (FIDO) › Set of authentication standards (FIDO UAF, FIDO U2F, FIDO2) › Cover biometric authentication and much more › Alliance members include Microsoft, Google, Apple, … and LINE › For LINE, FIDO2 makes more sense › Support both first and second factor authentication flows › Has been standardized by W3C for the web as WebAuthn
recent browser › Chrome, Firefox, Edge, Safari, Android Browser, Safari for iOS, … › Native support is more limited › No native FIDO2 support on iOS or macOS
recent browser › Chrome, Firefox, Edge, Safari, Android Browser, Safari for iOS, … › Native support is more limited › No native FIDO2 support on iOS or macOS › Android native FIDO2 support is provided by Google Mobile Service › Allow any authentication method including the screen lock › Can't select or discriminate the authentication method used › Problem for internal security policies and external regulations
solve those issues › Why not make a custom cross-platform implementation? › Platform abstraction layer for biometric and key management › Shared FIDO2 logic in C++
solve those issues › Why not make a custom cross-platform implementation? › Platform abstraction layer for biometric and key management › Shared FIDO2 logic in C++ › Perfect match of features and behavior between platforms › Same type of credential type, cryptographic algorithm, attestation format › Can support our own FIDO2 extensions
straightforward › SecKeyGeneratePair, SecKeyCopyPublicKey, SecKeyCreateSignature, … › Access control can be configured using SecAccessControlCreateWithFlags › Flags allow to control the security policy and requirements to use the key
straightforward › SecKeyGeneratePair, SecKeyCopyPublicKey, SecKeyCreateSignature, … › Access control can be configured using SecAccessControlCreateWithFlags › Flags allow to control the security policy and requirements to use the key › SecKeyCreateSignature will automatically trigger FaceID or TouchID › UI is handled by the system › Authentication dialog can be customized
APIs are separated › Keys are managed using the KeyStore › KeyPairGenerator for key generation › KeyGenParameterSpec to specify algorithm and access control
APIs are separated › Keys are managed using the KeyStore › KeyPairGenerator for key generation › KeyGenParameterSpec to specify algorithm and access control › TEE protection can only be checked after the generation using KeyInfo.isInsideSecureHardware
APIs are separated › Keys are managed using the KeyStore › KeyPairGenerator for key generation › KeyGenParameterSpec to specify algorithm and access control › TEE protection can only be checked after the generation using KeyInfo.isInsideSecureHardware › PrivateKey.initSign returns a Signature object › Signature object has to be unlocked by an authentication API
Fingerprint Other biometrics 21-22 KeyguardManager 23-27 FingerprintManager 28 BiometricPrompt 29 30 › Google made the androidx.biometric compatibility layer to simplify this API fragmentation
integrating with the authentication API › Support is device and Android version dependent › Sensors categorized into “weak” and “strong” security level › Image based face recognition is “weak” › 3D scan based face recognition is “strong” › Only “strong” biometric are allowed to protect private keys
integrating with the authentication API › Support is device and Android version dependent › Sensors categorized into “weak” and “strong” security level › Image based face recognition is “weak” › 3D scan based face recognition is “strong” › Only “strong” biometric are allowed to protect private keys › This can be confusing for users
client identity › Protects against MITM during registration › Poor native attestation API support › Fallback on white-box cryptography based attestation
authentication projects › LINE's Omnidirectional Cyber Security Efforts and Challenges By Naohisa Ichihara › Secure LINE Login with biometric key replacing password By Bekboum Pyun
line_devday2020
negi111111
takumiogawa
ryuichi1208
oracle4engineer
isaoshimizu
ysknsid25
cmusudakeisuke
lycorp_recruit_jp
shujisado
koichiotomo
neuecc
syntasso
rasmusluckow
dougneiner
brianwarren
bluesmoon
rmw
jcasabona
paigeccino
akosma
chrislema
lauravandoore
erikaheidi
gr2m
