Slide 1

Slide 1 text

Authentication, Authorization, and You: The Triple-A: Authentication, Authorization, and Android. 2018/02/09

Slide 2

Slide 2 text

Obligatory Self Introduction - @ken5scal - 2018/0 ~ : FOLIO - Security Architect/Engineer - From Software

Slide 3

Slide 3 text

Got FINTECH?

Slide 4

Slide 4 text

Source: pymnts.com article on B2B payments and treasury fintech (corporate adoption of financial technology); link garbled in extraction.

Slide 5

Slide 5 text

3 main finTECH

Slide 6

Slide 6 text

Source: cryptoeconomy.net, "Everything you need to know about blockchain technology"; link garbled in extraction.

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

One More Thing…

Slide 9

Slide 9 text

API

Slide 10

Slide 10 text

Source: cryptoeconomy.net, "Everything you need to know about blockchain technology"; link garbled in extraction.

Slide 11

Slide 11 text

New Value, New Risk

Slide 12

Slide 12 text

in Android AuthN and AuthZ

Slide 13

Slide 13 text

1. OAuth 2.0 for Native Application 2. FIDO UAF 3. Firebase Authentication Overview

Slide 14

Slide 14 text

Overview - 1. OAuth 2.0 for Native Application 2. FIDO UAF 3. Firebase Authentication - Sources: 1. Android Modern Programming (book) 2. ken5scal.hatenablog.com

Slide 15

Slide 15 text

AuthZ for Android

Slide 16

Slide 16 text

OAuth 2.0 in a nutshell - OAuth ... is a delegation protocol (RFC 6749) - 4 roles - OAuth 2.0 for Native Apps (RFC 8252)

Slide 17

Slide 17 text

OAuth as a Delegation Protocol. Source: atmarkit.co.jp (@IT) article; link garbled in extraction.

Slide 18

Slide 18 text

OAuth 2.0 Main Roles
Client
• The protagonist of this session
• Software that acts on behalf of the RO and accesses the protected resource
• On Android: the Android app, or an SDK
Resource Owner (RO)
• Holds the access rights to the protected resource
• The protected resource usually takes the form of an API
• Usually the end user (a person)
Authorization Server (AS)
• The server that issues access tokens to the client
• Trusted by the protected resource
• Issues the token after the RO's authentication and authorization are complete
Resource Server (RS)
• The server hosting the protected resource
• Limits the scope of requests to the resource according to the token

Slide 19

Slide 19 text

OAuth 2.0 for Native Apps - RFC 8252 extends RFC 6749 - released 2017/10 - AppAuth for Android - https://github.com/openid/AppAuth-Android

Slide 20

Slide 20 text

OAuth 2.0 before RFC 8252 - The client is untrusted to store secrets - APK reverse engineering - Reading via a web proxy - Easy to get spoofed - Implicit Flow is the way to go

Slide 21

Slide 21 text

Implicit Flow (figure from the RFC). Source: atmarkit.co.jp (@IT) article; link garbled in extraction.

Slide 22

Slide 22 text

Problem with Implicit Flow - Unfriendly Token Refresh - Stealing the Redirect - Embedded User-Agent (WebView)

Slide 23

Slide 23 text

Problem with Implicit Flow - Unfriendly Token Refresh - Stealing the Redirect - Embedded User-Agent (WebView)

Slide 24

Slide 24 text

Problem with Implicit Flow - Unfriendly Token Refresh 1. Implicit Flow does not support Refresh Token 2. Cannot refresh token without user interaction

Slide 25

Slide 25 text

Problem with Implicit Flow - Stealing the Redirect - Unfriendly Token Refresh - Embedded User-Agent (WebView)

Slide 26

Slide 26 text

Stealing the Redirect (figure from the RFC)

Slide 27

Slide 27 text

Defining a Custom URL Scheme (AndroidManifest.xml intent-filter; the VIEW action is not on the slide but is required for a browsable intent-filter):
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="com.ken5scal.ex" android:host="oauth2redirect" />
    </intent-filter>

Slide 28

Slide 28 text

Sending a Request with the custom URL scheme:
    val authUri = Uri.parse("https://ex.com/authZ_ep").buildUpon()
        .appendQueryParameter("response_type", "code")
        .appendQueryParameter("client_id", clientId)
        .appendQueryParameter("scope", "profile")
        .appendQueryParameter("state", "xxxxxxxxxxx")   // placeholder: must be a fresh random value per request
        .appendQueryParameter("redirect_uri", "com.ken5scal.ex:/oauth2redirect")
        .build()

Slide 29

Slide 29 text

Redirect can be acquired by EVIL (figure from the RFC)

Slide 30

Slide 30 text

Problem with Implicit Flow - Stealing the Redirect 1. The Redirect URL cannot be tightly tied to the actual app. 2. The token is likely to be stolen by spoofing

Slide 31

Slide 31 text

Problem with Implicit Flow - Stealing the Redirect - Unfriendly Token Refresh - Embedded User-Agent (WebView)

Slide 32

Slide 32 text

Presumption - WebView was the only option when OAuth 2.0 came out

Slide 33

Slide 33 text

Obtaining plain-text sensitive info from a WebView (why an embedded user-agent cannot be trusted with credentials):
    val webView = object : WebView(baseContext) {
        override fun dispatchKeyEventPreIme(event: KeyEvent?): Boolean {
            // every key press, including password characters, is visible to the host app
            Log.d("even_password", event?.keyCode.toString())
            return super.dispatchKeyEventPreIme(event)
        }
    }

Slide 34

Slide 34 text

Stealing a Cookie:
    webView.webViewClient = object : WebViewClient() {
        override fun onPageFinished(view: WebView?, url: String?) {
            val cookies = CookieManager.getInstance().getCookie(url) ?: return
            for (cookie in cookies.split(";")) {
                //You can steal cookie here
            }
        }
    }

Slide 35

Slide 35 text

No Address Bar - The user cannot verify the SSL certificate - Bad for user awareness

Slide 36

Slide 36 text

Unfriendly Sign-in Experience - The session cannot be shared with other apps - Anti-SSO

Slide 37

Slide 37 text

How to Address?
- Authorization Code Grant Flow (kinda)
  - Stealing the Redirect
  - Unfriendly Token Refresh
- External User-Agent
  - Embedded User-Agent (WebView)

Slide 38

Slide 38 text

for Native Apps (RFC 8252)

Slide 39

Slide 39 text

Authorization Code Grant (figure from the RFC)

Slide 40

Slide 40 text

Authorization Code Grant (figure from the RFC): still able to spoof

Slide 41

Slide 41 text

PKCE (RFC 7636)

Slide 42

Slide 42 text

Proof Key for Code Exchange (PKCE) Overview (RFC 7636)

Slide 43

Slide 43 text

Generate Code Verifier (RFC 7636)

Slide 44

Slide 44 text

Generate Code Verifier (imports: java.security.SecureRandom, java.security.MessageDigest, android.util.Base64):
    val srnm = SecureRandom()
    val randomBytes = ByteArray(64)   // slide had byteArrayOf(64), a one-element array; 64 random bytes give an 86-char verifier (RFC 7636 allows 43..128)
    srnm.nextBytes(randomBytes)
    val codeVerifier = Base64.encodeToString(randomBytes,
        Base64.NO_WRAP or Base64.NO_PADDING or Base64.URL_SAFE)
    // S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))); the slide base64-encoded the verifier itself
    val digest = MessageDigest.getInstance("SHA-256").digest(codeVerifier.toByteArray(Charsets.US_ASCII))
    val codeChallenge = Base64.encodeToString(digest,
        Base64.NO_WRAP or Base64.NO_PADDING or Base64.URL_SAFE)

Slide 45

Slide 45 text

Send the Code Challenge with the authorization request:
    val authUri = Uri.parse("https://ex.com/authZ_ep").buildUpon()
        .appendQueryParameter("response_type", "code")
        .appendQueryParameter("client_id", clientId)
        .appendQueryParameter("redirect_uri", "com.ken5scal.ex:/oauth2redirect")
        .appendQueryParameter("scope", "profile")
        .appendQueryParameter("state", "xxxxxxxxxxxxxxx")   // placeholder: must be a fresh random value per request
        .appendQueryParameter("code_challenge", codeChallenge)
        .appendQueryParameter("code_challenge_method", "S256")
        .build()

Slide 46

Slide 46 text

Access Token Request with Code Verifier (RFC 7636)

Slide 47

Slide 47 text

Access Token Request with Code Verifier (sent as a POST to the token endpoint; the slide builds the parameters with the Uri builder):
    val tokenReq = Uri.parse("https://ex.com/token_ep").buildUpon()
        .appendQueryParameter("grant_type", "authorization_code")   // slide had response_type=code, which belongs to the authorization request
        .appendQueryParameter("code", authCode)
        .appendQueryParameter("client_id", clientId)
        .appendQueryParameter("redirect_uri", "com.ken5scal.ex:/oauth2redirect")
        .appendQueryParameter("code_verifier", codeVerifier)
        .build()

Slide 48

Slide 48 text

Verify the challenge on the Auth Server (RFC 7636) [Diagram: code_verifier at the token endpoint; compare the result with the AuthReq]
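The whole PKCE exchange of slides 43 to 48 in one runnable piece, as an added example that is not from the slides or from AppAuth: the client-side derivation the slides show in Kotlin, plus the token-endpoint check of slide 48, which is the part that actually defeats a stolen redirect. It is written in Go because the standard library covers the hashing, encoding and constant-time compare and because the check runs on the server. AuthServer, IssueCode and RedeemCode are names chosen for this illustration, not an API of any real authorization server.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// RFC 7636 uses base64url without padding for both the verifier and the challenge.
var b64 = base64.RawURLEncoding

// NewCodeVerifier returns a fresh code_verifier: 32 random bytes -> 43 characters.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b64.EncodeToString(buf), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// pendingCode is what the authorization server remembers when it issues a code.
type pendingCode struct {
	clientID  string
	challenge string
}

// AuthServer is a minimal in-memory model of the PKCE-relevant server state (illustrative only).
type AuthServer struct {
	codes map[string]pendingCode
}

func NewAuthServer() *AuthServer {
	return &AuthServer{codes: map[string]pendingCode{}}
}

// IssueCode models the authorization endpoint: the code is bound to the challenge it arrived with.
func (s *AuthServer) IssueCode(code, clientID, challenge, method string) error {
	if method != "S256" {
		// "plain" is permitted by RFC 7636 but gives no protection once the redirect is observed
		return errors.New("code_challenge_method must be S256")
	}
	if len(challenge) != 43 {
		return errors.New("malformed code_challenge")
	}
	s.codes[code] = pendingCode{clientID: clientID, challenge: challenge}
	return nil
}

// RedeemCode models the token endpoint: hash the presented code_verifier and compare it with
// the challenge stored for this code. A party that obtained the code but not the verifier fails here.
func (s *AuthServer) RedeemCode(code, clientID, verifier string) error {
	p, ok := s.codes[code]
	if !ok {
		return errors.New("unknown or already used code")
	}
	delete(s.codes, code) // a code is single use, even when the attempt fails
	if p.clientID != clientID {
		return errors.New("client_id does not match the authorization request")
	}
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier length out of range")
	}
	expected := CodeChallengeS256(verifier)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(p.challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	as := NewAuthServer()
	// The authorization request carries the challenge; the AS returns a code bound to it.
	_ = as.IssueCode("code-1", "com.ken5scal.ex", CodeChallengeS256(verifier), "S256")
	// The legitimate app knows the verifier it generated.
	fmt.Println("redeem with own verifier:", as.RedeemCode("code-1", "com.ken5scal.ex", verifier))
	// A second app that received the redirect has the code but not the verifier.
	_ = as.IssueCode("code-2", "com.ken5scal.ex", CodeChallengeS256(verifier), "S256")
	guess, _ := NewCodeVerifier()
	fmt.Println("redeem with wrong verifier:", as.RedeemCode("code-2", "com.ken5scal.ex", guess))
}
```

The test vector for CodeChallengeS256 is the one published in RFC 7636 Appendix B, which is a convenient way to check any PKCE implementation.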

Slide 49

Slide 49 text

How to Address? - Stealing the Redirect -> PKCE - Unfriendly Token Refresh -> AuthZ Code Grant Flow (= a refresh token is available)

Slide 50

Slide 50 text

Important Note

Slide 51

Slide 51 text

"the use of the Implicit Flow with native apps is NOT RECOMMENDED." (RFC 8252)

Slide 52

Slide 52 text

Using App Link

Slide 53

Slide 53 text

Alternative Approach for Redirect URL Stealing - An "https" scheme can be set as the Redirect URL - For Android M or later, using App Links is recommended, as they tightly couple the actual app and the URL - "App-claimed "https" scheme redirect URIs have some advantages compared to other native app redirect options in that the identity of the destination app is guaranteed to the authorization server by the operating system. For this reason, native apps SHOULD use them over the other options where possible." (RFC 8252)

Slide 54

Slide 54 text

Intent-filter for App Link

Slide 55

Slide 55 text

Linking App and WebSite

Slide 56

Slide 56 text

Yet - the RFC insists on doing PKCE anyway, because risk remains - "but the app is still a public client; further, the URI is sent using the operating system's URI dispatch handler with unknown security properties." (OAuth 2.0 for Native Apps, p. 10)

Slide 57

Slide 57 text

External User-Agent

Slide 58

Slide 58 text

"native apps MUST NOT use embedded user-agents to perform authorization requests" (RFC 8252)

Slide 59

Slide 59 text

In the case of Google... Source: Google Developers Blog, "Modernizing OAuth interactions in Native Apps"; link garbled in extraction.

Slide 60

Slide 60 text

Use an External User-Agent - Chrome Custom Tabs - Google Sign-In SDK - Be careful with external user-agents - Use only trusted SDKs

Slide 61

Slide 61 text

Other Security Considerations

Slide 62

Slide 62 text

Other Security Considerations - Registration of Native App Clients - Cross-App Request Forgery Protection

Slide 63

Slide 63 text

Registration of Native App Clients

Slide 64

Slide 64 text

Cross-App Request Forgery Protection - Protecting against CSRF in a native app - CSRF is a type of attack "that forces an end user to execute unwanted actions on a web application in which they're currently authenticated." - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Slide 65

Slide 65 text

CSRF in a nutshell. Source: hydrasky.com, network security: cross-site request forgery (CSRF); link garbled in extraction.

Slide 66

Slide 66 text

Cross-App Request Forgery Example - Attacker creates an S3 bucket - Attacker makes an AuthZ request and receives the response - Redirects the response to the target app - User receives the token (or auth_code) - User uploads her/his data to the attacker's S3 bucket - Granting access to an unsafe resource

Slide 67

Slide 67 text

State Parameter for CARF (Cross-App Request Forgery)
- Make something like a CSRF token: the state parameter
- The app creates a random value and sends it to the server with the AuthZ request:
    val srnm = SecureRandom()
    val randomBytes = ByteArray(64)   // slide had byteArrayOf(64), which is a one-element array
    srnm.nextBytes(randomBytes)
    val state = Base64.encodeToString(randomBytes,
        Base64.NO_WRAP or Base64.NO_PADDING or Base64.URL_SAFE)
- The auth server sends the value back with the AuthZ response
- The app checks whether the state parameters are the same
- If they are the same, they belong to the same session and it is safe
- Recommended in RFC 6749 and RFC 8252
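The receiving half of the state check, which the slide describes but does not show, as an added example that is not from the slides or from AppAuth. The native app must remember every state it issued and accept a redirect only when its state matches one of them, consuming it on use; a response that was injected into the app from outside (the S3-bucket scenario of slide 66) carries a state this app never minted and is refused. Written in Go for the same reason as the PKCE example; Client, BeginAuth and HandleRedirect are names chosen for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewState returns a fresh unguessable state value: 32 random bytes, base64url, no padding.
func NewState() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Client models the native app's side of the state check (illustrative, not AppAuth's API).
type Client struct {
	pending map[string]bool // states issued by this app and not yet consumed
}

func NewClient() *Client { return &Client{pending: map[string]bool{}} }

// BeginAuth runs when the app builds the authorization request: it mints a state and
// remembers it, so only responses to requests this app actually sent will be accepted.
func (c *Client) BeginAuth() (string, error) {
	state, err := NewState()
	if err != nil {
		return "", err
	}
	c.pending[state] = true
	return state, nil
}

// HandleRedirect runs when the redirect URI is invoked. The code is accepted only if the
// response's state matches one this app issued, and the state is consumed so that a second
// delivery of the same response is refused.
func (c *Client) HandleRedirect(state, code string) (string, error) {
	if !c.pending[state] {
		// A response the app never asked for: the cross-app request forgery case.
		return "", errors.New("state does not belong to any pending authorization request")
	}
	delete(c.pending, state)
	return code, nil
}

func main() {
	app := NewClient()
	state, _ := app.BeginAuth()
	// Genuine response: the redirect echoes the state the app sent.
	fmt.Println(app.HandleRedirect(state, "code-from-as"))
	// Injected response: its state was never issued by this app, so it is refused
	// before the app can bind itself to someone else's resources.
	foreignState, _ := NewState()
	fmt.Println(app.HandleRedirect(foreignState, "foreign-code"))
}
```

In a real app the pending states live in persistent storage, because the process that started the authorization may not be the one that receives the redirect.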

Slide 68

Slide 68 text

for Native Apps Summary

Slide 69

Slide 69 text

OAuth 2.0 for Android Summary - Follow RFC 8252 - AppAuth-Android is good - https://github.com/openid/AppAuth-Android - Use - PKCE - Authorization Code Grant - External User-Agent

Slide 70

Slide 70 text

Is API Protected?

Slide 71

Slide 71 text

Not Yet

Slide 72

Slide 72 text

No content

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

Your Name: AuthN for Android

Slide 75

Slide 75 text

AuthN for Android

Slide 76

Slide 76 text

FIDO in Nutshell

Slide 77

Slide 77 text

What is FIDO - Fast IDentity Online Alliance - Relies less on passwords for AuthN - Scalable, interoperable, open-standard AuthN - Board members - Google, Facebook, Amazon, Microsoft - LINE, MUFG (bank), Docomo

Slide 78

Slide 78 text

UAF vs U2F

Slide 79

Slide 79 text

Legacy AuthN: The Password - Not to mention it's bad UX - Not good in terms of the system either - Easily targeted by phishing attacks - Chance of getting breached - Too much responsibility on the server side

Slide 80

Slide 80 text

Server-Side Responsibility [Diagram labels: ID/Pass, Verify, Identify, Store]

Slide 81

Slide 81 text

FIDO AuthN Model [Diagram labels: Credential, Verify, Signed Verification Result, Verify the result, Identify, Store]

Slide 82

Slide 82 text

Roles in FIDO [Diagram labels: Credential, FIDO Authenticator, FIDO Client, FIDO Server, App, Browser, Signed Verification Result]

Slide 83

Slide 83 text

AuthN Flow

Slide 84

Slide 84 text

AuthN Flow [Diagram: (1) start AuthN, (2) Generate Challenges, (3) AuthN Request; store]

Slide 85

Slide 85 text

Authentication Request:
    [{
      "header": {
        "upv": { "major": 1, "minor": 1 },
        "op": "Auth",
        "appID": "https://hoge.com/SampleApp/uaf/facets",
        "serverData": "xxxxxxxxxxxxxxxx"
      },
      "challenge": "this_is_challenge",
      "policy": { "accepted": [ … ], "disallowed": [ … ] }
    }]

Slide 86

Slide 86 text

Authentication Request (same JSON as Slide 85)

Slide 87

Slide 87 text

Authentication Request (same JSON as Slide 85)

Slide 88

Slide 88 text

Authentication Request (same JSON as Slide 85)

Slide 89

Slide 89 text

Verification & Signing [Diagram: (5) Verify, generate result, (6) Sign verification result by AuthN priv key]

Slide 90

Slide 90 text

Signing:
    val ks = KeyStore.getInstance("AndroidKeyStore")
    ks.load(null)
    val privateKey = ks.getEntry("authN_key", null)
    if (privateKey is KeyStore.PrivateKeyEntry) {
        val s = Signature.getInstance("SHA256withECDSA")
        s.initSign(privateKey.privateKey)   // the key material never leaves the KeyStore
        s.update(authNResult)               // authNResult: ByteArray, the verification result to sign
        val assertionInByteArray = s.sign()
    }

Slide 91

Slide 91 text

Sending Authentication Response:
    [{
      "assertions": [{
        "assertion": "assertionInByteArray",
        "assertionScheme": "UAFV1TLV"
      }],
      "fcParams": "I_will_explain_this_next_time",
      "header": {
        "appID": "https://hoge.com/SampleApp/uaf/facets",
        "op": "Auth",
        "serverData": "xxxxxxxxxxxxxxxx",
        "upv": { "major": 1, "minor": 1 }
      }
    }]

Slide 92

Slide 92 text

Sending Authentication Response (same JSON as Slide 91)

Slide 93

Slide 93 text

Sending Authentication Response (fcParams carries the challenge response):
    [{
      "assertions": [{
        "assertion": "assertionInByteArray",
        "assertionScheme": "UAFV1TLV"
      }],
      "fcParams": "challenge_response",
      "header": {
        "appID": "https://hoge.com/SampleApp/uaf/facets",
        "op": "Auth",
        "serverData": "xxxxxxxxxxxxxxxx",
        "upv": { "major": 1, "minor": 1 }
      }
    }]

Slide 94

Slide 94 text

Sending Authentication Response [Diagram: (7) AuthN Response with signed result, AuthN pub key, (8) Validate sign]

Slide 95

Slide 95 text

What does this achieve? - Authenticity Verification - Integrity Verification - User AuthN on Android && Device AuthN on Server - 2FA by Default
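Both ends of the authentication flow of slides 83 to 95 in one runnable piece, as an added example that is not from the slides or from any FIDO server: the device signs the server's challenge with a P-256 key that never leaves it (the SHA256withECDSA step of slide 90), and the server validates the signature under the public key registered for that user, consuming the challenge so that a captured assertion cannot be replayed. Written in Go for its standard-library ECDSA; Authenticator, Server, SignResult and VerifyAssertion are names chosen for this illustration, and only the challenge is signed here rather than the full UAF TLV assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Authenticator models the device side: a P-256 key that stays on the device
// (on Android, the AndroidKeyStore entry "authN_key"). Illustrative, not the UAF client API.
type Authenticator struct {
	key *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// SignResult is the "SHA256withECDSA" step: hash the local verification result
// (here, the server's challenge) and sign the digest with the device key.
func (a *Authenticator) SignResult(result []byte) ([]byte, error) {
	digest := sha256.Sum256(result)
	return ecdsa.SignASN1(rand.Reader, a.key, digest[:])
}

// Server models the FIDO server: one registered public key per user, one outstanding challenge per user.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]string
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

// Register stores the AuthN public key received during registration.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// NewChallenge is step (2) of the flow: a fresh random challenge per authentication attempt.
func (s *Server) NewChallenge(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	s.challenges[user] = c
	return c, nil
}

// VerifyAssertion is step (8): the signature over the outstanding challenge must verify under
// the key registered for this user. Success proves possession of that device key (authenticity)
// and that the challenge arrived unaltered (integrity); the challenge is consumed either way.
func (s *Server) VerifyAssertion(user, challenge string, sig []byte) error {
	want, ok := s.challenges[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(challenge)) != 1 {
		return errors.New("no outstanding challenge matches")
	}
	delete(s.challenges, user)
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("no key registered for user")
	}
	digest := sha256.Sum256([]byte(challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

func main() {
	device, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("ken5scal", device.PublicKey())            // done once, at registration
	challenge, _ := srv.NewChallenge("ken5scal")             // steps (2)-(3)
	assertion, _ := device.SignResult([]byte(challenge))     // steps (5)-(6), after local user verification
	fmt.Println("assertion accepted:", srv.VerifyAssertion("ken5scal", challenge, assertion) == nil)
	fmt.Println("same assertion again:", srv.VerifyAssertion("ken5scal", challenge, assertion) == nil)
}
```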

Slide 96

Slide 96 text

Revisiting FIDO AuthN [Diagram labels: Credential, Verify, Store, Signed Verification Result, Verify the result, Identify] - Not to mention it's bad UX - Easily targeted by phishing attacks - Chance of getting breached - Too much responsibility on the server side

Slide 97

Slide 97 text

Pro-Tip: FIDO in Transaction Confirmation. Source: mobileidworld.com, "Amazon joins FIDO board"; link garbled in extraction.

Slide 98

Slide 98 text

Is API Protected?

Slide 99

Slide 99 text

Not Yet

Slide 100

Slide 100 text

Private Key Security

Slide 101

Slide 101 text

Secure Private Key

Slide 102

Slide 102 text

Protecting the Private Key - Is it stored in a safe manner? - How to verify the storing method [Diagram label: Private Key for AuthN]

Slide 103

Slide 103 text

HW-backed KeyStore

Slide 104

Slide 104 text

KeyStore Architecture [Diagram: Android Keystore Attestation]

Slide 105

Slide 105 text

Is API Protected?

Slide 106

Slide 106 text

Not Yet

Slide 107

Slide 107 text

Key Attestation

Slide 108

Slide 108 text

Key Attestation - Ensure and certify keys by using a CA private key in the TEE - issuing an X.509 certificate. Source: msdn.microsoft.com library page; link garbled in extraction.

Slide 109

Slide 109 text

Key Attestation [Diagram: (1) Generate Attestation Key Pair, (2) Inject prv key in TEE, (3) Ship, (2) Send pub key to FIDO Alliance]

Slide 110

Slide 110 text

Key Attestation in Android - Devices preinstalled with Oreo - with Google Play installed - must all ship with an Attestation Key - Devices preinstalled with Nougat - some devices have an Attestation Key - Only a HW-backed KeyStore is ensured

Slide 111

Slide 111 text

Registration Flow

Slide 112

Slide 112 text

Registration Flow [Diagram: (1) Generate Challenges, (2) Registration Request]

Slide 113

Slide 113 text

Registration Request (differs from the Authentication Request in "op": "Reg" and the added "username"):
    [{
      "header": {
        "upv": { "major": 1, "minor": 1 },
        "op": "Reg",
        "appID": "https://hoge.com/SampleApp/uaf/facets",
        "serverData": "xxxxxxxxxxxxxxxx"
      },
      "challenge": "this_is_challenge",
      "username": "ken5scal",
      "policy": { "accepted": [ … ], "disallowed": [ … ] }
    }]

Slide 114

Slide 114 text

Generating AuthN_Key Pair [Diagram: (4) Request credential, (5) Response, (6) Generate AuthN Key Pair, (7) Sign AuthN pub key by Attestation prv key, Certificate]

Slide 115

Slide 115 text

Generating the AuthN_Key Pair:
    val notBefore = Calendar.getInstance()
    val notAfter = Calendar.getInstance()
    notAfter.add(Calendar.YEAR, 10)
    val kpg = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
    val builder = KeyGenParameterSpec.Builder("authN_key", KeyProperties.PURPOSE_SIGN)
    builder
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setAlgorithmParameterSpec(ECGenParameterSpec("prime256v1"))
        .setUserAuthenticationRequired(true)   // the key is usable only after local user authentication
        .setCertificateSubject(X500Principal(String.format("CN=%s, OU=%s",
            "authN_key", applicationContext.packageName)))
        .setKeyValidityStart(notBefore.time)
        .setKeyValidityEnd(notAfter.time)      // slide called setKeyValidityStart twice; the second must be End

Slide 116

Slide 116 text

Generating the AuthN_Key Pair (continued):
    builder.setAttestationChallenge(finalHash)   // server-provided challenge, bound into the attestation certificate
    kpg.initialize(builder.build())
    val authNKeyPair = kpg.generateKeyPair()

Slide 117

Slide 117 text

Registration Response [Diagram: (8) Send Certificate; (1) start authentication]

Slide 118

Slide 118 text

Retrieving the Certificate:
    val ks = KeyStore.getInstance("AndroidKeyStore")   // slide passed KEY_ALGORITHM_EC as the keystore type, which is not a valid type
    ks.load(null)
    val certificate = ks.getCertificate("authN_key")   // getCertificateChain("authN_key") returns the full chain up to the attestation root
    val signedPubKey = Base64.encodeToString(certificate.encoded,
        Base64.NO_WRAP or Base64.NO_PADDING)

Slide 119

Slide 119 text

Registration Response:
    [{
      "assertions": [{
        "assertion": "attestationInByteArray",
        "assertionScheme": "UAFV1TLV"
      }],
      "fcParams": "finalHash",
      "header": {
        "appID": "https://hoge.com/SampleApp/uaf/facets",
        "op": "Reg",
        "serverData": "xxxxxxxxxxxxxxxx",
        "upv": { "major": 1, "minor": 1 }
      }
    }]

Slide 120

Slide 120 text

Registration Response [Diagram: (9) Verify Cert by Attestation pub Key provided by FIDO Alliance]
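Step (7) and step (9) of the registration flow in runnable form, as an added example that is not from the slides, from Android, or from any FIDO server: an attestation root signs the freshly generated AuthN public key into an X.509 certificate, and the relying party accepts that key only if the certificate chains to an attestation root it trusts. A certificate that chains to anything else proves nothing about where the key lives. Written in Go for its standard-library x509; AttestationRoot, IssueAuthNCert and VerifyAuthNCert are names chosen for this illustration, and the Android-specific attestation extension (the challenge and device properties) is not parsed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AttestationRoot models the attestation key pair: the private half is injected into the TEE
// at manufacture, the certificate is what the relying party holds as its trust anchor.
type AttestationRoot struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func NewAttestationRoot(name string) (*AttestationRoot, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &AttestationRoot{Key: key, Cert: cert}, nil
}

// IssueAuthNCert is step (7): the TEE signs the AuthN public key with the attestation private
// key, producing the certificate the app later reads back from the KeyStore.
func (r *AttestationRoot) IssueAuthNCert(authNPub *ecdsa.PublicKey, packageName string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "authN_key", OrganizationalUnit: []string{packageName}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, r.Cert, authNPub, r.Key)
}

// VerifyAuthNCert is step (9): accept the AuthN public key only if its certificate chains to
// one of the trusted attestation roots; on success the attested key is returned for registration.
func VerifyAuthNCert(certDER []byte, trustedRoots ...*x509.Certificate) (*ecdsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("attested key is not an EC public key")
	}
	return pub, nil
}

func main() {
	vendorRoot, _ := NewAttestationRoot("Vendor attestation root")
	authNKey, _ := newKey()
	certDER, _ := vendorRoot.IssueAuthNCert(&authNKey.PublicKey, "com.ken5scal.ex")
	_, err := VerifyAuthNCert(certDER, vendorRoot.Cert)
	fmt.Println("chains to trusted root:", err == nil)
	otherRoot, _ := NewAttestationRoot("Unrelated root")
	_, err = VerifyAuthNCert(certDER, otherRoot.Cert)
	fmt.Println("chains to unrelated root:", err == nil)
}
```

On a real device the chain read back with getCertificateChain has intermediate certificates between the leaf and the root; cert.Verify takes those through VerifyOptions.Intermediates, and the trust anchors come from the hardware vendor or the FIDO metadata rather than being generated locally as they are here.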

Slide 121

Slide 121 text

Revisiting: Protecting the Private Key - Is it stored in a safe manner? - How to verify the storing method - Lost/changed device [Diagram label: Private Key for AuthN]

Slide 122

Slide 122 text

AuthN for Android Summary

Slide 123

Slide 123 text

FIDO UAF for Android Summary - 2FA by default - Use the Authenticator to authN the user locally - Send a signed verification over the network (AuthN the device remotely) - Protecting the private key - TEE - Key Attestation

Slide 124

Slide 124 text

No content

Slide 125

Slide 125 text

Is API Protected?

Slide 126

Slide 126 text

Not Yet

Slide 127

Slide 127 text

No such thing as 100% risk free

Slide 128

Slide 128 text

Keep Protecting

Slide 129

Slide 129 text

Thank You!