Slide 1

Slide 1 text

JULIA POTAPENKO SECURE AUTHENTICATION ARE YOU SURE YOU DO IT RIGHT?

Slide 2

Slide 2 text

JULIA POTAPENKO. Security Software Engineer at Cossack Labs with a background in iOS app development. Mobile/Security Lead at WWCodeKyiv. Chapter Leader of OWASP Zhytomyr. @julepka

Slide 3

Slide 3 text

WE WILL TALK ABOUT
★ Security as a part of the development process
★ Standards for secure authentication
★ Common auth mistakes in iOS apps

Slide 4

Slide 4 text

SDLC – SOFTWARE DEVELOPMENT LIFE CYCLE: Requirements definition, Design, Development, Testing, Deployment, Maintenance. “You are here”

Slide 5

Slide 5 text

SDLC – SOFTWARE DEVELOPMENT LIFE CYCLE: Requirements definition, Design, Development, Testing, Deployment, Maintenance. “You are here”. “MVP IN ONE MONTH”, “WE HAVE NO TIME”, “DOCS WILL WAIT”, “WE ARE AGILE”

Slide 6

Slide 6 text

S-SDLC – SECURE SOFTWARE DEVELOPMENT LIFE CYCLE: Requirements definition, Design, Development, Testing, Deployment, Maintenance. “You are here”. Security training + security requirements + risk assessment + threat modeling + secure design review + secure coding + secure code review + security testing + pentest + responding to incidents

Slide 7

Slide 7 text

EXAMPLE. USER REGISTRATION 1. Enter phone number/email

Slide 8

Slide 8 text

EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP

Slide 9

Slide 9 text

EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP 3. Accept TC & PP

Slide 10

Slide 10 text

EXAMPLE. USER REGISTRATION
1. Enter phone number/email
2. Enter OTP
3. Accept TC & PP
INVEST IN SECURITY AWARENESS

Slide 11

Slide 11 text

RISKS
• Legal responsibility
• Reputation risks
• Competitors
IT IS NOT ONLY ABOUT HACKERS
http://www.enforcementtracker.com/

Slide 12

Slide 12 text

“THE PROBLEM IS NOT ON OUR SIDE”

Slide 13

Slide 13 text

STANDARDS
Apple Platform Security Guide
OWASP MASVS & MSTG
OWASP SAMM
MITRE CVE List
NIST Standards
OWASP Mobile Top 10

Slide 14

Slide 14 text

OWASP MASVS (Mobile Application Security Verification Standard)
• ARCHITECTURE, DESIGN AND THREAT MODELING
• DATA STORAGE AND PRIVACY
• CRYPTOGRAPHY
• AUTHENTICATION AND SESSION MANAGEMENT
• NETWORK COMMUNICATION
• ENVIRONMENTAL INTERACTION
• CODE QUALITY AND BUILD SETTINGS
• RESILIENCY AGAINST REVERSE ENGINEERING
https://github.com/OWASP/owasp-masvs

Slide 15

Slide 15 text

MASVS V4 Authentication and Session Management

Slide 16

Slide 16 text

SECURE AUTHENTICATION – LEVEL 1 – BASICS
• User authentication before accessing remote resources
• Authentication is enforced by the remote endpoint
• Secure session ID and access token
• Access tokens should expire
• Logout
• Password policy
• Throttling

Slide 17

Slide 17 text

JWT TOKEN EXAMPLE https://jwt.io/

Slide 19

Slide 19 text

LEVEL 2 DEFENCE-IN-DEPTH

Slide 20

Slide 20 text

LEVEL 2 – BIOMETRICS UNLOCKING KEYCHAIN
OWASP MASVS 4.8: Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain.

Slide 21

Slide 21 text

import LocalAuthentication

let context = LAContext()
let reason = "Log in to your account"
context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
    if success {
        // Move to the main thread because a state update triggers UI changes.
        DispatchQueue.main.async { [unowned self] in
            self.state = .loggedin
        }
    } else {
        print(error?.localizedDescription ?? "Failed to authenticate")
        // Fall back to asking for username and password.
        // ...
    }
}
https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

Slide 22

Slide 22 text

WARNING (the same evaluatePolicy code as on slide 21)

Slide 23

Slide 23 text

WHAT DOES THE CODE LOOK LIKE IN A DISASSEMBLER?

Slide 24

Slide 24 text

let access = SecAccessControlCreateWithFlags(
    nil, // Use the default allocator.
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    .userPresence,
    nil) // Ignore any error.

Slide 25

Slide 25 text

let access = SecAccessControlCreateWithFlags(
    nil, // Use the default allocator.
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    .biometryCurrentSet, // instead of .userPresence
    nil) // Ignore any error.
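To show the keychain-bound pattern from slides 20 to 25 end to end, here is an added example (not code from the talk or from Apple's sample): a session token is stored behind `.biometryCurrentSet` and read back through an `LAContext`, so the app never holds a `success` boolean that could be patched; it simply has no data until the biometric check passes. The service and account names are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example, not from the slides. Service/account names are hypothetical.
let service = "com.example.app"
let account = "session-token"

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

// Store the token behind .biometryCurrentSet: the keychain releases it only
// after the currently enrolled biometrics match, and any enrolment change
// (a new finger or face added) makes the old item unreadable.
func storeToken(_ token: Data) -> OSStatus {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet, &error) else { return errSecParam }
    SecItemDelete(baseQuery() as CFDictionary)      // replace any old token
    var query = baseQuery()
    query[kSecAttrAccessControl as String] = access
    query[kSecValueData as String] = token
    return SecItemAdd(query as CFDictionary, nil)
}

// Read the token. Unlike evaluatePolicy there is no `success` flag to flip in
// the binary: the app never sees the data unless the biometric check passed.
func loadToken(reason: String) -> Result<Data, NSError> {
    let context = LAContext()
    context.localizedReason = reason                 // prompt text
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecUserCanceled / errSecAuthFailed, or errSecItemNotFound after
        // an enrolment change: fall back to the remote login, never to a
        // locally cached "logged in" state.
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
    return .success(data)
}
```

A failed `loadToken` is the signal to send the user back through the remote endpoint's authentication, which is what MASVS 4.8 is asking for.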

Slide 26

Slide 26 text

LEVEL 2 – 2FA
OWASP MASVS 4.9: A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.

Slide 27

Slide 27 text

AUTH FACTORS
2FA – TWO-FACTOR AUTHENTICATION
• Something you know (password, PIN, OTP)
• Something you have (phone, SIM card, USB token)
• Something you are: something physically unique to you (fingerprint)
2SV – TWO-STEP VERIFICATION

Slide 28

Slide 28 text

2SV FLOW

Slide 31

Slide 31 text

https://www.mayurpahwa.com/2019/01/digital-signature.html
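The "something you have" factor from slide 27 together with the digital-signature link above, as an added example that is not from the talk: the device holds a Secure Enclave private key and proves possession by signing a random challenge, while the remote endpoint (MASVS 4.9) verifies the signature with the public key it stored at enrolment. The key tag is a hypothetical value; the server side is written in the same language only for brevity.

```swift
import Foundation
import Security

// Added example, not from the slides. The key tag is a hypothetical value.
let keyTag = "com.example.app.device-key".data(using: .utf8)!

// Enrolment: create a P-256 key inside the Secure Enclave. The private key
// never leaves the chip, so the factor is bound to this physical device.
func makeDeviceKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .userPresence], &error) else {
        throw error!.takeRetainedValue()
    }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access]]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return key
}

// Second step of the login: sign the server's random challenge (ECDSA/SHA-256).
func sign(challenge: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                          challenge as CFData, &error) else {
        throw error!.takeRetainedValue()
    }
    return sig as Data
}

// Remote endpoint: verify against the public key stored at enrolment
// (SecKeyCopyPublicKey at that time). The challenge must be fresh and
// single-use, otherwise a captured signature could be replayed.
func verify(challenge: Data, signature: Data, publicKey: SecKey) -> Bool {
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 challenge as CFData, signature as CFData, nil)
}
```

Because the user-presence flag is on the key's access control, each signature also requires the device owner to approve it, which keeps the second factor tied to a person as well as to hardware.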

Slide 33

Slide 33 text

LEVEL 2 – STEP-UP AUTH
OWASP MASVS 4.10: Sensitive transactions require step-up authentication.

Slide 34

Slide 34 text

LEVEL 2 – TRACK LOGIN ACTIVITY
OWASP MASVS 4.11: The app informs the user of all login activities with their account. Users are able to view a list of devices used to access the account, and to block specific devices.

Slide 35

Slide 35 text

FINAL THOUGHTS

Slide 36

Slide 36 text

WHERE TO GO NEXT
OWASP MSTG – Testing Local Authentication: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
Apple Platform Security Guide: https://support.apple.com/en-gb/guide/security/welcome/web
WWDC 14 – Keychain and Authentication with Touch ID: https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
David Lindner – Don’t Touch Me That Way: https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html

Slide 37

Slide 37 text

THANK YOU! @julepka