Slide 1

Slide 1 text

OWASP MSTG: WHEN AUTHENTICATION GOES WRONG. JULIA POTAPENKO, COCOAHEADS, 10 MAY 2019

Slide 2

Slide 2 text

JULIA POTAPENKO ⭐ iOS Software Engineer ⭐ Mobile Lead at Women Who Code Kyiv ⭐ Org Team Member of OWASP Zhytomyr

Slide 3

Slide 3 text

TODAY WE WILL TALK ABOUT AUTHENTICATION: WHAT SHOULD BE DONE (OWASP MASVS) AND WHAT CAN BE BROKEN (OWASP MSTG)

Slide 5

Slide 5 text

WHAT IS OWASP? OWASP (Open Web Application Security Project) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. (wikipedia.org)

Slide 8

Slide 8 text

WHEN AUTHENTICATION GOES WRONG. EXAMPLE: USER REGISTRATION
1. Enter phone number
2. Enter OTP
3. Accept TC & PP (Terms & Conditions and Privacy Policy)

Slide 9

Slide 9 text

WHAT IS OWASP MASVS? MASVS (Mobile Application Security Verification Standard): https://github.com/OWASP/owasp-masvs
WHAT IS OWASP MSTG? MSTG (Mobile Security Testing Guide): https://github.com/OWASP/owasp-mstg

Slide 10

Slide 10 text

OWASP MASVS. MASVS (Mobile Application Security Verification Standard)
• ARCHITECTURE, DESIGN AND THREAT MODELING
• DATA STORAGE AND PRIVACY
• CRYPTOGRAPHY
• AUTHENTICATION AND SESSION MANAGEMENT
• NETWORK COMMUNICATION
• ENVIRONMENTAL INTERACTION
• CODE QUALITY AND BUILD SETTINGS
• RESILIENCY AGAINST REVERSE ENGINEERING

Slide 11

Slide 11 text

OWASP MSTG. MSTG (Mobile Security Testing Guide): A COMPREHENSIVE MANUAL FOR MOBILE APP SECURITY TESTING AND REVERSE ENGINEERING. IT DESCRIBES TECHNICAL PROCESSES FOR VERIFYING THE CONTROLS LISTED IN THE OWASP MOBILE APPLICATION VERIFICATION STANDARD (MASVS).

Slide 12

Slide 12 text

MASVS LEVELS

Slide 18

Slide 18 text

MASVS. AUTHENTICATION. LEVEL 1. Description
4.1 If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.
4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.
4.4 The remote endpoint terminates the existing session when the user logs out.
4.5 A password policy exists and is enforced at the remote endpoint.
4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.
4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

Slide 19

Slide 19 text

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain.

Slide 20

Slide 20 text

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.

Slide 21

Slide 21 text

MASVS. AUTHENTICATION. LEVEL 2. Description 4.8 Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain. 4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. 4.10 Sensitive transactions require step-up authentication.

Slide 22

Slide 22 text

MASVS. AUTHENTICATION. LEVEL 2. Description
4.8 Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain.
4.9 A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.
4.10 Sensitive transactions require step-up authentication.
4.11 The app informs the user of all login activities with their account. Users are able to view a list of devices used to access the account, and to block specific devices.

Slide 23

Slide 23 text

OWASP MSTG. AUTHENTICATION
• Basic:
  • Something the user knows: password, PIN, pattern, etc.
  • Something the user has: SIM card, OTP (one-time password) generator, hardware token, etc.
  • A biometric property: fingerprint, retina, voice, etc.
• 2FA (2-Factor Authentication):
  • OTP by SMS or phone call
  • Hardware or software token
  • Push notifications in combination with PKI (public key infrastructure) and local authentication
• Supplementary Authentication:
  • Geolocation
  • IP address
  • Time of the day
  • Device ID

Slide 26

Slide 26 text

WHEN AUTHENTICATION GOES WRONG. EXAMPLE: BANKING APP, FIRST-TIME LOGIN
1. Enter phone number
2. Enter OTP
3. Use biometrics

Slide 27

Slide 27 text

OWASP MSTG. OTP BY SMS CONCERNS
• Wireless Interception
• SIM SWAP Attack
• Verification Code Forwarding Attack
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md

Slide 28

Slide 28 text

WHEN AUTHENTICATION GOES RIGHT EXAMPLE. BANKING APP. FIRST TIME LOGIN Enter username and password ✅

Slide 29

Slide 29 text

WHEN AUTHENTICATION GOES RIGHT EXAMPLE. BANKING APP. FIRST TIME LOGIN Enter username and password Enter card expiration date ✅

Slide 30

Slide 30 text

WHEN AUTHENTICATION GOES RIGHT. EXAMPLE: BANKING APP, FIRST-TIME LOGIN
1. Enter username and password
2. Use biometrics
3. Enter card expiration date ✅

Slide 35

Slide 35 text

OWASP MSTG. TRANSACTION SIGNING
• Client generates public and private keys on user registration, registers the public key with the backend, and saves the private key to the Keychain.
• Backend sends transaction data to the client to be authorized.
• Client unlocks the Keychain, gets the private key, signs the transaction and sends it back to the backend.
• Backend verifies it with the public key.

Slide 36

Slide 36 text

OWASP MSTG. THINGS TO CHECK
• Check with the backend:
  • Login throttling
  • Session management
  • Access and refresh tokens
  • JWT
  • Login activity and blocking
• Check on the client:
  • Secure token storage
  • Access and refresh token handling
  • Proper error handling

Slide 38

Slide 38 text

LOCAL AUTHENTICATION. TOUCH/FACE ID
Local authentication should always be enforced at a remote endpoint or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process.
TOUCH ID EXAMPLE: David Linder, "Don’t Touch Me That Way", https://youtu.be/XhXIHVGCFFM
• Don’t:
  • Rely on bool output
  • Forget to configure Touch ID
• Do:
  • Use Touch ID to get data from the Keychain
  • Combine it with the user password

Slide 39

Slide 39 text

OWASP MOBILE TOP 10
M1. Improper platform usage
M2. Insecure data storage
M3. Insecure communication
M4. Insecure authentication
M5. Insufficient cryptography
M6. Insecure authorization
M7. Client code quality
M8. Code tampering
M9. Reverse engineering
M10. Extraneous functionality
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

Slide 41

Slide 41 text

AND REMEMBER: ULTIMATELY, THE REVERSE ENGINEER ALWAYS WINS. THANK YOU!