Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Authentication. Are you sure you do it r...

Julia Mezher
November 19, 2020

Secure Authentication. Are you sure you do it right?

Julia Mezher

November 19, 2020
Tweet

More Decks by Julia Mezher

Other Decks in Programming

Transcript

  1. JULIA POTAPENKO Security Software Engineer at Cossack Labs with background

    in iOS app development Mobile/Security Lead at WWCodeKyiv Chapter Leader of OWASP Zhytomyr @julepka
  2. WE WILL TALK ABOUT ★ Security as a part of

    development process ★ Standards for secure authentication ★ Common auth mistakes in iOS apps
  3. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here MVP IN ONE MONTH WE HAVE NO TIME DOCS WILL WAIT WE ARE AGILE
  4. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

    Deployment Maintenance You are here S- SECURE Security training + security requirement + risk assessment + threat modeling + secure design review + secure coding + secure code review + security testing + pentest + responding to incidents
  5. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP

    3. Accept TC & PP INVEST IN SECURITY AWARENESS
  6. RISKS • Legal Responsibility • Reputation Risks • Competitors IT

    IS NOT ONLY ABOUT HACKERS http://www.enforcementtracker.com/
  7. STANDARDS Apple Platform Security Guide OWASP MASVS & MSTG OWASP

    SAMM MITRE CVE List NIST Standards OWASP Mobile Top 10
  8. OWASP MASVS MASVS (Mobile Application Security Verification Standard) • ARCHITECTURE,

    DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING https://github.com/OWASP/owasp-masvs
  9. SECURE AUTHENTICATION – LEVEL 1 – BASICS • User authentication

    before accessing remote resources • Authentication is enforced by the remote endpoint • Secure session ID and access token • Access token should expire • Logout • Password policy • Throttling
  10. OWASP MASVS 4.8 BIOMETRIC AUTHENTICATION, IF ANY, IS NOT EVENT-BOUND

    (I.E. USING AN API THAT SIMPLY RETURNS "TRUE" OR "FALSE"). INSTEAD, IT IS BASED ON UNLOCKING THE KEYCHAIN. LEVEL 2 BIOMETRICS UNLOCKING KEYCHAIN
  11. let reason = "Log in to your account" context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason:

    reason ) { success, error in if success { // Move to the main thread because a state update triggers UI changes. DispatchQueue.main.async { [unowned self] in self.state = .loggedin } } else { print(error?.localizedDescription ?? "Failed to authenticate") // Fall back to a asking for username and password. // ... } } https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
  12. let reason = "Log in to your account" context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason:

    reason ) { success, error in if success { // Move to the main thread because a state update triggers UI changes. DispatchQueue.main.async { [unowned self] in self.state = .loggedin } } else { print(error?.localizedDescription ?? "Failed to authenticate") // Fall back to a asking for username and password. // ... } } https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id WARNING
  13. OWASP MASVS 4.9 A SECOND FACTOR OF AUTHENTICATION EXISTS AT

    THE REMOTE ENDPOINT AND THE 2FA REQUIREMENT IS CONSISTENTLY ENFORCED. LEVEL 2 2FA
  14. 2FA - TWO FACTOR AUTHENTICATION • Something you know (password,

    PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS
  15. 2FA - TWO FACTOR AUTHENTICATION • Something you know (password,

    PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS
  16. 2FA - TWO FACTOR AUTHENTICATION • Something you know (password,

    PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS
  17. OWASP MASVS 4.11 THE APP INFORMS THE USER OF ALL

    LOGIN ACTIVITIES WITH THEIR ACCOUNT. USERS ARE ABLE VIEW A LIST OF DEVICES USED TO ACCESS THE ACCOUNT, AND TO BLOCK SPECIFIC DEVICES. LEVEL 2 TRACK LOGIN ACTIVITY
  18. WHERE TO GO NEXT OWASP MSTG – Testing Local Authentication

    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md Apple Platform Security Guide https://support.apple.com/en-gb/guide/security/welcome/web WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/ 2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html