Secure Authentication. Are you sure you do it right?

Transcript

1. JULIA POTAPENKO SECURE AUTHENTICATION ARE YOU SURE YOU DO IT

   RIGHT?

2. JULIA POTAPENKO Security Software Engineer at Cossack Labs with background

   in iOS app development Mobile/Security Lead at WWCodeKyiv Chapter Leader of OWASP Zhytomyr @julepka

3. WE WILL TALK ABOUT ★ Security as a part of

   development process ★ Standards for secure authentication ★ Common auth mistakes in iOS apps

4. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

   Deployment Maintenance You are here

5. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

   Deployment Maintenance You are here MVP IN ONE MONTH WE HAVE NO TIME DOCS WILL WAIT WE ARE AGILE

6. SDLC SOFTWARE DEVELOPMENT LIFE CYCLE Requirements definition Design Development Testing

   Deployment Maintenance You are here S- SECURE Security training + security requirement + risk assessment + threat modeling + secure design review + secure coding + secure code review + security testing + pentest + responding to incidents

7. EXAMPLE. USER REGISTRATION 1. Enter phone number/email

8. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP

9. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP

   3. Accept TC & PP

10. EXAMPLE. USER REGISTRATION 1. Enter phone number/email 2. Enter OTP

    3. Accept TC & PP INVEST IN SECURITY AWARENESS

11. RISKS • Legal Responsibility • Reputation Risks • Competitors IT

    IS NOT ONLY ABOUT HACKERS http://www.enforcementtracker.com/

12. “THE PROBLEM IS NOT ON OUR SIDE”

13. STANDARDS Apple Platform Security Guide OWASP MASVS & MSTG OWASP

    SAMM MITRE CVE List NIST Standards OWASP Mobile Top 10

14. OWASP MASVS MASVS (Mobile Application Security Verification Standard) • ARCHITECTURE,

    DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING https://github.com/OWASP/owasp-masvs

15. MASVS V4 Authentication and Session Management

16. SECURE AUTHENTICATION – LEVEL 1 – BASICS • User authentication

    before accessing remote resources • Authentication is enforced by the remote endpoint • Secure session ID and access token • Access token should expire • Logout • Password policy • Throttling

17. JWT TOKEN EXAMPLE https://jwt.io/

18. None

19. LEVEL 2 DEFENCE-IN-DEPTH

20. OWASP MASVS 4.8 BIOMETRIC AUTHENTICATION, IF ANY, IS NOT EVENT-BOUND

    (I.E. USING AN API THAT SIMPLY RETURNS "TRUE" OR "FALSE"). INSTEAD, IT IS BASED ON UNLOCKING THE KEYCHAIN. LEVEL 2 BIOMETRICS UNLOCKING KEYCHAIN

21. let reason = "Log in to your account" context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason:

    reason ) { success, error in if success { // Move to the main thread because a state update triggers UI changes. DispatchQueue.main.async { [unowned self] in self.state = .loggedin } } else { print(error?.localizedDescription ?? "Failed to authenticate") // Fall back to a asking for username and password. // ... } } https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

22. let reason = "Log in to your account" context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason:

    reason ) { success, error in if success { // Move to the main thread because a state update triggers UI changes. DispatchQueue.main.async { [unowned self] in self.state = .loggedin } } else { print(error?.localizedDescription ?? "Failed to authenticate") // Fall back to a asking for username and password. // ... } } https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id WARNING

23. WHAT THE CODE LOOKS LIKE IN DISASSEMBLER?

24. let access = SecAccessControlCreateWithFlags(nil, // Use the default allocator. kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,

    .userPresence, nil) // Ignore any error.

25. let access = SecAccessControlCreateWithFlags(nil, // Use the default allocator. kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,

    .userPresence, nil) // Ignore any error. .biometryCurrentSet

26. OWASP MASVS 4.9 A SECOND FACTOR OF AUTHENTICATION EXISTS AT

    THE REMOTE ENDPOINT AND THE 2FA REQUIREMENT IS CONSISTENTLY ENFORCED. LEVEL 2 2FA

27. 2FA - TWO FACTOR AUTHENTICATION • Something you know (password,

    PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS

28. 2SV FLOW

29. 2SV FLOW

30. 2FA - TWO FACTOR AUTHENTICATION • Something you know (password,

    PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS

31. https://www.mayurpahwa.com/2019/01/digital-signature.html

32. 2FA - TWO FACTOR AUTHENTICATION • Something you know (password,

    PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS

33. OWASP MASVS 4.10 SENSITIVE TRANSACTIONS REQUIRE STEP-UP AUTHENTICATION. LEVEL 2

    STEP-UP AUTH

34. OWASP MASVS 4.11 THE APP INFORMS THE USER OF ALL

    LOGIN ACTIVITIES WITH THEIR ACCOUNT. USERS ARE ABLE VIEW A LIST OF DEVICES USED TO ACCESS THE ACCOUNT, AND TO BLOCK SPECIFIC DEVICES. LEVEL 2 TRACK LOGIN ACTIVITY

35. FINAL THOUGHTS

36. WHERE TO GO NEXT OWASP MSTG – Testing Local Authentication

    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md Apple Platform Security Guide https://support.apple.com/en-gb/guide/security/welcome/web WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/ 2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html

37. THANK YOU! @julepka