Authentication CS 4720 Mobile Application Development CS 4720 - - PowerPoint PPT Presentation

CS 4720

Authentication

CS 4720 – Mobile Application Development

CS 4720

System Security

2

• Human: social engineering attacks
• Physical: “steal the server itself”
• Network: treat your server like a 2 year old
• Operating System: the war continues
• Application: just discussed
• Database: protecting the data

CS 4720

Application Level Security

• Refers to security safeguards built into a

particular application and operate independently from the network level security

• Authentication
• Authorization
• Integrity / Confidentiality
• Non-repudiation / Auditing

3

CS 4720

Authentication

• Verifying that the requester is the requester…
• … and that the service is the service
• This requires a mechanism of “proof of

identity”

• What are some ways accomplish this?
• Username / password
• Signed Certificates
• Authentication Applications

4

CS 4720

Authorization

• Now that we know who you are, what are you

allowed to do?

• Permissions
• Role-based security
• How does this work in a database system?
• How about an operating system?

5

CS 4720

Integrity / Confidentiality

• What happens if a message is:

– Captured and reused? – Captured and modified? – Monitored as is passes by in a passive manner?

• How do we verify a message hasn’t been

tampered with?

– Digital signature

• How do we verify it hasn’t been viewed?

– Encryption

6

CS 4720

Non-repudiation / Auditing

• When we’re charging to use a web service,

how do we prove you used the service so we can charge you?

• How do we track your activities?
• Digitally signed logs, effectively
• Also saves the certificate used to perform the

transaction (like a signature on a receipt)

7

CS 4720

User Management

• Integrity / Confidentiality and Non-repudiation

/ Auditing are good things to consider for more complex apps, but probably don’t apply to your current projects

• Most of you, however, want to have users

login and be able to do different things

• So Authentication and Authorization are

important

8

CS 4720

User Management

• Let’s assume the simplest case – you want to

have people login to your app

• Options?

– You could have local accounts coded in the app – Create usernames and passwords (we can do this in Firebase pretty easily, but you can also build your own webservice) – Use a third-party service for authentication (such as Google, Facebook, GitHub, etc.)

9

CS 4720

Local Accounts

• There may be good reasons to do something

like this

• Accounts stored in core data or a flat text file
• You can create your own API
• Good for multiple users on one device…
• … but this is mobile, so how often does that

happen?

10

CS 4720

Build A Webservice

• You can probably imagine a service that you

could make using a database and Flight (or something else) that can return an authorization message if a username and password is correct

• In this instance, users would still have to create

accounts (or have them created for them), but you would have control

11

CS 4720

Use an Authentication Service

• We have probably all used one of the following

to login to something OTHER than that service:

– Google – Facebook – Twitter – GitHub

• Even Netbadge!
• How do these work?
• Let’s start with Netbadge

12

CS 4720

Netbadge Login System

• Netbadge (or more

accurately, PubCookie or Shiboleth)

• http://www.pubcoo

kie.org/docs/how- pubcookie- works.html

13

CS 4720

OAUTH2

• The industry standard for this sort of token

authentication is OAUTH2

• It is used in some form by all of the major login

systems mentioned above

• APIs can be slightly different, but the overall

idea is the same

• It looks similar to Netbadge, with a few more

steps

14

CS 4720

OAUTH2 Diagrams

• http://tutorials.jenkov.com/oauth2/overview.h

tml

• https://developer.android.com/training/id-

auth/authenticate.html

• http://brentertainment.com/oauth2/

15

CS 4720

Example Code

• https://github.com/googlesamples/google-

services/tree/master/android/signin

16

CS 4720

Authorization

• Now that you know who the user is, what do

they have the ability to do?

• OAUTH2 can do some of this

– Part of the protocol is to respond with a permission set – Useful if you want an app to login to Google and

• nly have access to certain things

– These things are noted when the login occurs

17

CS 4720

Authorization

• In your apps, you will most likely have user

groups

• Every user is given a certain set of permissions

based upon their grouping

– Such as student, faculty, admin, etc.

• Permissions for each group are hardcoded into

the app

• Which group a user belongs to can be stored in

a few different places

18

CS 4720

Authorization

• Example:

– Menu ordering app – Customer user logs in and gets a screen to add items to cart – Server logs in and gets a list of tables they are serving – Cook logs in and gets a list of orders to prepare

• Same login page and system but different

functionalities are available

19

CS 4720

Mobile Security

• Questions to ask yourself as a developer:

– Is the mobile backend as secure as the app itself? – Is data encrypted whenever and wherever it’s stored? – Does the app use HTTPS encryption – and enforce it? – Has the app binary been scrubbed of sensitive information? – Have steps been taken to thwart reverse engineering and analysis?

20

CS 4720

Mobile Security

• What are the “bad guys” after?

21

CS 4720

Mobile Security

• Personal data stored on the device

– Not just name and address! – Passwords – Confidential documents – Financial information

• Sensor data

– GPS location (to track people) – Microphone / Camera (espionage)

• False installs (for ad hits, for instance)

22