Secure authentication on mobile application
I'm looking for a way to authenticate users of my mobile app in a secure way. The mobile app is a pure JS app, and is using the ionic framework (and so cordova). The app will only communicate with our server through REST API. Requirements are the following:
What I've found:
OAuth 2 provide a long time token called "refresh token". I would like to use it with an expiration date setup to something like one year.
However, it seems that there is no strong mecanism to protect that token. Indeed, as mention in Jamsheed Kamarudeen comment on that answer https://stackoverflow.com/a/7209263/863581, if the refresh token, client id and secret id are stolen (using sniffing or taking them directly from the device), the attacker will be able to have unlimited access to the user account... without any way, AFAIK, to know it's happening.
Sniffing could be difficult because, obviously, all data will be sent through secure connection (SSL), but it's still possible and this has to be managed, from my point of view. Regarding the second kind of attack, "taking them directly from the device", every solution I've seen is about storing data (token or cookie) on either local storage or browser cookie (this post for example Using OAuth2 in HTML5 Web App). Even if the example from that post is advising to store a hash of the refresh token, I can't see what's the aim of that, because, as mention by Mati Cicero's comment, it will not stop the attacker to be able to retrieve an access token and have, in my case, an unlimited access to the user's account.
Moreover, from what I can see, localstorage and cookies are too easy to read. Is that enough or should I use native secure storage of Android/iOS? Even native local storage seems to not be enough (https://github.com/phonegap/phonegap/wiki/Platform-Security).
The server side will be implemented thanks to Spring. The mecanism provided by Spring-security seems to be better than OAuth 2 regarding the remember me pattern (http://jaspan.com/improved_persistent_login_cookie_best_practice). However, as I have understood, the final user will not be able to login twice on the application (let's say, its personal mobile and its profesional one). I admit it's not a huge issue, but still, it's not perfect. Most important, at the end, we still have storage security issues regarding cookies/tokens.
It's the first time I'm looking for security mecanism, so maybe I've misunderstood some mecanism, please let me know. However, I'm really surprised to see how difficult is it to find the right process. I'm sure it's a classic issue on all mobile applications, but I cannot find any right way to manage that issue.
My question: as you can see above, I don't have found one secure mecanism to setup that "automatic login" process on a web mobile app. What should I setup? Do you have other mecanism than the ones I found to introduce me?
Remember me consequences
Your desire to have the "remember me" requirement means that (there is no way around it) the client will have some way to have all that's needed to connect to the server and be authenticated.
to OAUTH or not
OAUTH is nice, but if you're not going to trust the common providers, then why do all the overhead ? Just let them pick a password on your site in one go in that case and don;t bother with the back andforth way needed to do OAUTH.
Now that said: why not trust the OAUTH providers ? the user trusted them, otherwise they would not pick them, and likely they'll use the same login and pasword everywhere anyway, so it doesn't really matter.
SSL
Getting the credentials by sniffing out of a properly configured SSL connection: you're way beyond what even the more advanced users like banks worry about. But do configure SSL properly on your server!
A compromise on "remember me" ?
What can you do to enhance the situation:
You can void the client's claim it's authenticated if your server notices the browser fingerprint changes, yet the session remains the same. This might happen due to badly configured proxies - but few of those are around anymore. And worst case the user has to log in again.
you can use making of IP address to GEO locations (country eg) and if you notice a change of country from the last connection without it being a re-authenticated connection: do not honor the remember me and demand a proper authentication.
Protect the cookies
You can store cookies in a browser as "secure": it means the browser will only send the cookie to the server if it is on an https connection
You can also set a cookie to be httponly: this makes the browser refuse access to the cookie from client side javascript (and all it'll do is send it to the server.
You can set both httponly and secure at the same time ... (that's what you want).
Whatever the technical solution you'll finally choose, the following stay true :
EDIT
About encryt the credentials
About encryt the credentials, indeed, the code could be read, cause the issue isn't the crypto algorithm, but the private key to use. If you want to encrypt credentials, you have to implement an UI that permit the user to set a shema or pin code or any else secret to transform in private key to encrypt then decrypt the user credentials.
But if the user lost its pin, you need to generate new credentials server-side to reset server-password then reset client-secret client side.
One way to do is, you can store the private key and token encrypted, then the question will be, where to store the key. For that, if you are using cordova, you can simply make a plugin for cordova and store the keys there. At the start of the app, you can make a call to cordova to fetch the keys. Since the plugin is in native part, it will be compiled so it will give you more security.
链接地址: http://www.djcxy.com/p/47950.html上一篇: Android刷新令牌
下一篇: 移动应用程序的安全认证