Secure authentication on mobile application

I'm looking for a way to authenticate users of my mobile app in a secure way. The mobile app is a pure JS app, and is using the ionic framework (and so cordova). The app will only communicate with our server through REST API. Requirements are the following:

  • The mecanism has to rely on a standalone business account (ie link to Google, Facebook, or any other API is not an option.)
  • The application will be on public stores
  • Like a lot of mobile app (Gmail, Facebook, ...) that doesn't need as much security than bank applications, the user has to be automatically authenticated after a first login ("remember me" pattern)
  • What I've found:

  • Using of OAuth 2
  • OAuth 2 provide a long time token called "refresh token". I would like to use it with an expiration date setup to something like one year.

    However, it seems that there is no strong mecanism to protect that token. Indeed, as mention in Jamsheed Kamarudeen comment on that answer https://stackoverflow.com/a/7209263/863581, if the refresh token, client id and secret id are stolen (using sniffing or taking them directly from the device), the attacker will be able to have unlimited access to the user account... without any way, AFAIK, to know it's happening.

    Sniffing could be difficult because, obviously, all data will be sent through secure connection (SSL), but it's still possible and this has to be managed, from my point of view. Regarding the second kind of attack, "taking them directly from the device", every solution I've seen is about storing data (token or cookie) on either local storage or browser cookie (this post for example Using OAuth2 in HTML5 Web App). Even if the example from that post is advising to store a hash of the refresh token, I can't see what's the aim of that, because, as mention by Mati Cicero's comment, it will not stop the attacker to be able to retrieve an access token and have, in my case, an unlimited access to the user's account.

    Moreover, from what I can see, localstorage and cookies are too easy to read. Is that enough or should I use native secure storage of Android/iOS? Even native local storage seems to not be enough (https://github.com/phonegap/phonegap/wiki/Platform-Security).

  • Using of Spring security
  • The server side will be implemented thanks to Spring. The mecanism provided by Spring-security seems to be better than OAuth 2 regarding the remember me pattern (http://jaspan.com/improved_persistent_login_cookie_best_practice). However, as I have understood, the final user will not be able to login twice on the application (let's say, its personal mobile and its profesional one). I admit it's not a huge issue, but still, it's not perfect. Most important, at the end, we still have storage security issues regarding cookies/tokens.

    It's the first time I'm looking for security mecanism, so maybe I've misunderstood some mecanism, please let me know. However, I'm really surprised to see how difficult is it to find the right process. I'm sure it's a classic issue on all mobile applications, but I cannot find any right way to manage that issue.

    My question: as you can see above, I don't have found one secure mecanism to setup that "automatic login" process on a web mobile app. What should I setup? Do you have other mecanism than the ones I found to introduce me?


    Remember me consequences

    Your desire to have the "remember me" requirement means that (there is no way around it) the client will have some way to have all that's needed to connect to the server and be authenticated.

    to OAUTH or not

    OAUTH is nice, but if you're not going to trust the common providers, then why do all the overhead ? Just let them pick a password on your site in one go in that case and don;t bother with the back andforth way needed to do OAUTH.

    Now that said: why not trust the OAUTH providers ? the user trusted them, otherwise they would not pick them, and likely they'll use the same login and pasword everywhere anyway, so it doesn't really matter.

    SSL

    Getting the credentials by sniffing out of a properly configured SSL connection: you're way beyond what even the more advanced users like banks worry about. But do configure SSL properly on your server!

    A compromise on "remember me" ?

    What can you do to enhance the situation:

  • You can void the client's claim it's authenticated if your server notices the browser fingerprint changes, yet the session remains the same. This might happen due to badly configured proxies - but few of those are around anymore. And worst case the user has to log in again.

  • you can use making of IP address to GEO locations (country eg) and if you notice a change of country from the last connection without it being a re-authenticated connection: do not honor the remember me and demand a proper authentication.

  • Protect the cookies

  • You can store cookies in a browser as "secure": it means the browser will only send the cookie to the server if it is on an https connection

  • You can also set a cookie to be httponly: this makes the browser refuse access to the cookie from client side javascript (and all it'll do is send it to the server.

  • You can set both httponly and secure at the same time ... (that's what you want).


  • Whatever the technical solution you'll finally choose, the following stay true :

  • its not about mobile app, all client/server architecture is concerned
  • no manner to persist logins without security risk
  • the more secure way is to encrypt it on device
  • the only better way is the way that bank apps use: no persistance
  • however, two factor sigin is pretty secure too
  • there is no absolute answer to this question, it is just about making the best choice between these considerations and the needs of your app
  • EDIT

    About encryt the credentials

    About encryt the credentials, indeed, the code could be read, cause the issue isn't the crypto algorithm, but the private key to use. If you want to encrypt credentials, you have to implement an UI that permit the user to set a shema or pin code or any else secret to transform in private key to encrypt then decrypt the user credentials.

    But if the user lost its pin, you need to generate new credentials server-side to reset server-password then reset client-secret client side.


    One way to do is, you can store the private key and token encrypted, then the question will be, where to store the key. For that, if you are using cordova, you can simply make a plugin for cordova and store the keys there. At the start of the app, you can make a call to cordova to fetch the keys. Since the plugin is in native part, it will be compiled so it will give you more security.

    链接地址: http://www.djcxy.com/p/47950.html

    上一篇: Android刷新令牌

    下一篇: 移动应用程序的安全认证