Posted 08-Jul-2015 by ca-api-management
Reconciling Mobile UX and Security: An API Management Perspective
Francois Lascelles
Chief Architect, Layer 7 Technologies
@flascelles
Layer 7 Confidential 2
Mobile UX matters
(chart: UX vs. adoption)
Security too
Most businesses probably had a mobile security incident in the past year.
Securing corporate information cited as the greatest BYOD challenge (67%).
Source: The Impact of Mobile Devices on Information Security: A Survey of IT Professionals, Dimensional Research, June 2013
"Securing [data]-to-mobile is my top concern" (everybody, all the time; compliance)
Secure what?
- MDM: protect data at rest
- API management: protect the data source / data in motion
(diagram: mobile browser and any other app reaching the Web and APIs)
UX Disruptors
Key defensive techniques, such as user authentication, disrupt UX.
The impact on user experience is more severe on mobile devices.
Compounding factors:
- Challenge frequency
- Number of secrets
- Secret complexity
Reconciling UX and Security
(diagram: "Identify yourself" vs. "Show me my data")
Implants?
- Not mobile enough
(labels: HSM, NFC)
Authentication Context Lifespan
Shorter token lifespan
- More secure
Longer token lifespan
- Better UX
Complexity vs. Frequency
- Parallel sessions with varying secret complexity
- Risk assessment-determined challenge
Biometrics
Great alternative to PIN
- Fingerprint, voice, ...
Client-side unlocking of long-lived auth context
- Client-side policy
Multi-factor
- API-side validation
Elevated, Risk-Based Authentication
Stronger security does not necessarily mean less UX
- Auth only elevated when it counts most ... (and is expected)
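Slides 8, 9 and 11 together describe a policy: parallel authentication contexts backed by secrets of different complexity, with the weaker secret living longer and the stronger one demanded only when an operation (or a risk signal) calls for it. The following added example models that policy; it is not from the deck or from Layer 7, and the secret kinds, lifespans and per-operation levels are constructed values.

```python
from dataclasses import dataclass, field

# Constructed assurance levels: a low-complexity secret (PIN) backs a long-lived
# context (better UX), the full password a short-lived one (more secure).
SECRET_LEVEL = {"pin": 1, "password": 2}
LIFESPAN = {1: 30 * 24 * 3600, 2: 15 * 60}   # seconds, constructed values
# Constructed per-operation policy: the assurance level each API call needs.
REQUIRED_LEVEL = {"read_balance": 1, "transfer_funds": 2}
MAX_LEVEL = max(SECRET_LEVEL.values())

@dataclass
class AuthContexts:
    """Parallel sessions on one device, keyed by assurance level."""
    established: dict = field(default_factory=dict)   # level -> time of last challenge

    def authenticate(self, secret_kind: str, now: int) -> None:
        self.established[SECRET_LEVEL[secret_kind]] = now

    def current_level(self, now: int) -> int:
        """Highest assurance level whose context has not yet expired."""
        live = [lvl for lvl, t in self.established.items() if now - t < LIFESPAN[lvl]]
        return max(live, default=0)

def decide(ctx: AuthContexts, operation: str, now: int, risk_signal: bool = False) -> str:
    """Return 'allow' or 'challenge:<secret>'. The user is challenged only when
    the operation (or a risk signal such as an unusual device) needs more
    assurance than the live contexts provide, and then with the weakest secret
    that suffices, so routine calls ride the long-lived context unchallenged."""
    need = min(REQUIRED_LEVEL[operation] + (1 if risk_signal else 0), MAX_LEVEL)
    if ctx.current_level(now) >= need:
        return "allow"
    secret = min((k for k, v in SECRET_LEVEL.items() if v >= need), key=SECRET_LEVEL.get)
    return f"challenge:{secret}"
```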
Single sign-on challenge: Mobile App Isolation
- Mobile web: one user-agent reaches Webapp 1, Webapp 2 and Webapp 3, sharing cookies per cookie domain (cookie domain A, cookie domain B)
- Mobile apps: App A, App B and App C each hold their own access token (access token 1, 2, 3) for API 1, API 2 and API 3 (can be different parties)
Shared Authentication Context
Client-side platforms allow applications within a domain (signed by a common developer key) to access a common key chain.
This allows them to share an authentication context.
(diagram: App A and App B with separate key chains KC A and KC B, versus App A and App B with a shared key chain)
Standard: Federated access token grants
App gets an access token in exchange for another token
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
Lets apps leverage an authentication context without disturbing UX
(diagram: the client app calls the API provider's token endpoint with proof of authentication and gets back an access token)
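The JWT Bearer grant exchange above, written out for both sides as an added example (not code from the deck or from Layer 7): the client app builds a signed assertion and the token request, and the API provider's token endpoint verifies signature, issuer, audience and expiry before issuing an access token. The issuer URL, token endpoint URL and HMAC key are constructed for the example; a real deployment would typically verify an asymmetric signature from the identity provider instead.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode

# Constructed values: a key shared between the issuer of the proof of
# authentication and the API provider's token endpoint, and hypothetical URLs.
ISSUER = "https://idp.example.com"                      # hypothetical
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"  # hypothetical, used as aud
HMAC_KEY = b"constructed-shared-secret-for-this-example"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(subject: str, now: int, ttl: int = 300) -> str:
    """Client app: HS256 JWT proving the user already authenticated."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": ISSUER, "sub": subject, "aud": TOKEN_ENDPOINT,
                                "iat": now, "exp": now + ttl,
                                "jti": secrets.token_hex(8)}).encode())
    sig = hmac.new(HMAC_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def build_token_request(assertion: str, scope: str) -> str:
    """Client app: form body POSTed to the token endpoint (RFC 7523 grant)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def token_endpoint(body: str, now: int) -> dict:
    """API provider: verify signature, issuer, audience and expiry of the
    assertion, then issue a short-lived access token; otherwise an OAuth error."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        header, claims, sig = form["assertion"].split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":  # reject alg confusion
            return {"error": "invalid_grant"}
        expected = hmac.new(HMAC_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return {"error": "invalid_grant"}
        body_claims = json.loads(unb64url(claims))
    except (KeyError, ValueError):      # missing field, bad base64/JSON, wrong shape
        return {"error": "invalid_grant"}
    if (body_claims.get("iss") != ISSUER or body_claims.get("aud") != TOKEN_ENDPOINT
            or body_claims.get("exp", 0) <= now):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 900, "scope": form.get("scope", ""), "sub": body_claims.get("sub")}
```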
Mobile App Domain
Across a group of apps
- Consistent auth UX
- Single sign-on
Does not cover "3rd party" apps
3rd Party Mobile SSO
Client-side redirections and callback
- App registers a URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app
Step 1 (switch to App A): openURL AppA://something?callback=AppB://somethingelse
Step 2 (return to App B): openURL AppB://somethingelse?arg=that_thing_you_need
App-to-app redirection limitations, risks
Unverified URL schemes open the possibility of an "app-in-the-middle" attack
Apple: "If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."
App Wrapping
Single sign-on across mobile apps normally requires the active participation of each app
- Wrapping an app can compensate for a 3rd party app's lack of awareness
Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context
- On the API side, federation still requires active participation, or the API calls themselves need to be redirected
(diagram: 3rd party app, App A and App B sharing an auth context; 3rd party API?)
API-Side Brokering
Federating with a 3rd party can also be achieved at the API side
- API broker maps the domain identity to the 3rd party identity (domain ID <> 3rd party ID)
(diagram: user@corp on the domain side, corp@sp on the service provider side)
Mobile app/API solution components
Client-side framework:
- Secure API invocation libs
  - User prompts, redirections
  - Handshake
  - Share auth context
  - Biometrics integration
  - PKI/MDM integration
Edge API/OAuth GW:
- API routing
- API brokering
- OAuth endpoints
  - Access token issuing
  - OpenID Connect
Backend data/identity:
- Protected endpoints
- Identity infrastructure
Enabling the Mobile Application Developer
- API discovery
- App registration
- API key provisioning
- Client-side libraries
Layer 7 Mobile Access Gateway 2.0
Mobile API Delivery
• Secure mobile endpoint
• Manage permissions across users, devices, apps
• Integration, scaling
Access Control, UX
• Mobile PKI provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
Increased Developer Velocity
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options
Thank you
For more information:
• http://www.layer7.com/products/mobile-access-gateway
• http://www.layer7.com/solutions/mobile-access-solutions-overview