
Balancing Mobile UX & Security: An API Management Perspective Presentation from Gartner Catalyst...

Date post: 08-Jul-2015
Description:
Chief Architect Francois Lascelles gave this presentation at Gartner Catalyst 2013. The user experience associated with mobile applications is a critical determinant of the adoption of the APIs that powers them. Mobile platforms and their public app stores create challenges when it comes to securing APIs consumed by mobile applications in such a way that does not require constant user prompts. This presentation will describe the challenge of providing positive UX patterns such as single sign-on on mobile platforms and explore API provider-side architectures enabling them.
Transcript
Page 1: Balancing Mobile UX & Security: An API Management Perspective Presentation from Gartner Catalyst 2013

Reconciling Mobile UX and Security: An API Management Perspective

Francois Lascelles

Chief architect

Layer 7 Technologies

@flascelles

Page 2

Layer 7 Confidential 2

Mobile UX matters

(Diagram: UX, Adoption)

Page 3

Security too

Most Businesses Probably Had a Mobile Security Incident in the Past Year

Securing corporate information cited as greatest BYOD challenge (67%)

The Impact of Mobile Devices on Information Security: A Survey of IT Professionals, Dimensional Research, June 2013

“Securing [data]-to-mobile is my top concern”

Everybody, all the time

Compliance

Page 4

Secure what?

MDM: protect data at rest

API Management: protect data source / data in motion

(Diagram: Mobile browser, Any other app, Web, APIs)

Page 5

UX Disruptors

Key defensive techniques, such as user authentication, disrupt UX

The impact on user experience is more severe on mobile devices

Compounding factors:

- Challenge frequency

- Number of secrets

- Secret complexity

Page 6

Reconciling UX and Security

Identify yourself

Show me my data

Page 7

Implants?

- Not mobile enough

HSM

NFC

Page 8

Authentication Context Lifespan

Shorter token lifespan

- More secure

Longer token lifespan

- Better UX

Page 9

Complexity vs. Frequency

Parallel sessions with varying secret complexity

Risk assessment-determined challenge

Page 10

Biometrics

Great alternative to PIN

- Fingerprint, Voice, …

Client-side unlocking of long-lived auth context

- Client-side policy

Multi-factor

- API-side validation

Page 11

Elevated, Risk-Based Authentication

Stronger security, not necessarily less UX

- Auth only elevated when it counts most … (and is expected)

Page 12

Single sign-on challenge: Mobile App Isolation

(Diagram, mobile web: one User-agent reaching Webapp 1, Webapp 2 and Webapp 3 through Cookie domain A and Cookie domain B; Domain A)

(Diagram, mobile apps: APP A with Access token 1, APP B with Access token 2, APP C with Access token 3, each calling API 1, API 2, API 3 (can be different parties); Domain A)

Page 13

Shared Authentication Context

Client side platforms allow applications within a domain (signed by a common developer key) to access a common key chain

This allows them to share an authentication context

(Diagram: App A with KC A and App B with KC B, versus App A and App B on a Shared Key Chain)

Page 14

Standard: Federated access token grants

App gets an access token in exchange for another token

- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]

- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]

Let apps leverage authentication context without disturbing UX

(Diagram: Client (App) sends the API Provider's Token endpoint an API call including proof of authentication, and gets back an access token)
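The JWT Bearer grant exchange on this slide, as an added example that is not part of the deck or of any Layer 7 product: the client side builds a signed assertion proving the user is already authenticated, and the API provider's token endpoint validates it (algorithm, signature, issuer, audience, expiry) before issuing an access token. The shared HS256 key, the issuer and the endpoint URL are constructed assumptions; a production deployment would sign with an asymmetric key as RFC 7523 describes.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values (assumptions): shared HMAC key between the assertion issuer
# and the token endpoint, plus the endpoint URL used as the assertion audience.
ASSERTION_KEY = b"constructed-shared-signing-key"
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(subject, issuer, audience, key, now, ttl=300):
    """Client side: build a short-lived HS256 JWT proving who is already signed in."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def token_endpoint(form, key, now, trusted_issuer, audience):
    """API provider side: validate the JWT bearer grant and issue an access token."""
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        head, body, sig = form["assertion"].split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
    except (KeyError, ValueError):
        return {"error": "invalid_grant"}
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return {"error": "invalid_grant"}
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return {"error": "invalid_grant"}
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return {"error": "invalid_grant"}
    if claims.get("iss") != trusted_issuer or claims.get("aud") != audience:
        return {"error": "invalid_grant"}
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return {"error": "invalid_grant"}
    # Opaque, short-lived access token bound to the federated user (slide 8 trade-off).
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "sub": claims.get("sub")}
```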

Page 15

Mobile App Domain

Across a group of apps

- Consistent Auth UX

- Single sign-on

Does not cover ‘3rd party’ apps

Page 16

3rd Party Mobile SSO

Client side redirections and callback

- Apps register a URL scheme to allow switching between apps

- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app

(Diagram: App A, App B)

step 1: openURL AppA://something?callback=AppB://somethingelse

step 2: openURL AppB://somethingelse?arg=that_thing_you_need

Page 17

App-to-app redirection limitations, risks

Un-verified URL schemes open the possibility of an “app-in-the-middle” attack

APPLE: “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.” --link
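The two-step app-to-app handoff from slide 16, with the defensive check slide 17 motivates, as an added example that is not from the deck: the app holding the authentication context only opens callbacks whose scheme is on an allowlist it populated at registration time (a constructed set here, assumed), and rejects callbacks carrying their own query or fragment. Because the platform cannot tell which app actually owns a scheme, the allowlist bounds where a value is sent but cannot prove who receives it, so the handed-over value should be short-lived rather than the long-lived context itself.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist (assumption): URL schemes of apps we registered ourselves,
# never taken from the incoming request.
REGISTERED_SCHEMES = {"appb", "appc"}

def extract_callback(open_url: str):
    """Step 1: parse AppA://something?callback=AppB://somethingelse and return the
    callback URL, or None when its scheme is not one we registered or it smuggles
    extra query/fragment parts that would ride along on the step-2 redirect."""
    request = urlsplit(open_url)
    callback = parse_qs(request.query).get("callback", [""])[0]
    target = urlsplit(callback)
    if target.scheme.lower() not in REGISTERED_SCHEMES:
        return None
    if target.query or target.fragment:
        return None
    return callback

def build_callback(callback: str, handoff_value: str) -> str:
    """Step 2: open the validated callback with the value the other app needs."""
    return f"{callback}?{urlencode({'arg': handoff_value})}"
```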

Page 18

App Wrapping

Single sign-on across mobile apps normally requires the active participation of each app

- Wrapping an app can compensate for a 3rd party app’s lack of awareness

Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context

- On the API side, federation still requires active participation, or the API calls themselves need to be redirected

(Diagram: 3rd P App, App A, App B, Auth Context, 3rd P API?)

Page 19

API-Side Brokering

Federating a 3rd party can also be achieved at the API side

API Broker

- Domain ID <> 3rd party ID

(Diagram: user@corp, corp@sp)

Page 20

Mobile app/API solution components

API Routing

API Brokering

OAuth Endpoints

- Access token issuing

- OpenID Connect

Protected endpoints

Identity infrastructure

Secure API invocation libs

- User prompts, redirections

- Handshake

- Share auth context

- Biometrics integration

- PKI/MDM integration

(Diagram columns: Backend Data/Identity, Edge API/OAuth GW, Client-side framework)

Page 21

Enabling Mobile Application Developers

API discovery

App registration

API key provisioning

Client side libraries

Page 22

Layer 7 Mobile Access Gateway

Mobile API Delivery

• Secure Mobile Endpoint

• Manage permissions across users, devices, apps

• Integration, Scaling

Access Control, UX

• Mobile PKI Provisioning

• Mobile app-to-app SSO

• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)

Increased Developer Velocity

• Mobile SDK for iOS and Android

• Configure, not code

• Form factors, deployment options

2.0
