Secure authentication on mobile application


I'm looking for a way to authenticate users of my mobile app in a secure way. The mobile app is a pure JS app, and is using the Ionic framework (and so Cordova). The app will only communicate with our server through a REST API. Requirements are the following:

  • The mechanism has to rely on a standalone business account (i.e. linking to Google, Facebook, or any other API is not an option.)
  • The application will be on public stores
  • Like a lot of mobile apps (Gmail, Facebook, ...) that don't need as much security as bank applications, the user has to be automatically authenticated after a first login ("remember me" pattern)

What I've found:

  • Using OAuth 2

OAuth 2 provides a long-lived token called a "refresh token". I would like to use it with an expiration date set to something like one year.

However, it seems that there is no strong mechanism to protect that token. Indeed, as mentioned in Jamsheed Kamarudeen's comment on that answer https://stackoverflow.com/a/7209263/863581, if the refresh token, client id and secret id are stolen (using sniffing or taking them directly from the device), the attacker will be able to have unlimited access to the user account... without any way, AFAIK, to know it's happening.

Sniffing could be difficult because, obviously, all data will be sent through a secure connection (SSL), but it's still possible and this has to be managed, from my point of view. Regarding the second kind of attack, "taking them directly from the device", every solution I've seen is about storing data (token or cookie) in either local storage or a browser cookie (for example, this post: Using OAuth2 in HTML5 Web App). Even if the example from that post advises storing a hash of the refresh token, I can't see what the aim of that is, because, as mentioned in Mati Cicero's comment, it will not stop the attacker from being able to retrieve an access token and have, in my case, unlimited access to the user's account.

Moreover, from what I can see, localStorage and cookies are too easy to read. Is that enough or should I use the native secure storage of Android/iOS? Even native local storage seems not to be enough (https://github.com/phonegap/phonegap/wiki/Platform-Security).

  • Using Spring Security

The server side will be implemented using Spring. The mechanism provided by Spring Security seems to be better than OAuth 2 regarding the remember-me pattern (http://jaspan.com/improved_persistent_login_cookie_best_practice). However, as I have understood it, the final user will not be able to log in twice on the application (let's say, their personal mobile and their professional one). I admit it's not a huge issue, but still, it's not perfect. Most importantly, in the end, we still have storage security issues regarding cookies/tokens.

It's the first time I'm looking for a security mechanism, so maybe I've misunderstood some mechanism, please let me know. However, I'm really surprised to see how difficult it is to find the right process. I'm sure it's a classic issue on all mobile applications, but I cannot find any right way to manage that issue.

My question: as you can see above, I haven't found one secure mechanism to set up that "automatic login" process on a web mobile app. What should I set up? Do you have other mechanisms than the ones I found to introduce to me?
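The question raises two concerns about long-lived tokens: the server cannot tell when a stolen copy is being used, and a single remember-me record seems to prevent logging in from two devices. The following is an added example (not from the question, nor from Spring Security or the linked blog post) of the series-plus-rotating-token pattern the jaspan.com link describes, written in Python with an in-memory store so it runs stand-alone. The names `RememberMeStore`, `issue`, `redeem` and `revoke_all` are this example's own; a real deployment would back the store with the server's database and return the pair to the client in the API response instead of a cookie.

```python
import hashlib
import hmac
import secrets
import time


class RememberMeStore:
    """Persistent-login store: one (series, token) pair per device.

    - The series identifier never changes for the life of a device's login.
    - The token is rotated on every successful automatic login.
    - A known series presented with a token that is NOT the current one means
      someone is replaying a stale copy: the series is killed and the event
      recorded, so a theft becomes visible instead of silently succeeding.
    """

    def __init__(self, ttl_seconds=365 * 24 * 3600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry can be tested
        self._rows = {}            # series -> {"user", "token_hash", "expires"}
        self.theft_events = []     # (user, series) pairs flagged for review

    @staticmethod
    def _hash(token):
        # Only a hash is kept server-side: a database leak yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """First (interactive) login: start a new series for this device."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._rows[series] = {
            "user": user,
            "token_hash": self._hash(token),
            "expires": self._now() + self._ttl,
        }
        return series, token

    def redeem(self, series, token):
        """Automatic login. Returns (user, new_token) on success, else None."""
        row = self._rows.get(series)
        if row is None or row["expires"] < self._now():
            self._rows.pop(series, None)      # unknown or expired: fresh login needed
            return None
        if not hmac.compare_digest(row["token_hash"], self._hash(token)):
            # Right series, wrong token: a stale copy is being replayed.
            # Kill the series so neither the thief nor the stale device keeps access.
            self.theft_events.append((row["user"], series))
            del self._rows[series]
            return None
        new_token = secrets.token_urlsafe(32)  # rotate; series stays the same
        row["token_hash"] = self._hash(new_token)
        return row["user"], new_token

    def revoke_all(self, user):
        """Log the user out everywhere (e.g. after a theft event is reviewed)."""
        for series in [s for s, r in self._rows.items() if r["user"] == user]:
            del self._rows[series]


def simulate_theft(store=None):
    """Constructed scenario: attacker copies the device's stored pair, the real
    device logs in once (rotating the token), then the attacker replays the copy."""
    store = store or RememberMeStore()
    series, token = store.issue("alice")
    stolen_copy = token                          # copied from device storage
    user, token = store.redeem(series, token)    # legitimate auto-login, rotates
    replay = store.redeem(series, stolen_copy)   # stale copy -> theft detected
    legit_after = store.redeem(series, token)    # series is gone, must log in again
    return {
        "first_login_user": user,
        "replay_result": replay,
        "legit_after_theft": legit_after,
        "theft_events": list(store.theft_events),
    }


if __name__ == "__main__":
    print(simulate_theft())
```

Each interactive login creates its own series, so a phone and a tablet hold independent pairs and a replay against one does not disturb the other. The pattern does not stop a thief who uses the copy before the legitimate device does; what it guarantees is that the second party to present the token is refused and the event is logged, which is the missing "way to know it's happening". Where the pair is stored on the device (WebView localStorage versus platform keychain) is a separate question this example does not address.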