The Ultimate Guide to Mobile API Security


Transcript of The Ultimate Guide to Mobile API Security

ULTIMATE GUIDE TO MOBILE SECURITY

Edward Jiang

HI, I’M EDWARD!

@EdwardStarcraft, Developer Evangelist @goStormpath

DEVELOPER TOOLS FOR AUTHENTICATION

• Stormpath — Authentication as a Service

• Web Framework Integrations — Authentication in your web framework of choice

• Apache Shiro — Java security framework

• JWTK — JWT libraries for JavaScript & Java

• Simplicity — Easy social login for iOS

• Turnstile — Authentication framework for server-side Swift

(Diagram: Users, Stormpath, Integrations)

AUTHENTICATION

HOW DOES IT WORK?

AUTHENTICATION

IT’S ABOUT PROVING THAT YOU ARE WHO YOU SAY YOU ARE

BASIC AUTHENTICATION

GET / HTTP/1.1
Authorization: Basic Base64(username:password)

• Easy and convenient, but insecure

• Username / password needs to be stored on the device

• Username / password are sent on every request

TOKENIZATION

“myusername” and “mypassword” becomes “rCsspweTxMtz2sypA0PLGns6fkCA”

• No risk of losing the username/password from the device

• Device credentials can be independently revoked from the username/password

COOKIE AUTHENTICATION

GET / HTTP/1.1
Cookie: sessionId=rCsspweTxMtz2sypA0PLGns6fkCA

• Convenient: the server sets a cookie, and the HTTP Client automatically takes care of authentication

• Server-side logic for authentication can be shared between mobile and web

• Downside: hard to understand state

BEARER AUTHENTICATION

GET / HTTP/1.1
Authorization: Bearer rCsspweTxMtz2sypA0PLGns6fkCA

• Slightly more complicated: Need to write an endpoint, and a format for the client to understand

• Need to deal with storing the token (use the iOS Keychain or Android SharedPreferences)

• But it gives ultimate control over token usage and state. Preferred method
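The server side of the tokenization and Bearer flow described above, as an added example written for this transcript (it is not code from the talk or from Stormpath's SDKs): the username and password are checked once, an opaque random token is handed back to the device, and every later API request is authenticated from the `Authorization: Bearer` header. The in-memory `USERS` and `TOKENS` tables, the user name and password, the one-hour TTL and the helper names are all constructed for the example. Only a hash of each token is stored, so a leaked token table cannot be replayed, and revoking one device's token leaves the password and other devices untouched.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# In-memory tables standing in for the API's user and token stores (constructed for this example).
USERS = {}        # username -> (salt, PBKDF2 hash of the password)
TOKENS = {}       # sha256(token) -> {"user": str, "expires": float, "revoked": bool}
TOKEN_TTL = 3600  # seconds a device token stays valid (assumed value)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a copy of TOKENS does not yield usable credentials.
    return hashlib.sha256(token.encode()).hexdigest()


def register_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))


def issue_token(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Tokenization: verify the password once and return an opaque device credential."""
    if now is None:
        now = time.time()
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(24)  # 192 random bits; means nothing to the client
    TOKENS[_token_key(token)] = {"user": username, "expires": now + TOKEN_TTL, "revoked": False}
    return token


def revoke_token(token: str) -> None:
    """Revoke a single device token; the password and other devices are unaffected."""
    record = TOKENS.get(_token_key(token))
    if record is not None:
        record["revoked"] = True


def authenticate_request(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Validate 'Authorization: Bearer <token>' on an API request; return the username or None."""
    if now is None:
        now = time.time()
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    record = TOKENS.get(_token_key(token))
    if record is None or record["revoked"] or now >= record["expires"]:
        return None
    return record["user"]


if __name__ == "__main__":
    register_user("myusername", "mypassword")
    device_token = issue_token("myusername", "mypassword")
    print("device token:", device_token)
    print("API sees user:", authenticate_request({"Authorization": f"Bearer {device_token}"}))
    revoke_token(device_token)
    print("after revoke:", authenticate_request({"Authorization": f"Bearer {device_token}"}))
```

On a phone the returned token is what goes into the iOS Keychain or Android SharedPreferences; the password never needs to be kept on the device.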

STATELESS TOKENS

• Used at scale in larger APIs

• Self-contained, unlike “dumb” / opaque tokens

• Can be validated easily without a round trip to a central database

• Harder to use properly

JSON WEB TOKEN

eyJrafea.eyJzdWIiopkIefwEWFd.dPPxume

Header . Body . Signature

Header: { "typ": "JWT", "alg": "HS256" }

Body: { "sub": "1234567890", "name": "John Doe", "iat": 1487260586, "exp": 1487264186 }

STORMPATH MOBILE SDKS

• Uses the Stormpath API to authenticate users & validate their identity

• Authenticate to your APIs with Bearer Authentication

• Use JWTs for scalability

LET’S SEE SOME CODE!

FINISHED RESULT

• GitHub: https://github.com/stormpath/stormpath-ios-example

• Review this tutorial: https://stormpath.com/blog/build-note-taking-app-swift-ios

WHAT NEXT?

• Try the Android counterpart: https://stormpath.com/blog/build-user-authentication-for-android-app

• Learn how to build a REST API for mobile: https://stormpath.com/blog/tutorial-build-rest-api-mobile-apps-using-node-js

• Talk to us! Email [email protected], or [email protected]

• Follow us @EdwardStarcraft and @goStormpath on Twitter

QUESTIONS?