This document discusses reconciling user experience and security in mobile applications. It explores techniques for user authentication on mobile that can disrupt user experience if not implemented properly. It proposes balancing authentication complexity and frequency to improve user experience without compromising security. The document also examines using biometrics, risk-based authentication, and single sign-on across mobile apps and third-party apps to improve both security and user experience on mobile. It describes components of a solution including API routing, brokering, and protected endpoints to enable secure access to APIs from mobile applications.
3. Layer 7 Confidential 3
Security too
Most Businesses Probably Had a Mobile Security Incident in the Past Year
Securing corporate information cited as greatest BYOD challenge (67%)
Source: “The Impact of Mobile Devices on Information Security: A Survey of IT Professionals”, Dimensional Research, June 2013
“Securing [data]-to-mobile is my top concern”
Everybody, all the time
Compliance
4. Secure what?
- MDM: protect data at rest
- API management: protect the data source / data in motion
(diagram) Mobile browser and any other app reach the Web and APIs
5. UX Disruptors
Key defensive techniques, such as user authentication, disrupt UX.
The impact on user experience is more severe on mobile devices.
Compounding factors:
- Challenge frequency
- Number of secrets
- Secret complexity
6. Reconciling UX and Security
(diagram) “Identify yourself” versus “Show me my data”
9. Complexity vs. Frequency
- Parallel sessions with varying secret complexity
- Challenge determined by risk assessment
10. Biometrics
Great alternative to PIN
- Fingerprint, voice, …
Client-side unlocking of a long-lived auth context
- Client-side policy
Multi-factor
- API-side validation
11. Elevated, Risk-Based Authentication
Stronger security is not necessarily less UX
- Auth is only elevated when it counts most … (and is expected)
12. Single sign-on challenge: Mobile App Isolation
(diagram) Mobile web: one user-agent reaches Webapp 1, Webapp 2 and Webapp 3 with cookies for cookie domain A and cookie domain B
(diagram) Mobile apps: App A holds access token 1 for API 1, App B holds access token 2 for API 2, App C holds access token 3 for API 3 (apps and APIs can be different parties)
13. Shared Authentication Context
Client-side platforms allow applications within a domain (signed by a common developer key) to access a common key chain.
This allows them to share an authentication context.
(diagram) Before: App A with key chain KC A, App B with key chain KC B. After: App A and App B on a shared key chain.
14. Standard: Federated access token grants
App gets an access token in exchange for another token:
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
Lets apps leverage an existing authentication context without disturbing UX.
(diagram) The client app calls the API provider's token endpoint with proof of authentication and gets back an access token.
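An added example of the JWT bearer exchange above, written here in Python and not taken from the deck or from Layer 7's product: the app mints an assertion from its shared authentication context, and the token endpoint checks algorithm, signature, issuer, audience and expiry before handing back an access token. The HS256 shared key, the endpoint URL and the issuer names are constructed stand-ins for what a real deployment would provision.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key shared by the app domain and the token endpoint (an HS256
# stand-in for the asymmetric keys a real deployment would use); URL is assumed.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TOKEN_ENDPOINT = "https://api.example.test/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(issuer: str, subject: str, now: int, lifetime: int = 300) -> str:
    """App side: mint the JWT that carries proof of the existing authentication."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    claims = {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_hex(8)}
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def build_token_request(assertion: str) -> dict:
    """Form parameters the app posts to the token endpoint (RFC 7523 section 2.1)."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}

def token_endpoint(request: dict, trusted_issuers: set, now: int) -> dict:
    """API-provider side: verify the assertion before issuing an access token."""
    if request.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        h, c, s = request["assertion"].split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    except (KeyError, ValueError):
        return {"error": "invalid_grant"}
    # Pin the algorithm and check the signature before trusting any claim.
    expected = hmac.new(SHARED_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(s)):
        return {"error": "invalid_grant"}
    # Issuer must be a known app domain, audience this endpoint, and not expired.
    if (claims.get("iss") not in trusted_issuers or claims.get("aud") != TOKEN_ENDPOINT
            or not isinstance(claims.get("exp"), int) or claims["exp"] <= now):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 3600, "sub": claims["sub"]}
```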
15. Mobile App Domain
Across a group of apps:
- Consistent auth UX
- Single sign-on
Does not cover “3rd party” apps
16. 3rd Party Mobile SSO
Client-side redirections and callback:
- Apps register a URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app
(diagram) step 1: App B opens AppA://something?callback=AppB://somethingelse; step 2: App A opens AppB://somethingelse?arg=that_thing_you_need
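An added example of the step 1 / step 2 exchange above in Python (not code from the deck): App A parses the incoming openURL request and only hands a token back to a callback whose scheme is on its allowlist. The AppA/AppB scheme names are the deck's; the allowlist, the `state` parameter and the rejection rules are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allowlist: the partner schemes App A is prepared to hand a token to.
# Scheme names are assumed; comparison is case-insensitive, as the platform's is.
TRUSTED_CALLBACK_SCHEMES = {"appb"}
OUR_SCHEME = "appa"

class RedirectRejected(Exception):
    """Raised when an incoming openURL request must not be honoured."""

def parse_open_url(url: str) -> dict:
    """Step 1, App A side: validate the AppA://... request before acting on it."""
    req = urlparse(url)
    if req.scheme.lower() != OUR_SCHEME:
        raise RedirectRejected("not our URL scheme")
    params = {k: v[0] for k, v in parse_qs(req.query).items()}
    callback = params.get("callback")
    if not callback:
        raise RedirectRejected("missing callback")
    cb = urlparse(callback)
    if cb.scheme.lower() not in TRUSTED_CALLBACK_SCHEMES:
        raise RedirectRejected(f"callback scheme {cb.scheme!r} is not allowlisted")
    if cb.query or cb.fragment:
        # A callback that already carries parameters could smuggle its own "arg".
        raise RedirectRejected("callback must not carry parameters of its own")
    return {"action": req.netloc, "callback": callback, "state": params.get("state")}

def build_callback(callback: str, token: str, state=None) -> str:
    """Step 2: only ever redirect to a callback that parse_open_url accepted."""
    query = {"arg": token}
    if state:
        query["state"] = state  # echoed so App B can tie the reply to its request
    return f"{callback}?{urlencode(query)}"
```

The allowlist only restricts which schemes App A is willing to call back; as the Apple note on the next slide says, it cannot control which installed app has claimed that scheme, so the value passed as `arg` should be a short-lived, single-use token rather than the long-lived authentication context itself.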
17. App-to-app redirection limitations, risks
Unverified URL schemes open the possibility of an “app-in-the-middle” attack.
Apple: “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.”
18. App Wrapping
Single sign-on across mobile apps normally requires the active participation of each app.
- Wrapping an app can compensate for a 3rd party app's lack of awareness
Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context.
- On the API side, federation still requires active participation, or the API calls themselves need to be redirected
(diagram) App A, App B and the wrapped 3rd party app share the auth context; whether the 3rd party API can take part is marked “?”
19. API-Side Brokering
Federating a 3rd party can also be achieved on the API side.
(diagram) user@corp -> API Broker -> corp@sp; the broker maps the domain identity to the 3rd party identity (Domain ID <> 3rd party ID)
21. Enabling the Mobile Application Developer
- API discovery
- App registration
- API key provisioning
- Client-side libraries
22. Layer 7 Mobile Access Gateway
Mobile API Delivery | Access Control, UX | Increased Developer Velocity
• Secure Mobile Endpoint
• Manage permissions across users, devices, apps
• Integration, Scaling
• Mobile PKI Provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options
2.0
23. Thank you
For more information:
• http://www.layer7.com/products/mobile-access-gateway
• http://www.layer7.com/solutions/mobile-access-solutions-overview