Mobile App Security: Part 2
Choosing the Right Authentication Flow
Authentication is the process of confirming the identity of a user who is trying to gain access to an application and its data; it is an essential part of mobile application security. Designing a secure mobile app authentication process involves choosing an appropriate user login flow, an approach to managing tokens and credentials, and deciding how biometrics are used.
Mobile apps can use web-based or native login flows. The difference between the two is important to note:
- With the native login flow, users enter their credentials right into the app
- With the web-based login flow, users are redirected to a web login screen where they enter their credentials
Mobile app developers often choose the native login flow for a better user experience. The drawback is that the native flow is generally less secure than web-based login: the app itself handles the raw password, so the credentials are exposed to the app code (and to any repackaged copy of it), and features such as MFA and SSO have to be reimplemented inside the app instead of being handled once by the identity provider.
The web-based approach is preferred to enable:
- Multi-factor authentication (MFA)
- Single sign-on (SSO) between mobile and web apps
- A browser address bar (URL and TLS padlock) that lets users verify they are on the genuine login page
- Protection against app repackaging attacks (i.e., preventing fake apps from collecting user credentials)
Generally, 12-factor mobile apps that use browser-based login follow the native-app best practices set out in RFC 8252 (OAuth 2.0 for Native Apps):
- Never use an embedded web window (e.g. Android WebView or iOS WKWebView) to display the web login screen: the app controls the embedded page and can read the typed password, and the user sees no address bar to verify the page. Instead, the mobile app either redirects users to the stand-alone mobile browser (e.g. Android Chrome or iOS Safari) or displays the web login screen in an in-app browser tab (e.g. Android Chrome Custom Tab, iOS SFSafariViewController or ASWebAuthenticationSession), which shares the system browser's isolation and session.
- Use the OAuth 2.0 Authorization Code flow: the app receives a one-time authorization code on the redirect URL and exchanges it at the token endpoint for an access token (and usually a refresh token). Do not use the Implicit flow, which returns tokens directly in the redirect URL.
- Use Proof Key for Code Exchange (PKCE, RFC 7636) and, where possible, app-claimed callback URLs (Android App Links or iOS Universal Links) instead of custom URL schemes, to protect against authorization code interception: a rogue app that registers the same redirect and captures the code cannot redeem it without the code_verifier that only the legitimate app holds.
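The three rules above fit together as one exchange. The following is an added example written for this article, not code from any SDK or identity provider: it builds the PKCE verifier and S256 challenge, the authorization URL the app opens in the system browser, the callback parsing (with a state check), and a constructed in-memory stand-in for the identity provider's /authorize and /token endpoints so the whole flow runs offline. The endpoint URLs, client_id and redirect URI are assumed values. It also shows the interception attack the last rule defends against: an attacker who captured the code but not the verifier is refused.

```python
# Added example: OAuth 2.0 Authorization Code flow with PKCE (RFC 7636).
# AuthorizationServer is a constructed stand-in for a real identity provider;
# the URLs, client_id and redirect URI below are assumed values.
import base64
import hashlib
import hmac
import secrets
import urllib.parse

AUTHORIZE_ENDPOINT = "https://idp.example/authorize"      # assumed
REDIRECT_URI = "https://app.example/callback"             # assumed, app-claimed (Universal/App Link)
CLIENT_ID = "mobile-app"                                   # assumed


def make_code_verifier() -> str:
    """RFC 7636 4.1: 43-128 chars of [A-Za-z0-9-._~]; base64url of 32 random bytes gives 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(state: str, challenge: str, scope: str = "openid profile") -> str:
    """The URL the app opens in the system browser or in-app browser tab (never a WebView)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urllib.parse.urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Pull the code out of the callback the OS handed back; reject a state mismatch (CSRF)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback was not triggered by our request")
    return query["code"][0]


class AuthorizationServer:
    """Constructed stand-in for the identity provider's /authorize and /token endpoints."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, challenge: str, method: str) -> str:
        # The real server authenticates the user here, then redirects with this code.
        code = secrets.token_urlsafe(24)
        self._pending[code] = (challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)  # authorization codes are single use
        if entry is None:
            return None
        challenge, method = entry
        if method != "S256" or not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not match the challenge bound to this code
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


def mobile_login(server: AuthorizationServer):
    """Client side of the flow end to end; returns the token response or None."""
    verifier = make_code_verifier()               # kept in app memory only, never sent on /authorize
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(state, make_code_challenge(verifier))
    # The browser shows the login page at `url`; after the user signs in, the server
    # redirects to REDIRECT_URI?code=...&state=... and the OS routes that URL to the app.
    req = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    code = server.authorize(req["code_challenge"][0], req["code_challenge_method"][0])
    callback = f"{REDIRECT_URI}?{urllib.parse.urlencode({'code': code, 'state': req['state'][0]})}"
    return server.token(parse_redirect(callback, state), verifier)


def interception_attempt(server: AuthorizationServer):
    """A rogue app that captured the code (e.g. via a shared custom URL scheme) but not the verifier."""
    legitimate_verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(legitimate_verifier), "S256")
    return server.token(code, make_code_verifier())  # attacker must guess the verifier: refused


if __name__ == "__main__":
    idp = AuthorizationServer()
    print("legitimate app:", mobile_login(idp))
    print("intercepting app:", interception_attempt(idp))
```

`make_code_challenge` reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any PKCE implementation you write or review. On the real wire, the app sends `code`, `code_verifier`, `redirect_uri` and `client_id` as a form-encoded POST to the token endpoint; the stand-in collapses that into a method call.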
In response to the need for stronger authentication security, the Hypermedia Authentication API is an emerging standard designed to combine the best of the two login flow types. Its primary benefits are:
- Superior user experience of the native login flow
- Security and flexibility of the web login flow
A 12-factor mobile app may use this new standard, even though it is not widely recognized yet.
TOKENS AND CREDENTIALS MANAGEMENT
A 12-factor mobile app authenticates to its backend APIs with short-lived access tokens and obtains new ones with long-lived refresh tokens. To maintain application security there must be a way to revoke the tokens on the server in case they are compromised (for example through an OAuth 2.0 token revocation endpoint, RFC 7009). The tokens also need to be revoked when the user chooses to log out of the mobile app, ensuring that they cannot be used before their normal expiration time. Because APIs often validate access tokens statelessly, keep their lifetime short and do revocation at the refresh-token level; rotating the refresh token on every use lets the server detect a replayed (stolen) refresh token and revoke the whole session.
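The following is an added example written for this article, not code from any product: a minimal in-memory token service showing the server side of this lifecycle, with short-lived access tokens, rotated single-use refresh tokens, revocation of the whole login session on logout, and revocation when a rotated refresh token is replayed. The clock is injectable so expiry can be exercised without waiting; TTL values are assumed.

```python
# Added example: server-side token lifecycle for a mobile client (assumed TTLs,
# in-memory state, injectable clock). Not from any particular product.
import secrets
import time

ACCESS_TTL = 300               # seconds: a stolen access token is useful only briefly
REFRESH_TTL = 30 * 24 * 3600   # seconds: the user is not asked to log in every 5 minutes


class TokenService:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self._access = {}       # access_token -> (family, expires_at)
        self._refresh = {}      # refresh_token -> (family, expires_at, already_used)
        self._revoked = set()   # families (one per login on one device) that were revoked

    def _issue(self, family: str) -> dict:
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (family, now + ACCESS_TTL)
        self._refresh[refresh] = (family, now + REFRESH_TTL, False)
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def login(self) -> dict:
        """Called once the user has authenticated (e.g. the PKCE code exchange succeeded)."""
        return self._issue(secrets.token_urlsafe(16))

    def validate_access(self, access_token: str) -> bool:
        """What the API does on each request: unknown, expired or revoked -> reject."""
        entry = self._access.get(access_token)
        if entry is None:
            return False
        family, expires_at = entry
        return family not in self._revoked and self.clock() < expires_at

    def refresh(self, refresh_token: str):
        """Rotate: each refresh token is single use. A replay means it leaked, so revoke the family."""
        entry = self._refresh.get(refresh_token)
        if entry is None:
            return None
        family, expires_at, already_used = entry
        if family in self._revoked or self.clock() >= expires_at:
            return None
        if already_used:
            self._revoked.add(family)   # both the attacker's and the victim's tokens now die
            return None
        self._refresh[refresh_token] = (family, expires_at, True)
        return self._issue(family)

    def logout(self, refresh_token: str) -> None:
        """What the app calls on 'log out' (RFC 7009 style); harmless for an unknown token."""
        entry = self._refresh.get(refresh_token)
        if entry is not None:
            self._revoked.add(entry[0])


if __name__ == "__main__":
    svc = TokenService()
    first = svc.login()
    second = svc.refresh(first["refresh_token"])
    print("replay of rotated refresh token:", svc.refresh(first["refresh_token"]))
    print("access token after replay detection:", svc.validate_access(second["access_token"]))
```

On the device, the logout handler should call `logout` and then delete both tokens from secure storage; deleting them locally without the server call leaves a still-valid refresh token that any earlier copy of the data could redeem.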
User credentials are extremely sensitive data, especially considering that many users reuse the same password for other accounts (such as a healthcare or banking portal). A 12-factor mobile app should not store user credentials anywhere on the mobile device. Instead, it should store only the access and refresh tokens, in platform secure storage (the iOS Keychain, or on Android a store encrypted with a key held in the Android Keystore).
A 12-factor mobile app can use biometric authentication (face or fingerprint recognition). This form of identity verification can significantly improve both the security and the usability of your mobile app. However, the app should not rely on a biometrics API that merely returns a binary "true" or "false" result: a boolean check made in app code can be skipped or patched by an attacker who controls the device or ships a repackaged app. Prefer a biometrics API that releases data from secure storage only after a successful biometric match, so the stored refresh token is never available without it (e.g. on iOS store the token as a Keychain item protected by a SecAccessControl biometry policy rather than gating access on the result of LocalAuthentication's evaluatePolicy; on Android, encrypt it with a Keystore key that requires user authentication and unlock that key through BiometricPrompt's CryptoObject).