ULTIMATE GUIDE TO MOBILE SECURITY Edward Jiang

Upload: stormpath

Post on 15-Apr-2017



HI, I’M EDWARD!

@EdwardStarcraft, Developer Evangelist @goStormpath

DEVELOPER TOOLS FOR AUTHENTICATION

• Stormpath — Authentication as a Service

• Web Framework Integrations — Authentication in your web framework of choice

• Apache Shiro — Java security framework

• JWTK — JWT libraries for JavaScript & Java

• Simplicity — Easy social login for iOS

• Turnstile — Authentication framework for server-side Swift

USERS STORMPATH INTEGRATIONS

AUTHENTICATION

HOW DOES IT WORK?

AUTHENTICATION

IT’S ABOUT PROVING THAT YOU ARE WHO YOU SAY YOU ARE

BASIC AUTHENTICATION

GET / HTTP/1.1
Authorization: Basic Base64(username:password)

• Easy and convenient, but insecure

• Username / password needs to be stored on the device

• Username / password are sent on every request

TOKENIZATION

“myusername” and “mypassword” becomes “rCsspweTxMtz2sypA0PLGns6fkCA”

• No risk of losing the username/password from the device

• Device credentials can be independently revoked from the username/password

COOKIE AUTHENTICATION

GET / HTTP/1.1
Cookie: sessionId=rCsspweTxMtz2sypA0PLGns6fkCA

• Convenient: the server sets a cookie, and the HTTP Client automatically takes care of authentication

• Server-side logic for authentication can be shared between mobile and web

• Downside: hard to understand state

BEARER AUTHENTICATION

GET / HTTP/1.1
Authorization: Bearer rCsspweTxMtz2sypA0PLGns6fkCA

• Slightly more complicated: Need to write an endpoint, and a format for the client to understand

• Need to deal with storing the token (use the iOS Keychain or Android SharedPreferences)

• But ultimate control over token usage, and state. Preferred method

STATELESS TOKENS

• Used at scale in larger APIs

• Self-contained, unlike “dumb” / opaque tokens

• Can be validated easily without a round trip to a central database

• Harder to use properly

JSON WEB TOKEN

eyJrafea.eyJzdWIiopkIefwEWFd.dPPxume

Header . Body . Signature

Header:

{ "typ": "JWT", "alg": "HS256" }

Body:

{ "sub": "1234567890", "name": "John Doe", "iat": 1487260586, "exp": 1487264186 }
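To make the "validated without a round trip" and "harder to use properly" points concrete, here is an added example (not code from the talk or the Stormpath SDKs) that signs and validates an HS256 JWT carrying the claims shown on the slide, using only the standard library. The secret and the timestamps passed as `now` are constructed placeholders; a real server would pin the algorithm and rotate the secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that _b64url stripped
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce header.body.signature with HS256, the layout on the slide."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Validate locally, no database lookup. Returns the claims, or None if invalid."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The server pins the algorithm; the token's own 'alg' field is never trusted
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    # A stateless token cannot be revoked server-side, so 'exp' is required and enforced
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


# Constructed sample: the claims from the slide; the secret is a placeholder
SECRET = b"replace-with-a-long-random-server-secret"
CLAIMS = {"sub": "1234567890", "name": "John Doe", "iat": 1487260586, "exp": 1487264186}
```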

STORMPATH MOBILE SDKS

• Uses the Stormpath API to authenticate users & validate their identity

• Authenticate to your APIs with Bearer Authentication

• Use JWTs for scalability

LET’S SEE SOME CODE!

FINISHED RESULT

• GitHub: https://github.com/stormpath/stormpath-ios-example

• Review this tutorial: https://stormpath.com/blog/build-note-taking-app-swift-ios

WHAT NEXT?

• Try the Android counterpart: https://stormpath.com/blog/build-user-authentication-for-android-app

• Learn how to build a REST API for mobile: https://stormpath.com/blog/tutorial-build-rest-api-mobile-apps-using-node-js

• Talk to us! Email [email protected], or [email protected]

• Follow us @EdwardStarcraft and @goStormpath on Twitter

QUESTIONS?