Balancing Mobile UX & Security: An API Management Perspective (presentation from Gartner Catalyst 2013)
DESCRIPTION
Chief Architect Francois Lascelles gave this presentation at Gartner Catalyst 2013. The user experience associated with mobile applications is a critical determinant of the adoption of the APIs that power them. Mobile platforms and their public app stores create challenges when it comes to securing APIs consumed by mobile applications in a way that does not require constant user prompts. This presentation describes the challenge of providing positive UX patterns such as single sign-on on mobile platforms and explores API provider-side architectures enabling them.
TRANSCRIPT
Reconciling Mobile UX and Security
An API Management Perspective
Francois Lascelles
Chief architect
Layer 7 Technologies
@flascelles
Layer 7 Confidential 2
Mobile UX matters
UX -> Adoption
Security too
Most businesses probably had a mobile security incident in the past year
Securing corporate information cited as greatest BYOD challenge (67%)
Source: "The Impact of Mobile Devices on Information Security: A Survey of IT Professionals", Dimensional Research, June 2013
"Securing [data]-to-mobile is my top concern"
Everybody, all the time
Compliance
Secure what?
MDM: protect data at rest
API Management: protect the data source / data in motion
[Diagram: mobile browser and any other app both reach the web APIs]
UX Disruptors
Key defensive techniques, such as user authentication, disrupt UX
The impact on user experience is more severe on mobile devices
Compounding factors:
- Challenge frequency
- Number of secrets
- Secret complexity
Reconciling UX and Security
"Identify yourself" vs. "Show me my data"
Implants?
- Not mobile enough
[Diagram: HSM, NFC]
Authentication Context Lifespan
Shorter token lifespan
- More secure
Longer token lifespan
- Better UX
Complexity vs. Frequency
Parallel sessions with varying secret complexity
Risk assessment-determined challenge
Biometrics
Great alternative to PIN
- Fingerprint, Voice, …
Client-side unlocking of long-lived auth context
- Client-side policy
Multi-factor
- API-side validation
Elevated, Risk-Based Authentication
Stronger security does not necessarily mean worse UX
- Auth only elevated when it counts most
  ... (and is expected)
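The three preceding slides (token lifespan, complexity vs. frequency, elevated risk-based authentication) describe one API-side policy: keep several authentication contexts of different secret complexity alive in parallel, give the weak ones a long lifespan and the strong ones a short one, and let a per-request risk assessment decide which level a call needs. The following is an added example written for this page, not code from the deck or from Layer 7; the level names, lifespans, operations and risk thresholds are assumptions chosen to illustrate the pattern.

```python
# Added example, not from the Layer 7 deck: an API-side step-up policy over
# parallel authentication contexts of differing secret complexity. Level
# names, lifespans, operations and thresholds are assumptions.
import time
from dataclasses import dataclass, field

# Assurance levels, weakest secret first. A weak secret is cheap for the user
# to re-enter, so its context may live long; a strong secret is challenged
# rarely ("when it counts most"), so its context is kept short-lived.
LEVEL = {"pin": 1, "biometric": 2, "password_otp": 3}
LIFESPAN = {"pin": 30 * 24 * 3600, "biometric": 24 * 3600, "password_otp": 5 * 60}

@dataclass
class AuthContext:
    user: str
    level: str
    issued_at: float

    def is_fresh(self, now: float) -> bool:
        return now - self.issued_at < LIFESPAN[self.level]

@dataclass
class ApiRequest:
    user: str
    operation: str
    amount: float = 0.0
    new_device: bool = False
    # Every context the client currently holds (e.g. from a shared keychain).
    contexts: list = field(default_factory=list)

# Baseline level each operation needs before any risk assessment (assumed).
BASE_LEVEL = {"view_balance": "pin", "pay_known_payee": "biometric", "add_payee": "password_otp"}

def required_level(req: ApiRequest) -> int:
    """Risk assessment: start from the baseline and elevate on risk signals."""
    need = LEVEL[BASE_LEVEL[req.operation]]
    if req.amount > 1000:
        need = max(need, LEVEL["biometric"])
    if req.amount > 10000 or req.new_device:
        need = LEVEL["password_otp"]
    return need

def level_name(value: int) -> str:
    return next(name for name, v in LEVEL.items() if v == value)

def decide(req: ApiRequest, now=None) -> dict:
    """Allow if any fresh context of this user meets the required level;
    otherwise name the exact challenge the client has to satisfy."""
    now = time.time() if now is None else now
    need = required_level(req)
    usable = [c for c in req.contexts
              if c.user == req.user and c.is_fresh(now) and LEVEL[c.level] >= need]
    if usable:
        return {"allow": True, "level_used": level_name(max(LEVEL[c.level] for c in usable))}
    return {"allow": False, "challenge": level_name(need)}

if __name__ == "__main__":
    # Constructed sample: a 3-day-old PIN context and an hour-old (stale) OTP context.
    now = 1_700_000_000.0
    held = [AuthContext("alice", "pin", now - 3 * 24 * 3600),
            AuthContext("alice", "password_otp", now - 3600)]
    for req in (ApiRequest("alice", "view_balance", contexts=held),
                ApiRequest("alice", "pay_known_payee", amount=50, contexts=held),
                ApiRequest("alice", "pay_known_payee", amount=50, new_device=True, contexts=held)):
        print(req.operation, decide(req, now))
```

The client never has to guess when to prompt: the API answers with the level it needs, so the strong secret is only asked for on the risky call, and the cheap PIN context keeps the day-to-day calls prompt-free.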
Single sign-on challenge: Mobile App Isolation
Mobile web: one user-agent; Webapp 1, Webapp 2 and Webapp 3 share a session through cookies scoped to cookie domain A or cookie domain B
Mobile apps: App A, App B and App C (can be different parties) each hold their own access token (access token 1, 2, 3) for API 1, API 2 and API 3, even when everything sits under the same domain A
Shared Authentication Context
Client side platforms allow applications within a domain (signed by a
common developer key) to access a common key chain
This allows them to share an authentication context
[Diagram: App A with its own keychain KC A and App B with KC B, vs. App A and App B using one shared keychain]
Standard: Federated access token grants
App gets an access token in exchange for another token
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
Let apps leverage authentication context without disturbing UX
[Diagram: the client app calls the API provider's token endpoint including proof of authentication and gets back an access token]
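The exchange on this slide, as an added example written for this page (not code from the deck, from Layer 7, or from any library): the domain's authentication service signs a JWT assertion from an existing authentication context, the app POSTs it to the token endpoint with the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type, and the endpoint validates issuer, audience, expiry, signature and replay before issuing a short-lived access token. HS256 with a shared key is used only to keep the example dependency-free; the endpoint URL, issuer name, scopes and lifetimes are assumptions.

```python
# Added example, not from the Layer 7 deck: JWT bearer assertion grant
# (urn:ietf:params:oauth:grant-type:jwt-bearer) with both the client request
# and the token endpoint's validation. HS256/shared key is used only to avoid
# a crypto dependency; URLs, issuer, scopes and lifetimes are assumptions.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"   # assumed
DOMAIN_ISSUER = "https://auth.corp.example"               # assumed

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: turn an existing authentication context into an assertion."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def make_assertion(user: str, key: bytes, now: float) -> str:
    claims = {"iss": DOMAIN_ISSUER, "sub": user, "aud": TOKEN_ENDPOINT,
              "iat": int(now), "exp": int(now) + 300, "jti": secrets.token_urlsafe(16)}
    return sign_jwt(claims, key)

def build_token_request(assertion: str, scope: str) -> str:
    """Client side: the form body the app POSTs to the token endpoint."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def verify_jwt(token: str, key: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header, payload, sig = parts
    # Check the signature before trusting anything in the header or payload.
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(b64url_decode(payload))

class TokenEndpoint:
    """API provider side: validates the assertion and issues a short-lived token."""
    def __init__(self, key: bytes, trusted_issuers: set):
        self.key, self.trusted = key, trusted_issuers
        self.seen_jti = set()   # replay protection; a real deployment expires entries
        self.issued = {}        # access token -> subject, for the protected endpoints

    def handle(self, body: str, now=None):
        now = time.time() if now is None else now
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != JWT_BEARER:
            return 400, {"error": "unsupported_grant_type"}
        try:
            claims = verify_jwt(form.get("assertion", ""), self.key)
            if claims.get("iss") not in self.trusted:
                raise ValueError("untrusted issuer")
            if claims.get("aud") != TOKEN_ENDPOINT:
                raise ValueError("assertion not intended for this endpoint")
            if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
                raise ValueError("assertion expired")
            jti = claims.get("jti")
            if not jti or jti in self.seen_jti:
                raise ValueError("assertion replayed")
            self.seen_jti.add(jti)
            sub = claims["sub"]
        except (ValueError, KeyError) as exc:
            return 400, {"error": "invalid_grant", "error_description": str(exc)}
        token = secrets.token_urlsafe(32)
        self.issued[token] = sub
        # Access token lifespan is deliberately shorter than the user's auth context.
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": 900, "scope": form.get("scope", "")}

if __name__ == "__main__":
    key = b"example-shared-key"   # constructed
    endpoint = TokenEndpoint(key, {DOMAIN_ISSUER})
    assertion = make_assertion("alice", key, time.time())
    print(endpoint.handle(build_token_request(assertion, "read:data")))
    print(endpoint.handle(build_token_request(assertion, "read:data")))  # replay -> 400
```

The user is never prompted: the app presents proof it already holds, and the endpoint's checks (trusted issuer, audience bound to this token endpoint, short `exp`, single-use `jti`) are what keep a leaked or forwarded assertion from being turned into a token elsewhere.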
Mobile App Domain
Across a group of apps
- Consistent Auth UX
- Single sign-on
Does not cover "3rd party" apps
3rd Party Mobile SSO
Client side redirections and callback
- App register URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be
extended to a 3rd party app
App A <-> App B
step 1: openURL AppA://something?callback=AppB://somethingelse
step 2: openURL AppB://somethingelse?arg=that_thing_you_need
App-to-app redirection limitations, risks
Unverified URL schemes open the possibility of an "app-in-the-middle" attack
APPLE: "If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."
--link
App Wrapping
Single sign-on across mobile apps normally requires the active participation of each app
- Wrapping an app can compensate for a 3rd party app's lack of awareness
Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context
- On the API side, federation still requires active participation, or the API calls themselves need to be redirected
[Diagram: a wrapped 3rd party app alongside App A and App B sharing an auth context; 3rd party API?]
API-Side Brokering
[Diagram: user@corp -> API Broker -> corp@sp]
API Broker
- Maps domain ID <-> 3rd party ID
Federating a 3rd party can also be achieved at the API side
Mobile app/API solution components
Backend Data/Identity:
- Identity infrastructure
Edge API/OAuth GW:
- API routing
- API brokering
- OAuth endpoints (access token issuing, OpenID Connect)
- Protected endpoints
Client-side framework:
- Secure API invocation libs: user prompts, redirections; handshake; share auth context; biometrics integration; PKI/MDM integration
Enabling Mobile Application Developer
API discovery
App registration
API key provisioning
Client side libraries
Layer 7 Mobile Access Gateway
Mobile API Delivery | Access Control, UX | Increased Developer Velocity
• Secure mobile endpoint
• Manage permissions across users, devices, apps
• Integration, scaling
• Mobile PKI provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options
2.0
Thank you
For more information:
• http://www.layer7.com/products/mobile-access-gateway
• http://www.layer7.com/solutions/mobile-access-solutions-overview