This presentation was made by Rajneesh Khugsal (Staff Engineer, Citrix) as part of the Mobile App Developer meetup on 24th March in BLR.
Introduction covers learnings from the Citrix Android Receiver team:
1) What it is and the need for it
2) High level overview
3) Design evolution/learnings and their usefulness for writing advanced apps.
"Developing Secure Authentication using Chrome Custom Tabs" part covers:
1) What the use case of having third party SSON is, and its advantages.
2) Chrome Custom Tabs and how they are beneficial.
3) Hands on to show how we can incorporate Custom Tabs in our existing apps.
4) Chrome Custom Tabs vs WebView.
5) Some precautions while using this approach.
4. Why Citrix Android Receiver? The need.
• One can use other Citrix Receivers on Android to launch sessions, but the advantage Citrix Android Receiver gives is the capability to work with client side attached devices in sessions
• The user experience is much more native, and various form factors have been considered for ease of use
• The capability to work with Samsung DeX and second displays gives a tremendous boost to productivity with an enhanced experience
5. Best Practices
• Use design patterns/architectural patterns like MVP and Clean Architecture to write an application.
• Write minimal code in an Activity, and only UI-related code, no business logic. This is best for unit testing.
• Use ProGuard and set android:allowBackup="false" in the Android manifest
• Use annotations liberally, and put guarded fields behind asserts as a safety net in debug builds
• Create instrumented builds as well; they help with code coverage through automation and don't hinder release
• In the debug build config, have StrictMode enabled so that the main thread cannot hog the CPU, and remove it in release
• Material Design UI gives really good designs and guidelines; though a little old, it gives the UI a professional look
• When the need is there to return empty collections, don't allocate a new one; call Collections.emptyList() or Collections.emptySet() instead (use this pattern for your collections), and try to mimic this behaviour for your own classes as well.
• For OAuth workflows, use AppAuth for Android rather than implementing from scratch
• When having branches in GitHub, remember to use protected branches as well; this lets you control the branch much better without worrying about accidental deletes and changes
6. Things to avoid
• Trying to get around the Android Activity lifecycle by using hacks
• Using open source libraries that are old and not updated or maintained; if something breaks in production, you'll spend a lot of time trying to fix a problem which was not yours in the first place
• Writing your own encryption/decryption in an enterprise app, unless you are doing research in this field. Secondly, many government organizations want apps to be certified to predefined standards, and custom encryption/decryption doesn't fall in this category
• Trying to write important code in an Activity's onDestroy() function. Android doesn't guarantee that it will be called, or when it would be called. Once, we were clearing the state of one of our Model Repositories in onDestroy, and it was being called at the most inappropriate time, and that too in production and never internally
10. Why all this? The need.
• Enterprises/corporates have many applications that require authentication before the apps can be used. Logging in again to every app is tedious; Single Sign On (SSO) tries to address that. SAML (Security Assertion Markup Language) is an open standard that helps to address SSO
• SAML takes care of
  • Authentication - determining that the users are who they claim to be
  • Authorization - determining if users have the right to access certain systems or content
• SAML Provider : server or other computer providing/consuming SAML services
• SAML Assertion : document shared after authentication and authorization have been done
• Identity Provider : primary objective is authentication. E.g. Salesforce, LDAP or Active Directory
OAuth
OAuth is newer than SAML, developed by Google and Twitter. It was developed in part to compensate for SAML's deficiencies on mobile platforms and is based on JSON rather than XML. OAuth only deals with authorization. OpenID Connect is an even newer standard, developed in 2014, that provides authentication services and is layered on top of OAuth. OAuth2 is what is supported by Amazon, MS, Facebook, Instagram, Paypal, Google, etc. OAuth is an open-standard authorization protocol that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, single logon credential. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization.
13. Key Differences OAuth/OAuth2
• Flows
  OAuth: primary flows for browser based apps
  OAuth2: more flows to allow better support for non browser apps
• Cryptography
  OAuth: requires client apps to have cryptography and security protocols. It is transport independent and a protocol
  OAuth2: no such need, but depends on HTTPS for security. It is a framework and not a protocol
• Signatures
  OAuth: signatures require special parsing, sorting and encoding
  OAuth2: signatures are much less complex
• Token lifetime
  OAuth: typically, access tokens could be stored for a year
  OAuth2: the access tokens are 'short lived' while refresh tokens could be long lived
• Roles
  OAuth2: clean separation of roles between the server responsible for handling auth requests and the server handling user authorization
• Tokens per API call
  OAuth: requires the client to send two security tokens for each API call, and use both to generate the signature
  OAuth2: signatures are not required for the actual API calls once the token has been generated. It has only one security token
Please Note: Diagrams are courtesy https://docs.spring.io/
14. Chrome Custom Tabs and their benefits
• Have been designed keeping in mind security, speed and SAML integrations.
• In Android, a support library is present to support older versions of Android, going down to 1.6.
• Support is present for handing flow control from the browser back to the native app, giving a smoother look and feel while transitioning
• If native app developers use the native browser instead, it is heavy in context (switching) in comparison to CCT
• Security: the browser uses Google's Safe Browsing to protect the user and the device from dangerous sites
• Shared cookie jar and permissions model, so users don't have to log in to sites they are already connected to, or re-grant permissions they have already granted
• If the user has turned on Data Saver, they will still benefit
Please Note: Image courtesy Google
15. How to use Chrome Custom Tab in Android App
Add Custom Tabs Support Library to Android Project:
In build.gradle :
dependencies {
...
compile 'com.android.support:customtabs:23.3.0'
}
Opening Chrome Custom Tab
Inside any activity :
import android.net.Uri;
import android.support.customtabs.CustomTabsIntent;

// Use a CustomTabsIntent.Builder to configure the CustomTabsIntent.
// Once ready, call CustomTabsIntent.Builder.build() to create a CustomTabsIntent
// and launch the desired URL with CustomTabsIntent.launchUrl().
String url = "https://go.citrix.com/";
CustomTabsIntent.Builder builder = new CustomTabsIntent.Builder();
CustomTabsIntent customTabsIntent = builder.build();
customTabsIntent.launchUrl(this, Uri.parse(url));
Chrome Custom Tab customizations
// Apply all customizations on the builder before calling build(); they have no
// effect on a CustomTabsIntent that has already been built.
// Set Toolbar Color.
builder.setToolbarColor(colorInt);
// Set Action Button Image, Description, colorTint and Action.
builder.setActionButton(icon, description, pendingIntent, tint);
// Set entry and exit animations.
builder.setStartAnimations(this, R.anim.slide_in_right, R.anim.slide_out_left);
builder.setExitAnimations(this, R.anim.slide_in_left, R.anim.slide_out_right);
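As an added example (not from the deck), a small helper that does the "warming up" the next slide refers to: it binds to the Custom Tabs service, pre-fetches the login URL and pins the launch to one browser package instead of whichever app answers the implicit intent. WarmCustomTab is a hypothetical class name, and it assumes Chrome (com.android.chrome) is installed; checking for an installed provider is left out.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.net.Uri;
import android.support.customtabs.CustomTabsClient;
import android.support.customtabs.CustomTabsIntent;
import android.support.customtabs.CustomTabsServiceConnection;
import android.support.customtabs.CustomTabsSession;

// Keeps a warmed-up Custom Tabs session so the login page is pre-fetched before the user taps Sign in.
public class WarmCustomTab {
    // Pin the provider explicitly rather than letting whichever browser answers the implicit intent.
    private static final String CHROME_PACKAGE = "com.android.chrome";
    private final Uri loginUrl;
    private CustomTabsServiceConnection connection;
    private CustomTabsSession session;

    public WarmCustomTab(Uri loginUrl) { this.loginUrl = loginUrl; }

    // Call early (e.g. in onStart): binds to the Custom Tabs service, starts the browser process
    // and hints the URL so it is pre-loaded in the background.
    public boolean warmUp(Context context) {
        connection = new CustomTabsServiceConnection() {
            @Override
            public void onCustomTabsServiceConnected(ComponentName name, CustomTabsClient client) {
                client.warmup(0L);
                session = client.newSession(null); // no navigation callback needed here
                if (session != null) {
                    session.mayLaunchUrl(loginUrl, null, null);
                }
            }
            @Override
            public void onServiceDisconnected(ComponentName name) { session = null; }
        };
        return CustomTabsClient.bindCustomTabsService(context, CHROME_PACKAGE, connection);
    }

    // Opens the URL in the warmed session; a null session (service not yet bound) falls back to a cold launch.
    public void launch(Activity activity) {
        CustomTabsIntent tabIntent = new CustomTabsIntent.Builder(session).setShowTitle(true).build();
        tabIntent.intent.setPackage(CHROME_PACKAGE); // same pin for the launch intent itself
        tabIntent.launchUrl(activity, loginUrl);
    }

    // Call from onStop/onDestroy to release the service binding.
    public void release(Context context) {
        if (connection != null) { context.unbindService(connection); connection = null; session = null; }
    }
}
```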
16. Differences between Chrome Custom Tabs and WebView
• Speed
  Chrome Custom Tabs: when warming up is used, the launch of the page is much faster because of background load.
  WebView: speed lower than CCT, as can be seen in the demo videos as well.
• Exposed interfaces
  Chrome Custom Tabs: don't allow direct manipulation of elements using exposed JavaScript interfaces, so more secure but less flexible.
  WebView: allows direct manipulation of elements using exposed Java interfaces, so less secure but more flexible.
• OAuth2
  Chrome Custom Tabs: CCT allows OAuth2 to be easily used for authorization and granting access tokens through the redirect field in the URL.
  WebView: there have been reports where WebView is not allowing OAuth2 to work properly for many customers. Google is not allowing WebView to use its OAuth2 backed APIs.
• Look and feel
  Chrome Custom Tabs: customizations to the look and feel, leading to better integration with native applications. Color modification, options menu and back arrow are allowed to be modified. Animations for entry and exit are allowed.
  WebView: such customizations need to be written from scratch, as WebView is hosting the content without decorations as such.
• URL visibility
  Chrome Custom Tabs: the customer sees the URL they are reaching, which is not modifiable, and hence going somewhere and showing something else doesn't happen.
  WebView: such a feature is not present. Fake apps could show a different page and show a different URL to the user.
• Cookies
  Chrome Custom Tabs: all Chrome Custom Tabs internal cookies are maintained by the system and not exposed, though shared under system control using the shared cookie jar.
  WebView: each WebView has its own set of cookies that is not shared with browser tabs, and they don't share state.
17. Hands on with OAuth2 with AppAuth and google API
• Open the link : https://codelabs.developers.google.com/codelabs/appauth-android-codelab/index.html . Step by step instructions are given on how to do the authorization and use Google APIs for the user. It's easy but takes a bit of time to get things done.
• Some of the things to remember:
  • The Client ID is specific to the app being written and is linked with the app developer's Google account. This is so that Google can be sure the right application is talking to it, and later it can revoke the auth token if needed in future.
  • For starting, one can avoid the Managed Configuration (in the above steps), as it's not necessary to understand the concept
  • Two endpoints are used, one for the auth endpoint and the second for the token endpoint.
  • The redirect URI is of the form
    Uri redirectUri = Uri.parse("com.google.codelabs.appauth:/oauth2callback");
  • This redirectUri corresponds to the custom scheme registered in the AndroidManifest.xml
    <activity android:name="net.openid.appauth.RedirectUriReceiverActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="com.google.codelabs.appauth"/>
      </intent-filter>
    </activity>
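As an added example (not from the deck or the AppAuth project), an Activity that wires the two endpoints, the client ID and the redirect URI above into AppAuth's authorization-code flow and then exchanges the returned code for tokens. The endpoint URLs and client ID are placeholders, LoginActivity is a hypothetical name, and it assumes the manifest declares this activity with launchMode singleTop.

```java
import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import net.openid.appauth.AuthorizationRequest;
import net.openid.appauth.AuthorizationResponse;
import net.openid.appauth.AuthorizationService;
import net.openid.appauth.AuthorizationServiceConfiguration;
import net.openid.appauth.ResponseTypeValues;

// Assumes android:launchMode="singleTop" on this activity so the redirect lands in onNewIntent().
public class LoginActivity extends AppCompatActivity {
    // Placeholders: use the auth/token endpoints and client ID from your own OAuth2 registration.
    private static final Uri AUTH_ENDPOINT = Uri.parse("https://AUTH_SERVER_PLACEHOLDER/oauth2/auth");
    private static final Uri TOKEN_ENDPOINT = Uri.parse("https://AUTH_SERVER_PLACEHOLDER/oauth2/token");
    private static final String CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
    // Must match the custom scheme declared for RedirectUriReceiverActivity in AndroidManifest.xml.
    private static final Uri REDIRECT_URI = Uri.parse("com.google.codelabs.appauth:/oauth2callback");
    private AuthorizationService authService;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        authService = new AuthorizationService(this);
        AuthorizationServiceConfiguration config = new AuthorizationServiceConfiguration(AUTH_ENDPOINT, TOKEN_ENDPOINT);
        // Authorization-code flow. The Builder adds a random state and a PKCE code_verifier/code_challenge by
        // default, so another app registering the same custom scheme cannot redeem an intercepted code.
        AuthorizationRequest request = new AuthorizationRequest.Builder(
                config, CLIENT_ID, ResponseTypeValues.CODE, REDIRECT_URI).setScope("profile").build();
        // AppAuth shows the authorization page in a Custom Tab, never a WebView, and returns the
        // redirect to this activity through the PendingIntent.
        Intent completion = new Intent(this, LoginActivity.class);
        authService.performAuthorizationRequest(request, PendingIntent.getActivity(this, 0, completion, 0));
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        AuthorizationResponse resp = AuthorizationResponse.fromIntent(intent);
        if (resp == null) {
            // AuthorizationException.fromIntent(intent) says why: cancellation, a server error, or a state mismatch.
            return;
        }
        // Exchange the one-time code over HTTPS; the PKCE verifier is attached automatically.
        authService.performTokenRequest(resp.createTokenExchangeRequest(), (tokenResp, ex) -> {
            // tokenResp.accessToken / refreshToken: keep them in an AuthState, not plain prefs.
        });
    }
}
```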
19. Precautions
• The OAuth2 RFC document has been in constant revision for a good time; please keep track of it to see if new things need to be looked into, especially in the mobile space.
• The initial writer of OAuth2 has recently backed out of the project, saying it's too complex and it's not the way it should have been. This is a good warning. https://hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529
• Facebook and Google have their own OAuth2 implementations which are slightly different, so apps need to be written to take care of these deviations when they need integrations
• It's still a good practice to use WebView if we are directing the user to our own URL in our domain
• OAuth vulnerability: OAuth2 relies on TLS for protection from outside. If security and SSL are not properly done, it will lead to security exploits, so be careful and forewarned. It's possible for a rogue website to phish a user's legitimate credentials during the part of the process where the user is required to authenticate themselves to the authorization provider. For example, a user is using the first service and chooses a feature that forces an OAuth transaction to a second service. It's possible for the first website to fake the second website, where user authentication is often taking place. The rogue website can then collect the user's authentication credentials and react as if the OAuth transaction had successfully taken place. This is what happened with Google in 2017, and millions of accounts were phished.
20. References / Docs / Recommendations
• Enterprise SSON with Chrome Custom Tabs
  • https://www.youtube.com/watch?v=DdQTXrk6YTk
• Chrome Custom Tab videos – how-to(s) and details
  • https://www.youtube.com/watch?v=OMSm9d9eNVU
  • https://www.youtube.com/watch?v=YeTfOTUxOv4
  • https://www.youtube.com/watch?v=QOxIdbNwpx0
• To learn about OAuth2
  • https://tools.ietf.org/html/rfc6749
  • https://oauth.net/2/
  • https://developers.google.com/identity/protocols/OAuth2
  • https://www.slideshare.net/aaronpk/an-introduction-to-oauth-2/
• Good tool shared by Google to learn how OAuth2 needs to be implemented and to play around
  • https://developers.google.com/oauthplayground
• Citrix links to SAML integration with customer environments
  • https://support.citrix.com/article/CTX218175
  • https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/secure/federated-authentication-service.html