The Ultimate Guide to Mobile API Security
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.

1. ULTIMATE GUIDE TO MOBILE SECURITY
Edward Jiang
2. HI, I’M EDWARD!
@EdwardStarcraft
Developer Evangelist @goStormpath
3. DEVELOPER TOOLS FOR AUTHENTICATION
• Stormpath — Authentication as a Service
• Web Framework Integrations — Authentication in your web framework of choice
• Apache Shiro — Java security framework
• JWTK — JWT libraries for JavaScript & Java
• Simplicity — Easy social login for iOS
• Turnstile — Authentication framework for server-side Swift
4. USERS, STORMPATH, INTEGRATIONS (diagram slide)
5. AUTHENTICATION: HOW DOES IT WORK?
6. AUTHENTICATION: IT’S ABOUT PROVING THAT YOU ARE WHO YOU SAY YOU ARE
7. BASIC AUTHENTICATION
GET / HTTP/1.1
Authorization: Basic Base64(username:password)
• Easy and convenient, but insecure: Base64 is an encoding, not encryption, so anyone who can read the request can read the password
• Username / password need to be stored on the device
• Username / password are sent on every request
8. TOKENIZATION
“myusername” and “mypassword” become “rCsspweTxMtz2sypA0PLGns6fkCA”
• No risk of losing the username/password from the device
• Device credentials can be independently revoked from the username/password
9. COOKIE AUTHENTICATION
GET / HTTP/1.1
Cookie: sessionId=rCsspweTxMtz2sypA0PLGns6fkCA
• Convenient: the server sets a cookie, and the HTTP client automatically takes care of authentication
• Server-side logic for authentication can be shared between mobile and web
• Downside: session state is hidden inside the HTTP client’s cookie jar, so it is hard to see or control when the credential is sent (that automatic sending is also what makes CSRF a concern for web clients)
10. BEARER AUTHENTICATION
GET / HTTP/1.1
Authorization: Bearer rCsspweTxMtz2sypA0PLGns6fkCA
• Slightly more complicated: need to write a login endpoint, and a token format the client understands
• Need to deal with storing the token: use the iOS Keychain; on Android, SharedPreferences is written to disk in the clear, so encrypt the token with a key held in the Android Keystore rather than storing it raw
• But ultimate control over token usage and state. Preferred method
11. STATELESS TOKENS
• Used at scale in larger APIs
• Self contained, unlike “dumb” / opaque tokens
• Can be validated easily without a round trip to a central database
• Harder to use properly: a self-contained token cannot be revoked before it expires without reintroducing server-side state, so keep lifetimes short and always check the expiry
12. JSON WEB TOKEN
eyJrafea.eyJzdWIiopkIefwEWFd.dPPxume
Header . Body . Signature
(the token string is abbreviated on the slide; exp is one hour after iat)
Header:
{
  "typ": "JWT",
  "alg": "HS256"
}
Body:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1487260586,
  "exp": 1487264186
}
13. STORMPATH MOBILE SDKS
• Uses the Stormpath API to authenticate users & validate their identity
• Authenticate to your APIs with Bearer Authentication
• Use JWTs for scalability
14. LET’S SEE SOME CODE!
15. FINISHED RESULT
• GitHub: https://github.com/stormpath/stormpath-ios-example
• Review this tutorial: https://stormpath.com/blog/build-note-taking-app-swift-ios
16. WHAT NEXT?
• Try the Android counterpart: https://stormpath.com/blog/build-user-authentication-for-android-app
• Learn how to build a REST API for mobile: https://stormpath.com/blog/tutorial-build-rest-api-mobile-apps-using-node-js
• Talk to us! Email support@stormpath.com, or edward@stormpath.com
• Follow us @EdwardStarcraft and @goStormpath on Twitter
17. QUESTIONS?
