Sharing credentials between iOS 8 apps and the web, Kanstantsin Charnukha, Yury Vasileuski
This talk is about how to implement the exchange of user credentials between iOS apps and the web, taking the specifics of iOS 8 into account.

Published in: Technology
Kanstantsin Charnukha, Yury Vasileuski
Sharing credentials between native apps and Safari
Mobile Camp, 2 August, 2014
iOS authorization development team

Content
Credentials
Sharing credentials and iOS 7
Sharing credentials and iOS 8

Credentials

Credentials lifecycle

UI and memory
•Secure text entry
•Dump memory with GDB and Jailbreak

Network
•HTTPS
•Man in The Middle (MiTM)

MiTM
•HTTPS is vulnerable to MiTM
•Credentials may leak

SSL Pinning
•Protection against MiTM
•Connection only to known server

Storing and sharing credentials

Storing credentials on disk
•NSUserDefaults
–Backup
–Jailbreak
–No ability to share between apps
•NSFileManager
–NSFileProtectionComplete
–No passcode
–Brute force
–Jailbreak
–No ability to share between apps
•Keychain
–Jailbreak
–Sharing between apps of the vendor

Keychain
•Keychain is sqlite DB
•/private/var/Keychains/keychain-2.db
•Hardware specific key encryption
•Key is unique per device

Keychain is vulnerable
•Physical access
•Jailbreak
•Connect over ssh
•Copy and run keychain_dumper
•Examine all of the keychain data
More info here: http://www.securitylearn.net/tag/dump-passwords-from-iphone-keychain/

Keychain allows to share credentials
Access group

Sharing with keychain
•Same access group in entitlements
•$(AppIdentifierPrefix) is the first part of group ID
•$(AppIdentifierPrefix) may be retrieved programmatically by getting or adding any item in keychain

Options to store credentials
•No credentials storage
•Store authorization token
•Store passwords in keychain
•Store x-token in keychain

No credentials storage
•User enters credentials each launch
•Secure
•No credentials storage

Store authorization token
•Credentials on token expiration
•High security level

Store passwords in keychain
•User enters credentials only once
•Common approach
•Low security level

Store x-token in keychain
•User enters credentials only once
•High security level

Store x-token in keychain
•Can be used by other apps

X-Token and credentials sharing
•Password is exchanged with x-token.
•Each app saves x-token to keychain.
•Secure. Password is not stored on device.
•Sharing between apps.
•Each app can exchange it for token with special permissions.

Credentials and Safari
?

Safari credentials in iOS 7

Safari credentials in iOS 7
•Saves passwords
•No access to keychain data
•No access to cookies

WWDC 2014 topics of interest
•Shared web credentials API in Safari
session 506: Your App, Your Website, and Safari
•Support of actions by Safari
session 217: Creating Extensions for iOS and OS X, Part Two

Safari credentials in iOS 8
Sharing credentials with Safari, iOS 8
Shared web credentials API:
•Direct export to app
•Direct import from app
Actions support:
•Indirect import to Safari
•Indirect export from Safari
•Support of specific credentials

Safari and native app
Safari
Native app

Safari shared web credentials

Shared web credentials API
void SecAddSharedWebCredential(
    CFStringRef fqdn,
    CFStringRef account,
    CFStringRef password,
    void (^completionHandler)(CFErrorRef error));
void SecRequestSharedWebCredential(
    CFStringRef fqdn,
    CFStringRef account,
    void (^completionHandler)(CFArrayRef credentials, CFErrorRef error));

Account and password
•Raw credentials
•Easy to use and understand
•Easy to import from Safari to any app
•Difficult to export from “token-based” app to Safari

fqdn or Fully qualified domain name
@function SecRequestSharedWebCredential
@param fqdn (Optional) Fully qualified domain name of the website for which passwords are being requested. If NULL is passed in this argument, the domain name(s) listed in the calling application's 'com.apple.developer.associated-domains' entitlement are searched implicitly.

Associated domains
Domains are listed at Safari AutoFill Settings.

Safari and native app
Safari
Native app

Associating app and web site
[diagram: apps #1 to #5 associated with yandex.ru, gmail.com, facebook.com and twitter.com; each domain publishes https://domain/apple-app-site-association naming the apps it is associated with]

Test server setup with node.js
// missing node.js common setup (the slide omits it; an express app is assumed below,
// including whatever middleware actually serves the signed file after next())
var express = require('express');
var https = require('https');
var fs = require('fs');
var app = express();
app.all('/apple-app-site-association', function(req, res, next) {
    // the signed association file is delivered as a PKCS#7 (S/MIME) blob
    res.setHeader('Content-Type', 'application/pkcs7-mime');
    next();
});
var PORT = 8000;
var HOST = 'test.host.on.private.network.net';
// TLS private key and certificate of the test host (named sshKey/sshCert on the slide)
var sshKey = fs.readFileSync('./certs/key.pem');
var sshCert = fs.readFileSync('./certs/cert.pem');
var https_options = {key: sshKey, cert: sshCert};
https.createServer(https_options, app).listen(PORT, HOST);

Notes on server setup
•Certificate is verified by iOS itself
•Not available on simulator
•No way to use self-signed certificate
•Self-installed certificates impact Safari, but not the verification process
•Provide certificate signed by iOS trusted CA
•Use static domains, no local IPs.
•Apply to multiple domains
•Multiple app prefixes (AppStore, AdHoc, Debug)
•Multiple bundles (AppStore, inhouse)
•Different certificates for every domain
// apps.json content
{"webcredentials":{"apps":["APPSTORE_PREFIX.ru.yandex.app1", "APPSTORE_PREFIX.ru.yandex.app2"]}}
cat apps.json | openssl smime -sign -inkey certs/key.pem -signer certs/cert.pem -noattr -nodetach -outform DER > apple-app-site-association
apple-app-site-association
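As an added example (not code from the slides): a small Node.js script that builds the webcredentials block for several app-ID prefixes and bundle IDs, as the notes above call for, and checks a parsed association file before it is handed to openssl for signing. The prefix strings and the assumed 10-character prefix format are placeholders; the bundle IDs are the ones shown on the slide.

```javascript
'use strict';

// Assumed app-ID prefix format: 10 upper-case letters or digits (the slide
// only shows the placeholder APPSTORE_PREFIX).
var PREFIX_RE = /^[A-Z0-9]{10}$/;
var BUNDLE_RE = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// One "PREFIX.bundle" entry per (prefix, bundle) pair, so that AppStore, AdHoc
// and Debug prefixes are listed for both the AppStore and the in-house bundle.
function buildWebcredentials(prefixes, bundleIds) {
  var apps = [];
  prefixes.forEach(function (prefix) {
    bundleIds.forEach(function (bundleId) {
      apps.push(prefix + '.' + bundleId);
    });
  });
  return { webcredentials: { apps: apps } };
}

// Returns a list of problems found in a parsed association file; empty means OK.
function validateAssociation(doc) {
  var problems = [];
  if (!doc || typeof doc !== 'object' || !doc.webcredentials) {
    return ['missing "webcredentials" key'];
  }
  var apps = doc.webcredentials.apps;
  if (!Array.isArray(apps) || apps.length === 0) {
    return ['"webcredentials.apps" must be a non-empty array'];
  }
  apps.forEach(function (appId, i) {
    var dot = typeof appId === 'string' ? appId.indexOf('.') : -1;
    if (dot < 0) { problems.push('apps[' + i + ']: not PREFIX.bundle form'); return; }
    if (!PREFIX_RE.test(appId.slice(0, dot))) problems.push('apps[' + i + ']: bad prefix');
    if (!BUNDLE_RE.test(appId.slice(dot + 1))) problems.push('apps[' + i + ']: bad bundle id');
  });
  return problems;
}

// Would this build (prefix + bundle) be allowed to read the domain's shared credentials?
function isAppListed(doc, prefix, bundleId) {
  return validateAssociation(doc).length === 0 &&
    doc.webcredentials.apps.indexOf(prefix + '.' + bundleId) !== -1;
}

// Constructed sample: two placeholder prefixes (say, AppStore and AdHoc builds)
// for the two bundle IDs named on the slide.
var SAMPLE = buildWebcredentials(['ABCDE12345', 'FGHIJ67890'],
                                 ['ru.yandex.app1', 'ru.yandex.app2']);
// JSON.stringify(SAMPLE) is the apps.json content that openssl then signs.
```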
User control and credential access

Usage drawbacks
1. User-side security but poor user experience
2. User asked on every single credential access
3. No method to check account existence
4. Difficult to sync account addition and removal

Actions and Safari

Actions
Action is an extension point that helps users to manipulate or view content within the context of another app, e.g. transforming DOM within Safari.

Empty login page within Safari

Safari actions bar

Custom actions within Safari

•UIActivityViewController
•NSURL
NSString *stringURL = @"https://yandex.ru";
NSURL *pageURL = [NSURL URLWithString:stringURL];
UIActivityViewController *activityVC = [[UIActivityViewController alloc] initWithActivityItems:@[pageURL, stringURL] applicationActivities:nil];
[mainVC presentViewController:activityVC animated:YES completion:nil];
Displaying activities within Safari

NSExtension setup to handle Safari
•NSExtensionActivationRule
•NSExtensionActivationSupportsWebURLWithMaxCount

Native app keychain credentials

Completed login page

NSExtension setup to access DOM
•NSExtensionAttributes
•NSExtensionJavaScriptPreprocessingFile

•ExtensionPreprocessingJS
// PasswordHandler.js
var PasswordHandler = function() {};
PasswordHandler.prototype = {
    run: function(arguments) { ... },
    finalize: function(arguments) { ... }
};
var ExtensionPreprocessingJS = new PasswordHandler();
JavaScript preprocessing file

run: function(arguments) {
    // read the login form values from the page and hand them to the native app
    var loginInput = document.getElementsByName("login")[0];
    var loginInputText = loginInput.value;
    var passwdInput = document.getElementsByName("passwd")[0];
    var passwdInputText = passwdInput.value;
    arguments.completionFunction({"login": loginInputText, "passwd": passwdInputText});
},
finalize: function(arguments) {
    // write the values returned by the native app back into the form
    var loginInput = document.getElementsByName("login")[0];
    var loginInputText = arguments["login"];
    loginInput.value = loginInputText;
    var passwdInput = document.getElementsByName("passwd")[0];
    var passwdInputText = arguments["passwd"];
    passwdInput.value = passwdInputText;
}
Getting values from DOM
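As an added example (not the slides' code): the run/finalize pair rewritten so that a login page missing one of the two fields does not throw inside Safari, and exercised against a constructed stand-in for the page's document. The field names follow the slide; the handler taking the document as a constructor argument, the fakeDocument and demoRoundTrip helpers, and the sample values are assumptions made here so the code runs outside the extension.

```javascript
'use strict';

// Constructed stand-in for the page DOM; only getElementsByName is needed here.
// In the real extension the handler would receive Safari's document instead.
function fakeDocument(fields) {
  return {
    getElementsByName: function (name) {
      return Object.prototype.hasOwnProperty.call(fields, name) ? [fields[name]] : [];
    }
  };
}

var FIELDS = ['login', 'passwd']; // input names used by the slide's login page

function PasswordHandler(doc) { this.doc = doc; }

PasswordHandler.prototype = {
  // Collect field values for the native side. A missing field becomes null
  // instead of a TypeError on `undefined.value`, which would abort the action.
  run: function (args) {
    var doc = this.doc, out = {};
    FIELDS.forEach(function (name) {
      var el = doc.getElementsByName(name)[0];
      out[name] = el ? el.value : null;
    });
    args.completionFunction(out);
    return out;
  },
  // Write the values handed back by the native app into the form and report
  // which fields were actually filled, so the caller can tell a partial fill.
  finalize: function (args) {
    var doc = this.doc, filled = [];
    FIELDS.forEach(function (name) {
      var el = doc.getElementsByName(name)[0];
      if (el && typeof args[name] === 'string') {
        el.value = args[name];
        filled.push(name);
      }
    });
    return filled;
  }
};

// Round trip on a constructed page: the app fills the form, then run() reads it back.
function demoRoundTrip() {
  var page = fakeDocument({ login: { value: '' }, passwd: { value: '' } });
  var handler = new PasswordHandler(page);
  var filled = handler.finalize({ login: 'user@example.com', passwd: 'constructed-secret' });
  var seen = handler.run({ completionFunction: function () {} });
  return { filled: filled, seen: seen };
}
```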
•NSExtensionJavaScriptFinalizeArgumentKey
•kUTTypePropertyList
NSDictionary *js = @{NSExtensionJavaScriptFinalizeArgumentKey: @{@"login" : self.login, @"passwd": self.passwd}};
NSItemProvider *pItem = [[NSItemProvider alloc] initWithItem:js typeIdentifier:(NSString *)kUTTypePropertyList];
NSExtensionItem *eItem = [[NSExtensionItem alloc] init];
eItem.attachments = @[pItem];
[self.extensionContext completeRequestReturningItems:@[eItem] completionHandler:nil];
Setting values to DOM

Differences
Pros:
•No server setup by default
•Custom credentials support
•Any browser and web view support
Cons:
•Not available on device by default
•More difficult to implement on client side
•No server side control by default
•Security is developer responsibility

Summary
•Credentials
•Sharing credentials and iOS 7
•Sharing credentials and iOS 8

Kanstantsin Charnukha, xardas@yandex-team.ru
Yury Vasileuski, vasileuski@yandex-team.ru
iOS authorization development team
Thanks
