The Ultimate Guide to Mobile API Security
2 likes2,239 views
The document is a comprehensive guide on mobile security, specifically focusing on authentication methods like basic, tokenization, cookie, and bearer authentication, along with their pros and cons. It emphasizes the use of JSON Web Tokens (JWT) for secure and scalable user authentication and provides links to relevant resources and tutorials for further learning. Additionally, it encourages interaction through support channels and social media follow-ups.
The Ultimate Guide to Mobile API Security
- 1. ULTIMATE GUIDE TO MOBILE SECURITY Edward Jiang
- 2. HI, I’M EDWARD! @EdwardStarcraft Developer Evangelist @goStormpath
- 3. DEVELOPER TOOLS FOR AUTHENTICATION • Stormpath — Authentication as a Service • Web Framework Integrations — Authentication in your web framework of choice • Apache Shiro — Java security framework • JWTK — JWT libraries for JavaScript & Java • Simplicity — Easy social login for iOS • Turnstile — Authentication framework for server-side Swift
- 5. A U T H E N T I C AT I O N H O W D O E S I T W O R K ?
- 6. A U T H E N T I C AT I O N I T ’ S A B O U T P R O V I N G T H AT Y O U A R E W H O Y O U S AY Y O U A R E
- 7. BASIC AUTHENTICATION GET / HTTP/1.1 Authorization: Basic Base64(username:password) • Easy and convenient, but insecure • Username / password needs to be stored on the device • Username / password are sent on every request
- 8. TOKENIZATION “myusername” and “mypassword” becomes “rCsspweTxMtz2sypA0PLGns6fkCA” • No risk of losing the username/password from the device • Device credentials can be independently revoked from the username/password
- 9. COOKIE AUTHENTICATION GET / HTTP/1.1 Cookie: sessionId=rCsspweTxMtz2sypA0PLGns6fkCA • Convenient: the server sets a cookie, and the HTTP Client automatically takes care of authentication • Server-side logic for authentication can be shared between mobile and web • Downside: hard to understand state
- 10. BEARER AUTHENTICATION GET / HTTP/1.1 Authorization: Bearer rCsspweTxMtz2sypA0PLGns6fkCA • Slightly more complicated: Need to write an endpoint, and a format for the client to understand • Need to deal with storing the token (use the iOS Keychain or Android SharedPreferences) • But ultimate control over token usage, and state. Preferred method
- 11. STATELESS TOKENS • Used at scale in larger APIs • Self contained, unlike “dumb” / opaque tokens • Can be validated easily without a round trip to a central database • Harder to use properly
- 12. JSON WEB TOKEN eyJrafea.eyJzdWIiopkIefwEWFd.dPPxume Header Body Signature { "sub": "1234567890", "name": "John Doe", "iat": 1487260586, "exp": 1487264186 } { "typ": "JWT", "alg": "HS256" }
- 13. STORMPATH MOBILE SDKS • Uses the Stormpath API to authenticate users & validate their identity • Authenticate to your APIs with Bearer Authentication • Use JWTs for scalability
- 14. LET’S SEE SOME CODE!
- 15. FINISHED RESULT • GitHub: https://github.com/stormpath/stormpath-ios-example • Review this tutorial: https://stormpath.com/blog/build-note-taking-app-swift-ios
- 16. WHAT NEXT? • Try the Android counterpart: https://stormpath.com/blog/build-user-authentication-for- android-app • Learn how to build a REST API for mobile: https://stormpath.com/blog/tutorial-build-rest- api-mobile-apps-using-node-js • Talk to us! Email [email protected], or [email protected] • Follow us @EdwardStarcraft and @goStormpath on Twitter
- 17. QUESTIONS?