API Authentication Using Mobile Application (SMS)

We are currently tasked with implementing a (preferably simple) authentication system for a mobile application that communicates with a RESTful API. The backend holds user data identified by the user's phone number. I am trying to learn more about security in general, about the various methods and why they work the way they do.

I thought of a simple authentication system:

  • The client sends a verification request to the API, which includes their phone number and a generated GUID.
  • The server sends an SMS message with a confirmation code to that phone number.
  • The client verifies its device by sending the GUID, the phone number and the verification code.
  • The server responds with some kind of access token, which the client can use for further requests.

I have the following questions:

Are there any serious flaws in this approach? Assuming we use HTTPS, is it secure enough to send the data in unencrypted form? Can access tokens be stored safely on mobile devices so that only our application can read them? Is there anything else we haven't thought about?

We already realise that once a mobile phone is stolen or otherwise compromised, the data is no longer protected, but that is a risk which is hard to overcome. Access tokens could be valid only temporarily to minimise this risk.

I assume this approach is too simple and there is a huge flaw somewhere :) Can you enlighten me?

+6
2 answers

There is a flaw. The system is vulnerable to a brute-force attack.

Suppose I am an attacker. I generate a GUID for myself and send it along with an arbitrary phone number.

Next, I simply brute-force my way through the possible SMS codes: if the code is 6 digits, there are only 10^6 combinations. The brute force takes a matter of seconds, and then I have access to the data of the person who owns that phone.

In addition, as Phil pointed out in the comments, I can force you to send an arbitrary number of SMS messages, which costs you real money and costs me nothing.

There is also no good defense against this attack:

  • If there is a limited number (N) of attempts for a given GUID, I will simply generate a new GUID every N attempts.
  • If the number of requests per phone number in a given time window is limited, I can mount a DoS/DDoS attack by flooding all possible numbers with fake requests, so that nobody is able to complete a request.

Username/password or certificate authentication is required before the SMS message. Also:

  • Never use things like a GUID in cryptography / security protocols. GUIDs are deterministic (that is, knowing one value, you can predict the next ones). Use the built-in functions of a crypto library to generate random strings.
  • Never try to design security protocols yourself. Never. There are an awful lot of pitfalls; even the creators of SSL 1.0 fell into them, and they were sharp guys, mind you. It is better to copy common and proven schemes (Google's auth is a great example).
+4
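The brute-force and GUID-regeneration attack described in this answer, as an added simulation that is not part of the original post. The server classes, the attacker routine and the parameter values (a 3-digit code instead of the 6 discussed so the run finishes instantly, five attempts per entry, the sample phone number) are assumptions made for illustration; the contrast shown is between counting failed attempts per client-chosen GUID, as in the posted scheme, and counting them per phone number.

```python
"""Simulation of the SMS-code scheme from the question with a brute-forcing attacker.

Added example, not code from the original post; all names and limits are assumed.
"""
import hmac
import secrets

CODE_DIGITS = 3                 # the thread discusses 6 digits; 3 keeps the simulation instant
CODE_SPACE = 10 ** CODE_DIGITS
MAX_ATTEMPTS = 5                # failed verifications allowed before an entry is locked


def fresh_code():
    """Confirmation code from the OS CSPRNG (a GUID is not a substitute for this)."""
    return f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"


class NaiveServer:
    """The posted scheme: the attempt budget is tied to the client-chosen GUID."""

    def __init__(self, code_source=fresh_code):
        self.code_source = code_source    # injectable so a test can fix the code
        self.pending = {}                 # guid -> [phone, code, failed_attempts]
        self.sms_sent = 0                 # every request_code costs one paid SMS

    def request_code(self, phone, guid):
        self.pending[guid] = [phone, self.code_source(), 0]
        self.sms_sent += 1

    def verify(self, phone, guid, code):
        entry = self.pending.get(guid)
        if entry is None or entry[0] != phone or entry[2] >= MAX_ATTEMPTS:
            return None
        if hmac.compare_digest(entry[1], code):
            del self.pending[guid]                 # code is single-use
            return secrets.token_urlsafe(32)       # opaque access token
        entry[2] += 1
        return None


class PhoneBoundServer(NaiveServer):
    """Same flow, but failures are counted per phone number and survive a new GUID."""

    def __init__(self, code_source=fresh_code):
        super().__init__(code_source)
        self.failures = {}                # phone -> failed attempts

    def locked(self, phone):
        return self.failures.get(phone, 0) >= MAX_ATTEMPTS

    def request_code(self, phone, guid):
        if self.locked(phone):
            return                        # no new code and, importantly, no new SMS
        super().request_code(phone, guid)

    def verify(self, phone, guid, code):
        if self.locked(phone):
            return None
        token = super().verify(phone, guid, code)
        if token is None:
            self.failures[phone] = self.failures.get(phone, 0) + 1
        return token


def brute_force(server, phone, max_guesses=100 * CODE_SPACE):
    """Attacker who knows only the victim's phone number.

    Whenever the per-GUID budget is exhausted it mints a fresh GUID and asks for a
    new code, exactly as the answer describes. Returns (token, guesses, sms_sent);
    token is None if the attacker never got in.
    """
    guesses = 0
    while guesses < max_guesses:
        guid = secrets.token_hex(16)      # client-chosen, so unlimited supply
        server.request_code(phone, guid)
        for _ in range(MAX_ATTEMPTS):
            guess = f"{guesses % CODE_SPACE:0{CODE_DIGITS}d}"
            guesses += 1
            token = server.verify(phone, guid, guess)
            if token is not None:
                return token, guesses, server.sms_sent
    return None, guesses, server.sms_sent


if __name__ == "__main__":
    victim = "+15550100"              # constructed sample number
    for cls in (NaiveServer, PhoneBoundServer):
        token, guesses, sms = brute_force(cls(), victim)
        print(f"{cls.__name__}: token={'yes' if token else 'no'} guesses={guesses} sms_sent={sms}")
```

Against NaiveServer the attacker gets a token after about CODE_SPACE guesses on average regardless of the per-GUID limit, and the victim's SMS bill grows by one message per regenerated GUID. Against PhoneBoundServer the attacker is locked out after MAX_ATTEMPTS failures and triggers exactly one SMS, at the price the answer points out: the legitimate owner of that number is locked out as well until the counter is cleared.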

The approach you described will work just fine. The client initiates a request with a phone number and a random identifier, and the server sends a verification token to the device. That token is single-use and expires. The client then sends the phone number, the random identifier used previously, and the verification token, which the server checks. If it is valid, the server issues a session token (or authentication token, or the like) that can be used for authentication. A session token can be timed out by the server.
You did not mention whether this is a web application or not. If it is a web application, you can set HTTPS-only session cookies from the server. Otherwise, you can save the token locally in the application's local storage. Normally, applications cannot read private data belonging to other applications.
All communication must go over HTTPS. Otherwise the whole scheme can be compromised by sniffing the traffic, because in the end you are relying on an authentication token.

0
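The server-side session expiry this answer mentions, together with the short-lived tokens the question suggests, as an added example that is not part of the original post. The `SessionStore` class, the 15-minute lifetime, the sample phone numbers and the injected clock are assumptions; tokens are opaque random strings kept in a server-side table, so the server rather than the device decides when they stop working.

```python
"""Server-side session tokens with expiry and revocation.

Added example, not code from the original post; class name, TTL and clock are assumed.
"""
import secrets
import time

TOKEN_TTL = 15 * 60       # assumed lifetime in seconds; short so a stolen phone's token dies soon


class SessionStore:
    """Opaque tokens looked up in a server-side table, so expiry is enforced by the server."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock                 # injectable for deterministic tests
        self.sessions = {}                 # token -> (phone, expires_at)

    def issue(self, phone):
        """Mint a token for an already-verified phone number."""
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike a GUID
        self.sessions[token] = (phone, self.clock() + self.ttl)
        return token

    def authenticate(self, token):
        """Return the phone number bound to a live token, or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        phone, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[token]       # drop expired rows so the table stays bounded
            return None
        return phone

    def revoke_all(self, phone):
        """Kill every session of one user, e.g. when the device is reported stolen."""
        doomed = [t for t, (p, _) in self.sessions.items() if p == phone]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore(ttl=2)
    tok = store.issue("+15550100")        # constructed sample number
    print("fresh token valid:", store.authenticate(tok) is not None)
    time.sleep(2.1)
    print("after ttl valid:", store.authenticate(tok) is not None)
```

Because the token is only a lookup key, a stolen device holds nothing that outlives the server-side row: the lifetime bounds the exposure window, and `revoke_all` closes it immediately once the theft is reported.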

Source: https://habr.com/ru/post/949992/
