Educause Security Discussion mailing list archives
Re: Mobile Apps: Authentication?
From: Bob Doyle <bobdoyle () KELLOGG NORTHWESTERN EDU>
Date: Mon, 21 Mar 2011 17:31:11 +0000
We were able to rely on our school's existing authentication technology for our mobile app login; you can channel it through the browser and the risk model remains consistent. The interesting problem lies with the session management: in our case we had multiple servers on and off campus and we weren't able to fully rely on our SSO solution to handle session management. We're coding the app and the back-end web-services to handle that. For review and design purposes, you're looking for the same kinds of things that you look for in web apps (no clear text passwords or session IDs, timeouts appropriate for the information at play). This is still an area of growth and still requires oversight, especially in the design phase; authenticating content is still a problem that people are trying to solve very badly. I'll link a Shmoocon talk from last month where the presenter spends roughly 30-40 minutes rattling off apps that are caching clear text passwords to handle session management (don't do this) or storing authenticated content locally on the device. I'm not viewing mobile app/sec as a solved problem that can give you assurance from low security data to high security data, so we're watching things on a case by case basis.

Cheers,
Bob Doyle

Here's a link to the ShmooCon 2011 schedule: http://www.shmoocon.org/schedule
Search for "Sarah Edwards" (There's not a good direct link, and plenty of other great presentations there)

From: Theresa Rowe [mailto:rowe () OAKLAND EDU]
Sent: Tuesday, March 15, 2011 11:34 AM
Subject: Re: Mobile Apps: Authentication?

I'm interested in this too. I am specifically separating mobile app from mobile web site in this discussion. While we have supported development of mobile web sites that have logins to critical systems, we have not deployed apps yet that support logins to critical systems.

We have an app development project underway that will be consumer information in orientation, and we've specifically excluded anything involving authentication with our LDAP directory because we do not know enough about security implementation in that environment. I think our first entries into this area will be with vendor supplied products.

Theresa Rowe

On Tue, Mar 15, 2011 at 12:04 PM, Martin Manjak <mm376 () albany edu<mailto:mm376 () albany edu>> wrote:

As the great mobile migration accelerates, I wonder if anyone has deployed an app that has an authentication component. I know certain schools have developed (or bought?) custom apps for their campuses that provide maps, dining hall menus, etc. I'm writing to the list to see if anyone has developed/deployed/purchased a mobile app that integrates into a CMS, for example. Or any IT service that requires authentication. I realize that people can use the mobile phone browser to submit credentials via the traditional portal or web-based authentication methods. I don't think the security issues in those cases are any different from using a laptop. But it would be interesting to see if anyone has written a native app for a mobile platform that addresses the authentication process.

Marty
--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GSEC, GCWN
"What information consumes...is the attention of its recipients." Herbert Simon, 1971

--
Theresa Rowe
Chief Information Officer
Oakland University
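The session-handling pattern Bob describes (the app keeps an opaque session token rather than a cached password, the back-end web service owns session state, and timeouts match the sensitivity of the data) sketched as an added Python example. This is not code from the thread or from any of the schools mentioned; the class names, the in-memory store, the stubbed credential check and the 15-minute idle / 8-hour absolute timeout values are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not from the thread): a minimal server-side session store for a
# mobile-app back end. The policy numbers are assumptions for illustration; the
# thread's point is that they should fit the information at play.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session ends
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling on session lifetime, used or not


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server side: hands out random opaque tokens and keeps only their hashes."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                       # injectable clock, so tests can advance time
        self._sessions: dict = {}            # sha256(token) -> Session

    @staticmethod
    def _digest(token: str) -> str:
        # Store a hash of the token; a leaked store then yields no usable session IDs.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        """Called after the campus SSO / directory login succeeded; returns the token."""
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        now = self.now()
        self._sessions[self._digest(token)] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None (and forget it) if expired/unknown."""
        key = self._digest(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.now()
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        sess.last_seen = now                 # sliding idle window
        return sess.user

    def revoke(self, token: str) -> None:
        """Explicit logout, or forced invalidation when a device is reported lost."""
        self._sessions.pop(self._digest(token), None)

    def live_count(self) -> int:
        return len(self._sessions)


class MobileClient:
    """Device side: retains the session token only, never the password."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self.token: Optional[str] = None

    def login(self, user: str, password_ok: bool) -> bool:
        # The credential check is delegated to the existing SSO (stubbed here as a
        # boolean); the app keeps the resulting token and nothing else.
        if not password_ok:
            return False
        self.token = self.store.issue(user)
        return True

    def call_service(self) -> Optional[str]:
        """One web-service call: the authenticated user, or None meaning re-login."""
        if self.token is None:
            return None
        user = self.store.validate(self.token)
        if user is None:
            self.token = None                # drop the dead token; prompt for login again
        return user


if __name__ == "__main__":
    store = SessionStore()
    app = MobileClient(store)
    app.login("alice", password_ok=True)
    print("service call as:", app.call_service())
    store.revoke(app.token)
    print("after revoke:", app.call_service())
```

The two timeouts are separate knobs on purpose: the idle window limits what a lost, unlocked device exposes, while the absolute cap bounds how long any token stays valid however actively it is used. Reviewing a real app against Bob's checklist means confirming that the device persists only something like `MobileClient.token`, that it travels only over TLS, and that the server forgets it on logout.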
Current thread:
- Mobile Apps: Authentication? Martin Manjak (Mar 15)
- Re: Mobile Apps: Authentication? Theresa Rowe (Mar 15)
- Re: Mobile Apps: Authentication? Kevin Shalla (Mar 15)
- Re: Mobile Apps: Authentication? Valdis Kletnieks (Mar 15)
- Re: Mobile Apps: Authentication? Kevin Shalla (Mar 15)
- <Possible follow-ups>
- Re: Mobile Apps: Authentication? Bob Doyle (Mar 21)
- Re: Mobile Apps: Authentication? Theresa Rowe (Mar 15)