Educause Security Discussion mailing list archives

Re: Mobile Apps: Authentication?


From: Bob Doyle <bobdoyle () KELLOGG NORTHWESTERN EDU>
Date: Mon, 21 Mar 2011 17:31:11 +0000

We were able to rely on our school's existing authentication technology for our mobile app login; you can channel it 
through the browser and the risk model remains consistent. The interesting problem lies with the session management: 
in our case we had multiple servers on and off campus and we weren't able to fully rely on our SSO solution to handle 
session management. We're coding the app and the back-end web services to handle that.

For review and design purposes, you're looking for the same kinds of things that you look for in web apps (no clear-text 
passwords or session IDs, timeouts appropriate for the information at play). This is still an area of growth and 
still requires oversight, especially in the design phase; authenticating content is still a problem that people are 
trying to solve very badly. I'll link a ShmooCon talk from last month where the presenter spends roughly 30-40 minutes 
rattling off apps that are caching clear-text passwords to handle session management (don't do this) or storing 
authenticated content locally on the device.

I'm not viewing mobile app/sec as a solved problem that can give you assurance from low-security data to high-security 
data, so we're watching things on a case-by-case basis.

Cheers,

Bob Doyle


Here's a link to the ShmooCon 2011 schedule: http://www.shmoocon.org/schedule Search for "Sarah Edwards" (there's not 
a good direct link, and plenty of other great presentations there).

From: Theresa Rowe [mailto:rowe () OAKLAND EDU]
Sent: Tuesday, March 15, 2011 11:34 AM
Subject: Re: Mobile Apps: Authentication?

I'm interested in this too.  I am specifically separating mobile app from mobile web site in this discussion.  While we 
have supported development of mobile web sites that have logins to critical systems, we have not deployed apps yet that 
support logins to critical systems.  We have an app development project underway that will be consumer information in 
orientation, and we've specifically excluded anything involving authentication with our LDAP directory because we do 
not know enough about security implementation in that environment.  I think our first entries into this area will be 
with vendor supplied products.

Theresa Rowe
On Tue, Mar 15, 2011 at 12:04 PM, Martin Manjak <mm376 () albany edu> wrote:
As the great mobile migration accelerates, I wonder if anyone has
deployed an app that has an authentication component.

I know certain schools have developed (or bought?) custom apps for their
campuses that provide maps, dining hall menus, etc.

I'm writing to the list to see if anyone has developed/deployed/purchased
a mobile app that integrates into a CMS, for example. Or any IT service
that requires authentication.

I realize that people can use the mobile phone browser to submit
credentials via the traditional portal or web-based authentication
methods. I don't think the security issues in those cases are any
different from using a laptop.

But it would be interesting to see if anyone has written a native app
for a mobile platform that addresses the authentication process.

Marty

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GSEC, GCWN

"What information consumes...is the attention of its recipients."
Herbert Simon, 1971



--
Theresa Rowe
Chief Information Officer
Oakland University

