Android - SecureAuth

SecureAuth Corp
Dec 06, 2012
www.gosecureuath.com
SecureAuth IdP for Android
© 2012 SecureAuth. All rights reserved.

Welcome to the SecureAuth
Android DevCon IV Preso
Chris Hayes, SecureAuth Corporation
Sr. Sales Engineer
Garret Grajek, SecureAuth Corporation
CTO/COO
http://www.gosecureauth.com
2

AGENDA
1. SecureAuth IdP for Android
• Securing Existing Apps
• Web, SaaS, Mobile
• Portal
2. SecureAuth Idp for Mobile (Android)
• Securing NEW “Native” Mobile Apps
• Native App – IdP, Integration
• Q. & A.

Securing SaaS,
Web, VPN resources
on the Android
Platform

SecureAuth & Android: Access to the Enterprise
SIEMs
(Logging)
Directory
Web
Apps
Gateway
“Cloud”
Apps
End User
(Desktop or
Mobile)
5

What is Special about the
Android App Platform
• Android is Linux based
• Code is Java Based
• Most importantly:
– Has own Java Virtual Machine (Dalvik)
– Supports Interprocess Communication
– Supports embedded browsers
– Support Communication to External Browsers
6

Why this is relevant
• The Android OS is very conducive for
supporting apps the way desktop computers
have been deployed
• Apps have a fully available virtual machine
• With advanced libraries
• Including crypto libraries
• Code is in Java, then compiled to .DEX Files
7

SecureAuth Takes advantage of Android
• SecureAuth has a unique
– 2-Factor SSO Solution
• Based on:
– Target/Redirect WC3 WorkFlow
– Works for Web, VPN, SaaS
• Can conduct a 2-Factor Authentication based
on
– X.509, SMS, Tele, E-mail, KBA, HelpDesk
• Then Redirect to Target Application
8

SecureAuth Takes advantage of Android
All processes run in
the Dalvik Virtual
Machine
9

SecureAuth Takes Advantage of Android
With One Special Android Advantage:
– Coverts your pre-existing Web/SaaS app
• To a One-Touch Android App
– Downloadable APK
• Can be pre-configured with Destination Url
– User just clicks SecureAuth App
• To start configurable authentication
• One-Touch – no URL to configure
• Completely Server Side configurable Authentication
10

Lastly… SecureAuth Provides Bilateral
Authentication
• Bilateral Authentication (PKI)
– Server validates User
– User validates Server
Who are you
Who are you
• What Technology Conducts User/Server Authentication
– Public Key Infrastructure
– Private/Public keys – utilizing X.509 v3 Certificates
• SecureAuth has advantage on Android
– User does not need to understand PKI
– User is not burdened with Pop-ups
– Enterprise does not have to deal w/ Revocation Technology
11

• Turns Existing Web/SaaS App
– To a 1-Touch Android App
• Supports:
– Android 2.2, 2.3, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2
• Secure
– Configurable Authentication (X.509, SMS, Telephony)
– Unique Bilateral Authentication
• PKI Based, Bilateral, Revocable
• Utilizing Existing Infrastructure
– Current Web Applications
– Current Data Stores
12

13
Demo

Securing Native
Android Apps

SecureAuth IdP for Mobile
Key Features:
1. Tie Identity to Enterprise Data Store
2. Conduct Relevant/Configurable Authentication
3. Log the Authentication
4. SSO into other apps (mobile and web)

SecureAuth IdP for Mobile
1. Tie Identity to identity Stores
User Native
Directory:
• AD, LDAP,
SQL, etc
• ID
• Password
• Profile Info
• Groups

SecureAuth IdP for Mobile
2. Configurable Authentication
Configurable
Authentication:
• X.509 Cert
• SMS
• Telephony
• E-mail OTP
• KBA/KBQ
• PIN
• Password

SecureAuth IdP for Mobile
3. Log the Authentication
Log the Auth:
• Local SIEM
• Syslog
• Reporting
• (full GUI)
• Auditing
• Text,
Syslog

SecureAuth IdP for Mobile
4a. SSO to Other Mobile Apps
SSO to other
mobile apps:
• Identity token
consume by
SA
• Can provide
SSO
• Or Step-up
Authentication
• No thick client

SecureAuth IdP for Mobile
4b. SSO to Browser Apps (Web/SaaS)
SSO to other
Browser Apps:
• Identity token
consume by
SA
• SSO to:
• Web Apps
• Browser
Apps
• Revocable
• Step-Up
Authentication

Demo
SecureAuth IdP for Mobile

SecureAuth IdP for Mobile
Workflow/Secret Sauce:
• Define a URL coding Scheme for you mobile
app (iOS, Android)
• Code for invoking/directing “native browser”
to SA for authentication
• SecureAuth IdP 2-Factor Authentication
• SMS, Telephony, e-mail, KBA, Help Desk, x509
• Implant UBC after authentication
• SecureAuth IdP Browser SSO (UBC)
• Read UBC before conducting auth
• SecureAuth IdP directs identity token back to
Native Mobile App

Define Coding URL Scheme for Native App
Android:
… …
iOS:
2

Launch an External Browser
Android:
@Overrideprotected void onCreate(Bundle savedInstanceState) {
{super.onCreate(savedInstanceState);
…
Button button = (Button)
findViewById(R.id.login_button); button.setOnClickListener(new OnClickListener()
{ @Override
public void onClick(View v) {
Intent i = new Intent(Intent.ACTION_VIEW,
"https://secureauth.mycompany.com/SecureAuth1/");
} }); …}
startActivity(i);
iOS:
24
- (IBAction) startLogin: (id)sender
{
}
NSURL *url = [NSURL
URLWithString:@"https://secureauth.mycompany.com/SecureAuth1/"];
[[UIApplication sharedApplication] openURL:url];

Return Identity Token back to App
Android:
@Override
protected void onNewIntent(Intent intent) {
Uri data = intent.getData();
if (data != null) {
String accessToken = data.getQueryParameter("UserID");
// Use the accessToken.
}
}
iOS:
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
{
for (NSString *param in [[url query] componentsSeparatedByString:@"&"])
{
NSArray *parts = [param componentsSeparatedByString:@"="];
2

SecureAuth Contacts
Contacts
Who Title E-mail Phone
Chris Hayes
Sr. Sales
Enginee
chayes@gosecureauth.com +1.860.383.5907
Garret Grajek CTO/COO ggrajek@gosecureauth.com +1.949.777.6970
John Kolesar V.P of Sales jk@gosecureauth.com +1.248.760.4040
SecureAuth Sales sales@gosecureauth.com +1.949.777.6959
http://www.GoSecureAuth.com
Thank you!

Additional Slides

HOW DOES
SECUREAUTH IdP
WORK
1. Consume Identity
• From varied resources, devices
• Desktop, Mobile, Web SSO, AD SSO
2. Map Identity
• From varied resources
• Map to relevant data store
3. Authenticate
• 2-Factor Authentication
• SMS, Tele, X.509, PIN, Yubikey
KBA, E-mail, Help Desk
4. Assert Identity
• X.509
• Web Identity
• VPN, Web, SaaS, Mobile
5. Log the event
• Text, Syslog
28

Passwords Solved: SecureAuth/Google Integration
SecureAuth
SecureAuth
protected site
Browser redirects
to enterprisehosted
SecureAuth URL
SecureAuth
2-Factor
authenticates
user
SecureAuth
creates SAML
token
SecureAuth
returns
encoded SAML
response to
browser
Enterprise
Directory
(AD, LDAP, etc)
http://code.google.com/apis/apps/sso/saml_reference_implementation.html

Secure IdP Construction
Item Home Grown SecureAuth
Build WebServer (IdP)
(Hardened Server, WebServer, Forms)
Manual
Automated
Identity Authentication (AD SSO) Manual Automated
SAML Assertion Manual Automated
SAML Attributes Manual Automated
X.509 Storage/Signed with Cert Manual Automated
SSO Portal (SaaS, Web) Manual Automated
Federate ID Mapping Manual Automated
2-Factor Integration Manual Automated
IdM tools (PWD reset, Help Desk, etc) Manual Automated
Log Authentication Manual Automated
30

Current Environment
© 31 2012 SecureAuth. All rights reserved.

SecureAuth IdP – Authentication “Volume Control”
32
© 2012 SecureAuth. All rights reserved.

SecureAuth IdP –
2F/SSO for Cloud/Enterprise/Mobile
SecureAuth Delivers:
1. Multi-Factor
Authentication
2. IdP (SSO to cloud,
web, gateways, mobile)
3. IdM (Identity
Management)
KBA
P

Solve You Cloud SSO w/ SecureAuth
IdP
Your Current Environment
With SecureAuth IdP
34