
Background

Building a mobile app for product X, which is currently hosted as a SaaS solution. Product X does not currently support OAuth; it implements basic authentication and generates a session token after authentication. Product X also implements SSO, supporting native SAML 2.0.

Use Case

The mobile app also implements SSO using the existing SSO framework. In this flow the mobile app calls the SSO URL and, on authentication, the IdP redirects back to the SaaS application, which on receiving the SAML token issues a session token that is passed to the mobile app. The mobile app then calls the Product X APIs (hosted along with the SaaS application) using the session token.

Problem

As per the organisation's security recommendation, session token storage on mobile is not secure. They recommend OAuth/JWT tokens.

Probable Solutions

  1. Product X implements OAuth, which is not feasible in the given time frame
  2. AWS Cognito as a federated cloud proxy. Did some research on this and found that it is used to facilitate authentication for AWS services

Any recommendations?

  1. For storing the session token securely on the mobile app, which can be used to convince the security team
  2. For using any other federated cloud proxy to get OAuth/JWT tokens
lennon310
anuragal

1 Answer


Store them as a shared preference. Those are private by default, and other apps cannot access them. On a rooted device, if the user explicitly allows access to some app that is trying to read them, that app might be able to use them, but you cannot protect against that. As for encryption, you have to either require the user to enter the decryption passphrase every time (thus defeating the purpose of caching credentials), or save the key to a file, and you get the same problem.

There are a few benefits of storing tokens instead of the actual username and password:

  1. Third-party apps don't need to know the password, and the user can be sure that they only send it to the original site (Facebook, Twitter, Gmail, etc.)
  2. Even if someone steals a token, they don't get to see the password (which the user might be using on other sites too)
  3. Tokens generally have a lifetime and expire after a certain time
  4. Tokens can be revoked if you suspect they have been compromised
Ishan Shah
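An added example of the approach in this answer, written for Android in Java (it is not code from the original post or from product X): a small helper that keeps the SaaS session token in an app-private SharedPreferences file and applies the lifetime and revocation points from the list above. The preference file name, the keys, and the assumption that the app knows the session lifetime are my own.

```java
import android.content.Context;
import android.content.SharedPreferences;

/** Keeps the SaaS session token in app-private SharedPreferences (hypothetical helper). */
public final class SessionTokenStore {
    // Assumed names: the preference file and keys are my choice, not product X's.
    private static final String PREFS = "session_store";
    private static final String KEY_TOKEN = "session_token";
    private static final String KEY_EXPIRES_AT = "session_expires_at";

    private final SharedPreferences prefs;

    public SessionTokenStore(Context context) {
        // MODE_PRIVATE: the file is readable only by this app's UID, which is the answer's point.
        prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Save the token with a client-side expiry (lifetime assumed to be known to the app). */
    public void save(String token, long lifetimeMillis) {
        prefs.edit()
             .putString(KEY_TOKEN, token)
             .putLong(KEY_EXPIRES_AT, System.currentTimeMillis() + lifetimeMillis)
             .apply();
    }

    /** Return the token, or null when none is stored or it has expired (expired entries are wiped). */
    public String load() {
        String token = prefs.getString(KEY_TOKEN, null);
        long expiresAt = prefs.getLong(KEY_EXPIRES_AT, 0L);
        if (token == null || System.currentTimeMillis() >= expiresAt) {
            clear();
            return null;
        }
        return token;
    }

    /** Drop the token locally, e.g. on logout or after the server reports it as revoked. */
    public void clear() {
        prefs.edit().remove(KEY_TOKEN).remove(KEY_EXPIRES_AT).apply();
    }
}
```

Call clear() on logout so a stale token does not outlive the server session; the stored expiry is only a client-side cap, and the server remains authoritative on whether the session is still valid.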
    Are you talking about OAuth tokens? If yes, then I say that the SaaS application is not generating OAuth tokens yet; it only implements basic auth and issues a session token. – anuragal Apr 28 '20 at 13:23
    If you are talking about session tokens, I am aware of these, but org security guidelines do not allow saving the session token on a mobile device. – anuragal Apr 28 '20 at 13:24