
Liferay Screens - Security Considerations

Corné Aussems, modified 8 years ago.

Liferay Screens - Security Considerations

Liferay Legend, Posts: 1313, Join date: 03.10.06
Hi Guys,

We are thinking of using Liferay Screens and Liferay Mobile SDK for our next Mobile Project.

In essence it has simple functionality, but the security requirements are high because personal health information will be shared.

So I have some questions related to security:
- How secure is Liferay screens / Liferay Mobile SDK in authentication?
- How secure is Liferay screens / Liferay Mobile SDK in other json calls?
- How secure is cached data persisted in a device?
- How would it be possible to integrate a SAML IdP (Shibboleth)?

It would be nice if someone could share with us some in-depth knowledge on how everything actually works and what has been done to secure the frameworks.

Regards,
Corné
Javier Gamarra, modified 8 years ago.

RE: Liferay Screens - Security Considerations

Expert, Posts: 348, Join date: 12.02.15
I'll try to respond to your questions (for the others I need Jose and Juan) and we can do a Skype call on Monday to answer all your doubts live.

The main focus of the 2.0 version will be Liferay 7 support and security, so we are currently working on these issues (and accepting suggestions). We are going to provide several security features such as encrypted database storage, lock/PIN screens on timeouts, password policies...

- How secure is Liferay screens / Liferay Mobile SDK in authentication?

Currently, you can use OAuth and all the portal authentication methods. Some clients have also used the Liferay session directly via cookie. The session is stored in the secure storage provided by the platform (SharedPreferences on Android, only available if the phone is rooted, and Keychain on iOS). The storage mechanism is pluggable; there is an Account Storage Provider for Android in progress, and we have talked about offering the new Android 4.3+ security storage if needed.

- How secure is Liferay screens / Liferay Mobile SDK in other json calls?

It follows the same behaviour as the login, as all the JSON calls are authenticated by sending the credentials stored in the secure storage of each device.

- How secure is cached data persisted in a device?

In 2.0 the cached data is stored in a local database only accessible by the app or on a rooted phone. In Screens 2.0, the cached data can be encrypted (Android task) with the most popular solution, SQLCipher. This task is finished on both platforms (pending release).

- How would it be possible to integrate a SAML IdP (Shibboleth)?

We should look into it, as SAML integration is a very requested feature. I don't personally know, so I'll leave this one for Juan or Jose.
Corné Aussems, modified 8 years ago.

RE: Liferay Screens - Security Considerations

Liferay Legend, Posts: 1313, Join date: 03.10.06
Hi Javier,

Javier Gamarra:
I'll try to respond to your questions (for the others I need Jose and Juan) and we can do a Skype call on Monday to answer all your doubts live.


Thanks for the swift answer; before we set up a call I am gathering information and the right persons for it.

Javier Gamarra:

The main focus of the 2.0 version will be Liferay 7 support and security, so we are currently working on these issues (and accepting suggestions). We are going to provide several security features such as encrypted database storage, lock/PIN screens on timeouts, password policies...

I know you Liferay Inc. people treat me as one of your own, but I have no access to this board ;)


Of course Liferay's focus is on Liferay 7.0 but it will be a long time before 6.2 EE will be upgraded.

For those following this discussion:
Release notes 1.2
Release notes 2.0

Javier Gamarra:

- How secure is Liferay screens / Liferay Mobile SDK in authentication?

Currently, you can use OAuth and all the portal authentication methods. Some clients have also used the Liferay session directly via cookie. The session is stored in the secure storage provided by the platform (SharedPreferences on Android, only available if the phone is rooted, and Keychain on iOS). The storage mechanism is pluggable; there is an Account Storage Provider for Android in progress, and we have talked about offering the new Android 4.3+ security storage if needed.

We are very much interested in discussing the best, most secure way of authenticating and communicating against Liferay.

Javier Gamarra:

- How secure is cached data persisted in a device?
In 2.0 the cached data is stored in a local database only accessible by the app or on a rooted phone. In Screens 2.0, the cached data can be encrypted (Android task) with the most popular solution, SQLCipher. This task is finished on both platforms (pending release).

So this suggests that in version 1.3 it is not secured, as in we have to do it ourselves.


Javier Gamarra:

- How would it be possible to integrate a SAML IdP (Shibboleth)?
We should look into it, as SAML integration is a very requested feature. I don't personally know, so I'll leave this one for Juan or Jose.

We are now thinking of building a custom service on the IdP that we authenticate against and that returns us a token of some kind that we can use in our Liferay service calls. But something more generic/integrated would be better of course.

We would be really glad to set up a telecall with IdP specialists and you to see whether we can come up with a multi-purpose generic solution we all can share.
Please contact me directly.

Regards,
Corné