Hi Gayan, I would also prefer the 3rd option. Different vendors provide different methodologies to secure information on mobile devices; in Android, the AccountManager[1] class provides secured access to the centralized registry, and applications use this class to store their secured credentials.
Regards,
Firzhan
email: [email protected]
mobile: (+94) 77 9785674
blog: http://firzhanblogger.blogspot.com/
twitter: https://twitter.com/firzhan007 | linked-in: https://www.linkedin.com/in/firzhan

On Mon, Dec 18, 2017 at 3:07 PM, Godwin Shrimal <[email protected]> wrote:
> Hi Gayan,
>
> +1 for option 3. Securing data in the mobile device is a vendor-specific thing. You can find some information in [1] about Android data security.
>
> [1] https://developer.android.com/training/articles/security-tips.html
>
> Thanks
> Godwin
>
> On Mon, Dec 18, 2017 at 2:50 PM, Gayan Gunawardana <[email protected]> wrote:
>
>> Hi All,
>>
>> In Identity Server, DCR endpoints are secured with a pluggable security layer where we can use Basic Authentication, OAuth, certificate-based authentication and any custom authentication. We have the evaluation below of each method:
>>
>> 1. Basic Authentication: From a security perspective it's clearly not applicable to embed super tenant or tenant credentials into a native application. What is feasible here is to take end user credentials at run time and invoke the DCR endpoint with end user credentials (need to set the correct user permission to invoke the DCR endpoint).
>>
>> 2. Certificate-based Authentication: This is a good option but has a few problems: how to distribute the certificate, and also other applications can access the key chain, which will be a security vulnerability (need to check with a mobile expert).
>>
>> 3. OAuth-based Authentication: Securing the DCR endpoint with an initial access token is a practice coming from the DCR specification, but the problem is how to store this initial access token securely in a mobile application.
>>
>> WDYT?
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: [email protected]
>> Mobile: +94 (71) 8020933
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
> --
> Godwin Amila Shrimal
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94772264165
> linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
> twitter: https://twitter.com/godwinamila
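The option 3 exchange that the thread discusses, as an added example that is not part of this thread and not WSO2 Identity Server code: an RFC 7591 dynamic client registration request carrying an initial access token, with a simulated server side that accepts the token only once and only before it expires, so a token lifted out of a mobile app is of limited use. The endpoint URL, the in-memory token store, the single-use and five-minute-expiry policy, and all tokens and client metadata are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical registration endpoint; not taken from the thread or from WSO2.
REGISTRATION_ENDPOINT = "https://idp.example/oauth2/register"


def build_registration_request(initial_access_token, client_name, redirect_uris):
    """Client side of RFC 7591: the initial access token travels only in the
    Authorization header; the JSON body carries the client metadata."""
    body = {
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }
    headers = {
        "Authorization": "Bearer " + initial_access_token,
        "Content-Type": "application/json",
    }
    return headers, json.dumps(body)


class RegistrationServer:
    """Simulated server side (constructed for this example). Only a SHA-256
    digest of each issued initial access token is stored, and tokens are
    short-lived and single-use: a policy choice here, since RFC 7591 leaves
    token lifetime to the server. It limits what a copied token can do."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}   # sha256 hex digest -> [expires_at, already_used]
        self.clients = {}   # client_id -> registered metadata

    def issue_initial_access_token(self, ttl_seconds=300):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = [self._now() + ttl_seconds, False]
        return token

    def _consume_token(self, presented):
        digest = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison of fixed-length digests, so lookup timing
        # does not reveal how much of a guessed token matched.
        for stored, state in self._tokens.items():
            if hmac.compare_digest(stored, digest):
                expires_at, used = state
                if used or self._now() > expires_at:
                    return False
                state[1] = True   # mark as consumed: a replay is refused
                return True
        return False

    def register(self, headers, body):
        """Returns (http_status, response_json) the way the endpoint would."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or not self._consume_token(auth[len("Bearer "):]):
            return 401, {"error": "invalid_token"}
        try:
            metadata = json.loads(body)
        except ValueError:
            return 400, {"error": "invalid_client_metadata"}
        uris = metadata.get("redirect_uris")
        if not isinstance(uris, list) or not uris or not all(isinstance(u, str) and u for u in uris):
            return 400, {"error": "invalid_redirect_uri"}
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = metadata
        return 201, {
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uris": uris,
            "grant_types": metadata.get("grant_types", []),
        }


if __name__ == "__main__":
    server = RegistrationServer()
    token = server.issue_initial_access_token()
    headers, body = build_registration_request(
        token, "Example mobile app", ["com.example.app:/callback"])  # constructed client metadata
    print(server.register(headers, body))   # 201 with client_id / client_secret
    print(server.register(headers, body))   # 401: the token has already been consumed
```

The registration response returns a fresh client_id and client_secret, which is the credential the app actually keeps afterwards; the initial access token only needs to survive until that first registration succeeds, which is the window the thread is worried about.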
