Set up secure authentication with the iOS privacyIDEA Push Token

In a previous post we explained how you can set up Push authentication with privacyIDEA. That post covers the basic configuration in privacyIDEA, sets up your Firebase project, and works well with Android-based smartphones.

However, with iOS devices things are a bit more complicated and additional steps have to be taken. These additional steps are described in this blog post.

Apple push apps – different from Android

The Firebase service cannot push directly to Apple devices. Instead, the Firebase service pushes to the Apple Notification Service. While Android allows an app to be connected to different Firebase projects, an iOS app with its app identifier can only be connected to one Apple Push project.

What does this mean?

For the Android devices you created a Firebase project. Your own Firebase project. You configure its data in the privacyIDEA server, and the information about the Firebase project is passed to the privacyIDEA Authenticator for Android during the rollout process. This means that a privacyIDEA installation run by organization A connects its push tokens to its own Firebase project, and organization B connects its push tokens to a totally different Firebase project of its own.

Unfortunately this is not possible with the Apple Notification Service. NetKnights, the company behind privacyIDEA, created one Apple Notification Service project. The secret push key of this project is connected to the app identifier “privacyidea.authenticator” of the privacyIDEA Authenticator App for iOS. The privacyIDEA installation in organization A sends the push notification for an iOS device to the organization’s own Firebase project, but the Firebase project then forwards the notification to the shared Apple Notification Service project. This second step is the same for all Push notifications to iOS devices connected to any privacyIDEA installation on this planet. This probably stems from Apple’s cloud-centric idea that an app will only ever receive notifications from one central cloud service.

However, during enrollment of the iOS privacyIDEA Authenticator the app sends a random device identifier to your privacyIDEA server. Your privacyIDEA installation then uses this random identifier to send the push notification to this very device. It seems unlikely that another privacyIDEA installation could guess the device identifier of a foreign Apple device. If an attacker were able to guess a random device identifier, the attacker could send arbitrary notifications to the iOS device. But in addition the iOS privacyIDEA Authenticator is also registered to your own Firebase project. This means that the attacker could indeed send an arbitrary notification, but such a notification would not be processed by the privacyIDEA Authenticator.

If you do not like this (which we would understand), you need to recompile the privacyIDEA Authenticator for iOS with your own Apple Notification Service project, your own Apple developer account, your own certificate and push notification key, and your own app identifier. Just like all other privacyIDEA code, the privacyidea-authenticator-ios is available on GitHub.

NetKnights hopes to be able to provide customization services one day to create customer specific apps as part of a privacyIDEA Authenticator Enterprise Edition, to circumvent this problem.

After this lengthy disclaimer, let’s now connect Firebase with the Apple Notification Service, specifically for the privacyIDEA Authenticator.

Note: This howto discloses the secret project key, which Firebase needs in order to send messages to the Apple Notification Service. This means that an attacker could – after successfully guessing a device identifier – potentially spam messages to devices connected to the privacyIDEA Apple Notification Service. However, the impact on login security is none, since all messages are digitally signed in both directions. Again: this downside is due to the cloud-centric design of the Apple Notification Service and can only be avoided by compiling your own Authenticator app and publishing it to the Apple App Store.

But let’s set up the iOS device now!

Add new Firebase App

In the Firebase console, you need to create a new App in your Firebase project. To do so, click the button “+ Add app”.

The new app you want to create is an iOS app. So click the round button “iOS”.

In the app registration dialog you need to enter an iOS bundle ID; a nickname is optional. For the bundle ID you must enter “privacyidea.authenticator”. Choose a nickname to your liking.

In the second step of the app registration you need to download the plist file. Save it for later: you will need to enter settings from this file in your privacyIDEA policy.

In the third step you do not need to take any action. You do not need to bother with the SDK, since the privacyIDEA Authenticator iOS app already exists!

In the next step you also do not need to take any action. Simply press “Next”.

Now you are done registering your iOS app and you can “Continue to console”.

Adding the secret iOS Authentication key

After you have told the Firebase service that iOS devices are also going to connect to it, you now need to tell Firebase how it can talk to the Apple Notification Service. For this you need the secret key we talked about at the beginning of this article. If you do not want to compile your own app and publish it in the App Store, you unfortunately have to share this “secret” key with all other default installations of privacyIDEA. Download the secret key file to your computer and save it for later.

Still in the Firebase console, first go to the “Project settings” in the upper left corner.

In the “Settings” go to the tab “Cloud Messaging”.

In “Cloud Messaging” you will find the “iOS app configuration”. There you can hit “Upload” to upload the secret key file.

Now select the secret key file (AuthKey_2FZRBAT74S.p8) to upload it to the Firebase console.

Enter the Key ID (2FZRBAT74S) and Team ID (627QALYL3B) exactly as stated in the image below.

After hitting the “Upload” button you should be done, and your Firebase Push Service is connected to the Apple Notification Service for the privacyIDEA Authenticator iOS App.

Configure iOS Authenticator in privacyIDEA

Now open the plist file you saved earlier. Find the entries API_KEY and GOOGLE_APP_ID. It will look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    ...
    <key>API_KEY</key>
    <string>example-key_value</string>
    ...
    <key>GOOGLE_APP_ID</key>
    <string>1:example:ios:appid</string>
</dict>
</plist>

You need to enter the value “example-key_value” in apikeyios and the value “1:example:ios:appid” in appidios.
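As an added example (not part of the original post and not privacyIDEA project code), the following Python script reads the two values out of the downloaded plist and refuses an app id whose platform field is not “ios”, so the Android app id from the same Firebase project cannot be pasted into appidios by mistake. The embedded plist is a constructed sample mirroring the snippet above.

```python
import plistlib

# Constructed sample, mirroring the GoogleService-Info.plist snippet above.
# A real file carries more keys; only the two privacyIDEA needs are shown.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>API_KEY</key>
    <string>example-key_value</string>
    <key>GOOGLE_APP_ID</key>
    <string>1:example:ios:appid</string>
</dict>
</plist>
"""


def firebase_ios_settings(plist_bytes: bytes) -> dict:
    """Return the privacyIDEA values apikeyios and appidios from a Firebase plist.

    Raises ValueError when a required key is missing or when GOOGLE_APP_ID does
    not belong to an iOS app (Firebase app ids have the shape
    1:<project number>:<platform>:<hash>, and the platform must be "ios").
    """
    data = plistlib.loads(plist_bytes)
    try:
        api_key = data["API_KEY"]
        app_id = data["GOOGLE_APP_ID"]
    except KeyError as missing:
        raise ValueError(f"plist lacks required key {missing}") from None

    parts = app_id.split(":")
    if len(parts) != 4 or parts[0] != "1" or parts[2] != "ios":
        raise ValueError(f"GOOGLE_APP_ID {app_id!r} is not an iOS Firebase app id")

    # Keys are named after the privacyIDEA settings they are entered into.
    return {"apikeyios": api_key, "appidios": app_id}


if __name__ == "__main__":
    for name, value in firebase_ios_settings(SAMPLE_PLIST).items():
        print(f"{name} = {value}")
```

Run it against the real file with `firebase_ios_settings(open("GoogleService-Info.plist", "rb").read())`.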

Now you are ready to register iOS devices with your privacyIDEA Push setup and use your iPhones to authenticate via Push notification.

If you want to stay tuned for the Enterprise Edition, please consider contacting the company NetKnights.
