Previously in this blog series I have defined what a DIL environment is and I have described some of the key technical problems a DIL environment imposes on a mobile application that relies on web services for data and other functionality. Now it is time to begin looking at implementing specific solutions to some of these problems. In this article I will focus on solving the problem of how to implement a secure login for an application while in a DIL environment.
DIL User Login Authentication Sequence
In a normal connected environment a user (User A) enters their name and password into the mobile application. The mobile app then sends those credentials to the backend web service for verification. If valid, the user is logged into the application and gains access to its resources. But what happens when the device is disconnected from the network? How can User A’s credentials be validated? The mobile application must be designed to support DIL login. This can be accomplished by securely storing user credentials locally whenever a new user on a device successfully logs in to the application while the device and application is connected to its web service. Now that User A has already successfully logged in to the application on a specific device in a connected environment, User A can now login to the application on that same device when it enters a DIL environment.
What if another user (User B) also wants to login to the application on the same device in a DIL environment, except User B has not previously logged in on that device when it was connected. Unfortunately User B will be unable to login, even if she/he has valid credentials. It is impractical to store all valid user credentials for the application locally on a mobile device. The only way a user can login to the application on any given device is if they have previously logged in to the application while the device is connected. This sequence is illustrated in the chart below:
What do we need in order to implement a DIL login? The first step is to find a way to securely store verified user credentials. The Xamarin stack includes an SDK that provides a simple and secure cross-platform solution for local user credential storage and user authentication. Xamarin.Auth also includes OAuth authenticators with built in support for identity providers including Google, Microsoft, Facebook, and Twitter. Additionally, Xamarin.Auth provides support for presenting the sign-in user interface. For more information on these features check out the official Xamarin developer documentation here. The aspect of Xamarin.Auth that we are going to focus on here is the secure local storage of user credentials.
Securely Store User Credentials
To make a DIL login possible a user must first have a successful login on the device while the device is connected. After the credentials provided by the user have been authenticated by the web service the verified credential data can then be passed to an Account object derived from the Xamarin.Auth SDK. The Account object can then be saved securely using the Xamarin.Auth AccountStore class. Below is an example of how this can be implemented.
The AccountStore class maps to Keychain services in iOS and KeyStore in Android. This makes it an excellent cross-platform solution for secure storage for verified user credentials that can be used to authenticate user logins when the device enters a DIL environment. The verified credentials stored locally through the AccountStore class can be retrieved and used to verify a DIL login as shown in a simple example below:
Once the user’s credentials are verified against previously authenticated credentials, the user can be allowed access to the application’s functionality and data. If the credentials cannot be verified against the locally stored credentials the user should be denied access.
In a DIL environment secure login is an issue that needs to be addressed. When developing applications using Xamarin, the Xamarin.Auth SDK contains an effective, efficient, and secure way to store verified user credentials across mobile platforms. That locally stored credential data can then be used to authenticate users that have previously logged in on a specific device when that device is offline. This gives users the ability to login and access application features at any time, regardless of network status.