enisa-auth-iot-tool
This tool was created in the context of a traineeship research project at ENISA. It is a generic and customizable tool, which was created to evaluate the implementation of authentication measures within IoT mobile applications. Given the wide penetration of IoT and its cyber-physical nature, both safety and security risks emerge and need to be addressed. An important element in this direction is the use of strong authentication and authorisation processes in IoT environments, since they remain key to protect communications, privacy and access to resources.
Smartphones being the means by which users interact with IoT environment (e.g. smart devices, cloud), the need for secure implementation of IoT mobile applications becomes crucial. Two examples of using this tool will be presented, namely OAuth 2.0 in combination with Open ID Connect, a very popular framework for delegated authentication, and Bluetooth Low Energy pairing mechanisms, as BLE is one of the most widely used protocols for smartphone-to-smart thing communication.
The tool can be applied to the evaluation of any other security measure in mobile applications. Providing as input the API calls in bytecode form implementing authentication measures, the tool identifies instances among a given set of applications, and provides as output how many and which ones have implemented such measures, as well as the classes where they reside. This tool is adaptable and configurable, depending on the specific security measure to be investigated. It automates the process of evaluating and checking for the implementation of security by design principles, providing in addition meaningful statistics and insights. These results allow us to draw the big picture of the state of authentication concerning IoT mobile applications, and help us to identify the main gaps to tackle. By means of IoT mobile apps, users can not only access information, but also command and control smart devices that can influence the physical world. Consequently, authentication implementation is a must for app developers and designers. This tool will help them not only to evaluate the security of their existent applications, but also to apply security by design principles in the future.