Enhancement #22195

[CSMS 15993 ][iOS][Device Binding Pentest] Device Binding Login Bypass

Added by Feerman Yusoff 26 days ago. Updated 23 days ago.

Status: Closed
Priority: High
Assignee: Feerman Yusoff
Category: -
Target version: -
Start date: 11 June 2025
Due date:
% Done: 100%
Spent time: 3.00 hours

Description

Device Binding updated flow:
1. Backend generates an RSA key pair (public/private) and passes the public key to the frontend in the loginInternetPin API response, in a new tag param (e.g. alias).
2. Frontend retrieves the public key from the loginInternetPin API response.
3. Frontend generates a random AES key (for that session or request).
4. Frontend encrypts deviceID|transactionDate (or any other unique values) with the AES key.
5. Frontend encrypts the AES key with the RSA public key.
6. Frontend sends the encrypted device ID and the encrypted AES key to the backend.
7. Backend decrypts the AES key with the RSA private key.
8. Backend decrypts the device ID with the decrypted AES key and strips the | separator and the transactionDate value.
9. Backend compares the remaining device ID value with the one stored in the MIB DB.
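The nine steps above as one runnable exchange, written here as an added example; it is not the project's CryptoHelper/CryptoKitWrapper code and the backend language is not stated in the ticket, so both sides are written in Go against the standard library. Assumptions not in the ticket: AES-GCM as the AES mode (so a tampered ciphertext fails the tag check instead of decrypting to garbage), RSA-OAEP with SHA-256 for wrapping the AES key, a 2048-bit RSA key, the bindingPayload field names, and the sample device ID and date values, which are constructed. Step 8 is followed as written: the transactionDate is discarded rather than checked, and the code marks where a freshness check would go if one were wanted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// bindingPayload is what the frontend sends in step 6. The field names are
// assumptions (the ticket does not name the request parameters), and the bytes
// would be base64-encoded on the wire.
type bindingPayload struct {
	EncryptedDeviceID []byte // nonce || AES-GCM("deviceID|transactionDate")
	EncryptedAESKey   []byte // RSA-OAEP(aesKey)
}

// Step 1: the backend's RSA key pair. The public key is what loginInternetPin
// returns in the new tag param ("alias").
func backendGenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds the AEAD used on both sides. AES-GCM is an assumption; the
// ticket only says "AES". GCM is chosen so tampering is detected on Open.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Steps 3 to 6 on the frontend: fresh AES key, encrypt deviceID|transactionDate,
// wrap the AES key with the backend's RSA public key (RSA-OAEP assumed).
func frontendBuildPayload(pub *rsa.PublicKey, deviceID, transactionDate string) (bindingPayload, error) {
	aesKey := make([]byte, 32) // step 3: random AES-256 key for this request
	if _, err := rand.Read(aesKey); err != nil {
		return bindingPayload{}, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return bindingPayload{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return bindingPayload{}, err
	}
	ciphertext := gcm.Seal(nonce, nonce, []byte(deviceID+"|"+transactionDate), nil) // step 4
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)   // step 5
	if err != nil {
		return bindingPayload{}, err
	}
	return bindingPayload{EncryptedDeviceID: ciphertext, EncryptedAESKey: wrappedKey}, nil
}

// Steps 7 to 9 on the backend. Returns (matched, error): a decryption failure
// (wrong key, tampered ciphertext) is an error, never a match.
func backendVerifyBinding(priv *rsa.PrivateKey, p bindingPayload, storedDeviceID string) (bool, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.EncryptedAESKey, nil) // step 7
	if err != nil {
		return false, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return false, err
	}
	if len(p.EncryptedDeviceID) < gcm.NonceSize() {
		return false, errors.New("encrypted device ID too short")
	}
	nonce, ciphertext := p.EncryptedDeviceID[:gcm.NonceSize()], p.EncryptedDeviceID[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil) // step 8: GCM tag check fails on tampering
	if err != nil {
		return false, err
	}
	deviceID, _, found := strings.Cut(string(plaintext), "|")
	if !found {
		return false, errors.New("missing | separator")
	}
	// Step 8 drops transactionDate as the ticket describes; a freshness check on
	// it, if wanted, would go here. Step 9: compare with the MIB DB value.
	return subtle.ConstantTimeCompare([]byte(deviceID), []byte(storedDeviceID)) == 1, nil
}

func main() {
	priv, _ := backendGenerateKeyPair()
	// Constructed sample values, not real device data.
	payload, _ := frontendBuildPayload(&priv.PublicKey, "IOS-DEVICE-0001", "2025-06-11")
	ok, err := backendVerifyBinding(priv, payload, "IOS-DEVICE-0001")
	fmt.Println("binding matched:", ok, "err:", err)
}
```

Two properties worth checking against a build of the real flow: a payload wrapped for a different backend key pair must fail at step 7 (OAEP unwrap error), and a single flipped byte in the encrypted device ID must fail at step 8 rather than decrypt to a near-miss device ID, which is what the authenticated mode buys over plain AES-CBC.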

History

#1 Updated by Yeow Yui Chuang 26 days ago

  • Assignee changed from Yeow Yui Chuang to Feerman Yusoff
  • % Done changed from 0 to 100

r237763 | yeowyc | 2025-06-13 09:15:47 +0000 | 1 line
Changed paths:
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/BIBD Components/CryptoHelper
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/BIBD Components/CryptoHelper/CryptoHelper.h
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/BIBD Components/CryptoHelper/CryptoHelper.m
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/BIBD Components/CryptoKitWrapper.swift
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/PasswordScreenController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/TabBarApp.xcodeproj/project.pbxproj
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/TabBarApp/LoginViewController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/TabBarApp/RegistrationCreatePassword.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/TabBarApp/TabBarAppAppDelegate.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/TabBarApp/TabBarAppAppDelegate.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.14.2_CSMS_15993/TabBarApp/TokenScreenController.m

Enhancement #22195 Device Binding Login Bypass

#2 Updated by Feerman Yusoff 23 days ago

  • Status changed from New to Closed

Tested good for BAU device binding, UAT provided
