feat: ui improvement and FIDO authentication integration

[duttarnab]

closes #5962

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request cover a wide range of functionality for the "Jans Chip" Android application, with a focus on improving the security and integrity of the application. The changes include updates to the Android Manifest, addition of new instrumented tests, enhancements to the README documentation, and significant updates to the application's build configuration and database implementation.

From an application security perspective, the key points to highlight are:

1. Reduced Attack Surface: The removal of specific login, registration, and splash screen activities in the Android Manifest reduces the attack surface of the application, which is a positive security measure.

2. Secure Authentication and Authorization: The application now includes features like Dynamic Client Registration (DCR), DPoP (Demonstration of Proof-of-Possession) access tokens, and the requirement to add an "Auth Challenge Script" to the Janssen Auth server, suggesting a focus on implementing secure authentication and authorization mechanisms.

3. Cryptographic Key Management: The changes introduce a KeyManager class that uses the Android Keystore to securely generate, store, and use cryptographic keys for signing data and generating JWTs.

4. Database Security: The introduction of various DAO (Data Access Object) classes for managing entities like OIDC clients, FIDO configurations, and app integrity data highlights the need to ensure proper input validation, access control, and secure storage of sensitive data.

5. Jetpack Compose Integration: The migration to Jetpack Compose, a modern UI toolkit for Android, introduces new security considerations that should be carefully reviewed, such as potential vulnerabilities in the Compose framework or in the way the application integrates with it.

Overall, the changes in this pull request demonstrate a strong focus on improving the security and integrity of the "Jans Chip" Android application. As an application security engineer, I would recommend thoroughly reviewing the implementation details, especially in areas related to authentication, authorization, cryptography, and data management, to ensure that the application follows best practices and mitigates potential security risks.

Files Changed:

1. demos/jans-chip/android/app/src/main/AndroidManifest.xml: Removal of specific login, registration, and splash screen activities, reducing the application's attack surface.
2. demos/jans-chip/android/app/src/androidTest/java/io/jans/chip/ExampleInstrumentedTest.kt: Addition of a new instrumented test file for the Android application.
3. demos/jans-chip/android/README.md: Significant updates to the README, including information about the authentication flow, the "Auth Challenge Script", and security-focused features like DCR and DPoP.
4. demos/jans-chip/android/app/build.gradle.kts: Major updates to the application's build configuration, including dependency version changes, Jetpack Compose integration, and cryptographic library additions.
5. demos/jans-chip/android/app/src/main/java/io/jans/chip/AppDatabase.kt: Implementation of a Room database for the application, with considerations for secure data storage and handling.
6. demos/jans-chip/android/app/src/main/java/io/jans/chip/PasswordTextField.kt: Introduction of a custom Jetpack Compose component for password input, with basic password validation.
7. demos/jans-chip/android/app/src/main/java/io/jans/chip/MainActivity.kt: Main activity implementation, handling application initialization, OIDC client registration, and app integrity checking.
8. demos/jans-chip/android/app/src/main/java/io/jans/chip/common/LocalCredentialSelector.kt: Addition of a utility class for selecting FIDO/WebAuthn credentials.
9. demos/jans-chip/android/app/src/main/java/io/jans/chip/dao/AppIntegrityDao.kt: Implementation of a Room DAO for managing app integrity data.
10. demos/jans-chip/android/app/src/main/java/io/jans/chip/common/AuthAdaptor.kt: Integration of FIDO/WebAuthn functionality for user authentication and credential management.
11. demos/jans-chip/android/app/src/main/java/io/jans/chip/dao/FidoConfigurationDao.kt: Introduction of a Room DAO for managing FIDO configurations.
12. `demos/jans-chip/

Powered by DryRun Security