Security and the Bungie.net Destiny API

UPDATE: This post is no longer up to date. Ishtar Commander now has a new secure login. See here.

Since releasing Ishtar Commander, a steady stream of feedback has been received asking why the app needs PlayStation or Xbox account credentials (username and password) to access Bungie's official API. This is accompanied by requests to add some form of secure login 'just like the other Destiny apps out there'. Yet there is no secure login for the Destiny API, only a mistaken idea that one exists.

[Image: login.jpg]

Above, Ishtar Commander can be seen on the left and the official Destiny companion on the right. Both need your login credentials to work, but is one safer than the other? The correct answer is NO! Based on the comments on Reddit and in emails, this is a topic where some important details are missing, and that is leading people to think the visuals of an app can magically make it more secure.

The following post lays out why your details are needed, why there are security implications and why there is nothing 3rd parties can do until Bungie provide an alternative. I have tried to write it to be accessible to anyone who plays Destiny. You don't need to be technically minded or a software developer.

Some Destiny apps don't need any passwords, why is Ishtar Commander different?
Bungie provide a web platform which has two types of end points, public and private. End points are just a way of getting specific data. For example there is a public end point that will show you your kill/death ratio in the crucible. Private end points need you to be logged in and offer things such as seeing the contents of your vault and the ability to transfer items to different characters. This is to stop mischievous people seeing and moving all your items around just by knowing your username. Private end points can only be accessed with your PSN/Xbox credentials.

Why do I have to type them into this app, isn't it possible it could be capturing my details?
To access your Bungie account Ishtar Commander needs 3 web cookies called bungled, bungleatk and bungledid. These do not have your PSN or Xbox details in them. They are just secure tokens so the next time Ishtar Commander connects it does not need your credentials, it just needs the cookies. So how does Ishtar get the cookies?

The only way to get the cookie values is to read them from the web browser’s cookie database after it has logged into Bungie.net. The only way to log in to Bungie.net is with your PSN/Xbox credentials. So all mobile apps have to have some way of logging into Bungie.net that gives them access to this cookie database. Ishtar Commander has a custom view, while others use a built-in browser view. As both are 'inside' the app, your username and password could be captured by the app. There is no difference between a custom UI and a built-in browser: both can be manipulated to capture your details.

This is rubbish, I know PSN and others offer a secure OAuth login.
OAuth login is only secure if used from start to finish. For Destiny API access this breaks down at the point where the cookies are needed. To capture these cookies some form of built-in browser/cookie database is needed. Sorry to repeat myself, but it seems many people see the word 'oauth' in a web browser URL and think that automagically makes everything secure. Bungie could, and hopefully will, add something like OAuth in the future. But right now they don't. Instead the only way to access the API is with 3 cookies that cannot be grabbed without using your PSN/Xbox credentials.

What about using mobile Safari?
In the past you may have used other apps that would bounce you over to mobile Safari and, after logging in, bounce you back to the app. This is a secure system based on trusting Apple and mobile Safari. This cannot work for the Destiny API. 3rd party apps are not allowed access to mobile Safari's cookie database and therefore cannot grab the 3 cookies. Even if they could, Apple now reject all apps that bounce via mobile Safari under the claim they offer a poor user experience.

What about the new Safari View Controller?
In iOS 9 Apple offer apps a way to embed the secure Safari browser. However, because it is secure, the app cannot access the cookie database. It cannot get the cookies. This is not an option. You may have seen that Instagram and others can use this. That is because they have a true OAuth solution. The Destiny API does not.

I have read all this and even though I understand it isn't secure I would like an inbuilt web browser to give me a false sense of security.
An inbuilt browser UI may come later. But the reasons for this are useful functionality, such as being able to accept the Bungie.net user agreement. Currently Ishtar won't work if you have never logged in and accepted it.

Does Ishtar Commander store my PSN/Xbox credentials?
No. The instant you log in to Bungie and Ishtar gets the 3 cookies, your username and password are discarded by the app. These cookies are then used to access the Destiny API. They cannot be used to access anything else. After about 19 days the bungleatk cookie expires, at which point you are asked for your username/password again to get a fresh set of cookies.
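The cookie handling described above, shown as an added example (not Ishtar Commander's code): a session object that persists only the three named cookies and an expiry, and signals when a fresh login is needed. The Set-Cookie lines, their attributes, the Secure-flag check and all function and class names are assumptions made for illustration; only the cookie names and the 19-day figure come from the post.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

REQUIRED = ("bungled", "bungleatk", "bungledid")  # cookie names given in the post
ATK_LIFETIME = timedelta(days=19)                 # "about 19 days", per the post

# Constructed sample: values and attributes are invented for illustration.
LOGIN_TIME = datetime(2016, 2, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SET_COOKIE = [
    "bungled=1111; Path=/; Secure",
    "bungleatk=aaaa; Path=/; Secure; Expires=Sat, 20 Feb 2016 12:00:00 GMT",
    "bungledid=bbbb; Path=/; Secure",
    "tracking=zzzz; Path=/",
]


class Session:
    """Everything the app persists: three cookies and an expiry, no credentials."""

    def __init__(self, cookies, atk_expires):
        self.cookies = cookies
        self.atk_expires = atk_expires

    def needs_login(self, now):
        # Once bungleatk has expired the user must log in again.
        return now >= self.atk_expires

    def cookie_header(self):
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())


def session_from_login(set_cookie_headers, now):
    """Build a Session from the Set-Cookie headers of a completed login."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    missing = [name for name in REQUIRED if name not in jar]
    if missing:
        raise ValueError(f"login incomplete, missing cookies: {missing}")
    # Assumed hardening check: refuse tokens not restricted to HTTPS.
    insecure = [name for name in REQUIRED if not jar[name]["secure"]]
    if insecure:
        raise ValueError(f"cookies without Secure flag: {insecure}")
    expires = jar["bungleatk"]["expires"]
    atk_expires = parsedate_to_datetime(expires) if expires else now + ATK_LIFETIME
    return Session({name: jar[name].value for name in REQUIRED}, atk_expires)
```

Because the function only ever receives response headers, the username and password never reach the layer that writes to storage.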

Does Ishtar Commander use my PSN/Xbox credentials in a secure way to get the cookies?
Yes. All communication uses HTTPS and nothing is sent as plain text.

How do I know this is true?
It is simply a question of trust. If you trust the author then use the app. If you don't then don't use the app. But the same goes for all the apps that use the Destiny API. They can all capture your details if the author is evil as explained above.

What about if you support 1Password or some other password manager plugins?
These plugins just paste your credentials into the app. There is no extra security here. As the paste happens the credentials can be captured.

Could you open source the network code?
I could, but I am not going to as there is no way for anyone to validate the same code is in the app on the App Store. It would just be security theatre. The look of security without giving anything real.

So this all comes down to implicit trust?
Yes. If you are worried then don't use the app. If you do understand the issues and can see that this is the only way for an item manager to work then please do use and enjoy the app. Hopefully Bungie will offer something better in the future, but right now they don't.