Upload
francesco-petrungaro
View
533
Download
1
Tags:
Embed Size (px)
Citation preview
Questions
• What do you need to store?
• Where do you need to store it?
• How do you need to store it?
• Keep user personal data safe
• Treat untrusted files and data with care
• Protect data in transit
• Verify the authenticity
iOS Security Overview
• Keep user personal data safe
• Treat untrusted files and data with care
• Protect data in transit
• Verify the authenticity
iOS Security Overview
• Keep user personal data safe
• Treat untrusted files and data with care
• Protect data in transit
• Verify the authenticity
iOS Security Overview
• Keep user personal data safe
• Treat untrusted files and data with care
• Protect data in transit
• Verify the authenticity
iOS Security Overview
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
iOS Security Layers
• System Security
• Encryption and Data Protection
• App Security
• Network Security
!
• Apple Pay
• Internet Services
• Device Control
• Privacy Control
Data Protection• File Data Protection
• Data Protection
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Data Protection
• File Data Protection
• Data Protection
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Data Protection
• File Data Protection
• Data Protection classes
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Data Protection
• File Data Protection
• Data Protection
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Data Protection
• File Data Protection
• Data Protection
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Data Protection
• File Data Protection
• Data Protection
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Data Protection
• File Data Protection
• Data Protection
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication
• NSFileProtectionNone
Keychain
• Secure Storage Container
• Implemented as a SQLite database
• There is only one database
• Stored data are encrypted
• Information are stored outside app’s sandbox
Keychain
• Secure Storage Container
• Implemented as a SQLite database
• There is only one database
• Stored data are encrypted
• Information are stored outside app’s sandbox
Keychain
• Secure Storage Container
• Implemented as a SQLite database
• There is only one database
• Stored data are encrypted
• Information are stored outside app’s sandbox
Keychain
• Secure Storage Container
• Implemented as a SQLite database
• There is only one database
• Stored data are encrypted
• Information are stored outside app’s sandbox
Keychain
• Secure Storage Container
• Implemented as a SQLite database
• There is only one database
• Stored data are encrypted
• Information are stored outside appplication sandbox
Apps Security
• Signed
• Verified
• Sandboxed
• All Executable code is signed by Apple
App code signing
Apps Security
• Signed
• Verified
• Sandboxed
• All Executable code is signed by Apple
App code signing
Apps Security
• Third-Party apps are “sandboxed”
• Access control using entitlements
• ASLR
Runtime process security
Apps Security
• Third-Party apps are “sandboxed”
• Access control using entitlements
• ASLR
Runtime process security
Apps Security
• Third-Party apps are “sandboxed”
• Access control using entitlements
• ASLR
Runtime process security
Apps Security
• Sanboxed
• Run in their own address space
• Entitlements to restrict availability
• Extentions and apps do not share files and memory
Extensions
Apps Security
• Sanboxed
• Run in their own address space
• Entitlements to restrict availability
• Extentions and apps do not share files and memory
Extensions
Apps Security
• Sanboxed
• Run in their own address space
• Entitlements to restrict availability
• Extentions and apps do not share files and memory
Extensions
Apps Security
• Sanboxed
• Run in their own address space
• Entitlements to restrict availability
• Extentions and apps do not share files and memory
Extensions
Apps Security
• Shared on-disk container for storage
• Shared preferences
• Shared Keychain items
App Groups
Apps Security
• Shared on-disk container for storage
• Shared preferences
• Shared Keychain items
App Groups
Apps Security
• Shared on-disk container for storage
• Shared preferences
• Shared Keychain items
App Groups
Application Architecture
• Do we really need to store user credentials on device?
!
• What authentication protocol should we implement on top of REST?
Application Architecture
• Do we really need to store user credentials on device?
!
• What authentication protocol should we implement on top of our APIs?
Limit Data Collection
• Don’t access user data unless your app requires it
!
• Limit the amount of time sensitive data is linked with the user’s identifier
Limit Data Collection
• Don’t access user data unless your app requires it
!
• Limit the amount of time sensitive data is linked with the user
http://www.zdnet.com/article/anger-mounts-after-facebooks-shadow-profiles-leak-in-bug/
Retention Policy
• Have a data retention policy to get rid of user data that you no longer need
• Delete data that does not need to be kept for a clear business purpose
• Delete associated metadata or cross-references to deleted data
Retention Policy
• Have a data retention policy to get rid of user data that you no longer need
• Delete data that does not need to be kept for a clear business purpose
• Delete associated metadata or cross-references to deleted data
Retention Policy
• Have a data retention policy to get rid of user data that you no longer need
• Delete data that does not need to be kept for a clear business purpose
• Delete associated metadata or cross-references to deleted data
The Right Protection Class
• Use the strongest data protection class
!
• Never choose “ProtectionNone”
The Right Protection Class
• Use the strongest data protection class
!
• Never choose “ProtectionNone”
NSUserDefault
“Some applications also use this feature to save confidential information like the user’s access token so that the next time the application launches, they can just use that access token to authenticate the user again.”
http://www.macrumors.com/2012/04/06/facebook-and-dropbox-apps-for-ios-vulnerable-to-credential-theft/
CoreData
http://subhb.org/2013/04/24/mailbox-ios-app-is-a-security-fail/
http://9to5mac.com/2013/04/24/mailbox-app-leaves-contacts-email-content-and-attachments-exposed/
I would love to try my hands on a better Mailbox iOS app, that is more secure. !Until then I have deleted my accounts from Mailbox.
KeychainKeychainItemWrapper *wrapper = [[KeychainItemWrapper alloc]
initWithIdentifier:@“Identifier” accessGroup:nil];
Keychain
• Sharing Data Between Apps
KeychainItemWrapper *wrapper = [[KeychainItemWrapper alloc] initWithIdentifier:@“Identifier” accessGroup:nil];
@“YOUR_APP_ID_HERE.com.yourcompany.GenericKeychainSuite”
Keychain
• Sharing Data Between Apps
KeychainItemWrapper *wrapper = [[KeychainItemWrapper alloc] initWithIdentifier:@“Identifier” accessGroup:nil];
@“YOUR_APP_ID_HERE.com.yourcompany.GenericKeychainSuite”
• Same $AppIndetifierPrefix
Permission has to be granted in your Entitlements.plist
Touch ID
+ (BOOL)canEvaluatePolicy { LAContext *context = [[LAContext alloc] init]; NSError *error; BOOL success; success = [context canEvaluatePolicy: LAPolicyDeviceOwnerAuthenticationWithBiometrics
error:&error]; return success; }
Touch ID
+ (void)evaluatePolicy:(TouchIDCompletionHandler)touchIDCompletionHandler { LAContext *context = [[LAContext alloc] init]; context.localizedFallbackTitle = @"Use your password"; [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@“Access your data" reply: ^(BOOL success, NSError *authenticationError) { if (touchIDCompletionHandler) { touchIDCompletionHandler(success, authenticationError); } }]; }
Enable PIE
• Available for iOS 4.3 and later.
• Enabled only when main executable and it’s dependencies have been build as PIE
• Run otool -hv to verify your build
Enable PIE
• Available for iOS 4.3 and later.
• Enabled only when main executable and it’s dependencies have been build as PIE
• Run otool -hv to verify your build
Enable PIE
• Available for iOS 4.3 and later.
• Enabled only when main executable and it’s dependencies have been build as PIE
• Run otool -hv to verify your build
and also…
• Use TextFields with Secure Option
• Disable Autocorrection
• Clear the pasteboard once the app enters in background
• UIWebViews
• Cache Policies
and also…
• Use TextFields with Secure Option
• Disable Autocorrection
• Clear the pasteboard once the app enters in background
• UIWebViews
• Cache Policies
and also…
• Use TextFields with Secure Option
• Disable Autocorrection
• Clear the pasteboard once the app enters in background
• UIWebViews
• Cache Policies
and also…
• Use TextFields with Secure Option
• Disable Autocorrection
• Clear the pasteboard once the app enters in background
• UIWebViews
• Cache Policies
iOS pinning
• NSURLConnectionDelegate
• connection:canAuthenticateAgainstProtectionSpace
• connection:didReceiveAuthenticationChallenge
iOS pinning
• NSURLSessionDelegate
• URLSession:task:didReceiveChallenge: completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
iOS pinning
• NSURLSessionDelegate
• URLSession:task:didReceiveChallenge: completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
• AFNetworking supports pinning
Synopsis!-------------------------------------------------------------!
Winter 1482. La Esmeralda, a very young gipsy street dancer, is the hottest and most popular girl in Paris. Every man is in love with her -Gringoire the philosopher, Quasimodo the hunchback of Notre-Dame, Frollo the evil priest and Captain Phoebus the brave soldier. They are all fighting to win her love, but nobody can fully succeed. There is only one solution… Esmeralda must die!
A comic parody of Notre-Dame de Paris by Victor Hugo.