iOS App Security: Common Mistakes and Best Practices

Why?

Questions

• What do you need to store?

• Where do you need to store it?

• How do you need to store it?

iOS Security Overview

• Keep user personal data safe

• Treat untrusted files and data with care

• Protect data in transit

• Verify the authenticity

iOS Security Layers

• System Security

• Encryption and Data Protection

• App Security

• Network Security

• Apple Pay

• Internet Services

• Device Control

• Privacy Control

System Security

• Secure boot chain

• Secure Enclave

• Touch ID

Data Protection

• File Data Protection

• Data Protection classes

• NSFileProtectionComplete

• NSFileProtectionCompleteUnlessOpen

• NSFileProtectionCompleteUntilFirstUserAuthentication

• NSFileProtectionNone

Data Protection in Action

Law Enforcement

Keychain

• Secure Storage Container

• Implemented as a SQLite database

• There is only one database

• Stored data are encrypted

• Information is stored outside the application sandbox

Apps Security: App code signing

• Signed

• Verified

• Sandboxed

• All executable code is signed by Apple

Apps Security: Runtime process security

• Third-party apps are “sandboxed”

• Access control using entitlements

• ASLR

Apps Security: Extensions

• Sandboxed

• Run in their own address space

• Entitlements to restrict availability

• Extensions and apps do not share files and memory

Apps Security: App Groups

• Shared on-disk container for storage

• Shared preferences

• Shared Keychain items

Apps Security: Data Protection in Apps

• NSFileManager

• CoreData

• NSData

Network Security

• SSL

• TLS v1.0, TLS v1.1, TLS v1.2

• VPN

• WIFI

• Bluetooth


Premises

• Jailbreaking

• Swizzling

Premises

• Debug

• Decrypt

• Disassemble

• Reconstruct CoreData files

• Traffic Sniffing

Common Mistakes vs Best Practices

Development Process

Application Architecture

• Do we really need to store user credentials on device?

• What authentication protocol should we implement on top of REST?

Limit Data Collection

• Don’t access user data unless your app requires it

• Limit the amount of time sensitive data is linked with the user’s identifier

http://www.zdnet.com/article/anger-mounts-after-facebooks-shadow-profiles-leak-in-bug/

Retention Policy

• Have a data retention policy to get rid of user data that you no longer need

• Delete data that does not need to be kept for a clear business purpose

• Delete associated metadata or cross-references to deleted data

The Right Protection Class

• Use the strongest data protection class

• Never choose “ProtectionNone”
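The "Data Protection in Apps" slide names NSFileManager, CoreData and NSData, and this slide says to pick the strongest class. The following is an added example, not code from the deck, showing how the class is set through each of those three APIs and how a build can audit what class a file actually ended up with. Paths, the store URL and the coordinator are assumed to be supplied by the caller.

```objective-c
#import <Foundation/Foundation.h>
#import <CoreData/CoreData.h>

// NSData: write the file with NSFileProtectionComplete, so it is only readable while the
// device is unlocked. The write fails with an error while the device is locked; handle that
// error instead of retrying with a weaker class.
static BOOL WriteProtectedFile(NSData *payload, NSString *path, NSError **error) {
    return [payload writeToFile:path
                        options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                          error:error];
}

// NSFileManager: upgrade a file that already exists, e.g. one written by an older app
// version that never set a class explicitly.
static BOOL UpgradeProtection(NSString *path, NSError **error) {
    NSDictionary *attrs = @{NSFileProtectionKey: NSFileProtectionComplete};
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// Audit helper: the class currently applied to a file. A debug build or unit test can walk
// the Documents directory with this and fail if anything sensitive reports NSFileProtectionNone.
static NSString *ProtectionClassOfFile(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:NULL];
    return attrs[NSFileProtectionKey];
}

// CoreData: the SQLite store is just another file. Pass the class when the persistent store
// is added; otherwise it gets the process default (CompleteUntilFirstUserAuthentication on
// iOS 7 and later), which is readable whenever the device has been unlocked once since boot.
static NSPersistentStore *AddProtectedStore(NSPersistentStoreCoordinator *coordinator,
                                            NSURL *storeURL, NSError **error) {
    NSDictionary *options = @{NSPersistentStoreFileProtectionKey: NSFileProtectionComplete};
    return [coordinator addPersistentStoreWithType:NSSQLiteStoreType
                                     configuration:nil
                                               URL:storeURL
                                           options:options
                                             error:error];
}
```

NSFileProtectionComplete is the right default for credentials and user content; choose NSFileProtectionCompleteUnlessOpen only for files that a background task must keep writing after the device locks, and keep the audit helper in your test target so a regression to a weaker class is caught before release.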

Local Storage Data

Where?

• NSUserDefault

• Plist

• CoreData

• Keychain

NSUserDefault

• Not Encrypted

• Stored in a .plist file

“Some applications also use this feature to save confidential information like the user’s access token so that the next time the application launches, they can just use that access token to authenticate the user again.”

Plist Files

• Not Encrypted

http://www.macrumors.com/2012/04/06/facebook-and-dropbox-apps-for-ios-vulnerable-to-credential-theft/

CoreData

http://subhb.org/2013/04/24/mailbox-ios-app-is-a-security-fail/

http://9to5mac.com/2013/04/24/mailbox-app-leaves-contacts-email-content-and-attachments-exposed/

I would love to try my hands on a better Mailbox iOS app that is more secure. Until then I have deleted my accounts from Mailbox.

Keychain & Jailbreak

Keychain

KeychainItemWrapper *wrapper = [[KeychainItemWrapper alloc] initWithIdentifier:@"Identifier"
                                                                    accessGroup:nil];

Keychain

• Sharing Data Between Apps

KeychainItemWrapper *wrapper = [[KeychainItemWrapper alloc] initWithIdentifier:@"Identifier"
                                                                    accessGroup:@"YOUR_APP_ID_HERE.com.yourcompany.GenericKeychainSuite"];

• Same $AppIdentifierPrefix

• Permission has to be granted in your Entitlements.plist
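The slides above show the KeychainItemWrapper sample class; the same storage can be done directly with the Security framework, which also lets you set the item's accessibility attribute (the Keychain equivalent of the file protection class, which the wrapper does not expose). The following is an added example, not code from the deck or from Apple's sample: it stores a session token the way the NSUserDefaults slides say not to, then in the Keychain. The service name and the access group string are constructed placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed service identifier for this example.
static NSString *const kTokenService = @"com.example.app.session-token";

// The common mistake: the token lands in Library/Preferences/<bundle id>.plist, unencrypted
// and included in backups. Do NOT do this.
static void StoreTokenInsecurely(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"access_token"];
}

// Attributes that identify the item: class + service + account (+ optional access group).
static NSMutableDictionary *TokenQuery(NSString *account, NSString *accessGroup) {
    NSMutableDictionary *q = [@{(__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
                                (__bridge id)kSecAttrService: kTokenService,
                                (__bridge id)kSecAttrAccount: account} mutableCopy];
    // Same $AppIdentifierPrefix and the group listed in the entitlements, as the slide says.
    if (accessGroup) q[(__bridge id)kSecAttrAccessGroup] = accessGroup;
    return q;
}

// Add the item, or update it if one already exists for this account.
// WhenUnlockedThisDeviceOnly: unreadable while the device is locked and never restored
// onto another device from a backup.
static OSStatus StoreToken(NSString *token, NSString *account, NSString *accessGroup) {
    NSMutableDictionary *query = TokenQuery(account, accessGroup);
    NSDictionary *attrs = @{(__bridge id)kSecValueData: [token dataUsingEncoding:NSUTF8StringEncoding],
                            (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly};

    NSMutableDictionary *add = [query mutableCopy];
    [add addEntriesFromDictionary:attrs];
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attrs);
    }
    return status;
}

// Returns nil when there is no item, or when the item cannot be read right now
// (errSecInteractionNotAllowed while the device is locked); callers must handle both.
static NSString *LoadToken(NSString *account, NSString *accessGroup) {
    NSMutableDictionary *query = TokenQuery(account, accessGroup);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Retention policy applies here too: remove the token on logout instead of leaving it behind.
static OSStatus DeleteToken(NSString *account, NSString *accessGroup) {
    return SecItemDelete((__bridge CFDictionaryRef)TokenQuery(account, accessGroup));
}
```

Pass `nil` for `accessGroup` for a single app, or the `$AppIdentifierPrefix.com.yourcompany.shared-group` string from the entitlements file to share the item between apps of the same team; on a jailbroken device any of the accessible-while-unlocked classes can still be dumped, which is why the "Keychain & Jailbreak" slide pairs the two topics.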

Touch ID

#import <LocalAuthentication/LocalAuthentication.h>

typedef void (^TouchIDCompletionHandler)(BOOL success, NSError *authenticationError);

// YES only when the device has Touch ID enrolled and the policy can be evaluated.
+ (BOOL)canEvaluatePolicy {
    LAContext *context = [[LAContext alloc] init];
    NSError *error = nil;
    BOOL success = [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                                        error:&error];
    return success;
}

Touch ID

// Prompts for Touch ID; the reply block runs on a private queue, so dispatch UI updates to the main queue.
+ (void)evaluatePolicy:(TouchIDCompletionHandler)touchIDCompletionHandler {
    LAContext *context = [[LAContext alloc] init];
    context.localizedFallbackTitle = @"Use your password";
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:@"Access your data"
                      reply:^(BOOL success, NSError *authenticationError) {
        if (touchIDCompletionHandler) {
            touchIDCompletionHandler(success, authenticationError);
        }
    }];
}

Enable PIE

• Available for iOS 4.3 and later.

• Enabled only when the main executable and its dependencies have been built as PIE

• Run otool -hv to verify your build

and also…

• Use TextFields with Secure Option

• Disable Autocorrection

• Clear the pasteboard once the app enters the background

• UIWebViews

• Cache Policies

and also…

• Snapshots

• NSURLScheme

• Encryption (RNCryptor)
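The two "and also…" slides list five habits (secure text fields, no autocorrection, pasteboard clearing, cache policies, snapshots) plus custom URL scheme handling. The following is an added example, not code from the deck, that puts them in one AppDelegate and two helpers. The `exampleapp` scheme, the `open-item` host and the cover-view tag are constructed for this example.

```objective-c
#import <UIKit/UIKit.h>

// Tag used to find and remove the privacy cover view (constructed value for this example).
static const NSInteger kPrivacyCoverTag = 0xC0FFEE;

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@end

@implementation AppDelegate

// Pasteboard and snapshots are both dealt with when the app goes to the background.
- (void)applicationDidEnterBackground:(UIApplication *)application {
    // Anything the user copied inside the app would otherwise stay readable by every other app.
    [UIPasteboard generalPasteboard].items = @[];

    // iOS writes a screenshot of the current UI to disk for the app switcher; cover the
    // window first so that image holds no account data, and tell iOS not to reuse it.
    UIView *cover = [[UIView alloc] initWithFrame:self.window.bounds];
    cover.backgroundColor = [UIColor whiteColor];
    cover.tag = kPrivacyCoverTag;
    [self.window addSubview:cover];
    [application ignoreSnapshotOnNextApplicationLaunch];
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
    [[self.window viewWithTag:kPrivacyCoverTag] removeFromSuperview];
}

// NSURLScheme: any app on the device can open a custom scheme URL, so it is untrusted
// input. Accept only the scheme, host and parameter shape you expect.
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
    if (![url.scheme isEqualToString:@"exampleapp"]) return NO;
    if (![url.host isEqualToString:@"open-item"]) return NO;
    NSString *itemID = url.lastPathComponent;
    NSCharacterSet *notAllowed = [[NSCharacterSet alphanumericCharacterSet] invertedSet];
    if (itemID.length == 0 || [itemID rangeOfCharacterFromSet:notAllowed].location != NSNotFound) {
        return NO;   // reject anything that is not a plain identifier
    }
    // Look the item up by ID in the app's own store; never load `url` itself into a web view.
    return YES;
}

@end

// Text fields: secure entry plus no autocorrection, so neither the keyboard cache
// nor the autocorrect dictionary learns the secret.
static void ConfigureSecretField(UITextField *field) {
    field.secureTextEntry = YES;
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.autocapitalizationType = UITextAutocapitalizationTypeNone;
}

// Cache policies: responses carrying tokens or personal data must not be written to the
// on-disk URL cache, so use an ephemeral session with no cache and a no-cache request policy.
static NSURLSession *UncachedSession(void) {
    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    config.URLCache = nil;
    config.requestCachePolicy = NSURLRequestReloadIgnoringLocalCacheData;
    return [NSURLSession sessionWithConfiguration:config];
}
```

The cover view and `ignoreSnapshotOnNextApplicationLaunch` (iOS 7 and later) together keep account screens out of the snapshot files under Library/Caches/Snapshots, which are readable on a jailbroken device or from a backup; the URL handler is deliberately strict because a scheme handler that forwards its argument to a UIWebView turns any installed app into a way to load content inside yours.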

Obfuscation

https://gist.github.com/aras-p/6224951

Normal Connection

MITM Attack

http://www.infosecurity-magazine.com/news/china-man-in-the-middle-attack/

https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle

What's the problem?

• End-to-end Security

• Possible defense

• Certificate Pinning

Certificate

• What's inside?

• It expires and it can be revoked

Pinning

• What’s the pinning?

• What should be pinned?

• When do you pin?

iOS pinning

• NSURLConnectionDelegate

• connection:canAuthenticateAgainstProtectionSpace:

• connection:didReceiveAuthenticationChallenge:

iOS pinning

• NSURLSessionDelegate

• URLSession:task:didReceiveChallenge:completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler

• AFNetworking supports pinning
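The slides name the delegate method but not what goes inside it. The following is an added example, not code from the deck or from AFNetworking: an NSURLSessionDelegate that answers the "what should be pinned" question by comparing the server's leaf certificate, byte for byte, against a DER certificate shipped in the bundle. It implements the session-level challenge method; the task-level variant named on the slide (on NSURLSessionTaskDelegate) takes the same body. The bundled file name `api.cer` is an assumption.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate

// DER-encoded certificate shipped in the app bundle (file name constructed for this example).
// Pinning the leaf means the app must ship an update before the server certificate is rotated
// ("when do you pin?"); pinning the issuing CA instead (a higher index in the chain) survives rotation.
- (NSData *)pinnedCertificateData {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api" ofType:@"cer"];
    return [NSData dataWithContentsOfFile:path];
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    // Only server-trust challenges are pinned; HTTP auth and client certificates use default handling.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    // Step 1: the normal chain evaluation (expiry, host name, trusted root) still has to pass.
    // Pinning is added on top of it, never instead of it.
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // Step 2: the leaf certificate presented must be exactly the one shipped with the app.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafDER = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        pinOK = [leafDER isEqualToData:[self pinnedCertificateData]];
    }

    if (pinOK) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        // A proxy certificate issued by a CA the user installed, a rotated certificate, or the
        // wrong host all end up here: fail closed rather than fall back to the system default.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end

// The session retains its delegate, so one delegate per session is enough.
static NSURLSession *MakePinnedSession(void) {
    return [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration]
                                         delegate:[PinnedSessionDelegate new]
                                    delegateQueue:nil];
}
```

This answers the MITM scenario from the earlier slides: an interception proxy can only present a certificate chained to a CA the device trusts, and the byte comparison in step 2 rejects it even when that chain validates. Build the cancel branch into your monitoring as well: a sudden rise in cancelled challenges from one network is the signal that such a proxy is in the path.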

Twitter: @petrungarof

ONE MORE THING

Synopsis

Winter 1482. La Esmeralda, a very young gipsy street dancer, is the hottest and most popular girl in Paris. Every man is in love with her: Gringoire the philosopher, Quasimodo the hunchback of Notre-Dame, Frollo the evil priest and Captain Phoebus the brave soldier. They are all fighting to win her love, but nobody can fully succeed. There is only one solution… Esmeralda must die!

A comic parody of Notre-Dame de Paris by Victor Hugo.