
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016


  • Outsmarting Hackers before your App gets Hacked

    Subho Halder

    Co-Founder & CTO, Appknox. iOS Conf SG Edition

  • Securing iOS Mobile Apps: Mobile Security Talk

    Introduction

    Android vs iOS

    Securing Your Mobile Apps

    Secured Pasteboard

    Application Snapshots

    iOS Dataprotection API

    Juice Jacking - Slurrp

    Top 10 Mobile Security List

    4 Myths About Mobile Security

    Questions? Contact Me :)


    About Me

    Co-Founder and CTO at Appknox, a mobile security company that helps developers and companies build secure mobile applications. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec and RSA Conference.

    Subho Halder / Co-Founder & CTO

  • Securing iOS Mobile Applications - Subho Halder, iOS Conf SG Edition

    Introduction: The Great Mobile Security Debate


    01 Fragmented Applications: multiple applications for multiple platforms and multiple architectures make it difficult for app developers to keep up with security concerns.

    02 Fragmented Platforms: with multiple platforms and multiple versions of each mobile operating system, OEMs face challenges keeping security up to date.

    03 Personal & Social Information: mobile devices hold your personal and social information, and applications have access to it.

    04 Businesses & Enterprise Data: with mobile being adopted at workplaces, sensitive business information is now accessible to applications.


    Android vs iOS

    With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users.

    [Chart: Vulnerable Apps, Malwares, Device Vulnerabilities and Fragmentation, each scored 0 to 100, compared for the iOS device and the Android device]

    Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times.

    Google's Android platform has become a larger target for mobile malware writers than Apple's iOS. This could be a result of Android's popularity: with more than 1 million activations per day, Android smartphones command a 59% market share worldwide.

  • Securing Your Mobile Apps

    The goal of this section is to raise awareness about application security by identifying some of the most critical risks facing organizations.

  • Secured Pasteboard: do you think the pasteboard can be used to steal information?

    Secured Pasteboard Vulnerabilities: Universal Clipboard changes for iOS 10 and macOS Sierra

    The UIPasteboard changes in iOS 10 that introduce Universal Clipboard also open a slight security hole: an end user could copy a sensitive piece of data and inadvertently make it available across all of their devices. Keep in mind that the general pasteboard is also readable by any other app on the same device, so a sensitive value should not be left there longer than necessary.

    Understanding the clipboard contents, as a developer you can either:

    1. Flag a piece of data as local only, in which case it will not appear in the Universal Clipboard across devices, and

    2. Set an expiration date on a piece of data so that it isn't available after that date.

  • Secured Pasteboard Vulnerabilities: flag a piece of data as local only so that it will not appear in the Universal Clipboard across devices

    In one line, you set the item in the UIPasteboard with the option localOnly set to true.

  • Secured Pasteboard Vulnerabilities: set an expiration date on a piece of data so that it isn't available after that date

    Again, in one line you get to pass an expiration date for when the UIPasteboard item should expire. You can also use both options together.
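    The two options from the last two slides combined, as an added example that is not the talk's own listing. It uses the iOS 10 UIPasteboard API (the option keys were spelled UIPasteboardOption in Swift 3 and are UIPasteboard.OptionsKey today); the 60-second lifetime is an assumed policy, and the UTI string is the standard identifier for UTF-8 text.

    ```swift
    import UIKit

    /// Added example (not from the slides): copies a sensitive string to the
    /// general pasteboard so that it never leaves this device and is dropped
    /// automatically after `lifetime` seconds. `lifetime` is an assumed value.
    func copySensitiveText(_ text: String, lifetime: TimeInterval = 60) {
        // Pasteboard items are dictionaries keyed by UTI.
        let item: [String: Any] = ["public.utf8-plain-text": text]
        let options: [UIPasteboard.OptionsKey: Any] = [
            .localOnly: true,                                     // never synced via Universal Clipboard
            .expirationDate: Date().addingTimeInterval(lifetime)  // system clears it after the TTL
        ]
        UIPasteboard.general.setItems([item], options: options)
    }

    /// Explicit clean-up for the moment the user is done (e.g. after the paste
    /// into the target field), so the secret does not linger until the TTL.
    func clearSensitiveText() {
        UIPasteboard.general.items = []
    }

    /// Check used while testing: true while the secret is still readable.
    func pasteboardStillHoldsSecret() -> Bool {
        return UIPasteboard.general.string != nil
    }
    ```

    To verify on a device, call copySensitiveText, wait past the lifetime and confirm pasteboardStillHoldsSecret() returns false; with localOnly set, the value should also not appear on a paired Mac or second iOS device.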

  • Application Snapshot Vulnerability: if an application goes into the background, can its data be hacked?

    Application Snapshots: these screenshots can be accessed without jailbreaking

    iOS caches a screenshot of the last screen of the application and shows it when you tap the app, so that the application appears to resume immediately. This feature on its own is not a vulnerability; it does exactly what it is supposed to do.

    So when does a feature become a vulnerability? When the last screen contains sensitive data: the cached screenshot can be pulled off the device without jailbreaking using a free tool like iFunBox.

    As a developer, you can blank out or blur the screen before the app is minimized. This prevents sensitive data from being captured in the screenshot.

  • Application Snapshots: blank out or blur the screen before it is minimized, so that sensitive data is not captured in the screenshot

    The code goes in the application life-cycle methods; here we put an imageView over the screen while the app animates to the background.

  • Application Snapshots: blank out or blur the screen before it is minimized, so that sensitive data is not captured in the screenshot

    Here is the code to remove the imageView when the application comes back to the foreground.
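    Both life-cycle hooks from the last two slides in one place, as an added example that is not the slides' own code. It covers the key window with an opaque view when the app is about to leave the foreground (applicationWillResignActive fires before iOS takes the snapshot, and also when the app switcher or an incoming call interrupts the app) and removes it on applicationDidBecomeActive. The tag value and the plain white cover are arbitrary choices; a blurred copy or a logo image could be used instead.

    ```swift
    import UIKit

    /// Added example (not the talk's listing): app delegate that blanks the
    /// window before iOS snapshots it and restores the UI on return.
    @main
    class AppDelegate: UIResponder, UIApplicationDelegate {
        var window: UIWindow?

        // Arbitrary tag used to find the cover view again.
        private let coverTag = 0xC0FE

        func applicationWillResignActive(_ application: UIApplication) {
            guard let window = window, window.viewWithTag(coverTag) == nil else { return }
            let cover = UIView(frame: window.bounds)
            cover.tag = coverTag
            cover.backgroundColor = .white          // opaque: nothing underneath reaches the snapshot
            cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
            window.addSubview(cover)
        }

        func applicationDidBecomeActive(_ application: UIApplication) {
            window?.viewWithTag(coverTag)?.removeFromSuperview()
        }
    }
    ```

    Scene-based apps do the same in sceneWillResignActive(_:) and sceneDidBecomeActive(_:) of the UISceneDelegate. To check the fix, background the app from a screen with sensitive data and inspect the snapshot the system stored for the app (with a tool such as iFunBox, as the slide describes): it should show only the cover.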

  • iOS Data Protection API: NSDataWritingFileProtection. Have you ever used this to secure your data?

    iOS Data Protection API: NSFileProtection

    NSFileProtectionNone / NSDataWritingFileProtectionNone

    The file is not protected and can be read or written at any time. This is the default value of the API option. Note that since iOS 7 the Data Protection entitlement gives files in an app's container NSFileProtectionCompleteUntilFirstUserAuthentication by default, so a file you never classify is still unreadable until the first unlock after boot, but readable while the device is locked after that.

    iOS provides hardware-level encryption of files. Each protected file is encrypted with its own per-file key; that key is wrapped with a class key, and the class keys for the Complete classes are derived from the user's passcode entangled with the device's hardware UID. Ten seconds after the device is locked, the unwrapped class key is removed from memory. When the user unlocks the device, the passcode (or PIN) is used to derive the class key again, which unwraps the per-file keys and so decrypts the files.

    NSFileProtectionComplete / NSDataWritingFileProtectionComplete

    Any file with this setting is protected ten seconds after the device is locked. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected.


    NSFileProtectionCompleteUnlessOpen / NSDataWritingFileProtectionCompleteUnlessOpen

    Files with this setting are protected ten seconds after the device is locked unless they are currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked.

    NSFileProtectionCompleteUntilFirstUserAuthentication / NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication

    Files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background.


    Sample usages with NSData

    Sample usages with NSFileManager
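    The two sample usages above, written out as an added example rather than the slides' own listings. Data.write(options: .completeFileProtection) is the Swift spelling of NSData's NSDataWritingFileProtectionComplete, and FileManager.setAttributes with FileProtectionType.complete is the NSFileManager route (NSFileProtectionComplete) for a file that already exists. The file name and payload are constructed for the example; the read-back check is what a reviewer would run, and it only proves the class was set: the actual encryption behaviour (file unreadable about ten seconds after lock) can only be observed on a real device, not in the Simulator.

    ```swift
    import Foundation

    /// Added example (not the talk's code): write a secret with the strongest
    /// protection class two ways, then read the class back as a check.
    enum ProtectionDemoError: Error {
        case unexpectedClass(String?)
    }

    // Constructed sample path and payload for the demonstration.
    let secretsURL = FileManager.default.temporaryDirectory
        .appendingPathComponent("session-token.bin")
    let token = Data("constructed-sample-token".utf8)

    /// Route 1, the NSData way: the option maps to NSDataWritingFileProtectionComplete.
    func writeWithDataAPI() throws {
        try token.write(to: secretsURL, options: [.atomic, .completeFileProtection])
    }

    /// Route 2, the NSFileManager way: set NSFileProtectionComplete on an existing file.
    func writeWithFileManager() throws {
        try token.write(to: secretsURL, options: .atomic)
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: secretsURL.path)
    }

    /// Check: the protection attribute must read back as NSFileProtectionComplete.
    func assertProtectedComplete() throws {
        let attrs = try FileManager.default.attributesOfItem(atPath: secretsURL.path)
        let cls = attrs[.protectionKey] as? String
        guard cls == FileProtectionType.complete.rawValue else {
            throw ProtectionDemoError.unexpectedClass(cls)
        }
    }

    try writeWithDataAPI()
    try assertProtectedComplete()
    try writeWithFileManager()
    try assertProtectedComplete()
    ```

    If the app needs the file while it runs in the background after the device locks, use .completeFileProtectionUnlessOpen (FileProtectionType.completeUnlessOpen) instead, as the previous slide describes; .complete will make reads fail once the lock timer expires.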

  • File protection is easy, simple and hardware-optimised; you should use it in every project of yours unless you have a good reason not to.

  • Juice Jacking - Slurrp

    Juice jacking is a term for an attack in which a smartphone, tablet or other computing device is compromised through a charging port that doubles as a data connection, typically over USB: the "charger" is really a host that talks to the device. iOS mitigates this with the "Trust This Computer?" prompt (iOS 7 and later), so never tap Trust on a public charger; a charge-only cable or adapter that omits the USB data lines removes the risk entirely.

    Sample charging kiosk
