Outsmarting Hackers before your App gets Hacked - iOSConf SG 2016

Transcript

1. Outsmarting Hackers before your App gets Hacked Subho Halder CoFounder

   & CTO Appknox iOS Conf Edition 5

2.  Securing iOS Mobile Apps Mobile Security Talk Introduction 

   Android vs iOS  Securing Your Mobile Apps  Secured Pasteboard  Application Snapshots  iOS Dataprotection API  Juice Jacking - Slurrp  Top 10 Mobile Security List  4 Myths About Mobile Security  Questions? Contact Me :)  2 About Me Co-Founder and CTO at , a mobile security company that helps developers and companies to build secure mobile application. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec, RSA Conference. Subho Halder / CoFounder & CTO

3. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

   Edition  3 Introduction  The Great Mobile Security Debate ! " # x $  ă Ć & ą r 5 8 1 ü Ĉ É ' Ġ Ä c h l [ j Å a ä n ‚ Z : è s o @ û ĥ p ö y Ç 9 é e W e B ù é ë 0 01 Fragmented Applications Multiple Applications for Multiple Platform and Multiple Architectures makes it difficult for App Developers to keep-up with security concerns 03 Personal & Social Information Mobile Devices holds your personal and social information, and applications has access to these information 02 Fragmented Platforms With multiple platforms and multiple versions of Mobile Operating System, the OEM faces challenges to keep Security up-to-date 04 Businesses & Enterprise Data With mobile getting adopted at workplaces, sensitive information are now accessible to applications

4. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

   Edition  4 Android vs iOS  With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users. IMAGE 0 20 40 60 80 0 25 50 75 100 Vulnerable Apps Malwares Device Vulnerability Fragmentation 0 25 50 75 100 0 25 50 75 100 Vulnerable Apps Malwares Device Vulnerabilities Fragmentation Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times. The iOS Device Google’s Android platform has become a larger target for mobile malware writers than Apple iOS. This could be a result of Android’s popularity—with more than 1 million activations per day, Android smartphones command a 59% market share worldwide. The Android Device

5.  The goal of this is to raise awareness about

   application security by identifying some of the most critical risks facing organizations. Securing Your Mobile Apps

6.  Do you think Pasteboard can be used to steal

   information ? Secured Pasteboard

7. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

   Edition  7 Secured Pasteboard Vulnerabilities  Universal Clipboard changes for iOS 10 and macOS Sierra With the changes to the UIPasteboard iOS 10 API that introduce Universal Clipboard, it also opens a slight security vulnerability in that an end user could copy a sensitive piece of data and inadvertently make it available across all their devices Understanding the Clipboard Contents As a developer, you can either: 1. Flag a piece of data as “local only” in which it will not appear in the Universal Clipboard across devices, and 2. Set an expiration date on a piece of data such that it isn’t available after that date.

8. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

   Edition  8 Secured Pasteboard Vulnerabilities  Flag a piece of data as “local only” in which it will not appear in the Universal Clipboard across devices a In one line, you set the item in the UIPasteboard with an option localOnly as true.

9. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

   Edition  9 Secured Pasteboard Vulnerabilities  Set an expiration date on a piece of data such that it isn’t available after that date a Again, in one line you get to pass an expiration date for when the UIPasteboard item should expire. You can also use these together

10.  If an application goes into background, can the data

    be hacked ? Application Snapshot Vulnerability

11. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  IMAGE 11 Application Snapshots  These screenshots can be accessed without jailbreaking iOS caches a screenshot of the last screen of the application and when you click on it the application resumes. This caching technique provides the user with the impression that their application has resumed immediately. This “feature” on its own is not vulnerability, and does exactly what it is supposed to do. So when does a feature become a vulnerability? As a developer, you can: blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot These screenshots can be accessed without jailbreaking using any free tool like ‘ifunbox’

12. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  12 Application Snapshots  blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot a Need to write the code in Application life cycle methods, here we are putting an imageView while the app animate to background

13. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  13 Application Snapshots  blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot a Here is the code to remove the imageView when the application comes to foreground

14.  Have you ever used this to secure your data

    ? iOS Dataprotection API: NSDataWritingFileProtection

15. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  15 iOS Dataprotection API: NSFileProtection  Have you ever used this to secure your data ? NSFileProtectionNone NSDataWritingFileProtectionNone The file is not protected and can be read or written at any time. This is the default value. iOS provides hardware-level encryption of files. Files marked for protection are encrypted using a per-device key, which is encrypted using the user’s password or PIN. Ten seconds after the device is locked, the unencrypted per-device key is removed from memory. When the user unlocks the device, the password or personal identification number (PIN) is used to decrypt the per-device key again, which is then used to decrypt the files. NSFileProtectionComplete NSDataWritingFileProtectionComplete Any file with this setting is protected ten seconds after the device is locked. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected.

16. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  16 iOS Dataprotection API: NSFileProtection  Have you ever used this to secure your data ? iOS provides hardware-level encryption of files. Files marked for protection are encrypted using a per-device key, which is encrypted using the user’s password or PIN. Ten seconds after the device is locked, the unencrypted per-device key is removed from memory. When the user unlocks the device, the password or personal identification number (PIN) is used to decrypt the per-device key again, which is then used to decrypt the files. NSFileProtectionCompleteUnlessOpen NSDataWritingFileProtectionCompleteUnlessOpen Files with this setting are protected ten seconds after the device is locked unless they’re currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked. NSFileProtectionCompleteUntilFirstUserAuthentication NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication Files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background.

17. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  17 iOS Dataprotection API: NSFileProtection  Have you ever used this to secure your data ? Sample usages with NSData Sample usages with NSFileManager

18.  File protection is very easy, simple and hardware-optimised, you

    should use this in every project of yours, unless you have a good reason to not to.

19.  Juice jacking is a term used to describe a

    cyber attack where wherein a smart phone, tablet or other computer device using a charging port that doubles as a data connection, typically over USB. Juice Jacking - Slurrp

20. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  20 Juice Jacking - Slurrp  A smart phone, tablet or other computer device using a charging port that doubles as a data connection, typically over USB. Sample charging Kiosks in Public Places Would you trust this Public USB Kiosk to charge your iPhone?

21.  The goal of this is to raise awareness about

    application security by identifying some of the most critical risks facing organizations. Top 10 Mobile Security List

22. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  22 Top 10 Mobile Security List  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. Poor Authorization and Authentication Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app. ç Unintended Data Leakage Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device. ‚ Insufficient Transport Layer Protection If the application is coded poorly, threat agents can use techniques to view this sensitive data. Unfortunately, mobile applications frequently do not protect network traffic 0 Insecure Data Storage Many developers assume that storing data on client-side will restrict other users from having access to this data. : Weak Server Side Controls Most security experts might argue that server-side security falls outside of the area of mobile application security threats. Till last year, it was the second most important mobile security threat. Z 05 04 03 02 80% 43% 01 64% 72% 19% Source: https://blog.appknox.com/category/owasp-top-10-mobile/

23. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  23 Top 10 Mobile Security List  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. 06  07  08  09  10  Client side injection results in the execution of malicious code on the client side which is the mobile device, via the mobile app. Client Side Injection As the name suggests, this issue is because session tokens are not handled in the best way. Improper Session Handling Broken Cryptography or insecure usage of cryptography is mostly common in mobile apps that leverage encryption. Broken Cryptography Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. Security Decisions Via Untrusted Inputs A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. Lack of Binary Protections

24. Securing iOS Mobile Applications - Subho Halder iOS Conf SG

    Edition  24 4 Myths About Mobile Security  “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” – Gartner ĉ Ą 7 Ĉ Public app stores are safe because they have security filters Data encryption is not required for mobile devices PCs are more secure than mobile phones Two-factor authentication can be neglected for mobile security

25.  Questions ? @sunnyrockzzs [email protected] https://www.appknox.com