Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iOS Security Deep Dive

Charles Lima
November 10, 2019
Programming
1
120

iOS Security Deep Dive

This deck covers some important security topics for an iOS app. These topics include http vs https, ssl/tls pinning and insecure data storage, for example. Moreover, it shows how an attacker may explore a few vulnerabilities in your apps and how to defend against them.

Charles Lima

November 10, 2019
Tweet

Other Decks in Programming

See All in Programming
最新TCAキャッチアップ
0si43
0
200
Jakarta EE meets AI
ivargrimstad
0
660
Better Code Design in PHP
afilina
PRO
0
130
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
1k
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
910
C++でシェーダを書く
fadis
6
4.1k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
Quine, Polyglot, 良いコード
qnighy
4
650
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.2k
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
260

Featured

See All Featured
A designer walks into a library…
pauljervisheath
204
24k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Typedesign – Prime Four
hannesfritz
40
2.4k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Rails Girls Zürich Keynote
gr2m
94
13k
What's in a price? How to price your products and services
michaelherold
243
12k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Designing for Performance
lara
604
68k
Gamification - CAS2011
davidbonilla
80
5k

Transcript

  1. Security deep dive Charles Lima Rodrigo Guimarães

  2. Security as a Culture

  3. Why is security important?

  4. 71% Fraud transactions come from mobile apps & browsers

  5. Who might be interested in our data?

  6. Criminals Competitors Providers Family & Friends Who might be interested

    in our data?

  7. What are the likely damages?

  8. Financial Reputational Public exposure Intellectual Property Theft What are the

    likely damages?

  9. Security in Layers

  10. None

  11. Network Security

  12. None

  13. The Movie Database

  14. The Movie Database

  15. The Movie Database

  16. The Movie Database

  17. Intercepting HTTP requests

  18. Intercepting HTTP requests

  19. Intercepting HTTP requests

  20. None

  21. HTTP HTTPS

  22. HTTP HTTPS

  23. SSL and TLS

  24. How it works

  25. How it works Session Key

  26. Using HTTPS

  27. Not f*cking up the security defaults is actually a great

    start. Using HTTPS

  28. Intercepting HTTPS Requests

  29. End of the line? Intercepting HTTPS Requests

  30. Intercepting HTTPS Requests

  31. Intercepting HTTPS Requests

  32. What do we do? Intercepting HTTPS Requests

  33. SSL/TLS Pinning Making sure that the certificate you received is

    the exact same one you have in your bundle.

  34. Certificate ➜ ~ openssl s_client -connect api.themoviedb.org:443 </dev/null \ |

    /dev/null|openssl x509 -outform DER >themoviedb.cer

  35. Certificate ➜ ~ openssl s_client -connect api.themoviedb.org:443 </dev/null \ |

    /dev/null|openssl x509 -outform DER >themoviedb.cer

  36. import Moya import Alamofire class AlamofireSessionManagerBuilder { var policies: [String:

    ServerTrustPolicy]? var configuration = URLSessionConfiguration.default init() { let allPublicKeys = ServerTrustPolicy.pinPublicKeys( publicKeys: ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) self.policies = [ "api.themoviedb.org": allPublicKeys ] } func build() -> Manager { var serverTrustPolicyManager: ServerTrustPolicyManager? if let policies = self.policies { serverTrustPolicyManager = ServerTrustPolicyManager(policies: policies) } let manager = Manager(configuration: configuration, serverTrustPolicyManager: serverTrustPolicyManager) manager.startRequestsImmediately = false return manager } } Alamofire Implementation

  37. import Moya import Alamofire class AlamofireSessionManagerBuilder { var policies: [String:

    ServerTrustPolicy]? var configuration = URLSessionConfiguration.default init() { let allPublicKeys = ServerTrustPolicy.pinPublicKeys( publicKeys: ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) self.policies = [ "api.themoviedb.org": allPublicKeys ] } func build() -> Manager { var serverTrustPolicyManager: ServerTrustPolicyManager? if let policies = self.policies { serverTrustPolicyManager = ServerTrustPolicyManager(policies: policies) } let manager = Manager(configuration: configuration, serverTrustPolicyManager: serverTrustPolicyManager) manager.startRequestsImmediately = false return manager } } Alamofire Implementation

  38. import Moya import Alamofire class AlamofireSessionManagerBuilder { var policies: [String:

    ServerTrustPolicy]? var configuration = URLSessionConfiguration.default init() { let allPublicKeys = ServerTrustPolicy.pinPublicKeys( publicKeys: ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) self.policies = [ "api.themoviedb.org": allPublicKeys ] } func build() -> Manager { var serverTrustPolicyManager: ServerTrustPolicyManager? if let policies = self.policies { serverTrustPolicyManager = ServerTrustPolicyManager(policies: policies) } let manager = Manager(configuration: configuration, serverTrustPolicyManager: serverTrustPolicyManager) manager.startRequestsImmediately = false return manager } } Alamofire Implementation

  39. import Moya import Alamofire class AlamofireSessionManagerBuilder { var policies: [String:

    ServerTrustPolicy]? var configuration = URLSessionConfiguration.default init() { let allPublicKeys = ServerTrustPolicy.pinPublicKeys( publicKeys: ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) self.policies = [ "api.themoviedb.org": allPublicKeys ] } func build() -> Manager { var serverTrustPolicyManager: ServerTrustPolicyManager? if let policies = self.policies { serverTrustPolicyManager = ServerTrustPolicyManager(policies: policies) } let manager = Manager(configuration: configuration, serverTrustPolicyManager: serverTrustPolicyManager) manager.startRequestsImmediately = false return manager } } Alamofire Implementation

  40. import Moya class MovieServiceImpl: MovieService { private let provider: MoyaProvider<MovieRouter>

    init(provider: MoyaProvider<MovieRouter> = MoyaProvider<MovieRouter>(manager: AlamofireSessionManagerBuilder().build())) { self.provider = provider } @discardableResult func search(query: String, completion: @escaping Completion) -> Cancellable { return provider.request(.search(query: query), completion: completion) } } Moya Implementation

  41. import Moya class MovieServiceImpl: MovieService { private let provider: MoyaProvider<MovieRouter>

    init(provider: MoyaProvider<MovieRouter> = MoyaProvider<MovieRouter>(manager: AlamofireSessionManagerBuilder().build())) { self.provider = provider } @discardableResult func search(query: String, completion: @escaping Completion) -> Cancellable { return provider.request(.search(query: query), completion: completion) } } Moya Implementation

  42. class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive

    challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { if let serverTrust = challenge.protectionSpace.serverTrust { let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil) if(isServerTrusted) { if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) { let serverCertificateData = SecCertificateCopyData(serverCertificate) let data = CFDataGetBytePtr(serverCertificateData); let size = CFDataGetLength(serverCertificateData); let cert1 = NSData(bytes: data, length: size) let file_der = Bundle.main.path(forResource: "certificateFile", ofType: "der") if let file = file_der { if let cert2 = NSData(contentsOfFile: file) { if cert1.isEqual(to: cert2 as Data) { completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust)) return } } } } } } } completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) } } URLSession Implementation

  43. class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive

    challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { if let serverTrust = challenge.protectionSpace.serverTrust { let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil) if(isServerTrusted) { if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) { let serverCertificateData = SecCertificateCopyData(serverCertificate) let data = CFDataGetBytePtr(serverCertificateData); let size = CFDataGetLength(serverCertificateData); let cert1 = NSData(bytes: data, length: size) let file_der = Bundle.main.path(forResource: "certificateFile", ofType: "der") if let file = file_der { if let cert2 = NSData(contentsOfFile: file) { if cert1.isEqual(to: cert2 as Data) { completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust)) return } } } } } } } completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) } } URLSession Implementation

  44. class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive

    challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { if let serverTrust = challenge.protectionSpace.serverTrust { let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil) if(isServerTrusted) { if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) { let serverCertificateData = SecCertificateCopyData(serverCertificate) let data = CFDataGetBytePtr(serverCertificateData); let size = CFDataGetLength(serverCertificateData); let cert1 = NSData(bytes: data, length: size) let file_der = Bundle.main.path(forResource: "certificateFile", ofType: "der") if let file = file_der { if let cert2 = NSData(contentsOfFile: file) { if cert1.isEqual(to: cert2 as Data) { completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust)) return } } } } } } } completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) } } URLSession Implementation

  45. class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive

    challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { if let serverTrust = challenge.protectionSpace.serverTrust { let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil) if(isServerTrusted) { if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) { let serverCertificateData = SecCertificateCopyData(serverCertificate) let data = CFDataGetBytePtr(serverCertificateData); let size = CFDataGetLength(serverCertificateData); let cert1 = NSData(bytes: data, length: size) let file_der = Bundle.main.path(forResource: "certificateFile", ofType: "der") if let file = file_der { if let cert2 = NSData(contentsOfFile: file) { if cert1.isEqual(to: cert2 as Data) { completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust)) return } } } } } } } completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) } } URLSession Implementation

  46. class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive

    challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { if let serverTrust = challenge.protectionSpace.serverTrust { let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil) if(isServerTrusted) { if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) { let serverCertificateData = SecCertificateCopyData(serverCertificate) let data = CFDataGetBytePtr(serverCertificateData); let size = CFDataGetLength(serverCertificateData); let cert1 = NSData(bytes: data, length: size) let file_der = Bundle.main.path(forResource: "certificateFile", ofType: "der") if let file = file_der { if let cert2 = NSData(contentsOfFile: file) { if cert1.isEqual(to: cert2 as Data) { completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust)) return } } } } } } } completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) } } URLSession Implementation

  47. class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive

    challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { if let serverTrust = challenge.protectionSpace.serverTrust { let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil) if(isServerTrusted) { if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) { let serverCertificateData = SecCertificateCopyData(serverCertificate) let data = CFDataGetBytePtr(serverCertificateData); let size = CFDataGetLength(serverCertificateData); let cert1 = NSData(bytes: data, length: size) let file_der = Bundle.main.path(forResource: "certificateFile", ofType: "der") if let file = file_der { if let cert2 = NSData(contentsOfFile: file) { if cert1.isEqual(to: cert2 as Data) { completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust)) return } } } } } } } completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil) } } URLSession Implementation

  48. Secure Storage

  49. var guestSessionIDPersistenceKey: String = "guestSessionIDPersistenceKey" var guestSessionID: String? { get

    { guard let sessionID = defaults.string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { defaults.set(newValue, forKey: guestSessionIDPersistenceKey) } } private func requestNewSession() { sessionRepository.new { (result) in guard case .success(let session) = result else { return } self.guestSessionID = session.guestSessionId self.guestSessionExpireDate = session.expiresAt } }

  50. var guestSessionIDPersistenceKey: String = "guestSessionIDPersistenceKey" var guestSessionID: String? { get

    { guard let sessionID = defaults.string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { defaults.set(newValue, forKey: guestSessionIDPersistenceKey) } } private func requestNewSession() { sessionRepository.new { (result) in guard case .success(let session) = result else { return } self.guestSessionID = session.guestSessionId self.guestSessionExpireDate = session.expiresAt } }

  51. var guestSessionIDPersistenceKey: String = "guestSessionIDPersistenceKey" var guestSessionID: String? { get

    { guard let sessionID = defaults.string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { defaults.set(newValue, forKey: guestSessionIDPersistenceKey) } } private func requestNewSession() { sessionRepository.new { (result) in guard case .success(let session) = result else { return } self.guestSessionID = session.guestSessionId self.guestSessionExpireDate = session.expiresAt } }
  52. None

  53. Keychain

  54. Data Attributes Encryption Item Keychain SecKeychainItem

  55. kSecClassGenericPassword kSecClassInternetPassword kSecClassCertificate kSecClassKey kSecClassIdentity kSecClass

  56. kSecClassGenericPassword kSecClassInternetPassword kSecClassCertificate kSecClassKey kSecClassIdentity /* Keychain CRUD */ kSecClass

    SecItemAdd(_:_:) SecItemCopyMatching(_:_:) SecItemUpdate(_:_:) SecItemDelete(_:)

  57. private let keychainWrapper: KeychainWrapper var guestSessionID: String? { get {

    guard let sessionID = keychainWrapper .string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { guard let newValue = newValue else { keychainWrapper.removeObject(forKey: guestSessionIDPersistenceKey) return } keychainWrapper.set(newValue, forKey: guestSessionIDPersistenceKey) } } import SwiftKeychainWrapper

  58. private let keychainWrapper: KeychainWrapper var guestSessionID: String? { get {

    guard let sessionID = keychainWrapper .string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { guard let newValue = newValue else { keychainWrapper.removeObject(forKey: guestSessionIDPersistenceKey) return } keychainWrapper.set(newValue, forKey: guestSessionIDPersistenceKey) } } import SwiftKeychainWrapper

  59. private let keychainWrapper: KeychainWrapper var guestSessionID: String? { get {

    guard let sessionID = keychainWrapper .string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { guard let newValue = newValue else { keychainWrapper.removeObject(forKey: guestSessionIDPersistenceKey) return } keychainWrapper.set(newValue, forKey: guestSessionIDPersistenceKey) } } import SwiftKeychainWrapper

  60. private let keychainWrapper: KeychainWrapper var guestSessionID: String? { get {

    guard let sessionID = keychainWrapper .string(forKey: guestSessionIDPersistenceKey) else { return nil } return sessionID } set { guard let newValue = newValue else { keychainWrapper.removeObject(forKey: guestSessionIDPersistenceKey) return } keychainWrapper.set(newValue, forKey: guestSessionIDPersistenceKey) } } import SwiftKeychainWrapper

  61. Keys Storage

  62. struct Constants { static let baseURL: String = "http://api.themoviedb.org/3" static

    let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = "bfA26eca3aCe899c51739f5793de0cd4" }

  63. struct Constants { static let baseURL: String = "http://api.themoviedb.org/3" static

    let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = "bfA26eca3aCe899c51739f5793de0cd4" }

  64. Cocoapods-keys

  65. ~/.cocoapods/ keys/ OS X App AppNameKeys.h Keys Values Scrambled bfA26eca3aCe89

    9c51739f5793de0 cd4 Compile Runtime Cocoapods-keys

  66. plugin 'cocoapods-keys', { :project => "AppName", :target => “TargetName", :keys

    => [ "apiKEY" ] } $ gem install cocoapods-keys $ pod install CocoaPods-Keys has detected a keys mismatch for your setup. What is the key for apiKEY "apiKEY" > | import Keys struct Constants { static let keys = TheVulnerableAppKeys() static let baseURL: String = "http://api.themoviedb.org/3" static let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = keys.apiKEY }

  67. plugin 'cocoapods-keys', { :project => "AppName", :target => “TargetName", :keys

    => [ "apiKEY" ] } $ gem install cocoapods-keys $ pod install CocoaPods-Keys has detected a keys mismatch for your setup. What is the key for apiKEY "apiKEY" > | import Keys struct Constants { static let keys = TheVulnerableAppKeys() static let baseURL: String = "http://api.themoviedb.org/3" static let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = keys.apiKEY }

  68. plugin 'cocoapods-keys', { :project => "AppName", :target => “TargetName", :keys

    => [ "apiKEY" ] } $ gem install cocoapods-keys $ pod install CocoaPods-Keys has detected a keys mismatch for your setup. What is the key for apiKEY "apiKEY" > | import Keys struct Constants { static let keys = TheVulnerableAppKeys() static let baseURL: String = "http://api.themoviedb.org/3" static let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = keys.apiKEY }

  69. plugin 'cocoapods-keys', { :project => "AppName", :target => “TargetName", :keys

    => [ "apiKEY" ] } $ gem install cocoapods-keys $ pod install CocoaPods-Keys has detected a keys mismatch for your setup. What is the key for apiKEY "apiKEY" > | import Keys struct Constants { static let keys = TheVulnerableAppKeys() static let baseURL: String = "http://api.themoviedb.org/3" static let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = keys.apiKEY }

  70. plugin 'cocoapods-keys', { :project => "AppName", :target => “TargetName", :keys

    => [ "apiKEY" ] } $ gem install cocoapods-keys $ pod install CocoaPods-Keys has detected a keys mismatch for your setup. What is the key for apiKEY "apiKEY" > | import Keys struct Constants { static let keys = TheVulnerableAppKeys() static let baseURL: String = "http://api.themoviedb.org/3" static let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = keys.apiKEY }

  71. plugin 'cocoapods-keys', { :project => "AppName", :target => “TargetName", :keys

    => [ "apiKEY" ] } $ gem install cocoapods-keys $ pod install CocoaPods-Keys has detected a keys mismatch for your setup. What is the key for apiKEY "apiKEY" > | import Keys struct Constants { static let keys = TheVulnerableAppKeys() static let baseURL: String = "http://api.themoviedb.org/3" static let imageBaseURL: String = "http://image.tmdb.org/t/p/w500" static let apiKEY: String = keys.apiKEY }

  72. What if I don't use cocoapods?

  73. xcconfig files Mobile Secrets What if I don't use cocoapods?

  74. Where to Go From Here?

  75. None

  76. Open Web Application Security Project M1 - Improper Platform Usage

    M2 - Insecure Data Storage M3 - Insecure Communication M4 - Insecure Authentication M5 - Insufficient Cryptography M6 - Insecure Authorization M7 - Client Code Quality M8 - Code Tampering M9 - Reverse Engineering M10 - Extraneous Functionality

  77. Open Web Application Security Project

  78. Open Web Application Security Project

  79. Thank you! Rodrigo Longhi Guimarães Want to learn more? OWASP

    - Mobile Top 10 Apple - Security Guide github.com/RodrigoLGuimaraes/TheVulnerableApp Charles Lima careers.ebanx.com