X Things you need to know before implementing cryptography

Transcript

1. X THINGS YOU NEED TO KNOW before Implementing Cryptography @vixentael

2. @vixentael Product Engineer Feel free to reach me with security

   questions. I do check my inbox :)
3. None

4. https://habr.com/post/418851/

5. https://habr.com/post/418851/ https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

6. https://habr.com/post/418851/ https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/

7. https://habr.com/post/418851/ https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/ and so on! @vixentael

8. RISKS TO DATA reputation risks (Equifax) legal responsibility (GDPR) competitors

   operations (Facebook) https://www.cossacklabs.com/blog/gdpr-for-engineers.html

9. financial damage

10. mln records 0 200 400 600 800 1,000 February March

    April May June July August September https://www.itgovernance.co.uk/blog/category/cyber-security/ MILLION OF RECORDS LEAKED PER MONTH @vixentael

11. https://globalnews.ca/news/4298279/hacker-hits- local-mattress-store-with-ransomware/ @vixentael

12. @vixentael https://www.wired.com/story/2018-worst-hacks-so-far/ credentials geo-locations health data financial data kids locations

    cars remote control sex toys remote control

13. @vixentael WHO TELLS YOU TO MAKE SECURE APPS? – NO

    ONE.

14. @vixentael 1. Follow best practices. 2. Talk to professionals.

15. LET’S GO!

16. Attackers can find ways to bypass security measures. @vixentael

17. Encryption – walls & gates. @vixentael

18. " @vixentael

19. Harden all the things! @vixentael

20. protecting privacy passwords & auth plaintext secrets transport dependencies

21. gdpr-info.eu/art-4-gdpr/ SENSITIVE DATA @vixentael

22. developer.apple.com/app-store/review/rejections/ Caring about user data prevents rejections. @vixentael

23. @vixentael http://headway.io/blog/apple-app-store- new-privacy-policy-what-you-need-to-know/ NEW APP STORE PRIVACY POLICY - minimize

    the data you collect - be transparent on how you use the data - protect stored and transit data - remove data fully and quickly

24. PROTECTING PRIVACY

25. Avoid sensitive data on screenshots. @vixentael

26. developer.apple.com @vixentael

27. screenshieldkit.com There’s a lib for that! @vixentael

28. krausefx.com/blog/ios-privacy-watchuser-access-both- iphone-cameras-any-time-your-app-is-running UNHEALTHY PERMISSIONS hello, Felix! @vixentael

29. twitter.com/Viss/status/987028660585578496 Minimize amount of data your app works with. @vixentael

30. PASSWORD RULES

31. littlemaninmyhead.wordpress.com/2018/02/18/secure-coding- understanding-input-validation/ INPUT VALIDATION check length ✋ escape SQL validate

    on both sides @vixentael

32. from twitter (not like this) @vixentael USE GOOD PASSWORD RULES

33. from twitter (not like this) USE GOOD PASSWORD RULES @vixentael

34. (not like this) USE GOOD PASSWORD RULES @vixentael

35. MORE LIKE THESE: Use long phrase (16+). Disallow typical passwords.

    Promote password managers usage. well_known_comics_about_horse.png owasp.org/index.php/ Talk:Password_length_&_complexity @vixentael

36. AUTHORIZATION & AUTHENTICATION

37. krausefx.com/blog/ios-privacy- stealpassword-easily-get-the-users- apple-id-password-just-by-asking DARK AUTH PATTERNS Avoid asking user password

    all the time.

38. TouchID/FaceID & 2FA owasp.org/index.php/Mobile_Top_10_2016-M4- Insecure_Authentication michael-brown.net/2018/touch-id- and-face-id-on-ios BETTER AUTH

39. twitter.com/ay8s/status/885230327441915904 developer.apple.com/documentation/ safariservices/sfauthenticationsession SFAuthenticationSession BETTER AUTH

40. Password Autofill BETTER AUTH medium.com/@abhimuralidharan/password-autofill- for-ios-apps-for-faster-login-ios-11-1d9f77deb35a

41. BETTER AUTH iOS12 https://nshipster.com/ios-12/ textField.textContentType = .newPassword textField.passwordRules = .init(descriptor:

    "allowed: ascii-printable; minlength: 8;" ) textField.textContentType = . oneTimeCode

42. Password Autofill MAKE AUTH BETTER! Single Sign-On SFAuthenticationSession Ask pass

    on sensitive screens TouchID/FaceID & 2FA @vixentael

43. objective-see.com/blog/blog_0x24.html AUTH BUGS: DOUBLE SPACE Test your login flow @vixentael

44. PLAINTEXT SECRETS

45. facebook.com/vstyran/posts/10156368247887372 rabota.ua stored all passwords ‘very well encrypted’. @vixentael STORING

    SECRETS IN PLAINTEXT

46. Avoid storing sensitive plaintext. passwords document pictures license plates SSNs

    credit cards health data home address passport num phone num @vixentael

47. mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext- password-found-in-another-more-persistent-macos-log-file /var/log/install.log @vixentael LOGGING SECRETS IN PLAINTEXT

48. LOGGING SECRETS IN PLAINTEXT @vixentael

49. CHECK YOUR SOURCE CODE cfpb/clouseau Automate checking code for forgotten

    secrets. @vixentael

50. motherboard.vice.com/en_us/article/a34g9j/iphone- source-code-iboot-ios-leak NOT ALL CODE SHOULD BE PUBLISHED @vixentael

51. medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949 shanirivers.me/posts/hiding-your-api-keys-for-ios-projects orta/cocoapods-keys awslabs/git-secrets Avoid publishing keys. DO NOT COMMIT

    KEYS keys.plist → .gitignore @vixentael

52. TRANSPORT SECURITY

53. <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <false/> </dict> <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoadsInWebContent</key> <true/> </dict>

    agostini.tech/2018/04/01/ios-application-security-part-five- app-transport-security-ats/ @vixentael

54. github.com/ssllabs/research/wiki/SSL-and-TLS- Deployment-Best-Practices private keys RSA-2048, ECDSA-256 obtain certificate from reliable

    CA use TLS v1.3-v1.2 use secure cipher suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅ enable Forward Secrecy ✅ enable HSTS (web) WELL-CONFIGURED SSL @vixentael

55. owasp.org/index.php/Pinning_Cheat_Sheet @vixentael SSL PINNING

56. infinum.co/the-capsized-eight/ssl-pinning-revisited let serverTrustPolicies: [String: ServerTrustPolicy] = [ “mydomain.com”: .pinPublicKeys( publicKeys:

    ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) ] let sessionManager = SessionManager( serverTrustPolicyManager: ServerTrustPolicyManager( policies: serverTrustPolicies ) ) SSL PINNING @vixentael

57. schrauger.com/the-story-of-how-wosign-gave-me-an-ssl- certificate-for-github-com @vixentael SSL IS NOT ENOUGH: WOSIGN STORY

58. security.googleblog.com/2016/10/ distrusting-wosign-and-startcom.html support.apple.com/en-us/HT204132 @vixentael SSL IS NOT ENOUGH: WOSIGN STORY

59. @vixentael BREAKING SSL PINNING https://habr.com/post/424485/ https://medium.com/@kennethpoon/lets-write-swift-code-to- intercept-ssl-pinning-https-requests-12446303cc9d

60. transport = Transport() transport?.setupKeys(serverId, serverPublicKey: serverPublicKey) session = TSSession(userId: clientIdData,

    privateKey: clientPrivateKeyData, callbacks: transport!) startSession(clientId: clientId, message: connectionMessage) github.com/cossacklabs/themis/wiki/Swift-Howto#secure-session ENCRYPT OVER SSL @vixentael

61. 3RD PARTY CODE

62. krausefx.com/blog/trusting-sdks DOWNLOAD LIBS / IDE use HTTPS / VPN ✅

    check certificate 2 check hash-sum clone & build from source Do you really need that lib? GDPR @vixentael

63. CHECK 3RD PARTY LIBRARIES Monitor & fix critical bugs Update

    if any security patch Update if any privacy change (GDPR) Automate all the checks @vixentael

64. snyk.io/ whitesourcesoftware.com/ @vixentael

65. OTHER THINGS TO DO #uikonf @vixentael

66. store as HEX replace chars rename files to .mp3 combine

    from pieces OBFUSCATION .xib / .nib inline keys API urls pjebs/Obfuscator-iOS rename important methods / constants preemptive/PPiOS-Rename @vixentael

67. DO NOT FORGET ABOUT firewalls 9 IDS ⚠ SIEM fake

    targets / honey pots poison records @vixentael
68. None

69. Now, after easy things are done, cryptography! it’s time for

    @vixentael

70. cryptography! storage encryption transport encryption key management @vixentael

71. Storage Transport Multi- platform themis libsodium tink TLS
 themis libsodium

    OTRKit Works with 
 iOS/macOS only CryptoSwift RNCryptor CommonCrypto @vixentael https://www.cossacklabs.com/choose-your-ios-crypto.html

72. LAST BUT NOT LEAST

73. twitter.com/c_pellegrino/status/981409466242486272 DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :)

74. twitter.com/c_pellegrino/status/981409466242486272 DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :)

75. twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

76. twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

77. KEY POINTS Keep an eye on the sensitive data during

    the whole data flow. do not store do not collect remove fast

78. https://www.digitalinterruption.com/secure-mobile-development Secure mobile development LINKS https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide Mobile security testing guide

    https://github.com/forter/security-101-for-saas-startups/blob/english/security.md Organization security for startups https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a- testing-environment-for-ios-platform/ Series of posts about security testing

79. My other security slides github.com/vixentael/ my-talks

80. Security Basics SECURITY WORKSHOPS Enterprise Secure Architecture Secure Web apps

    Secure Software Development Secure Mobile apps

81. @vixentael Product Engineer Feel free to reach me with security

    questions. I do check my inbox :)

82. IMAGE CREDITS www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond,

    dinosoftlabs Authors: