X Things you need to know before implementing cryptography

Originally posted here: https://speakerdeck.com/vixentael/x-things-you-need-to-know-before-implementing-cryptography

This talk includes:

1. Handling user secrets with care (showing, storing, logging).
2. Input validation and password rules.
3. Handling transport connection.
4. And some tips and tricks that will confuse attackers.

Before we get deep into protocol vulnerabilities: things you should remember when designing your app flow from a security point of view.

This talk focuses on the basics of infosec: what you need to know before the exciting stuff like cryptography and AI-assisted incident detection. Things like which data you show in background mode, which third-party SDKs you choose, and which logs you send and where.

Even when developers build apps with security in mind, protect user secrets, and don’t reveal unencrypted data, attackers can find ways to bypass these security measures by exploiting architectural weaknesses and unobvious, yet very simple vulnerabilities. We will talk about all the tiny bits and pieces that are necessary to make your app secure against simple attacks, well before focusing on the hard things (like crypto).

This talk was made for CocoaHeads Kyiv #14 which took place Oct 6 2018.

CocoaHeads Ukraine

October 06, 2018
Transcript

  1. X THINGS YOU NEED TO KNOW before Implementing Cryptography
    @vixentael

  2. @vixentael, Product Engineer
    Feel free to reach me with security questions. I do check my inbox :)

  3. (no text on this slide)

  4.-7. (one slide built up over four steps)
    https://habr.com/post/418851/
    https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
    https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/
    and so on!
    @vixentael

  8. RISKS TO DATA
    reputation risks (Equifax)
    legal responsibility (GDPR)
    competitors
    operations (Facebook)
    https://www.cossacklabs.com/blog/gdpr-for-engineers.html


  9. financial damage

  10. MILLION OF RECORDS LEAKED PER MONTH
    (chart: mln records, 0 to 1,000, for February through September)
    https://www.itgovernance.co.uk/blog/category/cyber-security/
    @vixentael

  11. https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/
    @vixentael

  12. @vixentael
    https://www.wired.com/story/2018-worst-hacks-so-far/
    credentials
    geo-locations
    health data
    financial data
    kids locations
    cars remote control
    sex toys remote control

  13. WHO TELLS YOU TO MAKE SECURE APPS? – NO ONE.
    @vixentael

  14. @vixentael
    1. Follow best practices.
    2. Talk to professionals.

  15. LET’S GO!

  16. Attackers can find ways to bypass security measures.
    @vixentael

  17. Encryption – walls & gates.
    @vixentael

  18. " (quote slide; the quoted text is not in the transcript)
    @vixentael

  19. Harden all the things!
    @vixentael

  20. protecting privacy
    passwords & auth
    plaintext secrets
    transport
    dependencies

  21. gdpr-info.eu/art-4-gdpr/
    SENSITIVE DATA
    @vixentael

  22. developer.apple.com/app-store/review/rejections/
    Caring about user data prevents rejections.
    @vixentael

  23. NEW APP STORE PRIVACY POLICY
    http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/
    - minimize the data you collect
    - be transparent on how you use the data
    - protect stored and transit data
    - remove data fully and quickly
    @vixentael

  24. PROTECTING PRIVACY

  25. Avoid sensitive data on screenshots.
    @vixentael

  26. developer.apple.com @vixentael

  27. screenshieldkit.com
    There’s a lib for that!
    @vixentael

  28. UNHEALTHY PERMISSIONS
    krausefx.com/blog/ios-privacy-watchuser-access-both-iphone-cameras-any-time-your-app-is-running
    hello, Felix!
    @vixentael

  29. twitter.com/Viss/status/987028660585578496
    Minimize amount of data your app works with.
    @vixentael

  30. PASSWORD RULES

  31. INPUT VALIDATION
    littlemaninmyhead.wordpress.com/2018/02/18/secure-coding-understanding-input-validation/
    check length
    ✋ escape SQL
    validate on both sides
    @vixentael

  32.-34. USE GOOD PASSWORD RULES
    from twitter (not like this)
    @vixentael

  35. MORE LIKE THESE:
    Use long phrase (16+).
    Disallow typical passwords.
    Promote password managers usage.
    well_known_comics_about_horse.png
    owasp.org/index.php/Talk:Password_length_&_complexity
    @vixentael
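The password rules on this slide as a runnable server-side check. This is an added Python example for this page, not code from the talk; the deny-list is a constructed stand-in for a real breached-password list.

```python
import unicodedata
from typing import List

MIN_LENGTH = 16   # slide: "Use long phrase (16+)"
MAX_LENGTH = 256  # bound the input before hashing it (slide 31: check length)

# Constructed stand-in for a real deny-list of typical/breached passwords; real lists hold millions.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "correcthorsebatterystaple",  # the famous comic passphrase is on every list by now
}

def normalize(password: str) -> str:
    """NFKC-normalise so visually identical passphrases compare (and hash) equal."""
    return unicodedata.normalize("NFKC", password)

def check_password(password: str) -> List[str]:
    """Return human-readable problems; an empty list means the password is acceptable.

    Deliberately no composition rules (digits, symbols, upper case): length plus a
    deny-list does more against guessing than forced complexity, which is the slide's point.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: at least {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long: at most {MAX_LENGTH} characters")
    # Deny-list lookup is case-insensitive and ignores spaces/punctuation,
    # so "Correct Horse Battery Staple" is still caught.
    stripped = "".join(ch for ch in pw.casefold() if ch.isalnum())
    if stripped in COMMON_PASSWORDS:
        problems.append("too common: appears on the deny-list")
    # Long but content-free strings ("aaaa...", "abababab") satisfy the length rule alone.
    if len(set(pw)) <= 2:
        problems.append("too repetitive: uses at most two distinct characters")
    return problems
```

Run the same function on the client for immediate feedback and on the server as the authority (slide 31: validate on both sides).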

  36. AUTHORIZATION & AUTHENTICATION

  37. DARK AUTH PATTERNS
    krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking
    Avoid asking user password all the time.

  38. BETTER AUTH: TouchID/FaceID & 2FA
    owasp.org/index.php/Mobile_Top_10_2016-M4-Insecure_Authentication
    michael-brown.net/2018/touch-id-and-face-id-on-ios

  39. BETTER AUTH: SFAuthenticationSession
    twitter.com/ay8s/status/885230327441915904
    developer.apple.com/documentation/safariservices/sfauthenticationsession

  40. BETTER AUTH: Password Autofill
    medium.com/@abhimuralidharan/password-autofill-for-ios-apps-for-faster-login-ios-11-1d9f77deb35a

  41. BETTER AUTH: iOS12
    https://nshipster.com/ios-12/
    // Tell Password AutoFill this field takes a new password and which rules a generated one must satisfy
    textField.textContentType = .newPassword
    textField.passwordRules = .init(descriptor: "allowed: ascii-printable; minlength: 8;")
    // Let the system offer the one-time code received by SMS (Security Code AutoFill)
    textField.textContentType = .oneTimeCode

  42. Password Autofill
    MAKE AUTH BETTER!
    Single Sign-On
    SFAuthenticationSession
    Ask pass on sensitive screens
    TouchID/FaceID & 2FA
    @vixentael

  43. AUTH BUGS: DOUBLE SPACE
    objective-see.com/blog/blog_0x24.html
    Test your login flow
    @vixentael

  44. PLAINTEXT SECRETS

  45. STORING SECRETS IN PLAINTEXT
    facebook.com/vstyran/posts/10156368247887372
    rabota.ua stored all passwords ‘very well encrypted’.
    @vixentael

  46. Avoid storing sensitive plaintext.
    passwords
    document pictures
    license plates
    SSNs
    credit cards
    health data
    home address
    passport num
    phone num
    @vixentael

  47. LOGGING SECRETS IN PLAINTEXT
    mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext-password-found-in-another-more-persistent-macos-log-file
    /var/log/install.log
    @vixentael

  48. LOGGING SECRETS IN PLAINTEXT
    @vixentael
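Added example (not from the talk) for the two plaintext-logging slides: a Python logging filter that scrubs password, token and card-number values before any handler writes them. The field names and sample messages are constructed.

```python
import logging
import re

# Patterns for values that must never be written to a log. Constructed for this example;
# extend the key-name list to match your own field names.
_KV_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)(\s*[=:]\s*)("?)([^\s"&,;]+)\3'
)
_BEARER_RE = re.compile(r"(?i)\b(bearer\s+)[a-z0-9._\-]+")
_CARD_RE = re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b")  # 16-digit card numbers

def redact(text: str) -> str:
    """Mask secret-looking values in free text; key names stay so the log remains readable."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]{m.group(3)}", text)
    text = _BEARER_RE.sub(r"\1[REDACTED]", text)
    text = _CARD_RE.sub(r"\1 **** **** \2", text)
    return text

class RedactingFilter(logging.Filter):
    """Rewrites every record logged through the logger before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format first, then scrub: secrets passed as %s arguments are caught too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only clean it

def make_logger(name: str = "app") -> logging.Logger:
    """Logger with the filter attached; its records are scrubbed before reaching file/console/remote handlers."""
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger

def redacted_message(msg: str, *args) -> str:
    """Run one message through the filter and return what a handler would write."""
    record = logging.LogRecord("app", logging.INFO, "app", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()
```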

  49. CHECK YOUR SOURCE CODE
    cfpb/clouseau
    Automate checking code for forgotten secrets.
    @vixentael

  50. NOT ALL CODE SHOULD BE PUBLISHED
    motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak
    @vixentael

  51. DO NOT COMMIT KEYS
    medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949
    shanirivers.me/posts/hiding-your-api-keys-for-ios-projects
    orta/cocoapods-keys
    awslabs/git-secrets
    Avoid publishing keys.
    keys.plist → .gitignore
    @vixentael
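Added Python example, not the tools' own code, of what slides 49 (cfpb/clouseau) and 51 (awslabs/git-secrets, keys.plist in .gitignore) automate: scanning the files staged for a commit for forgotten keys. The sample files, the key values in them and the rule set are constructed; the AWS access-key prefix rule follows the same idea as git-secrets' built-in AWS pattern.

```python
import math
import re
from typing import Dict, List, Tuple

# Known-format credentials plus a generic "secret assigned as a string literal" rule.
# Constructed rule set for this example; the AWS prefix rule follows git-secrets' built-in idea.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*["']([^"']{8,})["']"""
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and placeholders lower.
    Weak for short strings (all-distinct characters score log2(len)), so it only gates one rule."""
    if not s:
        return 0.0
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> List[Tuple[str, int, str]]:
    """Return (path, line number, rule name) for every line that looks like a committed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Placeholders ("changeme") are assignments too; demand a random-looking value.
            if rule == "assigned_secret" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append((path, lineno, rule))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a {path: contents} mapping, e.g. what a pre-commit hook reads from the git index."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample: a keys.plist that belonged in .gitignore (the access key id is the AWS
# documentation placeholder), a literal API key, and a harmless placeholder password.
SAMPLE_FILES = {
    "keys.plist": "<key>AWS_ACCESS_KEY</key>\n<string>AKIAIOSFODNN7EXAMPLE</string>\n",
    "Config.swift": 'let apiKey = "sk_live_9Ab3xQ7pLm2vZk8Rt4Wn"\nlet endpoint = "https://api.example.com"\n',
    "settings.py": "PASSWORD = 'changeme'\n",
}
```

A non-empty result from scan_files is what a pre-commit hook turns into a rejected commit.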

  52. TRANSPORT SECURITY

  53. Info.plist App Transport Security keys:
    NSAppTransportSecurity
      NSAllowsArbitraryLoads
    NSAppTransportSecurity
      NSAllowsArbitraryLoadsInWebContent
    agostini.tech/2018/04/01/ios-application-security-part-five-app-transport-security-ats/
    @vixentael

  54. WELL-CONFIGURED SSL
    github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
    private keys RSA-2048, ECDSA-256
    obtain certificate from reliable CA
    use TLS v1.3-v1.2
    use secure cipher suites, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ✅ enable Forward Secrecy
    ✅ enable HSTS (web)
    @vixentael
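Added Python example (not from the talk) that turns the cipher-suite items of this checklist into a policy check over IANA suite names: ECDHE or DHE key exchange for forward secrecy, AEAD ciphers, nothing legacy. The suite lists it is run on are constructed.

```python
import re
from typing import List, Tuple

# IANA suite names, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (the one on the slide).
# TLS 1.3 names carry no key-exchange part: the handshake is always ephemeral (EC)DHE.
_TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
_LEGACY_TOKENS = ("NULL", "EXPORT", "RC4", "3DES", "DES", "MD5")

def check_suite(name: str) -> Tuple[bool, str]:
    """Return (acceptable, reason). Accept only forward-secret, AEAD suites."""
    if name in _TLS13_SUITES:
        return True, "TLS 1.3 suite: ephemeral key exchange and AEAD are mandatory"
    m = re.fullmatch(r"TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)", name)
    if not m:
        return False, "not an IANA TLS 1.2-style suite name"
    kx, cipher = m.group(1), m.group(2)
    for token in _LEGACY_TOKENS:
        if re.search(rf"(^|_){token}(_|$)", name):
            return False, f"legacy primitive: {token}"
    # Static RSA / DH key exchange: one leaked server key decrypts all recorded traffic.
    if not (kx.startswith("ECDHE_") or kx.startswith("DHE_")):
        return False, f"no forward secrecy: key exchange {kx} is static"
    if not ("_GCM_" in cipher or "CHACHA20_POLY1305" in cipher or "_CCM" in cipher):
        return False, f"not AEAD: {cipher} is CBC/MAC-then-encrypt"
    return True, "ephemeral (EC)DHE key exchange and AEAD cipher"

def filter_suites(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a configured list into (keep, drop) to review a server's cipher string."""
    keep, drop = [], []
    for n in names:
        (keep if check_suite(n)[0] else drop).append(n)
    return keep, drop
```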

  55. owasp.org/index.php/Pinning_Cheat_Sheet @vixentael
    SSL PINNING

  56. SSL PINNING
    infinum.co/the-capsized-eight/ssl-pinning-revisited
    // Alamofire 4 API: pin the public keys of the certificates bundled with the app
    let serverTrustPolicies: [String: ServerTrustPolicy] = [
        "mydomain.com": .pinPublicKeys(
            publicKeys: ServerTrustPolicy.publicKeys(),  // keys extracted from the bundled .cer files
            validateCertificateChain: true,
            validateHost: true
        )
    ]
    let sessionManager = SessionManager(
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )
    @vixentael

  57. SSL IS NOT ENOUGH: WOSIGN STORY
    schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com
    @vixentael

  58. SSL IS NOT ENOUGH: WOSIGN STORY
    security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
    support.apple.com/en-us/HT204132
    @vixentael

  59. BREAKING SSL PINNING
    https://habr.com/post/424485/
    https://medium.com/@kennethpoon/lets-write-swift-code-to-intercept-ssl-pinning-https-requests-12446303cc9d
    @vixentael

  60. ENCRYPT OVER SSL
    github.com/cossacklabs/themis/wiki/Swift-Howto#secure-session
    transport = Transport()
    transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
    session = TSSession(userId: clientIdData, privateKey: clientPrivateKeyData, callbacks: transport!)
    startSession(clientId: clientId, message: connectionMessage)
    @vixentael

  61. 3RD PARTY CODE

  62. DOWNLOAD LIBS / IDE
    krausefx.com/blog/trusting-sdks
    use HTTPS / VPN
    ✅ check certificate
    ✅ check hash-sum
    clone & build from source
    Do you really need that lib? (GDPR)
    @vixentael

  63. CHECK 3RD PARTY LIBRARIES
    Monitor & fix critical bugs
    Update if any security patch
    Update if any privacy change (GDPR)
    Automate all the checks
    @vixentael

  64. snyk.io/
    whitesourcesoftware.com/
    @vixentael

  65. OTHER THINGS TO DO
    #uikonf @vixentael

  66. OBFUSCATION
    inline keys, API urls, .xib / .nib
    store as HEX, replace chars, combine from pieces, rename files to .mp3
    pjebs/Obfuscator-iOS
    rename important methods / constants
    preemptive/PPiOS-Rename
    @vixentael

  67. DO NOT FORGET ABOUT
    firewalls
    IDS
    SIEM
    fake targets / honey pots
    poison records
    @vixentael

  68. (no text on this slide)

  69. Now, after easy things are done, it’s time for cryptography!
    @vixentael

  70. cryptography!
    storage encryption
    transport encryption
    key management
    @vixentael

  71. Storage vs. Transport
    Multi-platform: storage: themis, libsodium, tink; transport: TLS, themis, libsodium, OTRKit
    Works with iOS/macOS only: CryptoSwift, RNCryptor, CommonCrypto
    https://www.cossacklabs.com/choose-your-ios-crypto.html
    @vixentael

  72. LAST BUT NOT LEAST

  73.-74. twitter.com/c_pellegrino/status/981409466242486272
    DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :)

  75.-76. twitter.com/fabricio_giglio/status/982362735924137984
    @vixentael

  77. KEY POINTS
    Keep an eye on the sensitive data during the whole data flow.
    do not store
    do not collect
    remove fast

  78. LINKS
    https://www.digitalinterruption.com/secure-mobile-development
    Secure mobile development
    https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
    Mobile security testing guide
    https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    Organization security for startups
    https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a-testing-environment-for-ios-platform/
    Series of posts about security testing

  79. My other security slides
    github.com/vixentael/my-talks

  80. SECURITY WORKSHOPS
    Security Basics
    Enterprise Secure Architecture
    Secure Web apps
    Secure Software Development
    Secure Mobile apps

  81. @vixentael, Product Engineer
    Feel free to reach me with security questions. I do check my inbox :)

  82. IMAGE CREDITS
    www.flaticon.com
    Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs