Upgrade to Pro — share decks privately, control downloads, hide ads and more …

X Things you need to know before implementing cryptography

CocoaHeads Ukraine
October 06, 2018
Programming
1
100

X Things you need to know before implementing cryptography

Originally posted here: https://speakerdeck.com/vixentael/x-things-you-need-to-know-before-implementing-cryptography

This talk includes:

1. Handling user secrets with care (showing, storing, logging).
2. Input validation and password rules.
3. Handling transport connection.
4. And some tips and tricks that will confuse attackers.
--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

Before we get deep into protocols vulnerabilities: things you should remember designing your app flow from a security point of view.

This talk will focus on copybook headings of infosec: what you need to know before exciting stuff like cryptography and AI-assisted incident detection. Like, choice of data you show in the background mode, choice of 3rd party SDKs, which logs we send and where...

Even when developers create apps with security in minds, protect user secrets, and don’t reveal unencrypted data, attackers can find ways to bypass these security measures by exploiting architectural weaknesses and unobvious, yet very simple vulnerabilities. We will talk about all the tiny bits and pieces are necessary to make your app secure against simple attacks way before focusing on the hard things (like crypto).

This talk was made for CocoaHeads Kyiv #14 which took place Oct 6 2018.

CocoaHeads Ukraine

October 06, 2018
Tweet

More Decks by CocoaHeads Ukraine

See All by CocoaHeads Ukraine
Hacking iOS Simulator
cocoaheadsukraine
1
150
Dig into Value types. It's really obvious when to use them. Or not?!
cocoaheadsukraine
0
300
Классифицируем текст в iOS без CoreML: как и зачем?
cocoaheadsukraine
0
84
Managed side effects
cocoaheadsukraine
3
110
10 lines of encryption, 1500 lines of key management
cocoaheadsukraine
1
92
Мифический full-stack разработчик
cocoaheadsukraine
2
190
Анализ текста на скриншотах с Vision и CoreML
cocoaheadsukraine
0
80
Автоматизация регрессии аналитики
cocoaheadsukraine
0
57
Implementation of Clean Architecture using FRP
cocoaheadsukraine
0
65

Other Decks in Programming

See All in Programming
Jetpack Compose Debugging to fix performance problems
yucamm124
0
200
Kotlin 2.0을 통해 알아보는 코틀린의 미래
dalinaum
1
1.6k
フロントエンド刷新をプロジェクトとして進める際に気をつけていること
koba04
1
1.2k
フロントエンドエンジニアの友人と“型”で話がすれ違った原因 YUMEMI.grow合同LT会in横浜 @Kaito-Dogi
doggy
1
360
Load gem from browser
ledsun
2
510
若者とGPTのすべて
pyama86
0
200
Firebase A/B TestingとRemote Config
を最大限に活用する方法
mukky620
1
340
Semantic Kernel(C#)でAzure OpenAI ServiceのGPT-4を使ってみる
tomokusaba
1
140
新人PHPer向け 圧倒的に差をつける仕事の進め方 #phpstudy
77web
2
550
Modern and Lightweight Cloud Application Development with Jakarta EE 10
ivargrimstad
0
630
Goのメモリ管理 / Memory management in Go
ymotongpoo
4
2.9k
Information Schemaから自動生成する型付きORM spannent
khmer495
0
110

Featured

See All Featured
Unsuck your backbone
ammeep
660
56k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
Building Your Own Lightsaber
phodgson
96
5k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6k
Building Flexible Design Systems
yeseniaperezcruz
315
35k
What's in a price? How to price your products and services
michaelherold
234
10k
In The Pink: A Labor of Love
frogandcode
133
21k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k

Transcript

  1. X THINGS
    YOU NEED TO KNOW
    before Implementing Cryptography
    @vixentael

    View Slide

  2. @vixentael Product Engineer
    Feel free to reach me with
    security questions.
    I do check my inbox :)

    View Slide

  3. View Slide

  4. https://habr.com/post/418851/

    View Slide

  5. https://habr.com/post/418851/
    https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

    View Slide

  6. https://habr.com/post/418851/
    https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
    https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/

    View Slide

  7. https://habr.com/post/418851/
    https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
    https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/
    and so on!
    @vixentael

    View Slide

  8. RISKS TO DATA
    reputation risks (Equifax)
    legal responsibility (GDPR)
    competitors
    operations (Facebook)
    https://www.cossacklabs.com/blog/gdpr-for-engineers.html

    View Slide


  9. financial damage




    View Slide

  10. mln records
    0
    200
    400
    600
    800
    1,000
    February March April May June July August September
    https://www.itgovernance.co.uk/blog/category/cyber-security/
    MILLION OF RECORDS LEAKED PER MONTH
    @vixentael

    View Slide

  11. https://globalnews.ca/news/4298279/hacker-hits-
    local-mattress-store-with-ransomware/ @vixentael

    View Slide

  12. @vixentael
    https://www.wired.com/story/2018-worst-hacks-so-far/
    credentials
    geo-locations
    health data
    financial data
    kids locations
    cars remote control
    sex toys remote control

    View Slide

  13. @vixentael
    WHO TELLS YOU
    TO MAKE SECURE APPS?
    – NO ONE.

    View Slide

  14. @vixentael
    1. Follow best practices.
    2. Talk to professionals.

    View Slide

  15. LET’S GO!

    View Slide

  16. Attackers can
    find ways
    to bypass
    security
    measures.
    @vixentael

    View Slide

  17. Encryption –
    walls & gates.
    @vixentael

    View Slide

  18. "
    @vixentael

    View Slide

  19. Harden all
    the things!
    @vixentael

    View Slide

  20. protecting privacy
    passwords & auth
    plaintext secrets
    transport
    dependencies

    View Slide

  21. gdpr-info.eu/art-4-gdpr/
    SENSITIVE DATA
    @vixentael

    View Slide

  22. developer.apple.com/app-store/review/rejections/
    Caring about
    user data
    prevents
    rejections.
    @vixentael

    View Slide

  23. @vixentael
    http://headway.io/blog/apple-app-store-
    new-privacy-policy-what-you-need-to-know/
    NEW APP STORE PRIVACY POLICY
    - minimize the data you collect
    - be transparent on how you use the data
    - protect stored and transit data
    - remove data fully and quickly

    View Slide

  24. PROTECTING
    PRIVACY

    View Slide

  25. Avoid
    sensitive data
    on screenshots.
    @vixentael

    View Slide

  26. developer.apple.com @vixentael

    View Slide

  27. screenshieldkit.com
    There’s a lib
    for that!
    @vixentael

    View Slide

  28. krausefx.com/blog/ios-privacy-watchuser-access-both-
    iphone-cameras-any-time-your-app-is-running
    UNHEALTHY PERMISSIONS
    hello, Felix!
    @vixentael

    View Slide

  29. twitter.com/Viss/status/987028660585578496
    Minimize amount
    of data your app
    works with.

    @vixentael

    View Slide

  30. PASSWORD
    RULES

    View Slide

  31. littlemaninmyhead.wordpress.com/2018/02/18/secure-coding-
    understanding-input-validation/
    INPUT VALIDATION
    check length
    ✋ escape SQL
    validate on both sides
    @vixentael

    View Slide

  32. from twitter
    (not like this)
    @vixentael
    USE GOOD PASSWORD RULES

    View Slide

  33. from twitter
    (not like this)
    USE GOOD PASSWORD RULES
    @vixentael

    View Slide

  34. (not like this)
    USE GOOD PASSWORD RULES
    @vixentael

    View Slide

  35. MORE LIKE THESE:
    Use long phrase (16+).
    Disallow typical passwords.
    Promote password managers usage.
    well_known_comics_about_horse.png
    owasp.org/index.php/
    Talk:Password_length_&_complexity @vixentael

    View Slide

  36. AUTHORIZATION &
    AUTHENTICATION

    View Slide

  37. krausefx.com/blog/ios-privacy-
    stealpassword-easily-get-the-users-
    apple-id-password-just-by-asking
    DARK AUTH PATTERNS
    Avoid asking
    user password
    all the time.

    View Slide

  38. TouchID/FaceID & 2FA
    owasp.org/index.php/Mobile_Top_10_2016-M4-
    Insecure_Authentication
    michael-brown.net/2018/touch-id-
    and-face-id-on-ios
    BETTER AUTH

    View Slide

  39. twitter.com/ay8s/status/885230327441915904
    developer.apple.com/documentation/
    safariservices/sfauthenticationsession
    SFAuthenticationSession
    BETTER AUTH

    View Slide

  40. Password Autofill
    BETTER AUTH
    medium.com/@abhimuralidharan/password-autofill-
    for-ios-apps-for-faster-login-ios-11-1d9f77deb35a

    View Slide

  41. BETTER AUTH
    iOS12
    https://nshipster.com/ios-12/
    textField.textContentType = .newPassword
    textField.passwordRules = .init(descriptor:
    "allowed: ascii-printable; minlength: 8;"
    )
    textField.textContentType = . oneTimeCode

    View Slide

  42. Password Autofill
    MAKE AUTH BETTER!
    Single Sign-On
    SFAuthenticationSession
    Ask pass on sensitive screens
    TouchID/FaceID & 2FA
    @vixentael

    View Slide

  43. objective-see.com/blog/blog_0x24.html
    AUTH BUGS: DOUBLE SPACE
    Test your
    login flow
    @vixentael

    View Slide

  44. PLAINTEXT
    SECRETS

    View Slide

  45. facebook.com/vstyran/posts/10156368247887372
    rabota.ua stored
    all passwords
    ‘very well
    encrypted’.
    @vixentael
    STORING SECRETS IN PLAINTEXT

    View Slide

  46. Avoid storing
    sensitive plaintext.
    passwords
    document pictures
    license plates
    SSNs
    credit cards
    health data
    home address
    passport num
    phone num
    @vixentael

    View Slide

  47. mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext-
    password-found-in-another-more-persistent-macos-log-file
    /var/log/install.log
    @vixentael
    LOGGING SECRETS IN PLAINTEXT

    View Slide

  48. LOGGING SECRETS IN PLAINTEXT
    @vixentael

    View Slide

  49. CHECK YOUR SOURCE CODE
    cfpb/clouseau
    Automate
    checking code
    for forgotten
    secrets.
    @vixentael

    View Slide

  50. motherboard.vice.com/en_us/article/a34g9j/iphone-
    source-code-iboot-ios-leak
    NOT ALL CODE SHOULD BE PUBLISHED
    @vixentael

    View Slide

  51. medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949
    shanirivers.me/posts/hiding-your-api-keys-for-ios-projects
    orta/cocoapods-keys
    awslabs/git-secrets
    Avoid
    publishing
    keys.
    DO NOT COMMIT KEYS
    keys.plist → .gitignore
    @vixentael

    View Slide

  52. TRANSPORT
    SECURITY

    View Slide

  53. NSAppTransportSecurity

    NSAllowsArbitraryLoads


    NSAppTransportSecurity

    NSAllowsArbitraryLoadsInWebContent


    agostini.tech/2018/04/01/ios-application-security-part-five-
    app-transport-security-ats/ @vixentael

    View Slide

  54. github.com/ssllabs/research/wiki/SSL-and-TLS-
    Deployment-Best-Practices
    private keys RSA-2048, ECDSA-256
    obtain certificate from reliable CA
    use TLS v1.3-v1.2
    use secure cipher suites
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ✅ enable Forward Secrecy
    ✅ enable HSTS (web)
    WELL-CONFIGURED SSL
    @vixentael

    View Slide

  55. owasp.org/index.php/Pinning_Cheat_Sheet @vixentael
    SSL PINNING

    View Slide

  56. infinum.co/the-capsized-eight/ssl-pinning-revisited
    let serverTrustPolicies: [String: ServerTrustPolicy] = [
    “mydomain.com”: .pinPublicKeys(
    publicKeys: ServerTrustPolicy.publicKeys(),
    validateCertificateChain: true,
    validateHost: true
    )
    ]
    let sessionManager = SessionManager(
    serverTrustPolicyManager: ServerTrustPolicyManager(
    policies: serverTrustPolicies
    )
    )
    SSL PINNING
    @vixentael

    View Slide

  57. schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-
    certificate-for-github-com @vixentael
    SSL IS NOT ENOUGH: WOSIGN STORY

    View Slide

  58. security.googleblog.com/2016/10/
    distrusting-wosign-and-startcom.html
    support.apple.com/en-us/HT204132
    @vixentael
    SSL IS NOT ENOUGH: WOSIGN STORY

    View Slide

  59. @vixentael
    BREAKING SSL PINNING
    https://habr.com/post/424485/
    https://medium.com/@kennethpoon/lets-write-swift-code-to-
    intercept-ssl-pinning-https-requests-12446303cc9d

    View Slide

  60. transport = Transport()
    transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
    session = TSSession(userId: clientIdData, privateKey:
    clientPrivateKeyData, callbacks: transport!)
    startSession(clientId: clientId, message: connectionMessage)
    github.com/cossacklabs/themis/wiki/Swift-Howto#secure-session
    ENCRYPT OVER SSL
    @vixentael

    View Slide

  61. 3RD PARTY
    CODE

    View Slide

  62. krausefx.com/blog/trusting-sdks
    DOWNLOAD LIBS / IDE
    use HTTPS / VPN
    ✅ check certificate
    2 check hash-sum
    clone & build from source
    Do you really
    need that lib?
    GDPR
    @vixentael

    View Slide

  63. CHECK 3RD PARTY LIBRARIES
    Monitor & fix critical bugs
    Update if any security patch
    Update if any privacy change (GDPR)
    Automate all the checks
    @vixentael

    View Slide

  64. snyk.io/
    whitesourcesoftware.com/
    @vixentael

    View Slide

  65. OTHER THINGS
    TO DO
    #uikonf @vixentael

    View Slide

  66. store as HEX
    replace chars
    rename files to .mp3 combine from pieces
    OBFUSCATION
    .xib / .nib
    inline keys
    API urls
    pjebs/Obfuscator-iOS
    rename important
    methods / constants
    preemptive/PPiOS-Rename
    @vixentael

    View Slide

  67. DO NOT FORGET ABOUT

    firewalls
    9
    IDS

    SIEM

    fake targets /
    honey pots

    poison records
    @vixentael

    View Slide

  68. View Slide

  69. Now, after easy things are done,
    cryptography!
    it’s time for
    @vixentael

    View Slide

  70. cryptography!

    storage
    encryption

    transport
    encryption

    key
    management
    @vixentael

    View Slide

  71. Storage Transport
    Multi-
    platform
    themis
    libsodium
    tink
    TLS

    themis
    libsodium
    OTRKit
    Works with 

    iOS/macOS only
    CryptoSwift
    RNCryptor
    CommonCrypto
    @vixentael
    https://www.cossacklabs.com/choose-your-ios-crypto.html

    View Slide

  72. LAST BUT
    NOT LEAST

    View Slide

  73. twitter.com/c_pellegrino/status/981409466242486272
    DON’T SAY THAT YOUR SECURITY
    IS AMAZINGLY GOOD :)

    View Slide

  74. twitter.com/c_pellegrino/status/981409466242486272
    DON’T SAY THAT YOUR SECURITY
    IS AMAZINGLY GOOD :)

    View Slide

  75. twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

    View Slide

  76. twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

    View Slide

  77. KEY POINTS
    Keep an eye on the sensitive
    data during the whole data
    flow.
    do not
    store
    do not
    collect
    remove
    fast

    View Slide

  78. https://www.digitalinterruption.com/secure-mobile-development
    Secure mobile development
    LINKS
    https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
    Mobile security testing guide
    https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    Organization security for startups
    https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a-
    testing-environment-for-ios-platform/
    Series of posts about security testing

    View Slide

  79. My other security slides
    github.com/vixentael/
    my-talks

    View Slide

  80. Security
    Basics
    SECURITY
    WORKSHOPS
    Enterprise Secure
    Architecture
    Secure Web apps
    Secure Software
    Development
    Secure Mobile apps

    View Slide

  81. @vixentael Product Engineer
    Feel free to reach me with
    security questions.
    I do check my inbox :)

    View Slide

  82. IMAGE CREDITS
    www.flaticon.com
    freepik, linector, switficons, pixelperfect, smashicons, icon pond,
    dinosoftlabs
    Authors:

    View Slide