
Securely Storing Secrets (on iOS)

A talk about my experience with storing secrets (such as tokens or user identities) on iOS, using the Tiqr (tiqr.org) project as an example of the technologies discussed. Delivered at iosdevuk 2012 in Aberystwyth.

Ivo Jansch

July 10, 2012

Transcript

  1. http://www.egeniq.com info@egeniq.com @egeniq iosdevuk, 10 July 2012 Ivo Jansch - @ijansch Securely Storing Secrets
  2. About Me: @ijansch, Developer, Author, Entreprenerd, iOS/Android/PHP
  3. About Egeniq: Mobile Development, Knowledge, Geeks, Distributed, Mdevcon (subliminal message: by the time you are wondering if your current job is still right for you, remember that at Egeniq we do awesome things with mobile technology and we don’t really care where you live as long as you are very talented.)
  4. Tiqr - Learning about Mobile Security (figure with panels numbered 1 to 6) http://www.tiqr.org
  5. Why is Mobile Security Important?
     ‣ We deal with data
     ‣ Apps run on our user’s hardware
       • Out of our control
     ‣ Our users deal with third party services
       • Even more out of our control
  6. A Use Case (diagram: iPhone App, Third Party Services, Server backend)
  7. OAuth (diagram: OAuth Consumer, OAuth Provider)
  8. Why do you need to protect keys? (diagram: OAuth Provider)
  9. The iOS Security Model
  10. Sandboxing
     ‣ Apps only have access to their own data
     ‣ Access is based on OS user ID
     ‣ Further protected by application signature
  11. So we don’t have to worry, right?
     ‣ Can I securely store data?
       • Is sandboxing a solution? -> Not when device is rooted
  12. It’s a common question. Stackoverflow search for ‘store secret iphone’:
  13. With common answers
  14. With common answers
     - Huh?
     - Don’t store secrets!
     - Don’t use OAuth!
  15. Know what? I’ll just use a library
  16. Securing Data In Your Code: 0. Obfuscation
  17. Obfuscation

  18. Securing Data In Your Code: 1. Encryption
  19. Encryption
  20. Decryption
  21. What’s the problem with encryption? We need another key to protect the secret
  22. Other Encryption gotchas
     ‣ AppStore is US based: Encryption export
       • Requires NSA approval, basically
       • Process is documented, but time consuming
       • Unless it’s only for “authentication purposes”
     ‣ Two flavours of US gov approval:
       • Self classification (if you use standard stuff for standard things)
       • Agency classification (non standard stuff and/or non standard things)
  23. Securing Data In Your Code: 2. The KeyChain

  24. KeyChain Aspects
     ‣ Hardware based encryption for secrets
     ‣ Good:
       • Not too much code
       • No extra key/password required (device passcode)
       • Works well with (encrypted) iTunes Backup
     ‣ Bad:
       • Not every user has a passcode set
       • Lower level functions, lots of C (complexity)
       • Doesn’t work across iCloud backup/restore
  25. More KeyChain: So if I use the KeyChain and have a passcode, I’m safe, right? RIGHT?
     ‣ 4 digit passcode can be brute forced in 9 minutes
     ‣ 6 digit passcode takes 1.5 years
     Source: Fraunhofer’s “iOS KeyChain Weakness FAQ” http://sit4.me/ios-keychain-faq
  26. Using the KeyChain
  27. Securing Data In Your Code: 3. Server Side Solutions

  28. Retrieve key from API (diagram: iOS App, OAuth Provider, Your API, ?)
  29. Transparent Proxy (diagram: iOS App, OAuth Provider, Proxy)
  30. Securing Data In Your Code: 4. “All of the above”
  31. What are we doing in Tiqr?
     ‣ Tiqr secrets are encrypted
       • The encryption key is a pincode
       • There’s no plain text to compare against, so breaking it is hard
     ‣ Encrypted identities are stored in keychain
       • So also protected by passcode lock, if present
     ‣ Secret is not communicated
       • Challenge/response for ‘proof of possession’
     ‣ Requires server validation of decrypted secret
       • Server enforces temporary and permanent blocks to stop brute force
  32. Always Secure Your Code (Because data is not the only thing at risk)
  33. Buffers
     ‣ Especially when moving down to C level constructs, be wary...
  34. Conclusion
  35. Conclusion: It’s all about awareness

  36. Recommended Reading
     ‣ ISBN: 2147483647
     ‣ Authors:
       • Himanshu Dwivedi
       • Chris Clark
       • David Thiel
     ‣ Covers:
       • Android
       • Apple
       • WinMo
  37. Thank you! Questions?
     ‣ http://www.egeniq.com info@egeniq.com @egeniq
     ‣ http://www.egeniq.com (about us)
     ‣ http://tiqr.org (demo + code)
     ‣ http://nomopass.com (tiqr as a service)
     ‣ ivo@egeniq.com @ijansch
  38. Credits
     ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
     ‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
     ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/
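
The design on slide 31 ("What are we doing in Tiqr?"), modelled end to end as an added example that is not from the talk or the Tiqr code base: Python stands in for both the device and the server, and PBKDF2 output XORed over the secret stands in for the cipher, which the slides do not name. `Server`, `pin_crypt`, `login`, the KDF rounds and the three-failure threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 10_000   # assumption: the talk gives no KDF parameters
MAX_FAILURES = 3      # assumption: the talk gives no block threshold

def pin_crypt(data: bytes, pin: str, salt: bytes) -> bytes:
    """Encrypt or decrypt (XOR is symmetric) under a key stretched from the PIN.
    Stand-in cipher: no padding or MAC, so any PIN 'decrypts' to plausible bytes."""
    pad = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ROUNDS, dklen=len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Proof of possession: the secret itself never leaves the device."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.secrets, self.failures, self.pending = {}, {}, {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user], self.failures[user] = secret, 0

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(16)   # fresh per attempt, single use
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> str:
        challenge = self.pending.pop(user, None)
        if self.failures[user] >= MAX_FAILURES:
            return "blocked"                  # permanent block only, for brevity
        expected = respond(self.secrets[user], challenge) if challenge else None
        if expected and hmac.compare_digest(response, expected):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "fail"

def login(server: Server, user: str, blob: bytes, salt: bytes, pin: str) -> str:
    """Device side: decrypt with whatever PIN was typed, then answer the challenge."""
    candidate = pin_crypt(blob, pin, salt)
    return server.verify(user, respond(candidate, server.challenge(user)))

if __name__ == "__main__":
    server, secret, salt = Server(), os.urandom(32), os.urandom(16)  # constructed sample
    blob = pin_crypt(secret, "4821", salt)    # this blob is what goes in the keychain
    server.enroll("alice", secret)
    print(login(server, "alice", blob, salt, "4821"))                      # ok
    print([login(server, "alice", blob, salt, "0000") for _ in range(3)])  # fails
    print(login(server, "alice", blob, salt, "4821"))                      # blocked
```

Because a wrong PIN yields 32 bytes that look as random as the real secret, someone holding only the stored blob has nothing to test guesses against; every guess has to go through the server, which is where the block is enforced.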