How do we know the vulnerability is common?
- OWASP Mobile Top 10
- CVE-List by MITRE
- Security tools/services vendors
- News and Twitter 🙂
- Our own experience 😎
Improper Platform Usage
If I want to store some data…
- UserDefaults: not encrypted, accessible on a locked device.
- Keychain: encrypted storage, becomes decrypted on unlock.
- Secure Enclave: stores keys that can be used to encrypt Keychain entries.
Improper Platform Usage
Keychain accessibility attributes, from most to least restrictive:
- kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly
- kSecAttrAccessibleWhenUnlocked
- kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
- kSecAttrAccessibleAfterFirstUnlock
Or encrypt and decrypt on your own 🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐
AND!
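As an added example (not from the slides), this is how the strictest attribute in the list above is applied when writing a Keychain item; the service and account names are placeholders.

```swift
import Foundation
import Security

// Added example, not from the original slides.
// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: the item is readable only
// while the device is unlocked, never migrates via backup to another device,
// cannot be stored at all if no passcode is set, and is deleted if the
// passcode is removed. Service/account names below are placeholders.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Stores `secret` as a generic-password item bound to the device passcode.
func saveSecret(_ secret: Data, account: String,
                service: String = "com.example.placeholder") throws {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Drop any stale copy so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(query as CFDictionary)

    query[kSecValueData as String] = secret
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Reads the item back; nil means it is gone (e.g. the passcode was removed).
func loadSecret(account: String,
                service: String = "com.example.placeholder") throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError.unexpectedStatus(status)
    }
}
```

Contrast this with UserDefaults, where the same token would sit unencrypted in a plist that is readable on a locked device.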
Insecure Data Storage
Data generated by the app:
🔹 Logs
🔹 Databases
🔹 Caches
🔹 Other saved files
Check if any sensitive data may appear there! (check the code, not the files)
Insecure Data Storage
Data stored inside the .ipa:
🔹 Configuration files
🔹 Executables
Look for testing credentials and endpoints! (actually, any credentials and endpoints)
(config comments may not be removed)
Insecure Communication
TLS Pinning: prevent MiTM.
"It is just an Info.plist entry. I can bypass pinning by removing or changing it."
Correct. But the main goal is to protect against MiTM when the attacker doesn't have access to a physical device.
Unintended Data Leakage
Application Backgrounding
What to protect?
- Sensitive data
- Think of accidental sharing
How to protect?
- Screen overlay
- Remove entered data
- Return to previous screen
Summary
We've learned:
- where we can read about common vulnerabilities
- examples of top vulnerabilities:
  - keychain
  - app generated content
  - allowing HTTP
  - biometrics
  - data stored in .ipa
  - TLS pinning
  - backgrounding
  - screen overlay