Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iOS App Security Basics

Maciej Piotrowski
February 15, 2017
Technology
2
1.8k

iOS App Security Basics

Have you ever exposed your company to intellectual or financial loss? Have you ever written an app that doesn’t have security and privacy in mind? Join in the talk by our invited speaker from Poland, Maciej, to get to know iOS security basics and best practices to build secure apps!

https://www.meetup.com/CocoaHeads-Tricity/events/237364434/

Maciej Piotrowski

February 15, 2017
Tweet

More Decks by Maciej Piotrowski

See All by Maciej Piotrowski
How to use steve’s jobs to improve devel👩‍💻🧑‍💻pers’ experience
maciejpiotrowski89
0
44
iOS Conf SG - 2022 - Dependency Injection at scale
maciejpiotrowski89
0
150
Nowe Dependency Injection w aplikacji Allegro iOS
maciejpiotrowski89
0
57
Speeding up the build process of a monolithic application
maciejpiotrowski89
0
92
Watch your Bluetooth! - Singapore iOS Dev Scout May 2018 Meetup
maciejpiotrowski89
0
40
Locating the Yeti with iOS
maciejpiotrowski89
0
860
Review all the things! - Singapore iOS Dev Scout August 2017 Meetup
maciejpiotrowski89
0
58
Watch your Bluetooth!
maciejpiotrowski89
0
58
Review all the things!
maciejpiotrowski89
0
740

Other Decks in Technology

See All in Technology
web-application-security
matsuihidetoshi
1
190
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
220
Android Target SDK 35 (Android 15) 対応の概要
akkie76
0
140
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
100
.NET Profiler in 2024.
kkamegawa
2
770
コードや知識を組み込む / Incorporate Code and knowledge
ks91
PRO
0
130
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.5k
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
430
今年のRubyKaigiはProfiler Year🤘
osyoyu
0
310
JSON攻略法.pdf
miyakemito
8
5.2k
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
3
620
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
740

Featured

See All Featured
BBQ
matthewcrist
80
8.8k
[RailsConf 2023] Rails as a piece of cake
palkan
27
4k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
For a Future-Friendly Web
brad_frost
172
9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Infographics Made Easy
chrislema
238
18k
Fantastic passwords and where to find them - at NoRuKo
philnash
38
2.5k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Visualization
eitanlees
137
14k
Writing Fast Ruby
sferik
622
60k
Atom: Resistance is Futile
akmur
260
25k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. codesign -dv --verbose=4 Xcode.app/

  9. None

  10. How secure iOS is?

  11. None

  12. iOS Security Pillars • opera&ng system • so$ware updates •

    building secure apps

  13. ! & OS • Secure Enclave • Passcode • TouchID

    • Secure Boot • Code Signing • Sandboxing

  14. Updates • 1.2% Android devices → Android 7.x Nougat [Feb

    6th, 2017] • 76% iOS devices → iOS 10 [Jan 4th, 2017]

  15. Building Secure Apps • Network • Data Protec.on • Inter-Process

    Communica.on (IPC) • Jailbreak - detec.on & ac.on

  16. Our apps can be under a-ack...

  17. Why apps can be a,acked? • !!! financial transac,ons •

    PCI - Personal Card Informa,on " • PII - Personal Iden,fiable Informa,on # • PHI - Personal Health Informa,on $
  18. None
  19. None
  20. None

  21. Who might be an a-acker? • ! Criminals • Business

    compe1tors " • # Internet Service Providers (ISP) • Governments $ • ❤ Roman1c partners, family, friends

  22. When can they a*ack? • Direct access • No passcode

    • Jailbroken • Malware • Zero-day device

  23. Building Secure Apps

  24. Network • Secure connec*on (HTTPS) • App Transport Security (ATS)

    • Cer*ficate pinning • Cer*ficate Transparency (new mechanism)

  25. Data Protec*on • FileProtec+onType → .complete or .completeUnlessOpen • Creden+als

    → Keychain • Default Snapshot → replaced • UIPasteboard → cleared • Custom keyboard extensions → disabled • Database files → exclude from backup

  26. Inter-Process Communica1on (IPC) • URL Schemes • ❌ application:handleOpenURL: •

    ✔ application:openURL:options: • validate Bundle ID & URL params

  27. Source code • @inline(__always) • class guard obfusca.on

  28. None

  29. Jailbreak • Cydia app • access outside sandbox • fork

    a process • method hooks & code injec1on • debugger a4ached • non-standard ports open

  30. Jailbreak - how to live? • slow down an a*acker

    • wipe out sensi3ve data • mark account as fraudolent on backend

  31. How secure your app is?

  32. None
  33. None
  34. None

  35. Materials Security @ swi-ing.io My Cards project Replace snapshot example

    Protect store example Disable keyboard extensions example Validate IPC example

  36. Materials Apple's iOS Security Guide Apple's Secure Coding Guide WWDC

    2016 - How iOS Security Really Works WWDC 2016 - What's New in Security XcodeGhost Bypassing Jailbreak DetecHon