Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iOS App Security Basics - Mobile Warsaw, January 23rd 2017

Maciej Piotrowski
January 23, 2017
Technology
0
87

iOS App Security Basics - Mobile Warsaw, January 23rd 2017

Have you ever exposed your company to intellectual or financial loss? Have you ever written an app that doesn’t have security and privacy in mind? Join in the talk by our invited speaker from Poland, Maciej, to get to know iOS security basics and best practices to build secure apps!

Meetup: https://www.meetup.com/Mobile-Warsaw/events/237011962/
Recording: https://www.youtube.com/watch?v=kcH24P6uVOA

Maciej Piotrowski

January 23, 2017
Tweet

More Decks by Maciej Piotrowski

See All by Maciej Piotrowski
How to use steve’s jobs to improve devel👩‍💻🧑‍💻pers’ experience
maciejpiotrowski89
0
44
iOS Conf SG - 2022 - Dependency Injection at scale
maciejpiotrowski89
0
150
Nowe Dependency Injection w aplikacji Allegro iOS
maciejpiotrowski89
0
57
Speeding up the build process of a monolithic application
maciejpiotrowski89
0
92
Watch your Bluetooth! - Singapore iOS Dev Scout May 2018 Meetup
maciejpiotrowski89
0
40
Locating the Yeti with iOS
maciejpiotrowski89
0
860
Review all the things! - Singapore iOS Dev Scout August 2017 Meetup
maciejpiotrowski89
0
58
Watch your Bluetooth!
maciejpiotrowski89
0
58
Review all the things!
maciejpiotrowski89
0
740

Other Decks in Technology

See All in Technology
How to Lead? Testimonial of a Lead Android Engineer
oleur
1
110
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
1
1.7k
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
8
630
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
280
生産性向上チームの紹介
cybozuinsideout
PRO
1
930
【基本】データベース設計
oracle4engineer
PRO
2
190
アクセス制御にまつわる改善 / Improving access control
itkq
0
590
モーダル間の変換後の一致性とジャンル表を用いた解釈可能性の考察 ~Text-to-MusicとText-To-ImageかつImage-to-Musicを例に~
otanet
0
310
【SORACOM UG 東海】あらゆるモノがつながる社会へ、IoT と SORACOM
soracom
PRO
1
150
web-application-security
matsuihidetoshi
1
190
Documentação de Produtos: Artefatos essenciais na prática
rigolon
1
140
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
400

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
320
37k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
Faster Mobile Websites
deanohume
300
30k
Optimizing for Happiness
mojombo
370
69k
Web development in the modern age
philhawksworth
203
10k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
The Invisible Side of Design
smashingmag
294
49k
YesSQL, Process and Tooling at Scale
rocio
165
13k
How STYLIGHT went responsive
nonsquared
92
4.8k
In The Pink: A Labor of Love
frogandcode
138
21k
Statistics for Hackers
jakevdp
790
220k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. codesign -dv --verbose=4 Xcode.app/

  9. None

  10. How secure iOS is?

  11. None

  12. iOS Security Pillars • opera&ng system • so$ware updates •

    building secure apps

  13. ! & OS • Secure Enclave • Passcode • TouchID

  14. Updates • 0.7% Android devices → Android 7 Nougat [Jan

    9th, 2017] • 76% iOS devices → iOS 10 [Jan 4th, 2017]

  15. Building Secure Apps • Network • Data Protec.on • Inter-Process

    Communica.on (IPC) • Jailbreak - detec.on & ac.on

  16. Our apps can be under a-ack...

  17. Why apps can be a,acked? • !!! financial transac,ons •

    PCI - Personal Card Informa,on " • PII - Personal Iden,fiable Informa,on # • PHI - Personal Health Informa,on $
  18. None
  19. None
  20. None

  21. Who might be an a-acker? • ! Criminals • Business

    compe1tors " • # Internet Service Providers (ISP) • Governments $ • ❤ Roman1c partners, family, friends

  22. When can they a*ack? • Direct access • No passcode

    • Jailbroken • Malware • Zero-day device

  23. Building Secure Apps

  24. Network • Secure connec*on (HTTPS) • App Transport Security (ATS)

    • Cer*ficate pinning • Cer*ficate Transparency (new mechanism)

  25. Data Protec*on • FileProtec+onType → .complete or .completeUnlessOpen • Creden+als

    → Keychain • Default Snapshot → replaced • UIPasteboard → cleared • Custom keyboard extensions → disabled

  26. Inter-Process Communica1on (IPC) • URL Schemes • ❌ application:handleOpenURL: •

    ✔ application:openURL:options: • validate Bundle ID & URL params

  27. Source code • @inline(__always) • class guard obfusca.on

  28. None

  29. Jailbreak • Cydia app • access outside sandbox • fork

    a process • method hooks & code injec1on • debugger a4ached • non-standard ports open

  30. Jailbreak - how to live? • slow down an a*acker

    • wipe out sensi3ve data • mark account as fraudolent on backend

  31. How secure your app is?

  32. None
  33. None
  34. None

  35. Materials Security @ swi-ing.io My Cards project Replace snapshot example

    Protect store example Disable keyboard extensions example Validate IPC example

  36. Materials Apple's iOS Security Guide Apple's Secure Coding Guide WWDC

    2016 - How iOS Security Really Works WWDC 2016 - What's New in Security XcodeGhost Bypassing Jailbreak DetecHon