iOS App Security Basics - Singapore, iOS Dev Scout Meetup, January 17th 2017

How secure iOS is?

Security Pillars • iOS pla$orm security • so.ware updates •
building secure apps

Passcode • 80 unlocks per day • 49% people used
in the past • 89% people use now (Touch ID)

Updates • 0.7% people use Android 7.0 - 7.1 Nougat
[Jan 9th, 2017] • 76% people use iOS 10 [Jan 4th, 2017]

Building Secure Apps • Network • Data Protec.on • Inter-Process
Communica.on (IPC) • Jailbreak - detec.on & ac.on

Our apps can be under a-ack...

Why apps can be a,acked? • PII - Personal Iden.ﬁable
Informa.on • PCI - Personal Card Informa.on • PHI - Personal Health Informa.on • ﬁnancial transac.ons

Who might be an a-acker? • Criminals • Business compe1tors
• Internet Service Providers (ISP) • Governments • Roman1c partners, family, friends

When can they a*ack? • Direct access • No passcode
• Jailbroken • Malware • Zero-day device

Building Secure Apps

Network • Secure connec'on (HTTPS) • App Transport Security (ATS)
• Cer'ﬁcate pinning • Cer'ﬁcate Transparency (new mechanism)

Data Protec*on • FileProtec*onType.complete or .completeUnlessOpen for data • Keychain
for creden,als • Default Snapshot replaced • UIPasteboard cleared • Custom keyboard extensions disabled

Inter-Process Communica1on (IPC) • URL Schemes • validate Bundle ID
& URL params • ❌ application:handleOpenURL: • ✔ application:openURL:options:

Jailbreak • Cydia app • system calls outside sandbox •
method hooks & code injec2on • debugger a2ached • non-standard ports open

Jailbreak - how to live? • slow down an a*acker
• wipe out sensi3ve data • mark account as fraud on backend

How secure my app is?

Materials Security @ swi-ing.io My Cards project Replace snapshot example
Protect store example Validate IPC example Disable keyboard extensions example

Materials Apple's iOS Security Guide Apple's Secure Coding Guide WWDC
2016 How iOS Security Really Works WWDC 2016 What's New in Security Max Bazily's slides Vixantel's slides The Mobile ApplicaJon Hacker's Handbook OWASP Mobile Security Project Damn Vulnerable iOS ApplicaJon (DVIA) Make use of - Appstore Malware

iOS App Security Basics - Singapore, iOS Dev Scout Meetup, January 17th 2017

iOS App Security Basics - Singapore, iOS Dev Scout Meetup, January 17th 2017

Maciej Piotrowski

More Decks by Maciej Piotrowski

Other Decks in Technology

Featured

Transcript

How secure iOS is?

Security Pillars • iOS pla$orm security • so.ware updates •

Passcode • 80 unlocks per day • 49% people used

Updates • 0.7% people use Android 7.0 - 7.1 Nougat

Building Secure Apps • Network • Data Protec.on • Inter-Process

Our apps can be under a-ack...

Why apps can be a,acked? • PII - Personal Iden.ﬁable

Who might be an a-acker? • Criminals • Business compe1tors

When can they a*ack? • Direct access • No passcode

Building Secure Apps

Network • Secure connec'on (HTTPS) • App Transport Security (ATS)

Data Protecon • FileProteconType.complete or .completeUnlessOpen for data • Keychain

Inter-Process Communica1on (IPC) • URL Schemes • validate Bundle ID

Jailbreak • Cydia app • system calls outside sandbox •

Jailbreak - how to live? • slow down an a*acker

How secure my app is?

Materials Security @ swi-ing.io My Cards project Replace snapshot example

Materials Apple's iOS Security Guide Apple's Secure Coding Guide WWDC