Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Keys to iOS Security

Ryan Ackermann
April 19, 2018
Programming
0
77

The Keys to iOS Security

Security is an important pillar of application development. Users of iOS apps expect their information to be kept safe and private.

In this talk we’ll cover the foundations security on iOS. This will include securely saving data to the Keychain, the best practices for hashing private information, and how to incorporate biometrics.

Ryan Ackermann

April 19, 2018
Tweet

Other Decks in Programming

See All in Programming
Goのジェネリクスを活用する
syumai
2
1.2k
その Swift コード、
こう書き換えてみないか / Polishing your Swift code with me!
treastrain
1
3.3k
Mitigate Attacks on your PHP Supply Chain
dunglas
2
550
サバンナ便り〜自動テストに関する連載で得られた知見のまとめ(2023年5月版)〜 / Automated Test Knowledge from Savanna 202305 edition
twada
PRO
15
4.8k
「無ければ作る」Backlogに欲しい機能を自分で作った話
nsuz
0
180
デザイナーと協業しているNuxtプロジェクトを、ChromaticによるVRTでさらに改善した話
mozu1206
0
150
若者とGPTのすべて
pyama86
0
130
From complexity to observability using OpenTelemetry
danilop
1
310
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
510
Design Doc の書き方 / How to Write a Design Doc (Ja ver.)
munetoshi
20
6.6k
Ruby JIT Hacking Guide / RubyKaigi 2023
k0kubun
0
3.4k
Hugo で作ったブログに閲覧数ランキングが欲しい!
track3jyo
PRO
2
430

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
Being A Developer After 40
akosma
49
580k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Happy Clients
brianwarren
90
5.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
770
A Philosophy of Restraint
colly
195
15k
Building Adaptive Systems
keathley
29
1.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k
4 Signs Your Business is Dying
shpigford
171
20k
YesSQL, Process and Tooling at Scale
rocio
158
13k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
35
9.6k

Transcript

  1. The Keys to iOS
    Security

    View Slide

  2. Ryan Ackermann
    iOS Developer YouVersion

    View Slide

  3. Why is iOS security
    important?

    View Slide

  4. iOS stores a lot of
    personal data

    View Slide

  5. Who are threats to
    iOS applications?
    • Criminals (after your data)
    • Business competitors (after your
    ideas)
    • Service providers (after your privacy)
    • Friends or family (after your secrets)

    View Slide

  6. Bad security hurts
    user trust
    • Financial loss
    • Leaked passwords
    • Personal surveillance

    View Slide

  7. “@Korni22 What if this doesn't
    happen because our security
    is amazingly good? ^Käthe”

    View Slide

  8. What does security
    look like on iOS?

    View Slide

  9. Types of data to
    secure on iOS
    • User data (photos, notes, etc.)
    • Payment information
    • Login credentials

    View Slide

  10. How to implement

    View Slide

  11. The example
    Storing user credentials
    email & password

    View Slide

  12. UserDefaults
    A common place to persist
    information across app launches

    View Slide

  13. View Slide

  14. DON’T DO IT!

    View Slide

  15. Plain text passwords
    in UserDefaults
    • Third parties libraries
    • Unencrypted device backup
    • iOS filesystem explorers like
    iExplorer
    The password can be read by:

    View Slide

  16. View Slide

  17. Base64 Example
    Input: myH4rdPassw0rd
    Output: bXlINHJkUGFzc3cwcmQ=

    View Slide

  18. Encoding != Encryption

    View Slide

  19. Encoding
    Used to transform data so that it
    can be read by different systems

    View Slide

  20. Encryption
    Used to transform data so that it
    will be kept secret from others

    View Slide

  21. Apple’s Keychain
    A specialized database for sensitive
    information using the Triple Digital
    Encryption Standard (3DES)

    View Slide

  22. View Slide

  23. KeychainPasswordItem
    Apple’s Keychain wrapper in Swift
    https://developer.apple.com/library/content/
    samplecode/GenericKeychain

    View Slide

  24. Almost There

    View Slide

  25. Apple’s Keychain can
    be compromised
    https://github.com/ptoomey3/
    Keychain-Dumper

    View Slide

  26. View Slide

  27. Randomization Services
    https://developer.apple.com/documentation/
    security/randomization_services
    Generate cryptographically secure
    random numbers.

    View Slide

  28. CryptoSwift
    http://cryptoswift.io
    is a growing collection of standard
    and secure cryptographic algorithms
    implemented in Swift.

    View Slide

  29. View Slide

  30. SHA-256 Example
    Input:
    [email protected]
    6AYPbhQ7t4+Bv28EC1
    MM0A==.myH4rdPassw
    0rd
    Output:
    c3b50f3272c4e0f548a8
    24dde39c4147a09f2d56
    8addb7e46ba9d731e24
    c3c54

    View Slide

  31. Why use a salt?
    A salt is additional input to the hashing
    function to defend against pre-computed
    dictionary attacks

    View Slide

  32. Rainbow Table Attack
    Plain text MD5 hash
    123456 e10adc3949ba59abbe56e057f20f883e
    password 5f4dcc3b5aa765d61d8327deb882cf99
    qwerty d8578edf8458ce06fbc5bb76a58c5ca4
    baseball 276f8db0b86edaa7fc805516c852c889
    dragon 8621ffdbc5698829397d97767ac13db3

    View Slide

  33. LocalAuthentication
    Request authentication from users
    through pass-phrases or biometrics

    View Slide

  34. LABiometryType
    • none
    • faceID
    • touchID
    New in iOS 11 for the iPhone X

    View Slide

  35. View Slide

  36. View Slide

  37. View Slide

  38. Demo

    View Slide

  39. Links
    https://www.raywenderlich.com/185370/
    Basic iOS Security: Keychain and Hashing
    https://developer.apple.com/videos/play/
    wwdc2016/705/
    How iOS Security Really Works
    https://developer.apple.com/
    documentation/security
    Apple Security Documentation

    View Slide

  40. @naturaln0va
    Get in touch
    Personal site
    https://ackermann.io/about
    Example project
    https://github.com/naturaln0va/Avocado
    Slides
    https://speakerdeck.com/naturaln0va

    View Slide