The Keys to iOS Security

Transcript

1. The Keys to iOS Security

2. Ryan Ackermann iOS Developer YouVersion

3. Why is iOS security important?

4. iOS stores a lot of personal data

5. Who are threats to iOS applications? • Criminals (after your

   data) • Business competitors (after your ideas) • Service providers (after your privacy) • Friends or family (after your secrets)

6. Bad security hurts user trust • Financial loss • Leaked

   passwords • Personal surveillance

7. “@Korni22 What if this doesn't happen because our security is

   amazingly good? ^Käthe”

8. What does security look like on iOS?

9. Types of data to secure on iOS • User data

   (photos, notes, etc.) • Payment information • Login credentials

10. How to implement

11. The example Storing user credentials email & password

12. UserDefaults A common place to persist information across app launches

13. None

14. DON’T DO IT!

15. Plain text passwords in UserDefaults • Third parties libraries •

    Unencrypted device backup • iOS filesystem explorers like iExplorer The password can be read by:
16. None

17. Base64 Example Input: myH4rdPassw0rd Output: bXlINHJkUGFzc3cwcmQ=

18. Encoding != Encryption

19. Encoding Used to transform data so that it can be

    read by different systems

20. Encryption Used to transform data so that it will be

    kept secret from others

21. Apple’s Keychain A specialized database for sensitive information using the

    Triple Digital Encryption Standard (3DES)
22. None

23. KeychainPasswordItem Apple’s Keychain wrapper in Swift https://developer.apple.com/library/content/ samplecode/GenericKeychain

24. Almost There

25. Apple’s Keychain can be compromised https://github.com/ptoomey3/ Keychain-Dumper

26. None

27. Randomization Services https://developer.apple.com/documentation/ security/randomization_services Generate cryptographically secure random numbers.

28. CryptoSwift http://cryptoswift.io is a growing collection of standard and secure

    cryptographic algorithms implemented in Swift.
29. None

30. SHA-256 Example Input: [email protected]. 6AYPbhQ7t4+Bv28EC1 MM0A==.myH4rdPassw 0rd Output: c3b50f3272c4e0f548a8 24dde39c4147a09f2d56

    8addb7e46ba9d731e24 c3c54

31. Why use a salt? A salt is additional input to

    the hashing function to defend against pre-computed dictionary attacks

32. Rainbow Table Attack Plain text MD5 hash 123456 e10adc3949ba59abbe56e057f20f883e password

    5f4dcc3b5aa765d61d8327deb882cf99 qwerty d8578edf8458ce06fbc5bb76a58c5ca4 baseball 276f8db0b86edaa7fc805516c852c889 dragon 8621ffdbc5698829397d97767ac13db3

33. LocalAuthentication Request authentication from users through pass-phrases or biometrics

34. LABiometryType • none • faceID • touchID New in iOS

    11 for the iPhone X
35. None
36. None
37. None

38. Demo

39. Links https://www.raywenderlich.com/185370/ Basic iOS Security: Keychain and Hashing https://developer.apple.com/videos/play/ wwdc2016/705/

    How iOS Security Really Works https://developer.apple.com/ documentation/security Apple Security Documentation

40. @naturaln0va Get in touch Personal site https://ackermann.io/about Example project https://github.com/naturaln0va/Avocado

    Slides https://speakerdeck.com/naturaln0va