
The Keys to iOS Security

Security is an important pillar of application development. Users of iOS apps expect their information to be kept safe and private.

In this talk we’ll cover the foundations of security on iOS. This will include securely saving data to the Keychain, the best practices for hashing private information, and how to incorporate biometrics.

Ryan Ackermann

April 19, 2018

Transcript

  1. The Keys to iOS Security

  2. Ryan Ackermann
    iOS Developer YouVersion

  3. Why is iOS security important?

  4. iOS stores a lot of personal data

  5. Who are threats to iOS applications?
    • Criminals (after your data)
    • Business competitors (after your ideas)
    • Service providers (after your privacy)
    • Friends or family (after your secrets)

  6. Bad security hurts user trust
    • Financial loss
    • Leaked passwords
    • Personal surveillance

  7. “@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe”

  8. What does security look like on iOS?

  9. Types of data to secure on iOS
    • User data (photos, notes, etc.)
    • Payment information
    • Login credentials

  10. How to implement

  11. The example: storing user credentials (email & password)

  12. UserDefaults
    A common place to persist information across app launches

  13. (slide image; no text)

  14. DON’T DO IT!

  15. Plain text passwords in UserDefaults
    The password can be read by:
    • Third-party libraries
    • Unencrypted device backups
    • iOS filesystem explorers like iExplorer

  16. (slide image; no text)

  17. Base64 Example
    Input: myH4rdPassw0rd
    Output: bXlINHJkUGFzc3cwcmQ=

  18. Encoding != Encryption

  19. Encoding
    Used to transform data so that it can be read by different systems

  20. Encryption
    Used to transform data so that it will be kept secret from others

  21. Apple’s Keychain
    A specialized database for sensitive information using the Triple Data Encryption Standard (3DES)

  22. (slide image; no text)

  23. KeychainPasswordItem
    Apple’s Keychain wrapper in Swift
    https://developer.apple.com/library/content/samplecode/GenericKeychain

  24. Almost There

  25. Apple’s Keychain can be compromised
    https://github.com/ptoomey3/Keychain-Dumper

  26. (slide image; no text)

  27. Randomization Services
    https://developer.apple.com/documentation/security/randomization_services
    Generate cryptographically secure random numbers.

  28. CryptoSwift
    http://cryptoswift.io
    CryptoSwift is a growing collection of standard and secure cryptographic algorithms implemented in Swift.

  29. (slide image; no text)

  30. SHA-256 Example
    Input: [email protected] 6AYPbhQ7t4+Bv28EC1MM0A==.myH4rdPassw0rd
    Output: c3b50f3272c4e0f548a824dde39c4147a09f2d568addb7e46ba9d731e24c3c54

  31. Why use a salt?
    A salt is additional input to the hashing function to defend against pre-computed dictionary attacks

  32. Rainbow Table Attack
    Plain text   MD5 hash
    123456       e10adc3949ba59abbe56e057f20f883e
    password     5f4dcc3b5aa765d61d8327deb882cf99
    qwerty       d8578edf8458ce06fbc5bb76a58c5ca4
    baseball     276f8db0b86edaa7fc805516c852c889
    dragon       8621ffdbc5698829397d97767ac13db3
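
    The three points from slides 17, 31 and 32 (encoding is reversible, an unsalted hash of a common password is a table lookup, a random per-user salt defeats that lookup) as an added Python example that is not part of the talk or its Avocado project; the "rainbow table" is just the five rows above, the salt is 16 random bytes base64-encoded, and the hashed string follows the slide-30 layout of salt, a dot, then the password (the email prefix shown on slide 30 is omitted):

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed "rainbow table": the five MD5 digests from the slide, keyed by digest.
RAINBOW_TABLE = {
    "e10adc3949ba59abbe56e057f20f883e": "123456",
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "d8578edf8458ce06fbc5bb76a58c5ca4": "qwerty",
    "276f8db0b86edaa7fc805516c852c889": "baseball",
    "8621ffdbc5698829397d97767ac13db3": "dragon",
}


def base64_roundtrip(secret: str) -> Tuple[str, str]:
    """Encoding != encryption: anyone can decode, no key is involved."""
    encoded = base64.b64encode(secret.encode()).decode()
    decoded = base64.b64decode(encoded).decode()
    return encoded, decoded


def crack_unsalted_md5(password: str) -> Optional[str]:
    """Unsalted MD5 of a common password is recovered with one dictionary lookup."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return RAINBOW_TABLE.get(digest)


def new_salt() -> str:
    """16 cryptographically random bytes, base64-encoded (24 chars, like the slide's salt)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def salted_sha256(salt: str, password: str) -> str:
    """SHA-256 over 'salt.password'; store the salt beside the digest, never the password."""
    return hashlib.sha256(f"{salt}.{password}".encode()).hexdigest()


def verify(stored_salt: str, stored_hash: str, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_sha256(stored_salt, attempt), stored_hash)


def same_password_same_digest(p1: str, p2: str) -> bool:
    """Without a salt, two users with the same password share a digest; with salts they do not."""
    return hashlib.sha256(p1.encode()).hexdigest() == hashlib.sha256(p2.encode()).hexdigest()
```

Because every user gets a different salt, a precomputed table would have to be rebuilt per salt, which is what makes the slide-32 attack uneconomical.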

  33. LocalAuthentication
    Request authentication from users through pass-phrases or biometrics

  34. LABiometryType
    • none
    • faceID
    • touchID
    New in iOS 11 for the iPhone X

  35. (slide image; no text)

  36. (slide image; no text)

  37. (slide image; no text)

  38. Demo

  39. Links
    Basic iOS Security: Keychain and Hashing
    https://www.raywenderlich.com/185370/
    How iOS Security Really Works (WWDC 2016, session 705)
    https://developer.apple.com/videos/play/wwdc2016/705/
    Apple Security Documentation
    https://developer.apple.com/documentation/security

  40. @naturaln0va
    Get in touch
    Personal site: https://ackermann.io/about
    Example project: https://github.com/naturaln0va/Avocado
    Slides: https://speakerdeck.com/naturaln0va