The Keys to iOS Security

Security is an important pillar of application development. Users of iOS apps expect their information to be kept safe and private.

In this talk we’ll cover the foundations of security on iOS. This will include securely saving data to the Keychain, best practices for hashing private information, and how to incorporate biometrics.

Ryan Ackermann

April 19, 2018

Transcript

  1. The Keys to iOS Security

  2. Ryan Ackermann iOS Developer YouVersion

  3. Why is iOS security important?

  4. iOS stores a lot of personal data

  5. Who are threats to iOS applications? • Criminals (after your data) • Business competitors (after your ideas) • Service providers (after your privacy) • Friends or family (after your secrets)
  6. Bad security hurts user trust • Financial loss • Leaked passwords • Personal surveillance
  7. “@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe”
  8. What does security look like on iOS?

  9. Types of data to secure on iOS • User data (photos, notes, etc.) • Payment information • Login credentials
  10. How to implement

  11. The example: storing user credentials (email & password)

  12. UserDefaults A common place to persist information across app launches

  13. None
  14. DON’T DO IT!

  15. Plain text passwords in UserDefaults. The password can be read by: • Third-party libraries • Unencrypted device backup • iOS filesystem explorers like iExplorer
  16. None
  17. Base64 Example Input: myH4rdPassw0rd Output: bXlINHJkUGFzc3cwcmQ=

  18. Encoding != Encryption

  19. Encoding Used to transform data so that it can be read by different systems
  20. Encryption Used to transform data so that it will be kept secret from others
  21. Apple’s Keychain A specialized database for sensitive information using the Triple Data Encryption Standard (3DES)
  22. None
  23. KeychainPasswordItem Apple’s Keychain wrapper in Swift https://developer.apple.com/library/content/samplecode/GenericKeychain

  24. Almost There

  25. Apple’s Keychain can be compromised https://github.com/ptoomey3/Keychain-Dumper

  26. None
  27. Randomization Services https://developer.apple.com/documentation/security/randomization_services Generate cryptographically secure random numbers.

  28. CryptoSwift http://cryptoswift.io is a growing collection of standard and secure cryptographic algorithms implemented in Swift.
  29. None
  30. SHA-256 Example Input: ryan@ackermann.io.6AYPbhQ7t4+Bv28EC1MM0A==.myH4rdPassw0rd Output: c3b50f3272c4e0f548a824dde39c4147a09f2d568addb7e46ba9d731e24c3c54
  31. Why use a salt? A salt is additional input to the hashing function to defend against pre-computed dictionary attacks
  32. Rainbow Table Attack (plain text → MD5 hash): 123456 → e10adc3949ba59abbe56e057f20f883e; password → 5f4dcc3b5aa765d61d8327deb882cf99; qwerty → d8578edf8458ce06fbc5bb76a58c5ca4; baseball → 276f8db0b86edaa7fc805516c852c889; dragon → 8621ffdbc5698829397d97767ac13db3
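As an added illustration of slides 30 to 32 (not code from the talk or its Avocado project), the following Python models the salted SHA-256 layout email.salt.password from slide 30 and checks it against a precomputed table of the unsalted MD5 hashes listed on slide 32. The e-mail addresses and the word list are constructed sample values, and Python stands in for the talk's Swift/CryptoSwift code so the example runs stand-alone.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample: the plaintext words whose MD5 hashes appear on slide 32.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "baseball", "dragon"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, the scheme the slide's rainbow table defeats."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_rainbow_table(words):
    """Precomputed digest -> plaintext map, built once and reused forever."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest):
    """Plaintext for a known unsalted digest, or None if it is not in the table."""
    return table.get(digest)


def new_salt(nbytes: int = 16) -> str:
    """Random per-user salt from the OS CSPRNG, base64-encoded like 6AYP...== on slide 30."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def salted_sha256(email: str, salt: str, password: str) -> str:
    """SHA-256 over 'email.salt.password', the layout shown on slide 30."""
    return hashlib.sha256(f"{email}.{salt}.{password}".encode("utf-8")).hexdigest()


def verify(email: str, salt: str, stored: str, candidate: str) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    return hmac.compare_digest(stored, salted_sha256(email, salt, candidate))


if __name__ == "__main__":
    table = build_rainbow_table(COMMON_PASSWORDS)
    # An unsalted digest of a common password is one dictionary lookup away.
    print(lookup(table, md5_hex("password")))  # password
    # Salted per user, the same weak password yields two different digests,
    # neither of which appears in the precomputed table.
    s1, s2 = new_salt(), new_salt()
    d1 = salted_sha256("alice@example.com", s1, "password")
    d2 = salted_sha256("bob@example.com", s2, "password")
    print(d1 != d2, lookup(table, d1) is None)  # True True
    print(verify("alice@example.com", s1, d1, "password"))  # True
```

The salt only defeats precomputation; for real password storage a deliberately slow, salted KDF (PBKDF2, bcrypt, scrypt or Argon2) is the stronger choice, and plain SHA-256 is kept here only to match the slide.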
  33. LocalAuthentication Request authentication from users through pass-phrases or biometrics

  34. LABiometryType • none • faceID • touchID New in iOS 11 for the iPhone X
  35. None
  36. None
  37. None
  38. Demo

  39. Links • Basic iOS Security: Keychain and Hashing https://www.raywenderlich.com/185370/ • How iOS Security Really Works https://developer.apple.com/videos/play/wwdc2016/705/ • Apple Security Documentation https://developer.apple.com/documentation/security
  40. Get in touch @naturaln0va • Personal site https://ackermann.io/about • Example project https://github.com/naturaln0va/Avocado • Slides https://speakerdeck.com/naturaln0va