iOS App Security Basics

Have you ever exposed your company to intellectual or financial loss? Have you ever written an app that doesn’t have security and privacy in mind? Join in the talk by our invited speaker from Poland, Maciej, to get to know iOS security basics and best practices to build secure apps!

https://www.meetup.com/CocoaHeads-Tricity/events/237364434/

Maciej Piotrowski

February 15, 2017
Transcript

  8. codesign -dv --verbose=4 Xcode.app/

  10. How secure is iOS?
  12. iOS Security Pillars • operating system • software updates • building secure apps
  13. OS • Secure Enclave • Passcode • TouchID • Secure Boot • Code Signing • Sandboxing
  14. Updates • 1.2% Android devices → Android 7.x Nougat [Feb 6th, 2017] • 76% iOS devices → iOS 10 [Jan 4th, 2017]
  15. Building Secure Apps • Network • Data Protection • Inter-Process Communication (IPC) • Jailbreak - detection & action
  16. Our apps can be under attack...
  17. Why can apps be attacked? • financial transactions • PCI - Personal Card Information • PII - Personal Identifiable Information • PHI - Personal Health Information
  21. Who might be an attacker? • Criminals • Business competitors • Internet Service Providers (ISP) • Governments • ❤ Romantic partners, family, friends
  22. When can they attack? • Direct access • No passcode • Jailbroken • Malware • Zero-day device
  23. Building Secure Apps

  24. Network • Secure connection (HTTPS) • App Transport Security (ATS) • Certificate pinning • Certificate Transparency (new mechanism)
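
Certificate pinning as the slide lists it, written out as an added example (not code from the talk or from the speaker's projects). It layers a pin check on top of the normal TLS evaluation that ATS already performs: the server's leaf certificate (DER) is hashed with SHA-256 and compared to an allow-list compiled into the app. The hex digest, the class name and the iOS 12+ `SecTrustEvaluateWithError` call are assumptions of this example; the digest shown is a placeholder, not a real certificate hash.

```swift
import Foundation
import Security
import CommonCrypto

// URLSession delegate that accepts a TLS connection only if (1) the system
// trust evaluation passes and (2) the leaf certificate matches a pinned digest.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedDigests: Set<Data>   // SHA-256 over the leaf certificate DER

    init(pinnedSHA256Hex: [String]) {
        pinnedDigests = Set(pinnedSHA256Hex.compactMap(PinnedSessionDelegate.data(fromHex:)))
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP auth): let the system decide.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: chain, expiry and hostname must still validate (never skip this).
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the leaf certificate must be one we pinned at build time.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        if pinnedDigests.contains(PinnedSessionDelegate.sha256(leafDER)) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    static func sha256(_ data: Data) -> Data {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { buffer in
            _ = CC_SHA256(buffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return Data(digest)
    }

    // Hex string -> bytes; returns nil for odd length or non-hex characters.
    static func data(fromHex hex: String) -> Data? {
        guard hex.count % 2 == 0 else { return nil }
        var bytes = [UInt8]()
        var index = hex.startIndex
        while index < hex.endIndex {
            let next = hex.index(index, offsetBy: 2)
            guard let byte = UInt8(hex[index..<next], radix: 16) else { return nil }
            bytes.append(byte)
            index = next
        }
        return Data(bytes)
    }
}

// Usage: every request through this session is subject to the pin check.
// The digest below is a constructed placeholder; replace with your server's leaf hash.
let pinningDelegate = PinnedSessionDelegate(pinnedSHA256Hex: [
    "0000000000000000000000000000000000000000000000000000000000000000"
])
let pinnedSession = URLSession(configuration: .default, delegate: pinningDelegate, delegateQueue: nil)
```

Pinning the leaf certificate breaks the app when the server certificate rotates, so ship at least one backup digest (or pin the intermediate or its public key instead) and plan the rotation before the pinned certificate expires.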
  25. Data Protection • FileProtectionType → .complete or .completeUnlessOpen • Credentials → Keychain • Default Snapshot → replaced • UIPasteboard → cleared • Custom keyboard extensions → disabled • Database files → exclude from backup
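
The six data-protection points on this slide, implemented in one AppDelegate as an added example (not the talk's code and not the speaker's "My Cards" project). The file name, the Keychain service name and the tag used for the cover view are constructed for illustration.

```swift
import UIKit
import Security

final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private let snapshotCoverTag = 0xC0FFEE   // constructed tag for the cover view

    // 1. Sensitive files: FileProtectionType.complete and excluded from backups.
    //    .complete makes the file unreadable while the device is locked;
    //    use .completeUnlessOpen for files the app must write in the background.
    static func writeProtected(_ contents: Data, named name: String) throws {
        let dir = try FileManager.default.url(for: .applicationSupportDirectory,
                                              in: .userDomainMask,
                                              appropriateFor: nil, create: true)
        var fileURL = dir.appendingPathComponent(name)
        try contents.write(to: fileURL, options: [.atomic, .completeFileProtection])
        var values = URLResourceValues()
        values.isExcludedFromBackup = true       // keeps the database out of iCloud/iTunes backups
        try fileURL.setResourceValues(values)
    }

    // 2. Credentials go to the Keychain, never to UserDefaults or a plist.
    static func storeToken(_ token: Data, account: String) -> OSStatus {
        let item: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "example.auth",       // constructed service name
            kSecAttrAccount as String: account,
            // readable only while unlocked and never migrated to another device
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            kSecValueData as String: token
        ]
        SecItemDelete(item as CFDictionary)                  // replace any earlier copy
        return SecItemAdd(item as CFDictionary, nil)
    }

    // 3. Replace the app-switcher snapshot: iOS caches a screenshot of the last
    //    visible screen to disk, so cover it before the snapshot is taken.
    func applicationWillResignActive(_ application: UIApplication) {
        guard let window = window, window.viewWithTag(snapshotCoverTag) == nil else { return }
        let cover = UIVisualEffectView(effect: UIBlurEffect(style: .light))
        cover.frame = window.bounds
        cover.tag = snapshotCoverTag
        window.addSubview(cover)
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        window?.viewWithTag(snapshotCoverTag)?.removeFromSuperview()
    }

    // 4. Clear the pasteboard on backgrounding; any other app can read it.
    func applicationDidEnterBackground(_ application: UIApplication) {
        UIPasteboard.general.items = []
    }

    // 5. Disable custom keyboard extensions, which can capture what is typed.
    func application(_ application: UIApplication,
                     shouldAllowExtensionPointIdentifier identifier: UIApplication.ExtensionPointIdentifier) -> Bool {
        return identifier != .keyboard
    }
}
```

The snapshot cover is added in `applicationWillResignActive` rather than `applicationDidEnterBackground` so that it is already in place when the system renders the switcher image; removing it on `applicationDidBecomeActive` keeps the user's screen untouched when they return.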
  26. Inter-Process Communication (IPC) • URL Schemes • ❌ application:handleOpenURL: • ✔ application:openURL:options: • validate Bundle ID & URL params
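
An added example (not the speaker's "Validate IPC" sample) of the recommended callback with both checks from the slide: the caller's bundle identifier from `options[.sourceApplication]` and the URL's scheme, host and query parameter are each validated before anything is acted on. The `mycards` scheme, the allowed caller bundle ID, the `card` host and the 8-hex-digit `id` format are all constructed for illustration.

```swift
import UIKit

// Typed result: the rest of the app never touches the raw URL.
enum IncomingLink {
    case showCard(id: String)
}

struct LinkValidator {
    static let allowedSchemes: Set<String> = ["mycards"]                 // constructed
    static let allowedCallers: Set<String> = ["io.swifting.companion"]   // constructed bundle ID

    // Returns an action only when caller, scheme, host and parameters all pass.
    static func parse(_ url: URL, sourceApplication: String?) -> IncomingLink? {
        // Bundle ID check: nil means an unknown origin (e.g. a link tapped in Safari).
        guard let caller = sourceApplication, allowedCallers.contains(caller) else { return nil }
        guard let scheme = url.scheme?.lowercased(), allowedSchemes.contains(scheme) else { return nil }
        guard url.host == "card",
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              let rawID = items.first(where: { $0.name == "id" })?.value else { return nil }
        // Parameter check: allow-list the format instead of forwarding it to storage or UI.
        let wellFormed = rawID.count == 8 && rawID.allSatisfy { $0.isHexDigit }
        return wellFormed ? .showCard(id: rawID) : nil
    }
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    // application(_:open:options:) replaced application(_:handleOpen:) in iOS 9;
    // only the newer callback tells you which app opened the URL.
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let caller = options[.sourceApplication] as? String
        guard let link = LinkValidator.parse(url, sourceApplication: caller) else {
            return false   // rejected: unknown caller, wrong scheme/host, or malformed parameter
        }
        switch link {
        case .showCard(let id):
            // Hand the validated value to the UI layer (constructed notification name).
            NotificationCenter.default.post(name: Notification.Name("ShowCard"), object: id)
        }
        return true
    }
}
```

Returning `false` for anything that fails validation matters as much as the checks themselves: a URL scheme is an unauthenticated entry point that any installed app can call, so the handler should treat every parameter as untrusted input.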
  27. Source code • @inline(__always) • class guard obfuscation
  29. Jailbreak • Cydia app • access outside sandbox • fork a process • method hooks & code injection • debugger attached • non-standard ports open
  30. Jailbreak - how to live? • slow down an attacker • wipe out sensitive data • mark account as fraudulent on backend
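
The detection signals from slide 29 and the graded response from slide 30, as one added example (not the talk's code). Each signal is a separate check so the app can weigh them rather than act on a single one; the open-ports signal is not covered here. The Cydia file paths, the probe file name, the Substrate library name and the two response closures are assumptions of this example.

```swift
import Foundation
import MachO

struct JailbreakSignals: OptionSet {
    let rawValue: Int
    static let cydiaInstalled   = JailbreakSignals(rawValue: 1 << 0)
    static let sandboxEscaped   = JailbreakSignals(rawValue: 1 << 1)
    static let canFork          = JailbreakSignals(rawValue: 1 << 2)
    static let hooksLoaded      = JailbreakSignals(rawValue: 1 << 3)
    static let debuggerAttached = JailbreakSignals(rawValue: 1 << 4)
}

enum JailbreakDetector {
    static func scan() -> JailbreakSignals {
        var found: JailbreakSignals = []

        // 1. Cydia app and files that only exist after a jailbreak (commonly cited paths).
        let markers = ["/Applications/Cydia.app", "/usr/sbin/sshd", "/bin/bash", "/etc/apt"]
        if markers.contains(where: { FileManager.default.fileExists(atPath: $0) }) {
            found.insert(.cydiaInstalled)
        }

        // 2. Access outside the sandbox: a sandboxed app cannot write to /private.
        let probe = "/private/jb_probe_\(getpid()).txt"   // constructed file name
        if (try? "x".write(toFile: probe, atomically: true, encoding: .utf8)) != nil {
            try? FileManager.default.removeItem(atPath: probe)
            found.insert(.sandboxEscaped)
        }

        // 3. fork() is refused for sandboxed iOS apps; success means the sandbox is gone.
        let pid = fork()
        if pid == 0 { exit(0) }              // child process: leave immediately
        if pid > 0 { found.insert(.canFork) }

        // 4. Method-hooking frameworks show up among the loaded dynamic libraries.
        for i in 0..<_dyld_image_count() {
            if let name = _dyld_get_image_name(i).map({ String(cString: $0) }),
               name.contains("MobileSubstrate") || name.contains("substrate") {
                found.insert(.hooksLoaded)
                break
            }
        }

        // 5. Debugger attached: the kernel sets P_TRACED on a traced process.
        var info = kinfo_proc()
        var size = MemoryLayout<kinfo_proc>.stride
        var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
        if sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0,
           (info.kp_proc.p_flag & P_TRACED) != 0 {
            found.insert(.debuggerAttached)
        }
        return found
    }
}

enum JailbreakResponse {
    // Slide 30's three steps: slow the attacker down, wipe local secrets, flag the account.
    static func react(to signals: JailbreakSignals,
                      wipeSensitiveData: () -> Void,
                      markAccountFraudulent: () -> Void) {
        guard !signals.isEmpty else { return }
        // A random delay makes automated bypass loops slower and less predictable.
        usleep(UInt32.random(in: 200_000...800_000))
        wipeSensitiveData()                 // e.g. delete Keychain items and protected files
        if signals.contains(.hooksLoaded) || signals.contains(.sandboxEscaped) {
            // The server-side flag is what survives a bypassed client check.
            markAccountFraudulent()
        }
    }
}

// Usage (closures are constructed stand-ins for the app's own wipe and API calls):
JailbreakResponse.react(to: JailbreakDetector.scan(),
                        wipeSensitiveData: { /* remove Keychain items, protected files */ },
                        markAccountFraudulent: { /* POST to the app's fraud endpoint */ })
```

Every one of these checks runs on a device the attacker controls and can be patched out, which is why the slide ends with the backend: the client-side result should only ever be one input to a server-side decision.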
  31. How secure is your app?
  35. Materials • Security @ swifting.io • My Cards project • Replace snapshot example • Protect store example • Disable keyboard extensions example • Validate IPC example
  36. Materials • Apple's iOS Security Guide • Apple's Secure Coding Guide • WWDC 2016 - How iOS Security Really Works • WWDC 2016 - What's New in Security • XcodeGhost • Bypassing Jailbreak Detection