Slide 1

Learning About Vulnerabilities from OWASP Mobile Top 10
Start Securing Your iOS Apps from Zero
Soh Satoh (@soh_satoh) - STORES, Inc.

Slide 2

Who am I?
• 2018? - 2021: iOS Tweak Developer (Independent)
• 2021 - 2023: Security Engineer @ Security Vendor
• 2023 - : Security Engineer @ STORES Inc

Slide 3

Introduction - What’s MASVS/MASTG?
• MASVS: The industry standard for mobile app security
• MASTG: A comprehensive manual for mobile app security testing and reverse engineering
See also: "What does a vulnerability assessment of a smartphone app actually involve? (iOS edition)" - STORES Product Blog
Reference: OWASP

Slide 4

Introduction - What’s OWASP Mobile TOP10?
A standard awareness document for developers and mobile application security
• M1: Improper Credential Usage
• M2: Inadequate Supply Chain Security
• M3: Insecure Authentication/Authorization
• M4: Insufficient Input/Output Validation
• M5: Insecure Communication
• M6: Inadequate Privacy Controls
• M7: Insufficient Binary Protections
• M8: Security Misconfiguration
• M9: Insecure Data Storage
• M10: Insufficient Cryptography
Reference: OWASP (https://owasp.org/www-project-mobile-top-10/)

Slide 5

M9: Insecure Data Storage

Slide 6

M9: Insecure Data Storage
Vulnerabilities caused by improper implementations for storing sensitive information
Examples
• Storing passwords in plain text
• Unprotected logging
• Unsecured local storage
Attack Vectors
• Sandbox escaping
• Data leak from iOS backups
• (Code injection)
Impacts
• Leak of sensitive information
• Leak of credentials
• Compromised user accounts
• Reputational damage

Slide 7

M9: Insecure Data Storage - App Sandbox
App Sandbox: A security mechanism for separating running programs
• Restricting access to resources of other apps (e.g. UserDefaults)
• Restricting access to system files
↓ Super Secure!

Slide 8

M9: Insecure Data Storage - App Sandbox
… Really? 🤔

Slide 9

M9: Insecure Data Storage - App Sandbox
Security 101: Do Not Overtrust Anyone!

Slide 10

M9: Insecure Data Storage - UserDefaults vs. Keychain
• UserDefaults
  • NOT encrypted
  • Saved to “/var/mobile/Containers/Data/Application/{UUID}/Library/Preferences” (owner: mobile)
  • Can be backed up w/o encryption
• Keychain
  • Encrypted (AES-128 / Hardware-based encryption)
  • Saved to “/var/Keychains/keychain-2.db” (owner: _securityd)
  • Backed up with encryption

Slide 11

M9: Insecure Data Storage - Best Practices
Best Practices
• Do NOT store credentials in plaintext
  • Refresh token
  • Passwords (Never!)
• Use Keychain wherever possible
  • Storing sensitive information in Keychain
  • Storing encryption keys in Keychain

Slide 12

M1: Improper Credential Usage

Slide 13

M1: Improper Credential Usage
Vulnerabilities caused by improper credential usage for storing sensitive information
Examples
• Hardcoded credentials
• Insecure credential storage
Attack Vectors
• Sandbox escaping
• Data leak from iOS backups
• (Code injection)
Impacts
• Leak of sensitive information
• Leak of credentials
• Compromised user accounts
• Reputational damage

Slide 14

M1: Improper Credential Usage - Hardcoded Credentials
Hardcoded Credentials Examples
• Encrypt sensitive information using hardcoded keys
• Login to API using hardcoded password
Attack Vectors
• Reversing

Slide 15

M1: Improper Credential Usage - Obfuscation
Obfuscation: the act of creating source or machine code that is difficult for humans or computers to understand
Advantage: It can delay the process of reverse engineering.
Disadvantage: While obfuscation can make reading, writing, and reverse-engineering a program difficult and time-consuming, it will not necessarily make it impossible.

Slide 16

M1: Improper Credential Usage - Obfuscation
[Figure: Encryption Flow (Example)]

Slide 17

M1: Improper Credential Usage - Obfuscation
Static Analysis (with Ghidra)
[Figure: Disassembly / Pseudocode]

Slide 18

M1: Improper Credential Usage - Obfuscation
Dynamic Analysis (with LLDB)

Slide 19

M1: Improper Credential Usage - Obfuscation
Dynamic Analysis (with LLDB)

Slide 20

M1: Improper Credential Usage - Obfuscation
Dynamic Analysis (with LLDB)
Ref: https://stackoverflow.com/a/78014359/26676166

Slide 21

M1: Improper Credential Usage - Best Practices
Best Practices
• Do NOT hardcode secrets
  • API keys
  • Encryption keys
  • Passwords
• If secrets must be hardcoded,
  • Consider the importance of the information
  • Evaluate the effectiveness of obfuscation
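As an added example in Swift (not code from the talk), the M1 best practices above and the M9 best practices on slide 11 put together: a small Keychain wrapper that holds a refresh token instead of UserDefaults, and replaces a hardcoded encryption key with one generated on the device and kept in the Keychain. The service name and account names are assumptions.

```swift
import Foundation
import Security
import CryptoKit
// Minimal Keychain wrapper (service name is assumed, not from the slides).
enum KeychainStore {
    static let service = "com.example.app"
    enum KeychainError: Error { case status(OSStatus) }
    private static func baseQuery(_ account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    static func save(_ data: Data, account: String) throws {
        SecItemDelete(baseQuery(account) as CFDictionary)   // replace any existing item
        var item = baseQuery(account)
        item[kSecValueData as String] = data
        // Only readable while the device is unlocked; not migrated to another device via backup.
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    static func load(account: String) throws -> Data? {
        var query = baseQuery(account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.status(status) }
        return result as? Data
    }
}

// M9: the refresh token goes to the Keychain, never to UserDefaults (a plaintext
// plist under Library/Preferences that can end up in an unencrypted backup).
func storeRefreshToken(_ token: String) throws {
    try KeychainStore.save(Data(token.utf8), account: "refresh_token")
}

// M1: instead of a key literal in source (recoverable by reversing the binary),
// generate a random 256-bit key on first use and keep it in the Keychain.
func appEncryptionKey() throws -> SymmetricKey {
    if let raw = try KeychainStore.load(account: "enc_key") { return SymmetricKey(data: raw) }
    let key = SymmetricKey(size: .bits256)
    try KeychainStore.save(key.withUnsafeBytes { Data($0) }, account: "enc_key")
    return key
}
```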

Slide 22

Summary
Steps You Should Take for Mobile Application Security
1. Understand the common vulnerabilities in mobile apps
2. Consider whether each vulnerability could realistically have an impact, and assess the need for remediation
3. Develop the application with careful consideration of whether it could introduce vulnerabilities that might impact the business
