Secure software development:
from rookie to hardcore in 90 minutes
iOS data security workshop
@vixentael
@vixentael
product engineer in security and cryptography
started from iOS 3
OSS maintainer: Themis, Acra
conducts workshops & training on secure app development
training.cossacklabs.com
Plan for the next 85 minutes:
1. Intro (Apple, OWASP, jailbreaks)
2. Secure software development lifecycle
3. Stored data mistakes: key management and encryption
4. Practice time
5. Other data security things (network, logging, screenshots)
6. Reading list
Secure software development: why care anyway?
- Apple (guidelines, rejection guides)
- users (upset, angry)
- money (breaches, legal actions, fines)
New App Store privacy policy
- minimize the data you collect
- be transparent about how you use the data
- protect data at rest and in transit
- remove data fully and quickly
http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/
GDPR
- Article 32/35: store and process data with security appropriate to the risk (security of processing, data protection impact assessment)
- Article 33/34: detect data breaches and notify the controller, the supervisory authority and the affected users
https://gdpr-info.eu/
Remote jailbreak iOS11 (patched in iOS12)
https://twitter.com/kevin_backhouse/status/1057352656560287746
iOS Security Guide (95-page PDF)
www.apple.com/business/site/docs/iOS_Security_Guide.pdf
Most users trust sensitive data
to your app regardless of
how well you protect it.
Secure development lifecycle methodology
- MS SDL: microsoft.com/en-us/sdl
- OWASP S-SDLC: owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project
SSDLC in simple words:
1. Define sensitive data (during planning)
2. Design & implement security controls (during planning & implementation)
3. Verify security controls: testing, monitoring (acceptance testing / QA, unit testing)
repeat
So, one by one
Sensitive data: any kind of data that, if leaked, will break the business objectives or the prosperity of those who use it.
Examples: geo-locations, health data, financial data, kids' locations, car remote control, credentials, logs, PII.
Defining sensitive data:
- sensitive user data (PII, passwords)
- regulations (GDPR / HIPAA / PCI DSS)
- tech data (keys, logs, access credentials)
https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
Security controls: proactive and reactive
- Data security
- Application security
- Infrastructure security
- Monitoring
- Intrusion detection
- Vulnerability management
Proactive controls
- Data security: encryption
- Access security: authentication, firewalls, OS
- Node security: firewalls, compartmentalization, isolation, OS
Use KDF
https://www.raywenderlich.com/129-basic-ios-security-keychain-and-hashing
Use KDF correctly:
- the salt should be random
- the iteration count should be > 10k
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md
Why does cryptographic software fail? 269 crypto-related CVEs from 2011-2014:
- 17%: bugs inside crypto libs
- 83%: misuses of crypto libs by individual apps
https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
Even more mistakes
- XORing != encrypting
- using a password as the encryption key (without a KDF)
- storing keys elsewhere
- using a single encryption key for all data/users
Use encryption correctly:
- the IV should be random
- the key should be derived with a KDF, not used raw
- use AES-GCM, not AES-CBC
- padding? salt? (more details to get right by hand)
Use "boring" crypto libraries that:
★ use strong & audited crypto
★ work everywhere
★ hide cryptographic details
★ are hard to mis-use
★ have integration with key storage
https://speakerdeck.com/vixentael/dont-waste-time-on-learning-cryptography-better-use-it-properly
Encryption that is hard to mis-use: Themis
- hides cryptographic details: salt, IV, KDF, padding
- built-in KDF, safe to use with a passphrase
- uses AES-256-GCM
Crypto in iOS: choose your destiny (storage vs. transport)
- Storage, multi-platform: themis, libsodium, tink
- Transport, multi-platform: TLS, themis, libsodium, OTRKit, libsignal
- Storage, made for one platform (some ports available): RNCryptor, CryptoSwift, CommonCrypto
https://www.cossacklabs.com/choose-your-ios-crypto.html
Key management: app tokens, user passwords, public certs
Secrets hardcoded in source:
    let apiToken = "63ufHs2E82-cJgsm!djr7-Ks1TTYC4TV"
    let appId = "VK1TTYC4TV"
    let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
    var userPass = "qwertyqwerty"
DON'T
- do things just because "they make security better"
- copy-paste from StackOverflow
- implement your own security controls where solutions are available

DO
- only things that address real, valid risks
- use the industry's best practices, standards and tools
- explain why spending the effort is necessary
- plan, implement, test, formalize
- watch the trends, follow experts
Reading, watching
General theory
- How Apple Security works: http://mashable.com/2016/04/16/apple-security-explained/
- Popular note-taking apps share these security flaws: https://medium.com/@vixentael/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329
- Apple Export Regulations on Cryptography: https://medium.com/@cossacklabs/apple-export-regulations-on-crypto-6306380682e1
- How HTTPS works: cats: https://howhttps.works/
Cryptography
- Cryptographic Storage Cheat Sheet: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
- Key Management Cheat Sheet: https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
- Managing Keys, Certificates, and Passwords: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
- Crypto in iOS: choose your destiny: https://cossacklabs.com/choose-your-ios-crypto.html
Testing
- Crack prevention: http://iphonedevwiki.net/index.php/Crack_prevention
- Mobile Security Testing Guide: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06a-platform-overview
- OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
Talks & training
- github.com/vixentael/my-talks
- training.cossacklabs.com