Slide 1

Slide 1 text

The Keys to iOS Security

Slide 2

Slide 2 text

Ryan Ackermann
iOS Developer
YouVersion

Slide 3

Slide 3 text

Why is iOS security important?

Slide 4

Slide 4 text

iOS stores a lot of personal data

Slide 5

Slide 5 text

Who are threats to iOS applications?
• Criminals (after your data)
• Business competitors (after your ideas)
• Service providers (after your privacy)
• Friends or family (after your secrets)

Slide 6

Slide 6 text

Bad security hurts user trust
• Financial loss
• Leaked passwords
• Personal surveillance

Slide 7

Slide 7 text

“@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe”

Slide 8

Slide 8 text

What does security look like on iOS?

Slide 9

Slide 9 text

Types of data to secure on iOS
• User data (photos, notes, etc.)
• Payment information
• Login credentials

Slide 10

Slide 10 text

How to implement

Slide 11

Slide 11 text

The example
Storing user credentials: email & password

Slide 12

Slide 12 text

UserDefaults
A common place to persist information across app launches

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

DON’T DO IT!

Slide 15

Slide 15 text

Plain text passwords in UserDefaults
The password can be read by:
• Third-party libraries
• Unencrypted device backup
• iOS filesystem explorers like iExplorer

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Base64 Example
Input: myH4rdPassw0rd
Output: bXlINHJkUGFzc3cwcmQ=

Slide 18

Slide 18 text

Encoding != Encryption

Slide 19

Slide 19 text

Encoding
Used to transform data so that it can be read by different systems

Slide 20

Slide 20 text

Encryption
Used to transform data so that it will be kept secret from others

Slide 21

Slide 21 text

Apple’s Keychain
A specialized database for sensitive information using the Triple Data Encryption Standard (3DES)

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

KeychainPasswordItem
Apple’s Keychain wrapper in Swift
https://developer.apple.com/library/content/samplecode/GenericKeychain

Slide 24

Slide 24 text

Almost There

Slide 25

Slide 25 text

Apple’s Keychain can be compromised
https://github.com/ptoomey3/Keychain-Dumper

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

Randomization Services
https://developer.apple.com/documentation/security/randomization_services
Generate cryptographically secure random numbers.

Slide 28

Slide 28 text

CryptoSwift
http://cryptoswift.io
A growing collection of standard and secure cryptographic algorithms implemented in Swift.

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

SHA-256 Example
Input: [email protected].6AYPbhQ7t4+Bv28EC1MM0A==.myH4rdPassw0rd
Output: c3b50f3272c4e0f548a824dde39c4147a09f2d568addb7e46ba9d731e24c3c54

Slide 31

Slide 31 text

Why use a salt?
A salt is additional input to the hashing function to defend against pre-computed dictionary attacks

Slide 32

Slide 32 text

Rainbow Table Attack
Plain text    MD5 hash
123456        e10adc3949ba59abbe56e057f20f883e
password      5f4dcc3b5aa765d61d8327deb882cf99
qwerty        d8578edf8458ce06fbc5bb76a58c5ca4
baseball      276f8db0b86edaa7fc805516c852c889
dragon        8621ffdbc5698829397d97767ac13db3
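
An added example (not from the talk or its example project) of the salted-hash flow from slides 27 to 32: a random salt from Randomization Services, SHA-256 over email.salt.password, and the result kept in the Keychain instead of UserDefaults. It assumes iOS 13+ and uses CryptoKit's SHA256 in place of CryptoSwift; the function names, the `salt:hash` storage layout and the service name are hypothetical.

```swift
import Foundation
import Security
import CryptoKit  // assumption: iOS 13+; stands in for CryptoSwift's SHA-256

enum CredentialError: Error { case random(OSStatus), keychain(OSStatus) }

/// Random bytes from Randomization Services, base64-encoded for storage.
func makeSalt(byteCount: Int = 16) throws -> String {
    var bytes = [UInt8](repeating: 0, count: byteCount)
    let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard status == errSecSuccess else { throw CredentialError.random(status) }
    return Data(bytes).base64EncodedString()
}

/// SHA-256 over "email.salt.password", the input layout shown on slide 30.
func passwordHash(email: String, salt: String, password: String) -> String {
    let input = Data("\(email).\(salt).\(password)".utf8)
    return SHA256.hash(data: input).map { String(format: "%02x", $0) }.joined()
}

/// Stores a value as a generic-password item, replacing any existing one.
func storeInKeychain(_ value: String, account: String, service: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    _ = SecItemDelete(query as CFDictionary)  // a missing item is not an error here
    var attributes = query
    attributes[kSecValueData as String] = Data(value.utf8)
    // Keep the item out of backups and readable only while the device is unlocked.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw CredentialError.keychain(status) }
}

/// Hypothetical entry point: the plain-text password is never persisted.
/// "com.example.demo" is a placeholder service name.
func register(email: String, password: String) throws {
    let salt = try makeSalt()
    let hash = passwordHash(email: email, salt: salt, password: password)
    // Base64 never contains ":", so it is a safe separator for salt and hash.
    try storeInKeychain("\(salt):\(hash)", account: email, service: "com.example.demo")
}
```

A single SHA-256 pass is fast to compute: the per-user salt defeats pre-computed tables like the one on slide 32, but not guessing against one account, for which a deliberately slow key-derivation function such as PBKDF2 is the usual choice.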

Slide 33

Slide 33 text

LocalAuthentication
Request authentication from users through pass-phrases or biometrics

Slide 34

Slide 34 text

LABiometryType
• none
• faceID
• touchID
New in iOS 11 for the iPhone X

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

Demo

Slide 39

Slide 39 text

Links
https://www.raywenderlich.com/185370/ Basic iOS Security: Keychain and Hashing
https://developer.apple.com/videos/play/wwdc2016/705/ How iOS Security Really Works
https://developer.apple.com/documentation/security Apple Security Documentation

Slide 40

Slide 40 text

@naturaln0va
Get in touch
Personal site: https://ackermann.io/about
Example project: https://github.com/naturaln0va/Avocado
Slides: https://speakerdeck.com/naturaln0va