Slide 8

codesign -dv --verbose=4 Xcode.app/

Run this against the Xcode you actually build with (normally /Applications/Xcode.app) to confirm it carries a valid Apple signature. This is the XcodeGhost lesson: developers who installed Xcode from a third-party mirror shipped App Store apps compiled by a trojanised toolchain. Apple's own recommended check for that incident is spctl --assess --verbose /Applications/Xcode.app, which must report "accepted" with source=Mac App Store, source=Apple or source=Apple System; any other verdict means the copy should be discarded and re-downloaded from Apple.

Slide 10

How secure is iOS?

Slide 12

iOS Security Pillars
• operating system
• software updates
• building secure apps

Slide 13

OS
• Secure Enclave
• Passcode
• Touch ID
• Secure Boot
• Code Signing
• Sandboxing

Slide 14

Updates
• 1.2% of Android devices → Android 7.x Nougat [Feb 6th, 2017]
• 76% of iOS devices → iOS 10 [Jan 4th, 2017]

Slide 15

Building Secure Apps
• Network
• Data Protection
• Inter-Process Communication (IPC)
• Jailbreak - detection & action

Slide 16

Our apps can be under attack...

Slide 17

Why can apps be attacked?
• financial transactions
• PCI - payment card data (cardholder data regulated by the Payment Card Industry Data Security Standard)
• PII - Personally Identifiable Information
• PHI - Protected Health Information

Slide 21

Who might be an attacker?
• Criminals
• Business competitors
• Internet Service Providers (ISP)
• Governments
• Romantic partners, family, friends

Slide 22

When can they attack?
• Direct access to the device
• No passcode set
• Jailbroken device
• Malware on the device
• Zero-day exploit against the device

Slide 23

Building Secure Apps

Slide 24

Network
• Secure connection (HTTPS)
• App Transport Security (ATS): on by default; do not set NSAllowsArbitraryLoads globally, add per-domain exceptions only where unavoidable
• Certificate pinning: trust only a known public key in the server's chain, on top of normal validation
• Certificate Transparency (new mechanism; opt in per domain with NSRequiresCertificateTransparency under the ATS exception domains)
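The pinning bullet above, as an added Swift example that is not part of the talk's materials or the My Cards project. It assumes a hypothetical host api.example.com and two hypothetical pin values. Standard trust evaluation (hostname, validity, trusted anchor) runs first; only then is the validated chain required to contain a public key whose SHA-256 matches a pin. The hashes are taken over the raw key bytes that SecKeyCopyExternalRepresentation returns, not over the DER SubjectPublicKeyInfo, so generate the pins the same way rather than with the usual openssl SPKI recipe. SecTrustCopyCertificateChain needs iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that pins the server's public key for one host.
/// Added example; host and pin values are hypothetical placeholders.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let pinnedKeyHashes: Set<String>   // base64(SHA-256(raw public key bytes))

    init(host: String, pins: Set<String>) {
        pinnedHost = host
        pinnedKeyHashes = pins
    }

    /// True when the chain validates normally AND contains a public key matching a pin.
    /// Kept separate from the delegate callback so it can be unit-tested with a
    /// SecTrust built from test certificates.
    func chainMatchesPin(_ trust: SecTrust) -> Bool {
        // 1. Ordinary validation first: hostname, validity period, trusted anchor.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else { return false }

        // 2. Walk the validated chain and hash each certificate's public key.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] else { return false }
        for certificate in chain {
            guard let key = SecCertificateCopyKey(certificate),
                  let keyBytes = SecKeyCopyExternalRepresentation(key, nil) as Data? else { continue }
            let digest = Data(SHA256.hash(data: keyBytes)).base64EncodedString()
            if pinnedKeyHashes.contains(digest) { return true }
        }
        return false
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for the pinned host are handled here;
        // anything else falls through to the system's default behaviour.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if chainMatchesPin(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Pin mismatch or failed validation: fail closed, never fall back to default handling.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request through this session is pinned for the hypothetical host.
// Ship at least one backup pin so a key rotation does not brick the app.
let pinningDelegate = PinningDelegate(
    host: "api.example.com",
    pins: ["REPLACE-WITH-BASE64-SHA256-OF-CURRENT-KEY",
           "REPLACE-WITH-BASE64-SHA256-OF-BACKUP-KEY"])
let pinnedSession = URLSession(configuration: .ephemeral, delegate: pinningDelegate, delegateQueue: nil)
```

Pinning any key in the chain (rather than only the leaf) lets you pin an intermediate you control and rotate leaf certificates freely; pinning the leaf alone is stricter but turns every renewal into a forced app update.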

Slide 25

Data Protection
• FileProtectionType → .complete or .completeUnlessOpen
• Credentials → Keychain
• Default snapshot → replaced
• UIPasteboard → cleared
• Custom keyboard extensions → disabled
• Database files → excluded from backup
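The six items above in one place, as an added Swift example that is not the talk's own "Protect store", "Replace snapshot" or "Disable keyboard extensions" sample. File paths, the Keychain service/account names and the plain cover view are illustrative placeholders. The app delegate callbacks shown are the pre-UIScene ones; a scene-based app does the same work in sceneWillResignActive(_:), sceneDidBecomeActive(_:) and sceneDidEnterBackground(_:).

```swift
import UIKit
import Security

/// Data-at-rest hardening. Added example; names and paths are hypothetical.
enum DataProtection {

    /// FileProtectionType: encrypt with a class key that is evicted when the device locks.
    /// .completeUnlessOpen keeps a file that is already open writable after the lock,
    /// which suits logs or databases written in the background; use .complete otherwise.
    static func writeProtected(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtectionUnlessOpen])

        // Database files → excluded from backup, so they never travel to the
        // user's computer or iCloud account where device protection no longer applies.
        var url = url
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try url.setResourceValues(values)
    }

    /// Credentials → Keychain, never UserDefaults or a plist.
    /// WhenUnlockedThisDeviceOnly: unreadable while locked and not restored onto other devices.
    @discardableResult
    static func storeCredential(_ secret: Data, service: String, account: String) -> OSStatus {
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(lookup as CFDictionary)   // replace any previous value for this account
        var item = lookup
        item[kSecValueData as String] = secret
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(item as CFDictionary, nil)
    }
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private let coverView = UIView()   // placeholder; a real app shows a branded splash or blur

    /// Default snapshot → replaced: iOS screenshots the app for the task switcher when it
    /// resigns active, so cover sensitive content before that happens.
    func applicationWillResignActive(_ application: UIApplication) {
        guard let window = window else { return }
        coverView.frame = window.bounds
        coverView.backgroundColor = .systemBackground
        window.addSubview(coverView)
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        coverView.removeFromSuperview()
    }

    /// UIPasteboard → cleared: whatever the user copied inside the app does not
    /// stay on the system pasteboard for other apps to read.
    func applicationDidEnterBackground(_ application: UIApplication) {
        UIPasteboard.general.items = []
    }

    /// Custom keyboard extensions → disabled: a third-party keyboard sees every keystroke
    /// and, with "full access", can send it off-device, so refuse the extension point.
    func application(_ application: UIApplication,
                     shouldAllowExtensionPointIdentifier identifier: UIApplication.ExtensionPointIdentifier) -> Bool {
        return identifier != .keyboard
    }
}
```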

Slide 26

Inter-Process Communication (IPC)
• URL Schemes
• ❌ application:handleOpenURL: (deprecated since iOS 9; tells you nothing about who opened the URL)
• ✔ application:openURL:options: (the options dictionary carries the caller's bundle ID under UIApplicationOpenURLOptionsSourceApplicationKey)
• validate the caller's Bundle ID and every URL parameter; treat the whole URL as attacker input
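The "validate Bundle ID & URL params" step, as an added Swift example that is not the talk's own "Validate IPC" sample. The mycards scheme, the allowed caller bundle ID and the two actions are hypothetical. The point the code makes is the asymmetry: the source bundle ID is supplied by the system and cannot be forged by the calling app, whereas every byte of the URL is chosen by the caller and must be allow-listed and shape-checked before it reaches app logic.

```swift
import UIKit

/// What an incoming custom-URL open is allowed to request. Added example;
/// scheme, caller list and actions are hypothetical.
enum IncomingAction: Equatable {
    case showCard(id: String)
    case openSettings
}

enum URLSchemeValidator {
    static let expectedScheme = "mycards"
    /// Bundle identifiers permitted to drive this app via URL (hypothetical).
    static let trustedCallers: Set<String> = ["com.example.companion"]
    static let maxIDLength = 36

    /// Returns nil for anything that should be ignored. `sourceApplication` is the
    /// system-provided caller bundle ID; nil (unknown caller) is rejected outright.
    static func validate(_ url: URL, sourceApplication: String?) -> IncomingAction? {
        guard let caller = sourceApplication, trustedCallers.contains(caller) else { return nil }
        guard url.scheme?.lowercased() == expectedScheme,
              let components = URLComponents(url: url, resolvingAgainstBaseURL: false) else { return nil }

        // Allow-list the "command" (host) and validate the shape of every parameter.
        switch components.host {
        case "card":
            let id = components.queryItems?.first(where: { $0.name == "id" })?.value ?? ""
            let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: "-"))
            guard !id.isEmpty, id.count <= maxIDLength,
                  id.unicodeScalars.allSatisfy(allowed.contains) else { return nil }
            return .showCard(id: id)
        case "settings":
            return .openSettings
        default:
            return nil   // unknown command, including path tricks like "card/../admin"
        }
    }
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    /// Wired up by the app's coordinator; receives only validated actions.
    var route: (IncomingAction) -> Void = { _ in }

    // Replaces the deprecated application(_:handleOpen:), which never identified the caller.
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let caller = options[.sourceApplication] as? String
        guard let action = URLSchemeValidator.validate(url, sourceApplication: caller) else {
            return false   // unknown caller or malformed URL: do nothing, report nothing
        }
        route(action)
        return true
    }
}
```

With these rules, mycards://card?id=abc-123 from com.example.companion maps to .showCard(id: "abc-123"), while the same URL from any other bundle ID, an id containing "/" or "?", or a host such as "admin" all return nil and are dropped.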

Slide 27

Source code
• @inline(__always) for security checks, so there is no single function an attacker can hook or patch
• class guard obfuscation: rename Objective-C class and method names so class-dump output gives no map of the app

Slide 29

Jailbreak
• Cydia app
• access outside the sandbox
• fork a process
• method hooks & code injection
• debugger attached
• non-standard ports open

Slide 30

Jailbreak - how to live?
• slow down an attacker
• wipe out sensitive data
• mark the account as fraudulent on the backend
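The detection signals of the previous slide, the @inline(__always) idea from the source-code slide, and the response policy above, as one added Swift example that is not the talk's own code. The probe paths, library-name markers and backend endpoint are illustrative. None of these checks is reliable alone (each can be bypassed, as the "Bypassing Jailbreak Detection" material in the references shows), which is why they are combined, inlined at each call site, and followed by a server-side consequence that a patched binary cannot undo. The fork() and open-ports signals from the slide are left out here.

```swift
import UIKit
import Security
import Darwin
import MachO

/// Jailbreak indicators. Added example; paths, markers and endpoint are hypothetical.
enum JailbreakCheck {

    /// Files that only exist on a jailbroken device (Cydia, substrate, shells, apt).
    private static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash", "/usr/sbin/sshd", "/etc/apt", "/private/var/lib/apt/",
    ]

    /// @inline(__always): every call site gets its own copy, so there is no single
    /// function body to hook or patch. This is the "slow down an attacker" part.
    @inline(__always)
    static func suspiciousFilesPresent() -> Bool {
        return suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
    }

    /// Access outside the sandbox: a stock device refuses this write.
    @inline(__always)
    static func canWriteOutsideSandbox() -> Bool {
        let path = "/private/jailbreak-probe.txt"   // hypothetical probe file
        let wrote = (try? "probe".write(toFile: path, atomically: true, encoding: .utf8)) != nil
        if wrote { _ = try? FileManager.default.removeItem(atPath: path) }
        return wrote
    }

    /// Method hooks & code injection: substrate/frida-style libraries loaded in this process.
    @inline(__always)
    static func injectedLibraryLoaded() -> Bool {
        let markers = ["MobileSubstrate", "substrate", "frida", "cynject"]
        for index in 0..<_dyld_image_count() {
            guard let cName = _dyld_get_image_name(index) else { continue }
            let name = String(cString: cName)
            if markers.contains(where: { name.localizedCaseInsensitiveContains($0) }) { return true }
        }
        return false
    }

    /// Debugger attached: the kernel sets P_TRACED on a process under ptrace.
    @inline(__always)
    static func debuggerAttached() -> Bool {
        var info = kinfo_proc()
        var size = MemoryLayout<kinfo_proc>.stride
        var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
        guard sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0 else { return false }
        return (info.kp_proc.p_flag & P_TRACED) != 0
    }

    /// Cydia app: needs "cydia" listed under LSApplicationQueriesSchemes in Info.plist,
    /// otherwise canOpenURL always answers false.
    static func cydiaInstalled() -> Bool {
        guard let url = URL(string: "cydia://package/com.example.package") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }

    static func deviceLooksJailbroken() -> Bool {
        #if targetEnvironment(simulator)
        return false
        #else
        return suspiciousFilesPresent() || canWriteOutsideSandbox()
            || injectedLibraryLoaded() || debuggerAttached() || cydiaInstalled()
        #endif
    }
}

/// "How to live": wipe local secrets and tell the backend, which can flag the
/// account and refuse high-risk operations regardless of what the client does next.
enum JailbreakResponse {
    static func handle(sessionToken: String) {
        // Wipe out sensitive data: every generic-password Keychain item this app owns.
        let allSecrets: [String: Any] = [kSecClass as String: kSecClassGenericPassword]
        SecItemDelete(allSecrets as CFDictionary)

        // Mark the account as fraudulent on the backend (hypothetical endpoint).
        var request = URLRequest(url: URL(string: "https://api.example.com/v1/device/compromised")!)
        request.httpMethod = "POST"
        request.setValue("Bearer \(sessionToken)", forHTTPHeaderField: "Authorization")
        URLSession.shared.dataTask(with: request).resume()
    }
}
```

Call JailbreakCheck.deviceLooksJailbroken() from several unrelated places (launch, login, before a payment) rather than once at startup; with the checks inlined, an attacker has to find and patch each site, and the backend flag persists even if they do.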

Slide 31

How secure is your app?

Slide 35

Materials
• Security @ swifting.io
• My Cards project
• Replace snapshot example
• Protect store example
• Disable keyboard extensions example
• Validate IPC example

Slide 36

Materials
• Apple's iOS Security Guide
• Apple's Secure Coding Guide
• WWDC 2016 - How iOS Security Really Works
• WWDC 2016 - What's New in Security
• XcodeGhost
• Bypassing Jailbreak Detection