Slide 1

Slide 1 text

Building user-centric security model in iOS apps @vixentael

Slide 2

Slide 2 text

Who am I
@vixentael
Lead Developer at stanfy.com
Core Contributor at themis / cossacklabs.com
Get in touch if you need help in building a secure mobile app

Slide 3

Slide 3 text

Security talk ahead! #courage

Slide 4

Slide 4 text

#mobiconf @vixentael Risks and threat models Trust models Analyze real app Protection methods ZKP Code samples Attack scenarios Security model future improvements

Slide 5

Slide 5 text

Why should we think more about security?

Slide 6

Slide 6 text

Why should we think more about security?
- Users trust Apple platform
- Users trust us

Slide 7

Slide 7 text

Most users trust sensitive data to our app regardless of how well we protect it

Slide 8

Slide 8 text

abstract app in a vacuum

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

security
security is a set of ultimatum rules
abstract app in a vacuum

Slide 11

Slide 11 text

security is a set of ultimatum rules
abstract app in a vacuum
real apps, real ecosystems

Slide 12

Slide 12 text

App Flow App Features Code User Problem

Slide 13

Slide 13 text

Risk Threat Model Secure Methods Secure Implementations Libs/Code App Flow App Features Code User Problem

Slide 14

Slide 14 text

It is secure

Slide 15

Slide 15 text

It is secure
It is secure against a certain threat model and adversary

Slide 16

Slide 16 text

https://twitter.com/mubix/status/745403991475904513

Slide 17

Slide 17 text

Risk Model & Threat Model create demands for security

Slide 18

Slide 18 text

Real world risks
- Data leak / data tampering
- Reputation risks
- Legal responsibility
- Financial damage

Slide 19

Slide 19 text

Risk impact
- data leakage (DL): Data is used/sold by someone
- data tampering (DT): Data is tampered and you’re operating on adversary’s plan
- identity theft: Identity/auth is used elsewhere

Slide 20

Slide 20 text

Risk prevention
- data leakage: confidentiality (secrecy)
- data tampering: integrity
- identity theft: authentication

Slide 21

Slide 21 text

Risk prevention (for us)
- Encryption w/ secret or PKC
- Limit access
- Signed encryption
- Protected transport with trust and integrity
- Authenticated encryption
- Action authentication
confidentiality (secrecy), integrity, authentication

Slide 22

Slide 22 text

Encryption is letting only those who know the secret access the data, no matter how they alter the code or the system (read Kerckhoffs's desideratum)

Slide 23

Slide 23 text

Trust model is whose secrets you trust in a security system

Slide 24

Slide 24 text

Everything is broken
Trust no one, but the user

Slide 25

Slide 25 text

Risks Trust model Threat model Methods and instruments

Slide 26

Slide 26 text

Now let’s apply this to a real app

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

What user hero has?
- secret data
- paranoia
- pa55w0rd
- trust

Slide 29

Slide 29 text

What user hero has?
- secret data
- paranoia
- pa55w0rd
- trust
- tin foil hat!

Slide 30

Slide 30 text

Let’s make an app!
for saving your important docs during trips

Slide 31

Slide 31 text

App functionality
- Take pictures of important documents
- Store them on server
- Lets user see them

Slide 32

Slide 32 text

Architecture and flow
user, app, network, server, storage

Slide 33

Slide 33 text

Threats we can handle
- T1/T4: data loss/tampering
- T2: passive MitM
- T3: active MitM

Slide 34

Slide 34 text

More complicated..
- T1/T4: data loss/tampering
- T2: passive MitM
- T3: active MitM
- T5: verbal key leak
- T6: phishing / social engineering
- T7: rubber-hose cryptanalysis
- T8: satellite imaging of sensitive input
- T9: EM emissions
- T10: sandbox escaping
- T11: misconfiguration
- T12: random generator abuse
- T13: random generator abuse
- T14: EM emissions and physical side channel
T15 physical access malicious dependency T19 storing keys with data T20 weak cipher random generator abuse T21 T16 misconfigured access T17 T18 unattended backups

Slide 35

Slide 35 text

Back to threats we can handle
- T1/T4: data loss/tampering
- T2: passive MitM
- T3: active MitM

Slide 36

Slide 36 text

Threats: T1/T4
attacker steals stored data or tampers with it

Slide 37

Slide 37 text

Threats: T1/T4
attacker steals stored data or tampers with it
Protection: Secret Key Crypto
Symmetric crypto for storing data. If user has no secret, he can’t read or change data.

Slide 38

Slide 38 text

Threats: T2
attacker captures network traffic (passive MitM)

Slide 39

Slide 39 text

Threats: T2
attacker captures network traffic (passive MitM)
Protection: Public Key Cryptography, ephemeral keys
Asymmetric crypto for sending data. Ephemeral keys to avoid decrypting accumulated traffic if keys are leaked/cracked.

Slide 40

Slide 40 text

Threats: T3
attacker redirects traffic and pretends to be remote party (active MitM)

Slide 41

Slide 41 text

Threats: T3
attacker redirects traffic and pretends to be remote party (active MitM)
Protection: Public Key Cryptography, certificate pinning
Asymmetric crypto for sending data. Check server certificate to make sure it matches the pinned one.

Slide 42

Slide 42 text

Protection methods
- T1/T4 data loss/tampering: Secret Key Crypto
- T2 passive MitM: PKC + ephem. keys
- T3 active MitM: PKC + cert. pinning

Slide 43

Slide 43 text

Trust model
Trust the user only
- Public Key Crypto
- Perfect Forward Secrecy
- Secret Key Crypto
- Authenticated Encryption
- Certificate Pinning

Slide 44

Slide 44 text

Relationship model plain data symmetric encryption PKC + eph. keys symmetric encryption PKC + eph. keys ZKP ZKP

Slide 45

Slide 45 text

add more paranoia!
…what if trapdoor function fails?
…what if key exchange is flawed?
…what if we suspect that server is fraudulent?

Slide 46

Slide 46 text

add more paranoia!
…what if trapdoor function fails?
…what if key exchange is flawed?
…what if we suspect that server is fraudulent?
Zero Knowledge Proof to the rescue!

Slide 47

Slide 47 text

ZKP is comparing shared secret without transmitting it
does not require the key exchange, does not leak password
https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html

Slide 48

Slide 48 text

So, data model:
- Secret key (SK) = KDF(user password)

Slide 49

Slide 49 text

So, data model:
- Secret key (SK) = KDF(user password)
- Sensitive Data (SD) — passport photo
- Metadata (M1) — timestamp+CRC of photo
- Metadata (M2) — name of photo (user input)

Slide 50

Slide 50 text

So, data model:
- Secret key (SK) = KDF(user password)
- Sensitive Data (SD) — passport photo
- Metadata (M1) — timestamp+CRC of photo
- Metadata (M2) — name of photo (user input)
- Mobile Key Pair (MKP) — private+public keys gen. inside app.
- Server Key Pair (SKP) — private+public keys gen. on server. App pins Server Public Key.

Slide 51

Slide 51 text

Pwd Key + Data model SD M1 M2 MKP SKP SK

Slide 52

Slide 52 text

User-centric trust Pwd MKP SKP SK symmetric encryption PKC + eph. keys KDF() Rand PKC + eph. keys Rand

Slide 53

Slide 53 text

App Flows

Slide 54

Slide 54 text

Crypto primitives*
- SCell: Symmetric crypto
- SSession: Asymmetric crypto based on ephemeral keys
- SComparator: ZKP implementation
*based on Themis crypto lib https://github.com/cossacklabs/themis

Slide 55

Slide 55 text

Send photo to server
prepare data
1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory

Slide 56

Slide 56 text

Send photo to server
prepare data
1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
transfer data
4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
5. Send EncData, M1, M2 via Session

Slide 57

Slide 57 text

Send photo to server
prepare data
1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
transfer data
4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
5. Send EncData, M1, M2 via Session
terminate session
6. Receive OK
7. Terminate Session
8. Mark EncData in Local Store as Synced

Slide 58

Slide 58 text

Send photo to server
prepare data
1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
transfer data
4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
5. Send EncData, M1, M2 via Session
terminate session
6. Receive OK
7. Terminate Session
8. Mark EncData in Local Store as Synced

Slide 59

Slide 59 text

Read photo from server
initialize connection
1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
2. Request EncData proof via ZKP:
   2.1 Send M1
   2.2 Request Server to prove he has M2 by performing SComparator(M2)

Slide 60

Slide 60 text

Read photo from server
initialize connection
1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
2. Request EncData proof via ZKP:
   2.1 Send M1
   2.2 Request Server to prove he has M2 by performing SComparator(M2)
transfer data
3. Receive EncData

Slide 61

Slide 61 text

Read photo from server
initialize connection
1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
2. Request EncData proof via ZKP:
   2.1 Send M1
   2.2 Request Server to prove he has M2 by performing SComparator(M2)
transfer data
3. Receive EncData
decrypt data
4. Request password from user
5. Decrypt data: SD = SCell_unwrap(EncData, SK, Context=M2)

Slide 62

Slide 62 text

Read photo from server
initialize connection
1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
2. Request EncData proof via ZKP:
   2.1 Send M1
   2.2 Request Server to prove he has M2 by performing SComparator(M2)
transfer data
3. Receive EncData
decrypt data
4. Request password from user
5. Decrypt data: SD = SCell_unwrap(EncData, SK, Context=M2)
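The data model and the wrap/unwrap steps of the two flows above, as an added example that is not code from the talk or from Themis: CryptoKit's AES-GCM stands in for SCell and CommonCrypto's PBKDF2 for the unspecified KDF. The function names, the salt handling, the iteration count and the sample values are assumptions; it needs iOS 13 / macOS 10.15 or later.

```swift
import CommonCrypto
import CryptoKit
import Foundation

enum VaultError: Error { case kdfFailed }

// SK = KDF(user password). PBKDF2-HMAC-SHA256 with a random salt; the salt is
// not secret and is stored next to EncData (salt and round count are assumptions).
func deriveSK(password: String, salt: Data, rounds: UInt32 = 600_000) throws -> SymmetricKey {
    var derived = [UInt8](repeating: 0, count: 32)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2), password, password.utf8.count,
        [UInt8](salt), salt.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds, &derived, derived.count)
    guard status == Int32(kCCSuccess) else { throw VaultError.kdfFailed }
    return SymmetricKey(data: derived)
}

// EncData = wrap(SD, SK, Context = M2). M2 is authenticated but not encrypted,
// so EncData only opens together with the photo name it was sealed under.
func wrap(sd: Data, sk: SymmetricKey, m2: Data) throws -> Data {
    let box = try AES.GCM.seal(sd, using: sk, authenticating: m2)
    return box.combined!  // nonce + ciphertext + tag; non-nil with the default 12-byte nonce
}

// SD = unwrap(EncData, SK, Context = M2). Throws on any key, context or data mismatch.
func unwrap(encData: Data, sk: SymmetricKey, m2: Data) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: encData)
    return try AES.GCM.open(box, using: sk, authenticating: m2)
}

// True when unwrapping is rejected, which is the outcome threats T1/T4 require.
func isRejected(_ encData: Data, _ sk: SymmetricKey, _ m2: Data) -> Bool {
    do { _ = try unwrap(encData: encData, sk: sk, m2: m2); return false } catch { return true }
}

// Constructed sample values standing in for the password, M2 and SD.
let salt = Data((0..<16).map { _ in UInt8.random(in: 0...255) })
let m2 = Data("passport-main-page".utf8)
let sd = Data("constructed photo bytes".utf8)

let sk = try deriveSK(password: "pa55w0rd", salt: salt)
let encData = try wrap(sd: sd, sk: sk, m2: m2)
let roundTrip = try unwrap(encData: encData, sk: sk, m2: m2)
print("round trip ok:", roundTrip == sd)
// Wrong password: a different SK fails tag verification.
let wrongSK = try deriveSK(password: "guess", salt: salt)
print("wrong password rejected:", isRejected(encData, wrongSK, m2))
// Ciphertext presented under another photo name (context swap).
print("wrong M2 rejected:", isRejected(encData, sk, Data("visa".utf8)))
// Stored data tampered with: flip one bit of the last byte.
var tampered = encData
tampered[tampered.endIndex - 1] ^= 0x01
print("tampered data rejected:", isRejected(tampered, sk, m2))
```

Because the server only ever receives EncData, M1 and M2, none of these checks depend on trusting it; the key exists on the device only while the user's password is in memory.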

Slide 63

Slide 63 text

Code samples

Slide 64

Slide 64 text

Generate keys
    // Generating EC keys
    guard let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC) else {
        print("Error occurred while initializing object keyGeneratorEC")
        return
    }
    let privateKeyEC: NSData = keyGeneratorEC.privateKey
    let publicKeyEC: NSData = keyGeneratorEC.publicKey
https://github.com/cossacklabs/themis/wiki/Swift-Howto
https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift

Slide 65

Slide 65 text

Symmetric encryption
    let masterKeyData: NSData = self.generateMasterKey()
    guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
        print("Error occurred while initializing object cellSeal", #function)
        return
    }
    let message: String = "All your base are belong to us!"
    let context: String = "For great justice"
    var encryptedMessage: NSData = NSData()
    do {
        // context is optional parameter and may be ignored
        encryptedMessage = try cellSeal.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding),
                                                 context: context.dataUsingEncoding(NSUTF8StringEncoding))
        print("encryptedMessages = \(encryptedMessage)")
    } catch let error as NSError {
        print("Error occurred while encrypting \(error)", #function)
        return
    }
https://github.com/cossacklabs/themis/wiki/Swift-Howto
https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift

Slide 66

Slide 66 text

Symmetric decryption
    let masterKeyData: NSData = self.generateMasterKey()
    guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
        print("Error occurred while initializing object cellSeal", #function)
        return
    }
    let message: String = "All your base are belong to us!"
    let context: String = "For great justice"
    do {
        let decryptedMessage: NSData = try cellSeal.unwrapData(encryptedMessage,
                                                               context: context.dataUsingEncoding(NSUTF8StringEncoding))
        let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding)!
        print("decryptedMessage = \(resultString)")
    } catch let error as NSError {
        print("Error occurred while decrypting \(error)", #function)
        return
    }
https://github.com/cossacklabs/themis/wiki/Swift-Howto
https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift

Slide 67

Slide 67 text

Initialize Session
    guard let clientIdData: NSData = kClientId.dataUsingEncoding(NSUTF8StringEncoding),
        let clientPrivateKey: NSData = NSData(base64EncodedString: kClientPrivateKey,
                                              options: .IgnoreUnknownCharacters) else {
        print("Error occurred during base64 encoding", #function)
        return
    }
    self.transport = Transport()
    self.transport?.setupKeys(kServerId, serverPublicKey: kServerPublicKey)
    self.session = TSSession(userId: clientIdData, privateKey: clientPrivateKey, callbacks: self.transport)
https://github.com/cossacklabs/themis/wiki/Swift-Howto
https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift

Slide 68

Slide 68 text

Encrypt/Decrypt Session messages
    var encryptedMessage: NSData
    do {
        guard let wrappedMessage: NSData = try self.session?.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding)) else {
            print("Error occurred during wrapping message ", #function)
            return
        }
        encryptedMessage = wrappedMessage
    } catch let error as NSError {
        print("Error occurred while wrapping message \(error)", #function)
        completion(data: nil, error: error)
        return
    }
    //...
    do {
        guard let decryptedMessage: NSData = try self.session?.unwrapData(data),
            let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding) else {
            throw NSError(domain: "com.example", code: -3, userInfo: nil)
        }
        completion(data: resultString, error: nil)
    } catch let error as NSError {
        print("Error occurred while decrypting message \(error)", #function)
        completion(data: nil, error: error)
        return
    }
https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift

Slide 69

Slide 69 text

Make it tough even more

Slide 70

Slide 70 text

Enforce app security
- one password per photo
- user inputs password every time on photo access

Slide 71

Slide 71 text

Repeated auth
Use ZKP to prove that Server has M2 from any previous transfer
Received items: D1 D2 ... Dn
Synced items: D1 D2 ... Dn

Slide 72

Slide 72 text

Repeated auth
request ZKP(M1i)
select any Di, where Di = (EncData, M1, M2)
prove M2i
transfer Dn+1
compare M2i, on success
Received items: D1 D2 ... Dn
Synced items: D1 D2 ... Dn

Slide 73

Slide 73 text

The worst case scenario attacks

Slide 74

Slide 74 text

The worst scenario attacks
Active MitM without hacking the server:
Attacker does not have SKP.
Results:
SecureSession initialization fails. App doesn’t start transferring data to server at all.

Slide 75

Slide 75 text

The worst scenario attacks
Best active MitM + hack server:
Attacker seizes SKP from Server and pretends to be normal server by DNS spoofing or routing redirection.
Results:
Accumulates useless M1, M2 and lousy EncData.

Slide 76

Slide 76 text

The worst scenario attacks
Denial of Service:
Attacker floods server with requests / tons of data.
Results:
Server may be flooded. Monitor all the things!

Slide 77

Slide 77 text

Finalizing…

Slide 78

Slide 78 text

Crypto is very expensive!!11
* hardware support (AES)
* scripted language and questionable frameworks affect performance as much as running the expensive math, if not more
* endorse crypto everywhere to make it more cheap :)
(it is not)
https://www.cossacklabs.com/benchmarking-secure-comparator.html

Slide 79

Slide 79 text

Apple enforces good security practices
iOS 10
- use HTTPS everywhere!
- add purpose strings for accessing private data
- drop TLS < 1.2
read more about Apple security care in Additional reading section
https://developer.apple.com/videos/play/wwdc2016/706/
http://useyourloaf.com/blog/privacy-settings-in-ios-10/
https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/

Slide 80

Slide 80 text

Apple enforces good security practices
https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf

Slide 81

Slide 81 text

Key points!
- Security is a system, not a set of methods
- You may need to re-read these slides when you plan your next app
- User-centric trust is simple to implement, yet almost impossible to hack

Slide 82

Slide 82 text

My other security talks
- Upgrading Approaches to the Secure Mobile Architectures: https://medium.com/@vixentael/upgrading-approaches-to-the-secure-mobile-architectures-7a8fcb10d28a#.ffbsjwqx6
- Data Protection For Mobile Client-Server Architectures: https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a
- Users' data security in iOS applications: https://speakerdeck.com/vixentael/users-data-security-in-ios-applications

Slide 83

Slide 83 text

Additional reading by Apple
- How iOS Security Really Works: https://developer.apple.com/videos/play/wwdc2016/705/
- What's New in Security: https://developer.apple.com/videos/play/wwdc2016/706/
- Behind the Scenes with iOS Security: https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
- Engineering Privacy for Your Users: https://developer.apple.com/videos/play/wwdc2016/709/

Slide 84

Slide 84 text

Additional reading by smarties
- Getting Ready for ATS Enforcement in 2017: https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
- Privacy Settings in iOS 10: http://useyourloaf.com/blog/privacy-settings-in-ios-10/
- Zero Knowledge Protocols Without Magic: https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
- Technical Analysis of Pegasus Spyware: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
- Side effect of Pegasus malware: https://medium.com/@9gunpi/side-effects-of-pegasus-malware-32c9a112ec1c

Slide 85

Slide 85 text

The last slide
@vixentael
Lead Developer at stanfy.com
Core Contributor at themis / cossacklabs.com
Need help? Talk to me :)