Data transfer security for mobile apps what the fish doesn’t notice in the ocean? #mddaylviv2015 @vixentael

There ain’t enough talks about security

Apple Security Guide Every program is a potential target. Your customers’ property and your reputation are at stake. https://developer.apple.com/library/mac/documentation/Security/ Conceptual/SecureCodingGuide/Introduction.html data transfer security for mobile apps #mddaylviv2015 @vixentael

3 kinds of data to protect Data in storage Data in memory Data in motion data transfer security for mobile apps #mddaylviv2015 @vixentael

Data in motion: what could possibly go wrong

Communication with server. Usually. data transfer security for mobile apps #mddaylviv2015 @vixentael

Imagine little fish... data transfer security for mobile apps #mddaylviv2015 @vixentael

...in the ocean of threats

active eavesdropping data leakage evil twin replay attack ...in the ocean of threats

* SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM * Intercepting the App Store's Traffic on iOS http://bit.ly/1H3xMrs One proxy to rule ‘em all!

Attack reasons Many apps use HTTP* data transfer security for mobile apps #mddaylviv2015 @vixentael *iOS9 ATS will decrease this number

Attack reasons Many apps use HTTP* Some apps use HTTPS data transfer security for mobile apps #mddaylviv2015 @vixentael *iOS9 ATS will decrease this number

Attack reasons Many apps use HTTP* Some apps use HTTPS Few apps encrypt user’s data *iOS9 ATS will decrease this number data transfer security for mobile apps #mddaylviv2015 @vixentael

Why is this happening?

1. Security is hard. STACKOVERFLOW!

Let’s StackOverflow! http://stackoverflow.com/a/21826729 data transfer security for mobile apps #mddaylviv2015 @vixentael

Weird padding http://stackoverflow.com/a/21826729 data transfer security for mobile apps #mddaylviv2015 @vixentael

2. Software is buggy

Remove padding! http://stackoverflow.com/a/26147479 data transfer security for mobile apps #mddaylviv2015 @vixentael

Omg WTF is going on WTF http://stackoverflow.com/a/26147479 WTF WTF data transfer security for mobile apps #mddaylviv2015 @vixentael

3. Illusion of safety is still a illusion data transfer security for mobile apps #mddaylviv2015 @vixentael #define kUserPassword @“1111111”

Armoring your fish

Realize security risks data transfer security for mobile apps #mddaylviv2015 @vixentael

Amateurs Produce Amateur Cryptography Anyone can invent a security system that he himself cannot break — Schneier's Law https://www.schneier.com/blog/archives/ 2011/04/schneiers_law.html data transfer security for mobile apps #mddaylviv2015 @vixentael

Do not re-implement existing things data transfer security for mobile apps #mddaylviv2015 @vixentael

Security is a system, not a pluggable library

Build stout architecture data transfer security for mobile apps #mddaylviv2015 @vixentael

Build stout architecture cryptolib key management data transfer security for mobile apps #mddaylviv2015 @vixentael

Use great tools Themis https://github.com/cossacklabs/themis RNCryptor https://github.com/RNCryptor/RNCryptor MIHCrypto https://github.com/hohl/MIHCrypto OTRKit https://github.com/ChatSecure/OTRKit libsodium/NaCL https://github.com/mochtu/libsodium-ios scientific background trust big guys good track record data transfer security for mobile apps #mddaylviv2015 @vixentael

No content

Use SSL? Do it right! https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet ✤use long keys ✤remove backward compatibility ✤use good ciphers (EC vs RSA) ✤SSL pinning ✤use cheat sheet https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html SSL has a lot of problems To survive you need to: data transfer security for mobile apps #mddaylviv2015 @vixentael

TLS/SSL in short data transfer security for mobile apps #mddaylviv2015 @vixentael

Where can it break? data transfer security for mobile apps #mddaylviv2015 @vixentael

SSL pinning data transfer security for mobile apps #mddaylviv2015 @vixentael

SSL pinning on iOS https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/ https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile- applications/ - (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge: (NSURLAuthenticationChallenge *)challenge { SecTrustRef serverTrust = challenge.protectionSpace.serverTrust; id sender = challenge.sender; SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0); NSData * remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate)); NSString * cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"]; NSData * localCertData = [NSData dataWithContentsOfFile:cerPath]; if ([remoteCertificateData isEqualToData:localCertData]) { NSURLCredential * credential = [NSURLCredential credentialForTrust:serverTrust]; [sender useCredential:credential forAuthenticationChallenge:challenge]; } else { [sender cancelAuthenticationChallenge:challenge]; } } data transfer security for mobile apps #mddaylviv2015 @vixentael

SSL pinning more easy :) Swift lib for HTTPS with SSL pinning https://github.com/johnlui/Pitaya/wiki let  certData  =  NSData(contentsOfFile:   NSBundle.mainBundle().pathForResource("lvwenhancom",  ofType:  "cer")!)!
 ...  ...
 .addSSLPinning(LocalCertData:  certData)  {  ()  -­‐>  Void  in
        print("Under  Man-­‐in-­‐the-­‐middle  attack!")
 } data transfer security for mobile apps #mddaylviv2015 @vixentael

How to achieve the solution

Let’s imagine chatting app simple API authentication meaningfull communication confidentiality thread data transfer security for mobile apps #mddaylviv2015 @vixentael

Securing app step by step 1. HTTPS everywhere 2. SSL pinning 3. Encrypt messages by persistent keys data transfer security for mobile apps #mddaylviv2015 @vixentael

Securing app step by step 1. HTTPS everywhere ----> SSL/TLS has lots of bugs and bad crypto 2. SSL pinning ----> is not a panacea 3. Encrypt messages by persistent keys ----> can be easily cracked data transfer security for mobile apps #mddaylviv2015 @vixentael

No content

Securing in a more proper way perfect forward secrecy use good ciphers data transfer security for mobile apps #mddaylviv2015 @vixentael

Using ephemeral key data transfer security for mobile apps #mddaylviv2015 @vixentael

How to achieve it easily https://github.com/cossacklabs/themis 1. establish session 2. encrypt message with SecureSession before sending 3. decrypt message after receive 4. encrypt history with SecureCell data transfer security for mobile apps #mddaylviv2015 @vixentael

How to achieve it easily https://github.com/cossacklabs/mobile- websocket-example data transfer security for mobile apps #mddaylviv2015 @vixentael

Security is hard, but if you’re smart, security is not so hard :)

The last slide @vixentael iOS developer at stanfy.com [creating awesome mobile and IoT apps]

To read ★ CryptoCat iOS app security audit https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf ★ Why you should avoid SSL for your next application https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html ★ OAuth1, OAuth2, OAuth...? http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html

To watch youtube ★ All tasks of Moxie Marlinspike https://www.youtube.com/watch?v=ibF36Yyeehw https://www.youtube.com/watch?v=8N4sb-SEpcg https://www.youtube.com/watch?v=tOMiAeRwpPA

To read more slides ★ Securing iOS apps https://speakerdeck.com/mbazaliy/securing-ios-applications ★ Users' data security in iOS applications https://speakerdeck.com/vixentael/users-data-security-in-ios-applications ★ Reversing 101 https://speakerdeck.com/0xc010d/reversing-101