Slide 1

X THINGS YOU NEED TO KNOW before Implementing Cryptography
@vixentael

Slide 2

@vixentael, Product Engineer. Feel free to reach me with security questions. I do check my inbox :)





Slide 7

...and so on!

Slide 8

RISKS TO DATA
reputation risks (Equifax)
legal responsibility (GDPR)
competitors
operations (Facebook)

Slide 9

financial damage

Slide 10

[Chart: MILLION OF RECORDS LEAKED PER MONTH, February to September; y axis 0 to 1,000 mln records]

Slide 11

local-mattress-store-with-ransomware/

Slide 12

credentials
geo-locations
health data
financial data
kids' locations
remote control of cars
remote control of sex toys



Slide 14

1. Follow best practices.
2. Talk to professionals.



Slide 16

Attackers can find ways to bypass security measures.

Slide 17

Encryption – walls & gates.


Slide 19

Harden all the things!

Slide 20

protecting privacy
passwords & auth
plaintext secrets
transport
dependencies

Slide 21

SENSITIVE DATA

Slide 22

Caring about user data prevents rejections.

Slide 23

NEW APP STORE PRIVACY POLICY
- minimize the data you collect
- be transparent about how you use the data
- protect data at rest and in transit
- remove data fully and quickly
new-privacy-policy-what-you-need-to-know/



Slide 25

Avoid sensitive data on screenshots.


Slide 27

There’s a lib for that!

Slide 28

UNHEALTHY PERMISSIONS
hello, Felix!
iphone-cameras-any-time-your-app-is-running

Slide 29

Minimize the amount of data your app works with.



Slide 31

INPUT VALIDATION
check length ✋
escape SQL
validate on both sides
understanding-input-validation/

Slide 32

USE GOOD PASSWORD RULES
(not like this – examples from twitter)


Slide 35

MORE LIKE THESE:
Use a long passphrase (16+).
Disallow typical passwords.
Promote the use of password managers.
well_known_comics_about_horse.png
Talk:Password_length_&_complexity



Slide 37

DARK AUTH PATTERNS
Avoid asking for the user's password all the time.
stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Slide 38

BETTER AUTH
TouchID/FaceID & 2FA
Insecure_Authentication
and-face-id-on-ios

Slide 39

BETTER AUTH
SFAuthenticationSession
safariservices/sfauthenticationsession

Slide 40

BETTER AUTH
Password Autofill
for-ios-apps-for-faster-login-ios-11-1d9f77deb35a

Slide 41

BETTER AUTH (iOS 12)

    // Password AutoFill: mark the field that receives a newly created password,
    // so iOS offers to generate a strong one.
    passwordField.textContentType = .newPassword
    // Describe the backend's password policy (Apple's Password Rules syntax) so the
    // generated password is accepted.
    passwordField.passwordRules = UITextInputPasswordRules(descriptor: "allowed: ascii-printable; minlength: 8;")
    // A separate field for SMS one-time codes: iOS suggests the received code above the keyboard.
    codeField.textContentType = .oneTimeCode

Slide 42

MAKE AUTH BETTER!
Password Autofill
Single Sign-On
SFAuthenticationSession
Ask for the password on sensitive screens
TouchID/FaceID & 2FA

Slide 43

AUTH BUGS: DOUBLE SPACE
Test your login flow.



Slide 45

STORING SECRETS IN PLAINTEXT
stored all passwords ‘very well encrypted’.

Slide 46

Avoid storing sensitive plaintext.
passwords
document pictures
license plates
SSNs
credit cards
health data
home address
passport number
phone number

Slide 47

LOGGING SECRETS IN PLAINTEXT
/var/log/install.log
password-found-in-another-more-persistent-macos-log-file



Slide 49

CHECK YOUR SOURCE CODE
Automate checking code for forgotten secrets.
cfpb/clouseau

Slide 50

NOT ALL CODE SHOULD BE PUBLISHED
source-code-iboot-ios-leak

Slide 51

DO NOT COMMIT KEYS
Avoid publishing keys.
keys.plist → .gitignore
orta/cocoapods-keys
awslabs/git-secrets
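An added example, not from the talk and not the code of cfpb/clouseau or awslabs/git-secrets, of what "automate checking code for forgotten secrets" looks like in practice: a small scanner that combines known key formats with an entropy check and runs over a constructed keys.plist and a constructed Swift file. The file names, the sample values and the 4.0 bits/char threshold are assumptions.

```python
import math
import re
from collections import Counter

# Added example (not from the talk, cfpb/clouseau or awslabs/git-secrets): a small
# pre-commit style scanner for keys forgotten in source files and plists.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{8,})["']"""),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0                            # bits/char (assumed); random keys score ~4.5+

def shannon_entropy(token: str) -> float:
    """Bits per character; a token of 32 distinct characters scores exactly 5.0."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def find_secrets(text: str, source: str) -> list:
    """Return (source, line number, label) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        labels = [label for label, pat in SECRET_PATTERNS.items() if pat.search(line)]
        if not labels:  # no known format matched: fall back to randomness of long tokens
            if any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN_RE.findall(line)):
                labels.append("high-entropy string")
        findings.extend((source, lineno, label) for label in labels)
    return findings

def scan_files(files: dict) -> list:
    """files maps path -> contents, as a pre-commit hook would read them from the index."""
    return [f for path, text in files.items() for f in find_secrets(text, path)]

# Constructed sample inputs: a keys.plist that should have been in .gitignore and a Swift
# file with an inlined key. The AWS id is the example value from the AWS documentation.
SAMPLE_KEYS_PLIST = """<plist version="1.0"><dict>
  <key>AWSAccessKeyId</key><string>AKIAIOSFODNN7EXAMPLE</string>
  <key>PaymentToken</key><string>q7Zr2pLm9XvB4sTk8wNf1hYc3dGe5jUa</string>
  <key>Environment</key><string>production</string>
</dict></plist>"""
SAMPLE_SWIFT = """import Foundation
let apiKey = "c0ns7ruc73d-example-api-key-value"
let endpoint = URL(string: "https://api.example.com/v1")!"""

if __name__ == "__main__":
    hits = scan_files({"keys.plist": SAMPLE_KEYS_PLIST, "Config.swift": SAMPLE_SWIFT})
    for source, lineno, label in hits:
        print(f"{source}:{lineno}: possible {label}; move it out of the repository")
```

Wire scan_files into a pre-commit hook over the staged files and reject the commit when it returns anything.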



Slide 53

NSAppTransportSecurity → NSAllowsArbitraryLoads
NSAppTransportSecurity → NSAllowsArbitraryLoadsInWebContent
app-transport-security-ats/

Slide 54

WELL-CONFIGURED SSL
private keys: RSA-2048, ECDSA-256
obtain the certificate from a reliable CA
use TLS v1.2 or v1.3
use secure cipher suites, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅
enable Forward Secrecy ✅
enable HSTS (web)
Deployment-Best-Practices
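The checklist above applied to a Python ssl context, as an added example that is not part of the talk: TLS 1.2 as the floor, only ECDHE/AEAD suites (the slide's TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is ECDHE-ECDSA-AES256-GCM-SHA384 in OpenSSL naming), and a check that no enabled suite lacks forward secrecy, shown beside a lax context for comparison. The function names and the cipher string are my own choices.

```python
import ssl

# Added example (not from the talk): the slide's TLS checklist applied to an
# ssl.SSLContext, plus a check that no suite without forward secrecy survives.

# Only ECDHE key exchange with AEAD ciphers, so every TLS 1.2 suite offers forward
# secrecy. ECDHE+AESGCM includes ECDHE-ECDSA-AES256-GCM-SHA384, the suite the slide names.
SECURE_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"

def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """Context for a client (default) or a server that follows the checklist."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 off; 1.2 and 1.3 stay on
    ctx.set_ciphers(SECURE_CIPHERS)                 # TLS 1.3 suites are AEAD + (EC)DHE anyway
    if not server_side:
        ctx.check_hostname = True                   # the default context sets these; be explicit
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def suites_without_forward_secrecy(ctx: ssl.SSLContext) -> list:
    """Names of enabled TLS 1.2 suites whose key exchange is static RSA/DH/PSK (no PFS)."""
    weak = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue   # every TLS 1.3 suite uses ephemeral (EC)DHE
        if not suite["name"].startswith(("ECDHE-", "DHE-")):
            weak.append(suite["name"])
    return weak

def lax_context() -> ssl.SSLContext:
    """The weak setting beside the corrected one: everything OpenSSL knows, for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx

if __name__ == "__main__":
    print("hardened, no-PFS suites:", suites_without_forward_secrecy(hardened_context()))
    print("lax, no-PFS suites:", suites_without_forward_secrecy(lax_context())[:5], "...")
```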

Slide 55

SSL PINNING

Slide 56

SSL PINNING (Alamofire)

    // Pin the public keys of the certificates bundled with the app (.cer files in the main bundle).
    let serverTrustPolicies: [String: ServerTrustPolicy] = [
        "": .pinPublicKeys(                      // key: host name of the pinned server
            publicKeys: ServerTrustPolicy.publicKeys(),
            validateCertificateChain: true,      // keep chain validation on top of the pin
            validateHost: true
        )
    ]
    let sessionManager = SessionManager(
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )

Slide 57

SSL IS NOT ENOUGH: WOSIGN STORY
certificate-for-github-com

Slide 58

SSL IS NOT ENOUGH: WOSIGN STORY
distrusting-wosign-and-startcom.html

Slide 59

BREAKING SSL PINNING
intercept-ssl-pinning-https-requests-12446303cc9d

Slide 60

ENCRYPT OVER SSL (Themis Secure Session)

    // Transport callbacks: map the server id to its public key for the session.
    transport = Transport()
    transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
    // Client-side session bound to the client's own private key.
    session = TSSession(userId: clientIdData, privateKey: clientPrivateKeyData, callbacks: transport!)
    // Handshake runs inside the TLS connection; application data is encrypted end to end afterwards.
    startSession(clientId: clientId, message: connectionMessage)



Slide 62

DOWNLOAD LIBS / IDE
use HTTPS / VPN ✅
check the certificate
check the hash-sum
clone & build from source
Do you really need that lib? (GDPR)

Slide 63

CHECK 3RD PARTY LIBRARIES
Monitor & fix critical bugs
Update if there is a security patch
Update if there is a privacy change (GDPR)
Automate all the checks


Slide 65

OTHER THINGS TO DO
#uikonf

Slide 66

OBFUSCATION
.xib / .nib, inline keys, API urls:
store as HEX
replace chars
rename files to .mp3
combine from pieces
pjebs/Obfuscator-iOS
rename important methods / constants
preemptive/PPiOS-Rename

Slide 67

DO NOT FORGET ABOUT
firewalls
IDS
SIEM
fake targets / honey pots
poison records


Slide 69

Now, after the easy things are done, it’s time for cryptography!

Slide 70

cryptography!
storage encryption
transport encryption
key management

Slide 71

                             Storage                               Transport
Multi-platform               themis, libsodium, tink               TLS, themis, libsodium, OTRKit
Works with iOS/macOS only    CryptoSwift, RNCryptor, CommonCrypto


Slide 77

KEY POINTS
Keep an eye on the sensitive data during the whole data flow:
do not store
do not collect
remove fast

Slide 78

LINKS
Secure mobile development
Mobile security testing guide
Organization security for startups
Series of posts about security testing
testing-environment-for-ios-platform/

Slide 79

My other security slides
my-talks

Slide 80

SECURITY WORKSHOPS
Security Basics
Enterprise Secure Architecture
Secure Web apps
Secure Software Development
Secure Mobile apps

Slide 81

@vixentael, Product Engineer. Feel free to reach me with security questions. I do check my inbox :)

Slide 82

IMAGE CREDITS
Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs