Slide 1

Slide 1 text

X THINGS YOU NEED TO KNOW before Implementing Cryptography @vixentael

Slide 2

Slide 2 text

@vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

https://habr.com/post/418851/

Slide 5

Slide 5 text

https://habr.com/post/418851/
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

Slide 6

Slide 6 text

https://habr.com/post/418851/
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/

Slide 7

Slide 7 text

https://habr.com/post/418851/
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/
and so on! @vixentael

Slide 8

Slide 8 text

RISKS TO DATA
- reputation risks (Equifax)
- legal responsibility (GDPR)
- competitors
- operations (Facebook)
https://www.cossacklabs.com/blog/gdpr-for-engineers.html

Slide 9

Slide 9 text

financial damage

Slide 10

Slide 10 text

MILLIONS OF RECORDS LEAKED PER MONTH
[chart: records leaked per month, February to September; y-axis 0 to 1,000 mln records]
https://www.itgovernance.co.uk/blog/category/cyber-security/ @vixentael

Slide 11

Slide 11 text

https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/ @vixentael

Slide 12

Slide 12 text

@vixentael https://www.wired.com/story/2018-worst-hacks-so-far/
- credentials
- geo-locations
- health data
- financial data
- kids' locations
- cars: remote control
- sex toys: remote control

Slide 13

Slide 13 text

@vixentael WHO TELLS YOU TO MAKE SECURE APPS? – NO ONE.

Slide 14

Slide 14 text

@vixentael 1. Follow best practices. 2. Talk to professionals.

Slide 15

Slide 15 text

LET’S GO!

Slide 16

Slide 16 text

Attackers can find ways to bypass security measures. @vixentael

Slide 17

Slide 17 text

Encryption – walls & gates. @vixentael

Slide 18

Slide 18 text

@vixentael

Slide 19

Slide 19 text

Harden all the things! @vixentael

Slide 20

Slide 20 text

- protecting privacy
- passwords & auth
- plaintext secrets
- transport
- dependencies

Slide 21

Slide 21 text

gdpr-info.eu/art-4-gdpr/ SENSITIVE DATA @vixentael

Slide 22

Slide 22 text

developer.apple.com/app-store/review/rejections/ Caring about user data prevents rejections. @vixentael

Slide 23

Slide 23 text

@vixentael http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/
NEW APP STORE PRIVACY POLICY
- minimize the data you collect
- be transparent about how you use the data
- protect stored and in-transit data
- remove data fully and quickly

Slide 24

Slide 24 text

PROTECTING PRIVACY

Slide 25

Slide 25 text

Avoid sensitive data on screenshots. @vixentael

Slide 26

Slide 26 text

developer.apple.com @vixentael

Slide 27

Slide 27 text

screenshieldkit.com There’s a lib for that! @vixentael

Slide 28

Slide 28 text

UNHEALTHY PERMISSIONS
hello, Felix!
krausefx.com/blog/ios-privacy-watchuser-access-both-iphone-cameras-any-time-your-app-is-running @vixentael

Slide 29

Slide 29 text

twitter.com/Viss/status/987028660585578496
Minimize the amount of data your app works with. @vixentael

Slide 30

Slide 30 text

PASSWORD RULES

Slide 31

Slide 31 text

INPUT VALIDATION
- check length
- escape SQL
- validate on both sides
littlemaninmyhead.wordpress.com/2018/02/18/secure-coding-understanding-input-validation/ @vixentael
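The three rules above in one place, as an added Python example (not code from the talk): a length check that the client and the server both run, and a database lookup that hands the value to the driver as a bound parameter instead of escaping quotes by hand, which is what "escape SQL" is meant to protect against. The table, the rows and the 64-character limit are constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed limit for this example: the username field of a sign-in form.
MAX_USERNAME_LEN = 64


def validate_username(value: str) -> bool:
    """Length and character check.

    Run the same rule on the client (fast feedback) and on the server (the copy
    that actually matters, since the client copy can be bypassed).
    """
    return (
        0 < len(value) <= MAX_USERNAME_LEN
        and value.isprintable()
        and value == value.strip()
    )


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> Optional[Tuple[int, str]]:
    """Look a user up by name with a parameterised query.

    The value travels to the driver separately from the SQL text, so quotes or
    other SQL syntax inside it are treated as data; nothing is escaped by hand.
    Input that fails validation is rejected before the query runs at all.
    """
    if not validate_username(username):
        raise ValueError("username rejected by validation")
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(find_user(db, "alice"))    # (1, 'alice')
    print(find_user(db, "o'brien"))  # None: the apostrophe is just part of the name
```

The apostrophe case is the one worth keeping in your tests: with a parameterised query it is an ordinary character, so a legitimate name like o'brien neither errors nor changes the query.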

Slide 32

Slide 32 text

from twitter (not like this) @vixentael USE GOOD PASSWORD RULES

Slide 33

Slide 33 text

from twitter (not like this) USE GOOD PASSWORD RULES @vixentael

Slide 34

Slide 34 text

(not like this) USE GOOD PASSWORD RULES @vixentael

Slide 35

Slide 35 text

MORE LIKE THESE:
- Use a long phrase (16+ characters).
- Disallow typical passwords.
- Promote password manager usage.
well_known_comics_about_horse.png
owasp.org/index.php/Talk:Password_length_&_complexity @vixentael
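A server-side checker for exactly these rules, as an added example (not from the talk): minimum length 16, a deny list of typical passwords, and no composition rules. The deny list and the leet-substitution table are constructed for the example; a real deployment would check against a breached-password corpus such as the Pwned Passwords set.

```python
from typing import List

# Constructed deny list standing in for a real breached-password corpus;
# a deployment would check a far larger set.
COMMON_PASSWORDS = {
    "password", "passwordpassword", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "welcome", "admin", "correct horse battery staple",
}
MIN_LENGTH = 16

# Common substitutions undone before the deny-list lookup, so that
# "P@ssw0rdP@ssw0rd" is caught as "passwordpassword".
_LEET = str.maketrans({
    "@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i", "4": "a",
})


def normalize(password: str) -> str:
    return password.casefold().translate(_LEET)


def check_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Rules follow the slide: length 16+ and no typical passwords. There are no
    composition rules (uppercase, digit, symbol): those push people toward
    predictable patterns and away from long passphrases.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rdP@ssw0rd", "Tr0ub4dor&3", "my cat walks across the keyboard"):
        print(repr(candidate), check_password(candidate))
```

Run the same function on the client for instant feedback, but treat the server's verdict as the only one that counts.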

Slide 36

Slide 36 text

AUTHORIZATION & AUTHENTICATION

Slide 37

Slide 37 text

DARK AUTH PATTERNS
Avoid asking the user for their password all the time.
krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Slide 38

Slide 38 text

BETTER AUTH
TouchID/FaceID & 2FA
owasp.org/index.php/Mobile_Top_10_2016-M4-Insecure_Authentication
michael-brown.net/2018/touch-id-and-face-id-on-ios

Slide 39

Slide 39 text

BETTER AUTH
SFAuthenticationSession
twitter.com/ay8s/status/885230327441915904
developer.apple.com/documentation/safariservices/sfauthenticationsession

Slide 40

Slide 40 text

BETTER AUTH
Password Autofill
medium.com/@abhimuralidharan/password-autofill-for-ios-apps-for-faster-login-ios-11-1d9f77deb35a

Slide 41

Slide 41 text

BETTER AUTH iOS12 https://nshipster.com/ios-12/
// sign-up form: let the system suggest and store a strong password
textField.textContentType = .newPassword
textField.passwordRules = .init(descriptor: "allowed: ascii-printable; minlength: 8;")
// one-time-code field: autofill the SMS code
textField.textContentType = .oneTimeCode

Slide 42

Slide 42 text

MAKE AUTH BETTER!
- Password Autofill
- Single Sign-On
- SFAuthenticationSession
- Ask for the password on sensitive screens
- TouchID/FaceID & 2FA
@vixentael

Slide 43

Slide 43 text

objective-see.com/blog/blog_0x24.html AUTH BUGS: DOUBLE SPACE Test your login flow @vixentael

Slide 44

Slide 44 text

PLAINTEXT SECRETS

Slide 45

Slide 45 text

facebook.com/vstyran/posts/10156368247887372 rabota.ua stored all passwords ‘very well encrypted’. @vixentael STORING SECRETS IN PLAINTEXT

Slide 46

Slide 46 text

Avoid storing sensitive plaintext.
- passwords
- document pictures
- license plates
- SSNs
- credit cards
- health data
- home address
- passport number
- phone number
@vixentael

Slide 47

Slide 47 text

LOGGING SECRETS IN PLAINTEXT
mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext-password-found-in-another-more-persistent-macos-log-file
/var/log/install.log @vixentael

Slide 48

Slide 48 text

LOGGING SECRETS IN PLAINTEXT @vixentael
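The install.log story is a log line that carried a password because nothing between the code and the log file stopped it. As an added example (not from the talk), a Python logging filter that sits on the logger and redacts secret-looking values before any handler, file or crash reporter, writes them. The patterns and the in-memory handler are constructed for the example; extend the patterns for your own token formats.

```python
import logging
import re
from typing import List, Tuple

# Shapes of values that must never reach a log file. Constructed for this
# example; add your own token formats.
_KEY_VALUE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)(\S+)"
)
_BEARER = re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)")


def redact(text: str) -> str:
    """Replace secret values in a message with a placeholder, keeping the key names."""
    text = _KEY_VALUE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    text = _BEARER.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record before any handler sees it.

    Attached to the logger rather than to one handler, so every handler
    (file, syslog, crash reporter) receives the redacted text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format args first, then redact
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def make_logger(name: str) -> Tuple[logging.Logger, ListHandler]:
    """Logger with the redacting filter and an in-memory sink (constructed setup)."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, handler


if __name__ == "__main__":
    log, sink = make_logger("app")
    log.info("login for %s password=%s", "alice", "hunter2")
    log.info("Authorization: Bearer eyJhbGciOi.constructed.token")
    print("\n".join(sink.lines))
```

A filter like this is a safety net, not the fix: the fix is never passing the secret to the logger. The net catches the call someone adds in a hurry during debugging.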

Slide 49

Slide 49 text

CHECK YOUR SOURCE CODE cfpb/clouseau Automate checking code for forgotten secrets. @vixentael

Slide 50

Slide 50 text

NOT ALL CODE SHOULD BE PUBLISHED
motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak @vixentael

Slide 51

Slide 51 text

DO NOT COMMIT KEYS
Avoid publishing keys.
keys.plist → .gitignore
medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949
shanirivers.me/posts/hiding-your-api-keys-for-ios-projects
orta/cocoapods-keys
awslabs/git-secrets
@vixentael
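What the "automate checking code for forgotten secrets" slide and the keys.plist rule look like as a pre-commit check, as an added Python example (not code from the talk, cfpb/clouseau or awslabs/git-secrets). The repository snapshot, the key values in it and the file-name list are constructed; the AWS access-key-id pattern is the one git-secrets registers with `git secrets --register-aws`, the other rule is a generic "secret assigned to a string literal" check.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshot of a repository: path -> file contents.
SAMPLE_REPO: Dict[str, str] = {
    "Sources/Network/APIClient.swift": (
        'let baseURL = "https://api.example.com"\n'
        'let apiKey = "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"\n'  # constructed value
    ),
    "Config/keys.plist": (
        "<plist><dict><key>aws</key>"
        "<string>AKIAEXAMPLEEXAMPLE00</string></dict></plist>\n"  # constructed value
    ),
    "README.md": "Set API_KEY in your environment before building.\n",
    ".gitignore": "build/\n",
}

# First rule: AWS access-key-id shape (as registered by `git secrets --register-aws`).
# Second rule: a secret-ish name assigned a long string literal.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws-access-key-id",
     re.compile(r"\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b")),
    ("secret-assigned-to-literal",
     re.compile(r'(?i)\b(api[_-]?key|secret|token|password)\s*=\s*"[^"]{16,}"')),
]

# Files that hold keys and belong in .gitignore, never in a commit (constructed list).
KEY_FILE_NAMES = ("keys.plist", ".env", "secrets.json")


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, rule name) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, rule_name))
                break  # one finding per line is enough
    return findings


def scan_repo(repo: Dict[str, str]) -> List[Tuple[str, int, str]]:
    findings = []
    for path, text in repo.items():
        findings.extend(scan_text(path, text))
    return findings


def unignored_key_files(repo: Dict[str, str]) -> List[str]:
    """Key files present in the tree but not listed in .gitignore."""
    ignored = {ln.strip() for ln in repo.get(".gitignore", "").splitlines() if ln.strip()}
    hits = []
    for path in repo:
        name = path.rsplit("/", 1)[-1]
        if name in KEY_FILE_NAMES and path not in ignored and name not in ignored:
            hits.append(path)
    return hits


def pre_commit_ok(repo: Dict[str, str]) -> bool:
    """What a pre-commit hook would return: True only when nothing was found."""
    return not scan_repo(repo) and not unignored_key_files(repo)


if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print("secret:", finding)
    for path in unignored_key_files(SAMPLE_REPO):
        print("key file not ignored:", path)
    print("commit allowed:", pre_commit_ok(SAMPLE_REPO))
```

Regex rules only catch what they know about; run the check in CI as well as locally, and treat any hit as "rotate the key", since once it is in history a revert does not un-publish it.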

Slide 52

Slide 52 text

TRANSPORT SECURITY

Slide 53

Slide 53 text

NSAppTransportSecurity → NSAllowsArbitraryLoads
NSAppTransportSecurity → NSAllowsArbitraryLoadsInWebContent
agostini.tech/2018/04/01/ios-application-security-part-five-app-transport-security-ats/ @vixentael

Slide 54

Slide 54 text

WELL-CONFIGURED SSL
- private keys: RSA-2048, ECDSA-256
- obtain certificate from a reliable CA
- use TLS v1.3-v1.2
- use secure cipher suites, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅
- enable Forward Secrecy ✅
- enable HSTS (web)
github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices @vixentael

Slide 55

Slide 55 text

SSL PINNING
owasp.org/index.php/Pinning_Cheat_Sheet @vixentael

Slide 56

Slide 56 text

SSL PINNING
infinum.co/the-capsized-eight/ssl-pinning-revisited
let serverTrustPolicies: [String: ServerTrustPolicy] = [
    "mydomain.com": .pinPublicKeys(
        publicKeys: ServerTrustPolicy.publicKeys(),
        validateCertificateChain: true,
        validateHost: true
    )
]
let sessionManager = SessionManager(
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
@vixentael

Slide 57

Slide 57 text

SSL IS NOT ENOUGH: WOSIGN STORY
schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com @vixentael

Slide 58

Slide 58 text

SSL IS NOT ENOUGH: WOSIGN STORY
security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
support.apple.com/en-us/HT204132 @vixentael

Slide 59

Slide 59 text

BREAKING SSL PINNING
https://habr.com/post/424485/
https://medium.com/@kennethpoon/lets-write-swift-code-to-intercept-ssl-pinning-https-requests-12446303cc9d @vixentael

Slide 60

Slide 60 text

ENCRYPT OVER SSL
transport = Transport()
transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
session = TSSession(userId: clientIdData, privateKey: clientPrivateKeyData, callbacks: transport!)
startSession(clientId: clientId, message: connectionMessage)
github.com/cossacklabs/themis/wiki/Swift-Howto#secure-session @vixentael

Slide 61

Slide 61 text

3RD PARTY CODE

Slide 62

Slide 62 text

DOWNLOAD LIBS / IDE
- use HTTPS / VPN ✅
- check certificate
- check hash-sum
- clone & build from source
Do you really need that lib? GDPR
krausefx.com/blog/trusting-sdks @vixentael

Slide 63

Slide 63 text

CHECK 3RD PARTY LIBRARIES
- Monitor & fix critical bugs
- Update if any security patch
- Update if any privacy change (GDPR)
- Automate all the checks
@vixentael

Slide 64

Slide 64 text

snyk.io/ whitesourcesoftware.com/ @vixentael

Slide 65

Slide 65 text

OTHER THINGS TO DO #uikonf @vixentael

Slide 66

Slide 66 text

OBFUSCATION
- store as HEX
- replace chars
- rename files to .mp3
- combine from pieces
- inline keys: .xib / .nib, API urls (pjebs/Obfuscator-iOS)
- rename important methods / constants (preemptive/PPiOS-Rename)
@vixentael

Slide 67

Slide 67 text

DO NOT FORGET ABOUT
- firewalls
- IDS
- SIEM
- fake targets / honey pots
- poison records
@vixentael

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

Now, after the easy things are done, it’s time for cryptography! @vixentael

Slide 70

Slide 70 text

cryptography!
- storage encryption
- transport encryption
- key management
@vixentael

Slide 71

Slide 71 text

Libraries by use case (Storage / Transport):
Works with multiple platforms, storage: themis, libsodium, tink
Works with multiple platforms, transport: TLS, themis, libsodium, OTRKit
Works with iOS/macOS only, storage: CryptoSwift, RNCryptor, CommonCrypto
https://www.cossacklabs.com/choose-your-ios-crypto.html @vixentael

Slide 72

Slide 72 text

LAST BUT NOT LEAST

Slide 73

Slide 73 text

twitter.com/c_pellegrino/status/981409466242486272 DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :)

Slide 75

Slide 75 text

twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

Slide 77

Slide 77 text

KEY POINTS
Keep an eye on the sensitive data during the whole data flow.
- do not store
- do not collect
- remove fast

Slide 78

Slide 78 text

LINKS
- Secure mobile development: https://www.digitalinterruption.com/secure-mobile-development
- Mobile security testing guide: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
- Organization security for startups: https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
- Series of posts about security testing: https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a-testing-environment-for-ios-platform/

Slide 79

Slide 79 text

My other security slides: github.com/vixentael/my-talks

Slide 80

Slide 80 text

SECURITY WORKSHOPS
- Security Basics
- Enterprise Secure Architecture
- Secure Web apps
- Secure Software Development
- Secure Mobile apps

Slide 81

Slide 81 text

@vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

Slide 82

Slide 82 text

IMAGE CREDITS
www.flaticon.com
Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs