Swift-ly Secure

Transcript

1. Copyright © 2015 nVisium LLC · 590 Herndon Parkway Suite

   120, Herndon VA 20170 · 571.353.7551 · www.nvisium.com 1 Swift-ly Secure Seth Law

2. • Seth Law • VP of Research & Development @

   nVisium • Developer/Contributor - Swift.nV, Django.nV, SiRATool, RAFT • Hacker, AppSec Architect, Security Consultant • Soccer Hooligan Introduction
3. None

4. Your App

5. Hopefully, not your App

6. swift + security = ???

7. About Swift

8. • Good • The vulnerabilities inherent in C-Style languages are

   addressed in Swift functions. • Bad • Your code is only as secure as you make it. • Why yes, you can still make mistakes. What does this mean to you?
9. None

10. Houston, we have a problem

11. • Integer Overflows • Buffer Overflows* • Unvalidated Input •

    Race Conditions • Interprocess Communications • Access Control • Secure Storage/Encryption • XSS and Injection Security can still be an issue
12. None

13. • Integer Overflows • Buffer Overflows* • Unvalidated Input •

    Race Conditions • Interprocess Communications • Access Control • Secure Storage/Encryption • XSS and Injection Security is still a problem

14. • All comes down to trust • Trust you can

    defend against a reasonable level of attacker skill set • Trust you can recover from that which you cannot prevent • Your users can trust your product • Your product does not trust its users Security Mindset

15. • Vulnerabilities (OWASP) • Data Storage • Network Communications •

    Resources • Developer • Security Agenda

16. • Why? • Disclaimer Vulnerabilities

17. None

18. • M2 in OWASP Mobile Top 10 • Anything stored

    by the application • Data at rest • Majority of “mobile security” issues in the news • Swift calls to: Core Data, NSUserDefaults, Keychain, Documents, Cache Data Storage

19. Core Data

20. Core Data

21. None

22. NSUserDefaults

23. • Newer iOS versions (starting with 8.3) limit access to

    the filesystem. • Don’t forget the backups! • Jailbreaking is not generally recommended • Gives root access to the device • And filesystem Data Storage
24. None
25. None

26. • Encryption • No sensitive data in Property Lists •

    Secure storage in the Keychain • https:/ /github.com/square/Valet • Plan for the worst. Data Storage - Defense

27. Is your app under siege?

28. • M3 - Insufficient Transport Layer Protection • iOS 9

    defaults to encrypted communications • Are the communication mechanisms secure? • What level of encryption should be used? Network Communications
29. None

30. Lack of Encryption

31. • iOS 9 now defaults to encrypted communications for apps,

    unless disabled… Lack of Encryption
32. None

33. Self-signed Certificates

34. • Defense • Encrypt! • Good: Internal CA • Better:

    External CA • Best: Cert Pinning • TLS1.2, please. Network Communications

35. • Swift Toolbox • github • stack overflow? • OWASP

    • Swift.nV - Example App Resources

36. Swift Toolbox

37. Swift Toolbox

38. Swift Toolbox

39. Swift Toolbox

40. github

41. github

42. github

43. Stack Overflow

44. OWASP Mobile Top 10 Risks

45. • Open Source Training Tool • Intentionally Vulnerable • https:/

    /github.com/nVisium/Swift.nV Swift.nV

46. Copyright © 2015 nVisium LLC · 590 Herndon Parkway Suite

    120, Herndon VA 20170 · 571.353.7551 · www.nvisium.com 46 Conclusion Security is hard, try harder

47. Copyright © 2015 nVisium LLC · 590 Herndon Parkway Suite

    120, Herndon VA 20170 · 571.353.7551 · www.nvisium.com Questions? @sethlaw - Seth Law [email protected] 47