Start Securing Your iOS Apps from Zero

Learning About Vulnerabilities from OWASP Mobile Top 10 Start Securing
Your iOS Apps from Zero Soh Satoh (@soh_satoh) - STORES, Inc.

Who am I? • 2018? - 2021 • iOS Tweak
Developer (Independent) • 2021 - 2023 • Security Engineer @ Security Vendor • 2023 - • Security Engineer @ STORES Inc 2 @soh_satoh

Introduction - What’s MASVS/MASTG? • MASVS The industry standard for
mobile app security • MASTG A comprehensive manual for mobile app security testing and reverse engineering スマホアプリの脆弱性診断って何するの？（iOS 編）- STORES Product Blog 3 Reference: OWASP

Introduction - What’s OWASP Mobile TOP10? A standard awareness document
for developers and mobile application security • M1: Improper Credential Usage • M2: Inadequate Supply Chain Security • M3: Insecure Authentication/Authorization • M4: Insu ffi cient Input/Output Validation • M5: Insecure Communication • M6: Inadequate Privacy Controls • M7: Insu ffi cient Binary Protections • M8: Security Miscon fi guration • M9: Insecure Data Storage • M10: Insu ff i cient Cryptography 4 Reference: OWASP (https://owasp.org/www-project-mobile-top-10/)

M9: Insecure Data Storage

M9: Insecure Data Storage Examples • Storing passwords in plain
text • Unprotected logging • Unsecured local storage Attack Vectors • Sandbox escaping • Data leak from iOS backups • (Code injection) 6 Impacts • Leak of sensitive information • Leak of credentials • Compromised user accounts • Reputational damage Vulnerabilities caused by improper implementations for storing sensitive information

M9: Insecure Data Storage - App Sandbox App Sandbox A
security mechanism for separating running programs • Restricting access to resources of other apps (e.g. UserDefaults) • Restricting access to system fi les ↓ Super Secure! 7

M9: Insecure Data Storage - App Sandbox 🤔 8 …
Really?

M9: Insecure Data Storage - App Sandbox 9 Security 101
Do Not Overtrust Anyone!

M9: Insecure Data Storage - UserDefaults vs. Keychain • UserDefaults
• NOT encrypted • Saved to “/var/mobile/Containers/Data/Application/{UUID}/ Library/Preferences” (mobile) • Can be backed up w/o encryption • Keychain • Encrypted (AES-128 / Hardware-based encryption) • Saved to “/var/Keychains/keychain-2.db” (_securityd) • Backed up with encryption 10

M9: Insecure Data Storage - Best Practices Best Practices •
Do NOT store credentials in plaintext • Refresh token • Passwords (Never!) • Use Keychain as possible • Storing sensitive information in Keychain • Storing encryption keys in Keychain 11

M1: Improper Credential Usage

M1: Improper Credential Usage Examples • Hardcoded credentials • Insecure
credential storage Attack Vectors • Sandbox escaping • Data leak from iOS backups • (Code injection) 13 Impacts • Leak of sensitive information • Leak of credentials • Compromised user accounts • Reputational damage Vulnerabilities caused by improper credential usage for storing sensitive information

M1: Improper Credential Usage - Hardcoded Credentials Hardcoded Credentials Examples
• Encrypt sensitive information using hardcoded keys • Login to API using hardcoded password Attack Vectors • Reversing 14

M1: Improper Credential Usage - Obfuscation Obfuscation the act of
creating source or machine code that is di ff i cult for humans or computers to understand Advantage It can delay the process of reverse engineering. Disadvantage While obfuscation can make reading, writing, and reverse-engineering a program di ff i cult and time-consuming, it will not necessarily make it impossible. 15

M1: Improper Credential Usage - Obfuscation 16 Encryption Flow (Example)

M1: Improper Credential Usage - Obfuscation 17 Static Analysis (with
Ghidra) Disassembly Pseudocode

M1: Improper Credential Usage - Obfuscation 18 Dynamic Analysis (with
LLDB)

LLDB)

LLDB) Ref: https://stackoverflow.com/a/78014359/26676166

M1: Improper Credential Usage - Best Practices Best Practices •
Do NOT hardcode secrets • API keys • Encryption keys • Passwords • If secrets must be hardcoded, • Consider the importance of the information • Evaluate the e ff ectiveness of obfuscation 21

Summary Steps You Should Take for Mobile Application Security 1.
Understand the common vulnerabilities in mobile apps 2. Consider whether each vulnerability could realistically have an impact, and assess the need for remediation 3. Develop the application with careful consideration of whether it could introduce vulnerabilities that might impact the business 22

Start Securing Your iOS Apps from Zero

Start Securing Your iOS Apps from Zero

Soh Satoh

Featured

Transcript

Learning About Vulnerabilities from OWASP Mobile Top 10 Start Securing

Who am I? • 2018? - 2021 • iOS Tweak

Introduction - What’s MASVS/MASTG? • MASVS The industry standard for

Introduction - What’s OWASP Mobile TOP10? A standard awareness document

M9: Insecure Data Storage

M9: Insecure Data Storage Examples • Storing passwords in plain

M9: Insecure Data Storage - App Sandbox App Sandbox A

M9: Insecure Data Storage - App Sandbox 🤔 8 …

M9: Insecure Data Storage - App Sandbox 9 Security 101

M9: Insecure Data Storage - UserDefaults vs. Keychain • UserDefaults

M9: Insecure Data Storage - Best Practices Best Practices •

M1: Improper Credential Usage

M1: Improper Credential Usage Examples • Hardcoded credentials • Insecure

M1: Improper Credential Usage - Hardcoded Credentials Hardcoded Credentials Examples

M1: Improper Credential Usage - Obfuscation Obfuscation the act of

M1: Improper Credential Usage - Obfuscation 16 Encryption Flow (Example)

M1: Improper Credential Usage - Obfuscation 17 Static Analysis (with

M1: Improper Credential Usage - Obfuscation 18 Dynamic Analysis (with

M1: Improper Credential Usage - Obfuscation 19 Dynamic Analysis (with

M1: Improper Credential Usage - Obfuscation 20 Dynamic Analysis (with

M1: Improper Credential Usage - Best Practices Best Practices •

Summary Steps You Should Take for Mobile Application Security 1.

23