Securely Storing Secrets (on iOS)

Transcript

1. http://www.egeniq.com [email protected] @egeniq iosdevuk, 10 July 2012 Ivo Jansch -

   @ijansch Securely Storing Secrets

2. About Me @ijansch Developer Author Entreprenerd iOS/Android/PHP 2

3. About Egeniq Mobile Development Knowledge Geeks Distributed Mdevcon (subliminal message:

   by the time you are wondering if your current job is still right for you, remember that at Egeniq we do awesome things with mobile technology and we don’t really care where you live as long as you are very talented.) 3

4. Tiqr - Learning about Mobile Security 4 1 2 3

   4 5 6 http://www.tiqr.org

5. Why is Mobile Security Important? ‣We deal with data ‣Apps

   run on our user’s hardware • Out of our control ‣Our users deal with third party services • Even more out of our control 5

6. A Use Case 6 iPhone App Third Party Services Server

   backend

7. OAuth 7 OAuth Consumer OAuth Provider

8. Why do you need to protect keys? 8 8 OAuth

   Provider

9. The iOS Security Model 9

10. Sandboxing ‣Apps only have access to their own data ‣Access

    is based on OS user ID ‣Further protected by application signature 10

11. So we don’t have to worry, right? ‣Can I securely

    store data? • Is sandboxing a solution? -> Not when device is rooted 11

12. It’s a common question Stackoverflow search for ‘store secret iphone’:

    12

13. With common answers 13

14. With common answers - Huh? - Don’t store secrets! -

    Don’t use OAuth! 14

15. Know what? I’ll just use a library 15

16. Securing Data In Your Code 0. Obfuscation 16

17. Obfuscation 17

18. Securing Data In Your Code 1. Encryption 18

19. Encryption 19

20. Decryption 20

21. What’s the problem with encryption? 21 We need another key

    to protect the secret

22. Other Encryption gotchas ‣AppStore is US based: Encryption export •

    Requires NSA approval, basically • Process is documented, but time consuming • Unless it’s only for “authentication purposes” ‣Two flavours of US gov approval: • Self classification (if you use standard stuff for standard things) • Agency classification (non standard stuff and/or non standard things) 22

23. Securing Data In Your Code 2. The KeyChain 23

24. KeyChain Aspects ‣Hardware based encryption for secrets ‣Good: • Not

    too much code • No extra key/password required (device passcode) • Works well with (encrypted) iTunes Backup ‣Bad: • Not every user has a passcode set • Lower level functions, lots of C (complexity) • Doesn’t work across iCloud backup/restore 24

25. More KeyChain So if I use the KeyChain and have

    a passcode, I’m safe, right? RIGHT? ‣4 digit passode can be brute forced in 9 minutes ‣6 digit passcode takes 1.5 years Source: Fraunhofer’s “iOS KeyChain Weakness FAQ” http://sit4.me/ios-keychain-faq 25

26. Using the KeyChain 26

27. Securing Data In Your Code 3. Server Side Solutions 27

28. Retrieve key from API 28 iOS App OAuth Provider Your

    API ?

29. Transparent Proxy 29 iOS App OAuth Provider Proxy

30. Securing Data In Your Code 4. “All of the above”

    30

31. What are we doing in Tiqr? ‣ Tiqr secrets are

    encrypted • The encryption key is a pincode • There’s no plain text to compare against, so breaking it is hard ‣ Encrypted identities are stored in keychain • So also protected by passcode lock, if present ‣ Secret is not communicated • Challenge/response for ‘proof of posession’ ‣ Requires server validation of decrypted secret • Server enforces temporary and permanent blocks to stop brute force 31

32. Always Secure Your Code (Because data is not the only

    thing at risk) 32

33. Buffers 33 ‣Especially when moving down to C level constructs,

    be wary...

34. Conclusion 34

35. Conclusion It’s all about awareness 35

36. Recommended Reading ‣ ISBN: 2147483647 ‣ Authors: • Himanshu Dwivedi

    • Chris Clark • David Thiel ‣ Covers: • Android • Apple • WinMo 36

37. Thank you! Questions? http://www.egeniq.com [email protected] @egeniq http://www.egeniq.com (about us) http://tiqr.org

    (demo + code) http://nomopass.com (tiqr as a service) [email protected] @ijansch

38. Credits ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/

    ‣ ‘Locker (KHS up close) by Travis Hymas - http://www.flickr.com/photos/ travishasphotos/3481640534/ ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/