
Data transfer security for mobile apps: what the fish doesn’t notice in the ocean? 🐟

vixentael
October 31, 2015



-------------------

Talk on Lviv Mobile Day.

* Wise fish knows there ain’t enough talks about security
* Communication with server: security, reliability, ease of use, choose two
* Applied cryptography: should you manually configure CommonCrypto or …?
* Network security is piranha in risk and ruff in implementation
* Practical example: protecting network transport without breaking app


Transcript

  1. Data transfer security for mobile apps: what the fish doesn’t notice in the ocean? #mddaylviv2015 @vixentael
  2. There ain’t enough talks about security
  3. Apple Security Guide: “Every program is a potential target. Your customers’ property and your reputation are at stake.” https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html data transfer security for mobile apps #mddaylviv2015 @vixentael
  4. 3 kinds of data to protect: data in storage, data in memory, data in motion
  5. Data in motion: what could possibly go wrong
  6. Communication with server. Usually.
  7. Imagine little fish...
  8. ...in the ocean of threats
  9. ...in the ocean of threats: active eavesdropping, data leakage, evil twin, replay attack
  10. One proxy to rule ‘em all!
      * SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM
      * Intercepting the App Store's Traffic on iOS http://bit.ly/1H3xMrs
  11. Attack reasons: many apps use HTTP* (*iOS9 ATS will decrease this number)
  12. Attack reasons: many apps use HTTP*, some apps use HTTPS (*iOS9 ATS will decrease this number)
  13. Attack reasons: many apps use HTTP*, some apps use HTTPS, few apps encrypt user’s data (*iOS9 ATS will decrease this number)
  14. Why is this happening?
  15. 1. Security is hard. STACKOVERFLOW!
  16. Let’s StackOverflow! http://stackoverflow.com/a/21826729
  17. Weird padding http://stackoverflow.com/a/21826729
  18. 2. Software is buggy
  19. Remove padding! http://stackoverflow.com/a/26147479
  20. Omg WTF is going on http://stackoverflow.com/a/26147479
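The padding trouble on slides 16 to 20 comes from hand-rolled AES-CBC handling. The Go program below is an added example, not code from the talk or from the StackOverflow answers it cites: it puts a strict PKCS#7 unpad next to AES-GCM, an authenticated mode that needs no padding at all, and runs a tamper check that shows why a "remove padding" fix does not make CBC safe: one flipped ciphertext byte decrypts without any error under CBC but is rejected by GCM. The function names (pkcs7Unpad, gcmSeal, tamperDemo) and the sample message are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// pkcs7Pad appends 1..blockSize bytes, each equal to the pad length (PKCS#7).
// Aligned input still gets a full block of padding; that is what makes removal unambiguous.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects what copy-pasted "remove padding"
// snippets tend to skip: empty or misaligned input, a pad length of zero or more
// than a block, and pad bytes that disagree with the length byte.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// cbcEncrypt is the CommonCrypto-style construction behind the StackOverflow
// answers: AES-CBC with PKCS#7 and no integrity check. Kept here for contrast.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// cbcDecrypt only ever notices damage that happens to land in the padding bytes.
func cbcDecrypt(block cipher.Block, iv, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

// gcmSeal is the construction to use instead: AES-GCM needs no padding and
// authenticates the ciphertext. Output layout: random nonce || ciphertext || tag.
func gcmSeal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen fails on any modified byte, whether it sits in the nonce, the data or the tag.
func gcmOpen(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// tamperDemo flips one ciphertext byte of a two-block message under both
// constructions and returns (CBC error, CBC plaintext changed, GCM error).
// CBC "succeeds" and hands back altered plaintext, because only the last
// block's padding is ever checked; GCM refuses the whole message.
func tamperDemo(key []byte) (error, bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err, false, err
	}
	aead, _ := cipher.NewGCM(block)
	msg := []byte("transfer 10 EUR to ABC") // constructed sample: 22 bytes, two blocks once padded
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand fills the slice and does not fail here
	ct := cbcEncrypt(block, iv, msg)
	ct[0] ^= 0x01 // garbles plaintext block 0 and flips byte 0 of block 1
	pt, cbcErr := cbcDecrypt(block, iv, ct)
	sealed, _ := gcmSeal(aead, msg)
	sealed[aead.NonceSize()] ^= 0x01 // first ciphertext byte after the nonce
	_, gcmErr := gcmOpen(aead, sealed)
	return cbcErr, !bytes.Equal(pt, msg), gcmErr
}

func main() {
	key := make([]byte, 32) // AES-256 key, generated for the demo only
	rand.Read(key)
	cbcErr, changed, gcmErr := tamperDemo(key)
	fmt.Printf("CBC: err=%v, plaintext changed=%v\n", cbcErr, changed)
	fmt.Printf("GCM: err=%v\n", gcmErr)
}
```

The lesson for the StackOverflow snippets is that the unpad routine is the wrong place to look for safety: even a correct one accepts any ciphertext whose last block happens to end in valid padding, so choose an AEAD mode and let the tag decide.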
  21. 3. Illusion of safety is still an illusion
      #define kUserPassword @"1111111"
  22. Armoring your fish
  23. Realize security risks
  24. Amateurs Produce Amateur Cryptography. “Anyone can invent a security system that he himself cannot break” — Schneier's Law https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
  25. Do not re-implement existing things
  26. Security is a system, not a pluggable library
  27. Build stout architecture
  28. Build stout architecture: cryptolib, key management
  29. Use great tools: Themis https://github.com/cossacklabs/themis, RNCryptor https://github.com/RNCryptor/RNCryptor, MIHCrypto https://github.com/hohl/MIHCrypto, OTRKit https://github.com/ChatSecure/OTRKit, libsodium/NaCl https://github.com/mochtu/libsodium-ios. How to choose: scientific background, trust big guys, good track record
  30. [image-only slide]
  31. Use SSL? Do it right! SSL has a lot of problems. To survive you need to:
      ✤ use long keys
      ✤ remove backward compatibility
      ✤ use good ciphers (EC vs RSA)
      ✤ SSL pinning
      ✤ use cheat sheet https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
      https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
  32. TLS/SSL in short
  33. Where can it break?
  34. SSL pinning
  35. SSL pinning on iOS https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/ https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/

      // NSURLConnection delegate: compare the server's leaf certificate with the
      // copy bundled in the app and cancel the connection on any mismatch.
      - (void)connection:(NSURLConnection *)connection
          willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
          // Only server-trust challenges carry a SecTrustRef; anything else would
          // leave serverTrust NULL and crash the certificate lookup below.
          if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
              [challenge.sender cancelAuthenticationChallenge:challenge];
              return;
          }
          SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
          id<NSURLAuthenticationChallengeSender> sender = challenge.sender;
          // Index 0 is the leaf (server) certificate of the presented chain
          SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
          NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
          NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
          NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
          if ([remoteCertificateData isEqualToData:localCertData]) {
              // Byte-for-byte match with the pinned certificate: accept the trust
              NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
              [sender useCredential:credential forAuthenticationChallenge:challenge];
          } else {
              [sender cancelAuthenticationChallenge:challenge];
          }
      }

  36. SSL pinning more easy :) Swift lib for HTTPS with SSL pinning https://github.com/johnlui/Pitaya/wiki

      let certData = NSData(contentsOfFile: NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
      ...
      .addSSLPinning(LocalCertData: certData) { () -> Void in
          print("Under Man-in-the-middle attack!")
      }
  37. How to achieve the solution
  38. Let’s imagine chatting app: simple API, authentication, meaningful communication, confidentiality, thread
  39. Securing app step by step
      1. HTTPS everywhere
      2. SSL pinning
      3. Encrypt messages by persistent keys
  40. Securing app step by step
      1. HTTPS everywhere ----> SSL/TLS has lots of bugs and bad crypto
      2. SSL pinning ----> is not a panacea
      3. Encrypt messages by persistent keys ----> can be easily cracked
  41. [image-only slide]
  42. Securing in a more proper way: perfect forward secrecy, use good ciphers
  43. Using ephemeral key
  44. How to achieve it easily https://github.com/cossacklabs/themis
      1. establish session
      2. encrypt message with SecureSession before sending
      3. decrypt message after receive
      4. encrypt history with SecureCell
  45. How to achieve it easily https://github.com/cossacklabs/mobile-websocket-example
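Slides 39 to 44 contrast persistent message keys with a per-session ephemeral key. The Go program below is an added example, not Themis code (SecureSession also authenticates both peers with their long-term keys, which is left out here). It walks the first three steps of slide 44 with standard-library primitives: each side generates an X25519 key pair for this session only, derives one AES-256-GCM key from the shared secret with HKDF-SHA256, numbers every message so a replayed capture is rejected, and drops the keys on Close so traffic recorded earlier stays unreadable. The type and function names (Session, Establish, nonce) and the info string are this example's own, and the public keys are assumed to travel over an already-authenticated channel, for instance the pinned TLS connection from the previous slides; without that, a bare key exchange is exactly what the "evil twin" on slide 9 exploits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Session is one endpoint of a chat session; role 0 initiates, role 1 responds.
// All key material is ephemeral and dies with the session, so a device that is
// compromised later cannot decrypt traffic captured earlier (forward secrecy).
type Session struct {
	role             byte
	priv             *ecdh.PrivateKey
	aead             cipher.AEAD
	key              []byte
	sendSeq, recvSeq uint64
}

// NewSession generates a fresh X25519 key pair that is used for this session only.
func NewSession(role byte) (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{role: role, priv: priv}, nil
}

// PublicKey is the 32-byte value the peers exchange in step 1, "establish session".
func (s *Session) PublicKey() []byte { return s.priv.PublicKey().Bytes() }

// Establish derives the AES-256-GCM session key from the peer's ephemeral key:
// X25519 shared secret, then HKDF-SHA256 (RFC 5869) extract and one expand block.
func (s *Session) Establish(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := s.priv.ECDH(pub)
	if err != nil {
		return err
	}
	extract := hmac.New(sha256.New, nil) // HKDF-Extract with an empty salt
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("fish-chat session key v1\x01")) // info || block counter 0x01
	s.key = expand.Sum(nil)
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return err
	}
	s.aead, err = cipher.NewGCM(block)
	return err
}

// nonce is 12 bytes: direction byte, three zero bytes, 64-bit sequence number,
// so the two directions of one session never reuse a nonce under the same key.
func nonce(dir byte, seq uint64) []byte {
	n := make([]byte, 12)
	n[0] = dir
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encrypt is step 2 (call only after Establish): an 8-byte sequence header, which
// is also bound as associated data, followed by the ciphertext and GCM tag.
func (s *Session) Encrypt(msg []byte) []byte {
	s.sendSeq++
	hdr := binary.BigEndian.AppendUint64(nil, s.sendSeq)
	return append(hdr, s.aead.Seal(nil, nonce(s.role, s.sendSeq), msg, hdr)...)
}

// Decrypt is step 3. The sequence number must strictly increase, which rejects a
// replayed capture (slide 9's replay attack) as well as forged or reordered data.
func (s *Session) Decrypt(wire []byte) ([]byte, error) {
	if s.aead == nil || len(wire) < 8 {
		return nil, errors.New("session not established or message too short")
	}
	seq := binary.BigEndian.Uint64(wire[:8])
	if seq <= s.recvSeq {
		return nil, errors.New("replayed or reordered message")
	}
	pt, err := s.aead.Open(nil, nonce(1-s.role, seq), wire[8:], wire[:8])
	if err != nil {
		return nil, err
	}
	s.recvSeq = seq
	return pt, nil
}

// Close drops the ephemeral keys; from here on neither side can read old traffic.
func (s *Session) Close() { s.key, s.aead, s.priv = nil, nil, nil }

func main() {
	alice, _ := NewSession(0)
	bob, _ := NewSession(1)
	alice.Establish(bob.PublicKey()) // both public keys travel over the authenticated channel
	bob.Establish(alice.PublicKey())
	wire := alice.Encrypt([]byte("hello, little fish"))
	pt, err := bob.Decrypt(wire)
	fmt.Printf("first delivery: %q, err=%v\n", pt, err)
	_, err = bob.Decrypt(wire) // the same packet again
	fmt.Println("replay rejected:", err != nil)
}
```

The direction byte in the nonce matters: both peers hold the same key, so without it message number 1 from each side would reuse a nonce, and GCM's guarantees collapse on nonce reuse. A persistent-key design (slide 40, point 3) fails differently: one recovered key opens every message ever sent, which is what per-session keys and Close are there to prevent.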
  46. Security is hard, but if you’re smart, security is not so hard :)
  47. The last slide: @vixentael, iOS developer at stanfy.com [creating awesome mobile and IoT apps]
  48. To read
      ★ CryptoCat iOS app security audit https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf
      ★ Why you should avoid SSL for your next application https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
      ★ OAuth1, OAuth2, OAuth...? http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html
  49. To watch (YouTube)
      ★ All talks of Moxie Marlinspike https://www.youtube.com/watch?v=ibF36Yyeehw https://www.youtube.com/watch?v=8N4sb-SEpcg https://www.youtube.com/watch?v=tOMiAeRwpPA
  50. To read more slides
      ★ Securing iOS apps https://speakerdeck.com/mbazaliy/securing-ios-applications
      ★ Users' data security in iOS applications https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
      ★ Reversing 101 https://speakerdeck.com/0xc010d/reversing-101