Data transfer security for mobile apps: what the fish doesn’t notice in the ocean? 🐟

Transcript

1. Data transfer security for mobile apps what the fish doesn’t

   notice in the ocean? #mddaylviv2015 @vixentael

2. There ain’t enough talks about security

3. Apple Security Guide Every program is a potential target. Your

   customers’ property and your reputation are at stake. https://developer.apple.com/library/mac/documentation/Security/ Conceptual/SecureCodingGuide/Introduction.html data transfer security for mobile apps #mddaylviv2015 @vixentael

4. 3 kinds of data to protect Data in storage Data

   in memory Data in motion data transfer security for mobile apps #mddaylviv2015 @vixentael

5. Data in motion: what could possibly go wrong

6. Communication with server. Usually. data transfer security for mobile apps

   #mddaylviv2015 @vixentael

7. Imagine little fish... data transfer security for mobile apps #mddaylviv2015

   @vixentael

8. ...in the ocean of threats

9. active eavesdropping data leakage evil twin replay attack ...in the

   ocean of threats

10. * SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM * Intercepting

    the App Store's Traffic on iOS http://bit.ly/1H3xMrs One proxy to rule ‘em all!

11. Attack reasons Many apps use HTTP* data transfer security for

    mobile apps #mddaylviv2015 @vixentael *iOS9 ATS will decrease this number

12. Attack reasons Many apps use HTTP* Some apps use HTTPS

    data transfer security for mobile apps #mddaylviv2015 @vixentael *iOS9 ATS will decrease this number

13. Attack reasons Many apps use HTTP* Some apps use HTTPS

    Few apps encrypt user’s data *iOS9 ATS will decrease this number data transfer security for mobile apps #mddaylviv2015 @vixentael

14. Why is this happening?

15. 1. Security is hard. STACKOVERFLOW!

16. Let’s StackOverflow! http://stackoverflow.com/a/21826729 data transfer security for mobile apps #mddaylviv2015

    @vixentael

17. Weird padding http://stackoverflow.com/a/21826729 data transfer security for mobile apps #mddaylviv2015

    @vixentael

18. 2. Software is buggy

19. Remove padding! http://stackoverflow.com/a/26147479 data transfer security for mobile apps #mddaylviv2015

    @vixentael

20. Omg WTF is going on WTF http://stackoverflow.com/a/26147479 WTF WTF data

    transfer security for mobile apps #mddaylviv2015 @vixentael

21. 3. Illusion of safety is still a illusion data transfer

    security for mobile apps #mddaylviv2015 @vixentael #define kUserPassword @“1111111”

22. Armoring your fish

23. Realize security risks data transfer security for mobile apps #mddaylviv2015

    @vixentael

24. Amateurs Produce Amateur Cryptography Anyone can invent a security system

    that he himself cannot break — Schneier's Law https://www.schneier.com/blog/archives/ 2011/04/schneiers_law.html data transfer security for mobile apps #mddaylviv2015 @vixentael

25. Do not re-implement existing things data transfer security for mobile

    apps #mddaylviv2015 @vixentael

26. Security is a system, not a pluggable library

27. Build stout architecture data transfer security for mobile apps #mddaylviv2015

    @vixentael

28. Build stout architecture cryptolib key management data transfer security for

    mobile apps #mddaylviv2015 @vixentael

29. Use great tools Themis https://github.com/cossacklabs/themis RNCryptor https://github.com/RNCryptor/RNCryptor MIHCrypto https://github.com/hohl/MIHCrypto OTRKit

    https://github.com/ChatSecure/OTRKit libsodium/NaCL https://github.com/mochtu/libsodium-ios scientific background trust big guys good track record data transfer security for mobile apps #mddaylviv2015 @vixentael
30. None

31. Use SSL? Do it right! https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet ✤use long keys ✤remove

    backward compatibility ✤use good ciphers (EC vs RSA) ✤SSL pinning ✤use cheat sheet https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html SSL has a lot of problems To survive you need to: data transfer security for mobile apps #mddaylviv2015 @vixentael

32. TLS/SSL in short data transfer security for mobile apps #mddaylviv2015

    @vixentael

33. Where can it break? data transfer security for mobile apps

    #mddaylviv2015 @vixentael

34. SSL pinning data transfer security for mobile apps #mddaylviv2015 @vixentael

35. SSL pinning on iOS https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/ https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile- applications/ - (void)connection:(NSURLConnection *)connection

    willSendRequestForAuthenticationChallenge: (NSURLAuthenticationChallenge *)challenge { SecTrustRef serverTrust = challenge.protectionSpace.serverTrust; id<NSURLAuthenticationChallengeSender> sender = challenge.sender; SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0); NSData * remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate)); NSString * cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"]; NSData * localCertData = [NSData dataWithContentsOfFile:cerPath]; if ([remoteCertificateData isEqualToData:localCertData]) { NSURLCredential * credential = [NSURLCredential credentialForTrust:serverTrust]; [sender useCredential:credential forAuthenticationChallenge:challenge]; } else { [sender cancelAuthenticationChallenge:challenge]; } } data transfer security for mobile apps #mddaylviv2015 @vixentael

36. SSL pinning more easy :) Swift lib for HTTPS with

    SSL pinning https://github.com/johnlui/Pitaya/wiki let  certData  =  NSData(contentsOfFile:   NSBundle.mainBundle().pathForResource("lvwenhancom",  ofType:  "cer")!)!
 ...  ...
 .addSSLPinning(LocalCertData:  certData)  {  ()  -­‐>  Void  in
        print("Under  Man-­‐in-­‐the-­‐middle  attack!")
 } data transfer security for mobile apps #mddaylviv2015 @vixentael

37. How to achieve the solution

38. Let’s imagine chatting app simple API authentication meaningfull communication confidentiality

    thread data transfer security for mobile apps #mddaylviv2015 @vixentael

39. Securing app step by step 1. HTTPS everywhere 2. SSL

    pinning 3. Encrypt messages by persistent keys data transfer security for mobile apps #mddaylviv2015 @vixentael

40. Securing app step by step 1. HTTPS everywhere ----> SSL/TLS

    has lots of bugs and bad crypto 2. SSL pinning ----> is not a panacea 3. Encrypt messages by persistent keys ----> can be easily cracked data transfer security for mobile apps #mddaylviv2015 @vixentael
41. None

42. Securing in a more proper way perfect forward secrecy use

    good ciphers data transfer security for mobile apps #mddaylviv2015 @vixentael

43. Using ephemeral key data transfer security for mobile apps #mddaylviv2015

    @vixentael

44. How to achieve it easily https://github.com/cossacklabs/themis 1. establish session 2.

    encrypt message with SecureSession before sending 3. decrypt message after receive 4. encrypt history with SecureCell data transfer security for mobile apps #mddaylviv2015 @vixentael

45. How to achieve it easily https://github.com/cossacklabs/mobile- websocket-example data transfer security

    for mobile apps #mddaylviv2015 @vixentael

46. Security is hard, but if you’re smart, security is not

    so hard :)

47. The last slide @vixentael iOS developer at stanfy.com [creating awesome

    mobile and IoT apps]

48. To read ★ CryptoCat iOS app security audit https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf ★

    Why you should avoid SSL for your next application https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html ★ OAuth1, OAuth2, OAuth...? http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html

49. To watch youtube ★ All tasks of Moxie Marlinspike https://www.youtube.com/watch?v=ibF36Yyeehw

    https://www.youtube.com/watch?v=8N4sb-SEpcg https://www.youtube.com/watch?v=tOMiAeRwpPA

50. To read more slides ★ Securing iOS apps https://speakerdeck.com/mbazaliy/securing-ios-applications ★

    Users' data security in iOS applications https://speakerdeck.com/vixentael/users-data-security-in-ios-applications ★ Reversing 101 https://speakerdeck.com/0xc010d/reversing-101