[Extended version] Building user-centric security model in iOS applications

vixentael
September 16, 2016

Read the text and watch the video in English:
https://realm.io/news/tryswift-anastasiia-voitova-building-user-centric-security-model-ios-applications-swift/

Video in Russian:
https://www.youtube.com/watch?v=h4egvZ4JuvI

The extended version of my talk about user-centric trust for your mobile app layout!

- risk and threat models
- real-world app analysis
- building user-app-server interactions step by step
- code samples
- ways to make it even tougher
- possible attacks
- "crypto is not expensive"
- "Apple cares about security, you should too!"
- key points

--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

I presented this talk with slight modifications at the #nsspain2016 and #mobiconf conferences, September-October 2016.

In this presentation we will talk about building security that does not fail when application keys are exposed or when servers are hacked; security that lasts as long as the user's unique crypto keys (or passwords) are safe. Using secrets known by the user as the source of trust is the ultimate way for an app to become "thin" in relation to the security model, thus lowering the risks and developer pain. We will learn about a system of thin, transparent security layers and its applicability in client-server systems.

Transcript

  1. Building user-centric security model in iOS apps @vixentael

  2. Who am I

    @vixentael: Lead Developer at stanfy.com, Core Contributor at themis / cossacklabs.com. Get in touch if you need help in building a secure mobile app.
  3. Security talk ahead! #courage

  4. #mobiconf @vixentael

    - Risks and threat models
    - Trust models
    - Analyze real app
    - Protection methods
    - ZKP
    - Code samples
    - Attack scenarios
    - Security model future improvements
  5. Why we should think more about security?

  6. Why we should think more about security?

    - Users trust Apple platform
    - Users trust us
  7. Most users trust sensitive data to our app regardless of how well we protect it

  8. abstract app in a vacuum

  9. None
  10. abstract app in a vacuum

    security: security is set of ultimatum rules
  11. abstract app in a vacuum: security is set of ultimatum rules

    real apps, real ecosystems
  12. App Flow / App Features / Code / User Problem

  13. Risk / Threat Model / Secure Methods / Secure Implementations / Libs/Code

    App Flow / App Features / Code / User Problem
  14. It is secure

  15. It is secure

    It is secure against certain threat model and adversary
  16. https://twitter.com/mubix/status/745403991475904513

  17. Risk Model & Threat Model create demands for security

  18. Real world risks

    - Data leak / data tampering
    - Reputation risks
    - Legal responsibility
    - Financial damage
  19. Risk impact

    - DL, data leakage: Data is used/sold by someone
    - DT, data tampering: Data is tampered and you're operating on adversary's plan
    - identity theft: Identity/auth is used elsewhere
  20. Risk prevention

    - data leakage: confidentiality (secrecy)
    - data tampering: integrity
    - identity theft: authentication
  21. Risk prevention (for us)

    - Encryption w/ secret or PKC
    - Limit access
    - Signed encryption
    - Protected transport with trust and integrity
    - Authenticated encryption
    - Action authentication

    confidentiality (secrecy) / integrity / authentication
  22. Encryption is letting only those who know the secret access the data, no matter how they alter the code or the system (read Kerckhoffs's desideratum)

  23. Trust model is whose secrets you trust in a security system

  24. Everything is broken

    Trust no one, but the user
  25. Risks / Trust model / Threat model / Methods and instruments

  26. Now let's apply this to the real app

  27. None
  28. What user hero has?

    secret data, paranoia, pa55w0rd, trust
  29. What user hero has?

    secret data, paranoia, pa55w0rd, trust, tin foil hat!
  30. Let's make an app!

    for saving your important docs during trips
  31. App functionality

    - Take pictures of important documents
    - Store them on server
    - Lets user see them
  32. Architecture and flow

    user, app, network, server, storage
  33. Threats we can handle

    - T1/T4: data loss / tampering
    - T2: passive MitM
    - T3: active MitM
  34. More complicated..

    - T5 verbal key leak
    - T6 phishing / social engineering
    - T7 rubber-hose cryptanalysis
    - T8 satellite imaging of sensitive input
    - T9 EM emissions
    - T10 sandbox escaping
    - T11 misconfiguration
    - T12 random generator abuse
    - T13 random generator abuse
    - T14 EM emissions and physical side channel
    - T15 physical access
    - (remaining diagram labels, in extraction order) malicious dependency T19 storing keys with data T20 weak cipher random generator abuse T21; T16 misconfigured access T17 T18 unattended backups

    Shown alongside the threats we can handle: T1/T4 data loss / tampering, T2 passive MitM, T3 active MitM
  35. Back to threats we can handle

    - T1/T4: data loss / tampering
    - T2: passive MitM
    - T3: active MitM
  36. Threats: T1/T4

    attacker steals stored data or tampers with it
  37. Threats: T1/T4

    attacker steals stored data or tampers with it

    Protection: Secret Key Crypto. Symmetric crypto for storing data. If user has no secret, he can't read or change data.
  38. Threats: T2

    attacker captures network traffic (passive MitM)
  39. Threats: T2

    attacker captures network traffic (passive MitM)

    Protection: Public Key Cryptography, ephemeral keys. Asymmetric crypto for sending data. Ephemeral keys to avoid decrypting accumulated traffic if keys are leaked/cracked.
  40. Threats: T3

    attacker redirects traffic and pretends to be remote party (active MitM)
  41. Threats: T3

    attacker redirects traffic and pretends to be remote party (active MitM)

    Protection: Public Key Cryptography, certificate pinning. Asymmetric crypto for sending data. Check server certificate to make sure it matches with pinned one.
  42. Protection methods

    - T1/T4 data loss / tampering: Secret Key Crypto
    - T2 passive MitM: PKC + ephem. keys
    - T3 active MitM: PKC + cert. pinning
  43. Trust model: Trust the user only

    - Public Key Crypto
    - Perfect Forward Secrecy
    - Secret Key Crypto
    - Authenticated Encryption
    - Certificate Pinning
  44. Relationship model

    (diagram labels) plain data, symmetric encryption, PKC + eph. keys, symmetric encryption, PKC + eph. keys, ZKP, ZKP
  45. add more paranoia!

    - …what if trapdoor function fails?
    - …what if key exchange is flawed?
    - …what if we suspect that server is fraudulent?
  46. add more paranoia!

    - …what if trapdoor function fails?
    - …what if key exchange is flawed?
    - …what if we suspect that server is fraudulent?

    Zero Knowledge Proof for the rescue!
  47. ZKP is comparing shared secret without transmitting it

    does not require the key exchange, does not leak password

    https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
  48. So, data model:

    - Secret key (SK) = KDF(user password)
  49. So, data model:

    - Secret key (SK) = KDF(user password)
    - Sensitive Data (SD) — passport photo
    - Metadata (M1) — timestamp+CRC of photo
    - Metadata (M2) — name of photo (user input)
  50. So, data model:

    - Secret key (SK) = KDF(user password)
    - Sensitive Data (SD) — passport photo
    - Metadata (M1) — timestamp+CRC of photo
    - Metadata (M2) — name of photo (user input)
    - Mobile Key Pair (MKP) — private+public keys gen. inside app.
    - Server Key Pair (SKP) — private+public keys gen. on server. App pins Server Public Key.
  51. Key + Data model

    (diagram labels) Pwd, SD, M1, M2, MKP, SKP, SK
  52. User-centric trust

    (diagram labels) Pwd, MKP, SKP, SK, symmetric encryption, PKC + eph. keys, KDF(), Rand, PKC + eph. keys, Rand
  53. App Flows

  54. Crypto primitives*

    - Symmetric crypto: SCell
    - Asymmetric crypto based on ephemeral keys: SSession
    - ZKP implementation: SComparator

    *based on Themis crypto lib https://github.com/cossacklabs/themis
  55. Send photo to server

    prepare data:
    1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
    2. Store EncData, M1, M2 in Local Store
    3. Drop SD, SK from memory
  56. Send photo to server

    prepare data:
    1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
    2. Store EncData, M1, M2 in Local Store
    3. Drop SD, SK from memory

    transfer data:
    4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    5. Send EncData, M1, M2 via Session
  57. Send photo to server

    prepare data:
    1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
    2. Store EncData, M1, M2 in Local Store
    3. Drop SD, SK from memory

    transfer data:
    4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    5. Send EncData, M1, M2 via Session

    terminate session:
    6. Receive OK
    7. Terminate Session
    8. Mark EncData in Local Store as Synced
  58. Send photo to server

    prepare data:
    1. Encrypt photo: EncData = SCell_wrap(SD, SK, Context=M2)
    2. Store EncData, M1, M2 in Local Store
    3. Drop SD, SK from memory

    transfer data:
    4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    5. Send EncData, M1, M2 via Session

    terminate session:
    6. Receive OK
    7. Terminate Session
    8. Mark EncData in Local Store as Synced
  59. Read photo from server

    initialize connection:
    1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    2. Request EncData proof via ZKP:
       2.1 Send M1
       2.2 Request Server to prove he has M2 by performing SComparator(M2)
  60. Read photo from server

    initialize connection:
    1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    2. Request EncData proof via ZKP:
       2.1 Send M1
       2.2 Request Server to prove he has M2 by performing SComparator(M2)

    transfer data:
    3. Receive EncData
  61. Read photo from server

    initialize connection:
    1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    2. Request EncData proof via ZKP:
       2.1 Send M1
       2.2 Request Server to prove he has M2 by performing SComparator(M2)

    transfer data:
    3. Receive EncData

    decrypt data:
    4. Request password from user
    5. Decrypt data: SD = SCell_unwrap(EncData, SK, Context=M2)
  62. Read photo from server

    initialize connection:
    1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
    2. Request EncData proof via ZKP:
       2.1 Send M1
       2.2 Request Server to prove he has M2 by performing SComparator(M2)

    transfer data:
    3. Receive EncData

    decrypt data:
    4. Request password from user
    5. Decrypt data: SD = SCell_unwrap(EncData, SK, Context=M2)
  63. Code samples

  64. Generate keys

    ```swift
    // Generating EC keys
    guard let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC) else {
        print("Error occurred while initializing object keyGeneratorEC")
        return
    }
    let privateKeyEC: NSData = keyGeneratorEC.privateKey
    let publicKeyEC: NSData = keyGeneratorEC.publicKey
    ```

    https://github.com/cossacklabs/themis/wiki/Swift-Howto
    https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift
  65. Symmetric encryption

    ```swift
    // Secure Cell keyed with the master key
    let masterKeyData: NSData = self.generateMasterKey()
    guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
        print("Error occurred while initializing object cellSeal", #function)
        return
    }

    let message: String = "All your base are belong to us!"
    let context: String = "For great justice"
    var encryptedMessage: NSData = NSData()
    do {
        // context is optional parameter and may be ignored
        encryptedMessage = try cellSeal.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding),
                                                 context: context.dataUsingEncoding(NSUTF8StringEncoding))
        print("encryptedMessages = \(encryptedMessage)")
    } catch let error as NSError {
        print("Error occurred while encrypting \(error)", #function)
        return
    }
    ```

    https://github.com/cossacklabs/themis/wiki/Swift-Howto
    https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift
  66. Symmetric decryption

    ```swift
    let masterKeyData: NSData = self.generateMasterKey()
    guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
        print("Error occurred while initializing object cellSeal", #function)
        return
    }

    let message: String = "All your base are belong to us!"
    let context: String = "For great justice"
    do {
        // encryptedMessage is the output of the encryption sample; the same context must be supplied
        let decryptedMessage: NSData = try cellSeal.unwrapData(encryptedMessage,
                                                               context: context.dataUsingEncoding(NSUTF8StringEncoding))
        let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding)!
        print("decryptedMessage = \(resultString)")
    } catch let error as NSError {
        print("Error occurred while decrypting \(error)", #function)
        return
    }
    ```

    https://github.com/cossacklabs/themis/wiki/Swift-Howto
    https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift
  67. Initialize Session

    ```swift
    guard let clientIdData: NSData = kClientId.dataUsingEncoding(NSUTF8StringEncoding),
        let clientPrivateKey: NSData = NSData(base64EncodedString: kClientPrivateKey, options: .IgnoreUnknownCharacters) else {
        print("Error occurred during base64 encoding", #function)
        return
    }

    // The transport callbacks are given the server ID and the server public key
    self.transport = Transport()
    self.transport?.setupKeys(kServerId, serverPublicKey: kServerPublicKey)
    self.session = TSSession(userId: clientIdData, privateKey: clientPrivateKey, callbacks: self.transport)
    ```

    https://github.com/cossacklabs/themis/wiki/Swift-Howto
    https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift
  68. Encrypt/Decrypt Session messages

    ```swift
    var encryptedMessage: NSData
    do {
        guard let wrappedMessage: NSData = try self.session?.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding)) else {
            print("Error occurred during wrapping message ", #function)
            return
        }
        encryptedMessage = wrappedMessage
    } catch let error as NSError {
        print("Error occurred while wrapping message \(error)", #function)
        completion(data: nil, error: error)
        return
    }

    //...

    do {
        guard let decryptedMessage: NSData = try self.session?.unwrapData(data),
            let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding) else {
            throw NSError(domain: "com.example", code: -3, userInfo: nil)
        }
        completion(data: resultString, error: nil)
    } catch let error as NSError {
        print("Error occurred while decrypting message \(error)", #function)
        completion(data: nil, error: error)
        return
    }
    ```

    https://github.com/cossacklabs/themis/tree/master/docs/examples/Themis-server/swift
  69. Make it even tougher

  70. Enforce app security

    - one password per photo
    - user inputs password every time on photo access
  71. Repeated auth

    Use ZKP to prove that Server has M2 from any previous transfer

    - Received items: D1, D2, ..., Dn
    - Synced items: D1, D2, ..., Dn
  72. Repeated auth

    - select any Di, where Di = (EncData, M1, M2)
    - request ZKP(M1i)
    - prove M2i
    - compare M2i, on success transfer Dn+1

    - Received items: D1, D2, ..., Dn
    - Synced items: D1, D2, ..., Dn
  73. The worst case scenario attacks

  74. The worst scenario attacks

    Active MitM without hacking the server: Attacker does not have SKP.

    Results: SecureSession initialization fails. App doesn't start transfer data to server at all.
  75. The worst scenario attacks

    Best active MitM + hack server: Attacker seizes SKP from Server and pretends to be normal server by DNS spoofing or routing redirection.

    Results: Accumulates useless M1, M2 and lousy EncData.
  76. The worst scenario attacks

    Denial of Service: Attacker floods server with requests / tons of data.

    Results: Server may be flooded. Monitor all the things!
  77. Finalizing…

  78. Crypto is very expensive!!11

    - hardware support (AES)
    - scripted language and questionable frameworks affect performance as much as running the expensive math, if not more
    - endorse crypto everywhere to make it more cheap :)

    (it is not)

    https://www.cossacklabs.com/benchmarking-secure-comparator.html
  79. Apple enforces good security practices

    iOS 10:
    - use HTTPS everywhere!
    - drop TLS < 1.2
    - add purpose strings for accessing private data
    - read more about Apple security care in Additional reading section

    https://developer.apple.com/videos/play/wwdc2016/706/
    http://useyourloaf.com/blog/privacy-settings-in-ios-10/
    https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
  80. Apple enforces good security practices

    https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
  81. Key points!

    - Security is a system, not a set of methods
    - You may need to re-read these slides when you plan your next app
    - User-centric trust is simple to implement, yet almost impossible to hack
  82. My other security talks

    - Upgrading Approaches to the Secure Mobile Architectures: https://medium.com/@vixentael/upgrading-approaches-to-the-secure-mobile-architectures-7a8fcb10d28a#.ffbsjwqx6
    - Data Protection For Mobile Client-Server Architectures: https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a
    - Users' data security in iOS applications: https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
  83. Additional reading by Apple

    - How iOS Security Really Works: https://developer.apple.com/videos/play/wwdc2016/705/
    - What's New in Security: https://developer.apple.com/videos/play/wwdc2016/706/
    - Behind the Scenes with iOS Security: https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
    - Engineering Privacy for Your Users: https://developer.apple.com/videos/play/wwdc2016/709/
  84. Additional reading by smarties

    - Getting Ready for ATS Enforcement in 2017: https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
    - Privacy Settings in iOS 10: http://useyourloaf.com/blog/privacy-settings-in-ios-10/
    - Zero Knowledge Protocols Without Magic: https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
    - Technical Analysis of Pegasus Spyware: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
    - Side effect of Pegasus malware: https://medium.com/@9gunpi/side-effects-of-pegasus-malware-32c9a112ec1c
  85. The last slide

    @vixentael: Lead Developer at stanfy.com, Core Contributor at themis / cossacklabs.com. Need help? Talk to me :)
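
The data model from slides 48-50 and the encrypt/decrypt steps from slides 55 and 61, as an added example that is not code from the talk or from Themis: it shows SK = KDF(user password), EncData bound to Context=M2, and the unwrap failing closed for a wrong password, a wrong context, or tampered bytes (threats T1/T4). Assumptions: modern Swift with CryptoKit (iOS 13 or later), AES-GCM standing in for SCell_wrap/SCell_unwrap, PBKDF2-HMAC-SHA256 from CommonCrypto standing in for KDF(), and a salt, iteration count and sample values constructed for the example.

```swift
import Foundation
import CryptoKit
import CommonCrypto

enum VaultError: Error { case keyDerivationFailed, malformedEncData }

// SK = KDF(user password). PBKDF2-HMAC-SHA256 is an assumed choice of KDF;
// the salt is random, stored beside the data, and is not a secret.
func deriveSK(password: String, salt: Data, rounds: UInt32 = 200_000) throws -> SymmetricKey {
    var derived = [UInt8](repeating: 0, count: 32)
    let saltBytes = [UInt8](salt)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2),
        password, password.utf8.count,
        saltBytes, saltBytes.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
        rounds, &derived, derived.count)
    guard status == Int32(kCCSuccess) else { throw VaultError.keyDerivationFailed }
    return SymmetricKey(data: derived)
}

// EncData = wrap(SD, SK, Context=M2): AES-GCM with M2 as associated data.
func wrap(sd: Data, sk: SymmetricKey, context m2: Data) throws -> Data {
    let box = try AES.GCM.seal(sd, using: sk, authenticating: m2)
    guard let combined = box.combined else { throw VaultError.malformedEncData }
    return combined   // nonce || ciphertext || tag
}

// SD = unwrap(EncData, SK, Context=M2): throws if key, context or bytes differ.
func unwrap(encData: Data, sk: SymmetricKey, context m2: Data) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: encData)
    return try AES.GCM.open(box, using: sk, authenticating: m2)
}

// Returns true when the attempt throws, i.e. the data was refused.
func rejected(_ attempt: () throws -> Data) -> Bool {
    do { _ = try attempt(); return false } catch { return true }
}

// Constructed sample values, not real data.
let salt = Data((0..<16).map { _ in UInt8.random(in: 0...255) })
let sd = Data("passport photo bytes".utf8)   // SD
let m2 = Data("passport-front".utf8)         // M2, the photo name typed by the user

let sk = try deriveSK(password: "pa55w0rd", salt: salt)
let encData = try wrap(sd: sd, sk: sk, context: m2)
let roundTrip = try unwrap(encData: encData, sk: sk, context: m2)
print("round trip ok:", roundTrip == sd)

// T1/T4 checks: each of these must fail closed.
let wrongSK = try deriveSK(password: "guess", salt: salt)
var tampered = encData
tampered[tampered.count / 2] ^= 0x01
print("wrong password rejected:", rejected { try unwrap(encData: encData, sk: wrongSK, context: m2) })
print("wrong context rejected: ", rejected { try unwrap(encData: encData, sk: sk, context: Data("other".utf8)) })
print("tampered data rejected: ", rejected { try unwrap(encData: tampered, sk: sk, context: m2) })
```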