Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes

demo project:
https://github.com/vixentael/ios-datasec-basics

1. Intro (Apple, OWASP, jailbreaks)
2. Secure software development lifecycle
3. Stored data mistakes: key management and encryption
4. Practice time
5. Other data security things (network, logging, screenshots)
6. Reading list

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

March 21, 2019

Transcript

  1. Secure software development: from rookie to hardcore in 90 minutes
     iOS data security workshop, @vixentael
  2. (title slide repeated)
  3. @vixentael: product engineer in security and cryptography, started from iOS.
     OSS maintainer: Themis, Acra. Conducts workshops & training about secure apps development: training.cossacklabs.com
  4. https://medium.com/@vixentael/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329
  5. https://github.com/vixentael/ios-datasec-basics
  6. Plan for the next 85 mins:
     1. Intro (Apple, OWASP, jailbreaks)
     2. Secure software development lifecycle
     3. Stored data mistakes: key management and encryption
     4. Practice time
     5. Other data security things (network, logging, screenshots)
     6. Reading list
  7. Secure software development: why care anyway?
     Apple (guidelines, rejection guides); users (upset, angry); money (breaches, legal actions, fines)
  8. New App Store privacy policy: minimize the data you collect; be transparent about how you use the data; protect stored and in-transit data; remove data fully and quickly.
     http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/
  9. GDPR. Articles 32/35: store and process data responsibly, according to risks. Articles 33/34: detect data leakage and alert users & the controller.
     https://gdpr-info.eu/
  10. GDPR Article 32: https://gdpr-info.eu/
  11. OWASP Top-10 mobile risks (www.owasp.org/index.php/OWASP_Mobile_Security_Project):
     M1: Improper Platform Usage; M2: Insecure Data Storage; M3: Insecure Communication; M4: Insecure Authentication; M5: Insufficient Cryptography; M6: Insecure Authorization; M7: Client Code Quality; M8: Code Tampering; M9: Reverse Engineering; M10: Extraneous Functionality
  12. OWASP Top-10 mobile risks (same list as slide 11)
  13. Remote jailbreak of iOS 11 (patched in iOS 12): https://twitter.com/kevin_backhouse/status/1057352656560287746
  14. iOS Security Guide, 95-page PDF: www.apple.com/business/site/docs/iOS_Security_Guide.pdf

  15. Most users trust sensitive data to your app regardless of how well you protect it.
  16. Secure development lifecycle methodologies: MS SDL (microsoft.com/en-us/sdl), OWASP S-SDLC (owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project)
  17. SSDLC in simple words:
     Define sensitive data (during planning)
     Design & implement security controls (during planning & implementation)
     Verify security controls: testing, monitoring (acceptance testing / QA, unit testing)
  18. SSDLC in simple words (the same three steps as slide 17), then repeat.
  19. So, one by one
  20. Sensitive data
  21. Sensitive data: geo-locations, health data, financial data, kids' locations, cars' remote control, credentials, logs, PII
  22. Sensitive data: any kind of data that will break the business objectives or prosperity of those who use the data, if leaked. (Examples: geo-locations, health data, financial data, kids' locations, cars' remote control, credentials, logs, PII)
  23. Defining sensitive data: sensitive user data (PII, passwords); regulations (GDPR / HIPAA / PCI DSS); tech data (keys, logs, accesses).
     https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
  24. Security controls
  25. Security controls, proactive and reactive: data security, application security, infrastructure security, monitoring, intrusion detection, vulnerability management
  26. Proactive controls:
     Data security: encryption
     Access security: authentication, firewalls, OS
     Node security: firewalls, compartmentalization, isolation, OS
  27. Reactive controls:
     Data security: key management, integrity checks, authenticated crypto
     Access security: credential management, access logging, jailbans
     Node security: code security, monitoring, SIEM
  28. Verification, testing:
     OWASP Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
     OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
  29. MASVS
  30. SSDLC again: define sensitive data (during planning); design & implement security controls (during planning & implementation); verify security controls: testing, monitoring (acceptance testing / QA, unit testing); repeat.
  31. Storage encryption and key management
  32. File and CoreData encryption: NSPersistentStoreFileProtectionKey
     https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy/encrypting_your_app_s_files
  33. Encrypt stored data: UserDefaults, files, database cells, backups
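The control on slide 32 in code, as an added example that is not from the workshop's ios-datasec-basics project: a file written with NSFileProtectionComplete, the applied protection class read back so the control can be unit-tested, and NSPersistentStoreFileProtectionKey set on a Core Data store. The model name and file name are assumed.

```swift
import Foundation
import CoreData

// Added example (not from the workshop's demo project). iOS Data Protection
// encrypts the file with a per-file key wrapped by a class key; with
// NSFileProtectionComplete that class key is only available while the device is unlocked.
enum ProtectedStorage {
    /// Writes `data` with the Complete protection class.
    static func writeProtected(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// Reads the protection class the file system actually applied, so a test can
    /// verify the control instead of trusting the write options.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        if let type = attrs[.protectionKey] as? FileProtectionType { return type }
        if let raw = attrs[.protectionKey] as? String { return FileProtectionType(rawValue: raw) }
        return nil
    }

    /// Core Data: the SQLite store file gets the same protection class.
    /// `modelName` is assumed to match the app's .xcdatamodeld.
    static func makeContainer(modelName: String) -> NSPersistentContainer {
        let container = NSPersistentContainer(name: modelName)
        for description in container.persistentStoreDescriptions {
            description.setOption(FileProtectionType.complete.rawValue as NSString,
                                  forKey: NSPersistentStoreFileProtectionKey)
        }
        return container
    }
}

// Usage (placeholder file name; runs on a device, where Data Protection is active):
let noteURL = FileManager.default.temporaryDirectory.appendingPathComponent("notes.bin")
try ProtectedStorage.writeProtected(Data("private note".utf8), to: noteURL)
let applied = try ProtectedStorage.protectionClass(of: noteURL)
assert(applied == .complete, "file protection was not applied")
```

Reading the attribute back is the "verify security controls" step from slide 17 applied to this one control: a write option that is silently dropped (for example on a path that does not support Data Protection) shows up as a failed assertion rather than as unencrypted data on disk.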
  34. Use strong encryption for stored data: symmetric encryption with integrity checks and a long key, i.e. AES-256-GCM.
  35. Symmetric encryption, mistakes: wrong data scope; poor encryption flow design; bad key management; bad cryptography; encryption lib misuse
  36. Hashing: md5 vs sha256 (https://passwordsgenerator.net/sha256-hash-generator/)
  37. Wanna hash a password? Use a KDF. ☠ md5, ☠ sha1, sha256, sha512; KDFs: bcrypt, PBKDF2, HKDF
     https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm
  38. Use KDF: https://www.raywenderlich.com/129-basic-ios-security-keychain-and-hashing
  39. Use KDF correctly: the salt should be random; the iteration count should be > 10k.
     https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md
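Slides 37-39 in code, as an added example that is not from the workshop's project: PBKDF2-HMAC-SHA256 from CommonCrypto with a 16-byte random salt from SecRandomCopyBytes and 100,000 iterations (well above the "> 10k" on slide 39), plus a constant-time verify. The sample passwords are constructed.

```swift
import Foundation
import Security        // SecRandomCopyBytes
import CommonCrypto    // CCKeyDerivationPBKDF; CryptoKit has no password-based KDF

// Added example (not from the workshop's demo project).
struct PasswordHash {
    static let saltLength = 16
    static let defaultIterations: UInt32 = 100_000
    static let hashLength = 32

    let salt: Data
    let iterations: UInt32
    let hash: Data

    /// PBKDF2-HMAC-SHA256. The iteration count is what makes brute force slow;
    /// the salt is what stops precomputed (rainbow) tables.
    static func pbkdf2(password: String, salt: Data, iterations: UInt32, length: Int) -> Data {
        var derived = [UInt8](repeating: 0, count: length)
        let status: Int32 = password.withCString { pwd in
            salt.withUnsafeBytes { (saltBuf: UnsafeRawBufferPointer) -> Int32 in
                CCKeyDerivationPBKDF(
                    CCPBKDFAlgorithm(kCCPBKDF2),
                    pwd, password.utf8.count,
                    saltBuf.baseAddress?.assumingMemoryBound(to: UInt8.self), saltBuf.count,
                    CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                    iterations,
                    &derived, derived.count)
            }
        }
        precondition(status == Int32(kCCSuccess), "PBKDF2 failed with status \(status)")
        return Data(derived)
    }

    /// Hashes a new password with a fresh salt from the system CSPRNG.
    static func create(password: String) -> PasswordHash {
        var salt = [UInt8](repeating: 0, count: saltLength)
        let status = SecRandomCopyBytes(kSecRandomDefault, salt.count, &salt)
        precondition(status == errSecSuccess, "CSPRNG failure")
        let saltData = Data(salt)
        let hash = pbkdf2(password: password, salt: saltData,
                          iterations: defaultIterations, length: hashLength)
        return PasswordHash(salt: saltData, iterations: defaultIterations, hash: hash)
    }

    /// Re-derives with the stored salt and iteration count and compares in
    /// constant time, so timing does not reveal how many leading bytes matched.
    func verify(password: String) -> Bool {
        let candidate = PasswordHash.pbkdf2(password: password, salt: salt,
                                            iterations: iterations, length: hash.count)
        guard candidate.count == hash.count else { return false }
        var diff: UInt8 = 0
        for (a, b) in zip(candidate, hash) { diff |= a ^ b }
        return diff == 0
    }
}

// Usage with constructed sample passwords:
let stored = PasswordHash.create(password: "correct horse battery staple")
assert(stored.verify(password: "correct horse battery staple"))
assert(!stored.verify(password: "qwertyqwerty"))
assert(PasswordHash.create(password: "same").hash != PasswordHash.create(password: "same").hash) // different salts
```

Salt and iteration count are stored next to the hash (they are not secrets); only the password is. Persisting the iteration count per record is what lets you raise it later for new passwords without breaking verification of old ones.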
  40. 269 crypto CVEs from 2011-2014: 17% were bugs inside crypto libs, 83% were misuses of crypto libs by individual apps.
     https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
  41. Even more mistakes: XORing != encrypting; using a password as the encryption key (without a KDF); storing keys elsewhere; using a single encryption key for all data/users
  42. Use encryption
  43. Use encryption correctly (annotations on a code sample): the key should be random; should use KDF(key); uses AES-CBC, not AES-GCM; padding? salt?
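The mistakes on slides 41 and 43 avoided, as an added example that is not from the workshop's project (the slides recommend Themis; this uses Apple's CryptoKit, available from iOS 13, with HKDF from iOS 14): a random 256-bit master key, a per-user subkey derived from it so one key does not cover all users, AES-256-GCM with a fresh random nonce per call, and the authentication tag rejecting a tampered ciphertext, which is exactly what unauthenticated AES-CBC would not do. The identifiers "alice", "bob" and "notes" are constructed.

```swift
import Foundation
import CryptoKit   // iOS 13+/macOS 10.15+; HKDF needs iOS 14+/macOS 11+

// Added example (not from the workshop's demo project).
enum DataEncryptor {
    /// Derives a distinct per-user, per-purpose key from one master key (HKDF-SHA256),
    /// so that exposure of one subkey does not expose every user's data.
    /// HKDF expects high-entropy input; a user password would still need PBKDF2 first.
    static func subkey(master: SymmetricKey, userId: String, purpose: String) -> SymmetricKey {
        HKDF<SHA256>.deriveKey(inputKeyMaterial: master,
                               salt: Data(),
                               info: Data((purpose + ":" + userId).utf8),
                               outputByteCount: 32)
    }

    /// AES-256-GCM. CryptoKit generates a fresh random 96-bit nonce on every call and
    /// the 16-byte tag covers both the ciphertext and `aad`. Output = nonce || ct || tag.
    static func seal(_ plaintext: Data, key: SymmetricKey, aad: Data) throws -> Data {
        let box = try AES.GCM.seal(plaintext, using: key, authenticating: aad)
        return box.combined!   // non-nil for the default 12-byte nonce
    }

    /// Throws CryptoKitError.authenticationFailure if the key, nonce, ciphertext,
    /// tag or `aad` differ from what was sealed.
    static func open(_ blob: Data, key: SymmetricKey, aad: Data) throws -> Data {
        let box = try AES.GCM.SealedBox(combined: blob)
        return try AES.GCM.open(box, using: key, authenticating: aad)
    }
}

// Usage with constructed sample values:
do {
    let master = SymmetricKey(size: .bits256)   // real app: generated once, kept in the Keychain
    let aliceKey = DataEncryptor.subkey(master: master, userId: "alice", purpose: "notes")
    let bobKey   = DataEncryptor.subkey(master: master, userId: "bob",   purpose: "notes")
    let aad = Data("note-id:42".utf8)           // authenticated, not encrypted
    let blob = try DataEncryptor.seal(Data("secret note".utf8), key: aliceKey, aad: aad)

    let plain = try DataEncryptor.open(blob, key: aliceKey, aad: aad)
    assert(String(decoding: plain, as: UTF8.self) == "secret note")

    var tampered = blob
    tampered[tampered.count - 20] ^= 0x01        // flip one bit inside the ciphertext
    assert((try? DataEncryptor.open(tampered, key: aliceKey, aad: aad)) == nil)   // tag mismatch
    assert((try? DataEncryptor.open(blob, key: bobKey, aad: aad)) == nil)         // other user's key
    assert((try? DataEncryptor.open(blob, key: aliceKey, aad: Data("note-id:43".utf8))) == nil) // wrong context
} catch {
    print("crypto error: \(error)")
}
```

The AAD binds the ciphertext to its record (here a note id), so a blob copied from one record into another is rejected even though the key is right. The "padding? salt?" questions from slide 43 disappear with GCM: there is no padding, and the nonce handling is inside the library.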
  44. Use "boring" crypto libraries: ★ use strong & audited crypto ★ work everywhere ★ hide cryptographic details ★ hard to mis-use ★ have integration with key storage
     https://speakerdeck.com/vixentael/dont-waste-time-on-learning-cryptography-better-use-it-properly
  45. Encryption that is hard to mis-use: Themis
  46. Encryption that is hard to mis-use: Themis hides cryptographic details (salt, IV, KDF, padding); has a built-in KDF, so it is safe to use a passphrase; uses AES-256-GCM
  47. Crypto libraries for iOS (https://www.cossacklabs.com/choose-your-ios-crypto.html):
     Multi-platform, storage: themis, libsodium, tink
     Multi-platform, transport: TLS, themis, libsodium, OTRKit, libsignal
     Made for one platform, some ports available: RNCryptor, CryptoSwift, CommonCrypto
  48. Key management: app tokens, user passwords, public certs. Hardcoded in the app (the anti-pattern):
         let apiToken = "63ufHs2E82-cJgsm!djr7-Ks1TTYC4TV"
         let appId = "VK1TTYC4TV"
         let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
         var userPass = "qwertyqwerty"
  49. Key management:
     BUILT-IN keys: plist/files, encrypt, obfuscate, calculate
     APP FLOW keys: Keychain, KDF, encrypt
  50. Practice time
  51. https://github.com/vixentael/ios-datasec-basics
  52. Built-in keys: store as a hardcoded variable; store obfuscated in plist, de-obfuscate on start; store encrypted in plist, decrypt on start
  53. App flow keys: store as a memory variable; store obfuscated/encrypted in User Defaults; store in Keychain, protected by biometrics
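The last option on slide 53 in code, as an added example that is not from the workshop's project: a generic-password Keychain item created with an access control that requires the current biometric set and a device passcode, and is never exported to backups. The service name and account are assumed; reading back needs a device with enrolled biometrics, so the usage only prints the outcome.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example (not from the workshop's demo project). Service name is assumed.
enum KeychainStore {
    static let service = "com.example.datasec-demo"

    enum KeychainError: Error {
        case accessControl
        case osStatus(OSStatus)
    }

    /// Stores `secret` so that it can only be read after the user passes Face ID /
    /// Touch ID on this device. `.biometryCurrentSet` invalidates the item if the
    /// enrolled biometrics change; "...ThisDeviceOnly" keeps it out of backups.
    static func store(_ secret: Data, account: String) throws {
        guard let access = SecAccessControlCreateWithFlags(
            nil,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            nil) else {
            throw KeychainError.accessControl
        }
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Replace any previous value; "item not found" on delete is not an error here.
        _ = SecItemDelete(lookup as CFDictionary)

        var attributes = lookup
        attributes[kSecAttrAccessControl as String] = access
        attributes[kSecValueData as String] = secret
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
    }

    /// Reads the secret back; the system shows the biometric prompt with `reason`
    /// and the call fails (e.g. errSecUserCanceled) if the user does not pass it.
    static func read(account: String, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.osStatus(status)
        }
        return data
    }
}

// Usage (constructed token; runs on a device with a passcode and enrolled biometrics):
do {
    try KeychainStore.store(Data("session-token-from-login".utf8), account: "api-token")
    let token = try KeychainStore.read(account: "api-token", reason: "Unlock your API token")
    print("read \(token.count) bytes from the Keychain")
} catch {
    print("keychain error: \(error)")
}
```

Compared with the other two options on the slide, the secret never sits in User Defaults (a plist that is readable from a backup) and is not held in a long-lived variable: it is fetched only for the moment it is needed and the OS, not the app, enforces who may fetch it.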
  54. https://github.com/vixentael/ios-datasec-basics
  55. Other data security things
  56. Transport encryption (github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices): private keys RSA-2048 or ECDSA-256; obtain the certificate from a reliable CA; TLS v1.3-v1.2; use secure cipher suites, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅; enable Forward Secrecy ✅; enable HSTS (web); rotate certificates often
  57. SSL pinning: Moya; owasp.org/index.php/Pinning_Cheat_Sheet
  58. SSL pinning, updating the certificate: update the app with a hardcoded certificate; build in several certificates; update from the server over a trusted channel
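Slides 57 and 58 in code, as an added example that is not from the workshop's project and does not use Moya: a URLSession delegate that accepts the server only when the normal system trust evaluation passes and the SHA-256 of the leaf certificate's DER is in a built-in pin set. Shipping two pins, the current and the next certificate, is the "build in several certificates" rotation strategy from slide 58. The pin values are placeholders.

```swift
import Foundation
import Security
import CryptoKit

// Added example (not from the workshop's demo project). Pins are placeholders.
final class PinningDelegate: NSObject, URLSessionDelegate {
    /// SHA-256 (hex) of the DER-encoded leaf certificates we accept. Compute each with
    /// `openssl x509 -in leaf.pem -outform DER | shasum -a 256`.
    let pinnedCertHashes: Set<String>

    init(pinnedCertHashes: Set<String>) {
        self.pinnedCertHashes = pinnedCertHashes
    }

    static func sha256Hex(_ data: Data) -> String {
        SHA256.hash(data: data).map { String(format: "%02x", $0) }.joined()
    }

    /// True only when the chain passes system evaluation (CA, hostname, expiry)
    /// AND the leaf's hash is in the pin set. Pinning adds to, never replaces, that check.
    static func isTrusted(_ trust: SecTrust, pins: Set<String>) -> Bool {
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else { return false }
        // Index 0 is the leaf. (Deprecated in iOS 15 in favour of SecTrustCopyCertificateChain.)
        guard SecTrustGetCertificateCount(trust) > 0,
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else { return false }
        let der = SecCertificateCopyData(leaf) as Data
        return pins.contains(sha256Hex(der))
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a server-trust challenge
            return
        }
        if PinningDelegate.isTrusted(trust, pins: pinnedCertHashes) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // fail closed
        }
    }
}

// Usage: the second pin is the certificate that will replace the current one,
// shipped in advance so the app keeps working across the rotation.
let pinning = PinningDelegate(pinnedCertHashes: [
    "<sha256-of-current-leaf-der-placeholder>",
    "<sha256-of-next-leaf-der-placeholder>",
])
let pinnedSession = URLSession(configuration: .ephemeral, delegate: pinning, delegateQueue: nil)
```

Pinning the leaf is the strictest choice and the one that needs the advance-shipped second pin; pinning an intermediate CA certificate instead survives leaf renewals but trusts every certificate that CA issues. Either way, a pin set that cannot be updated before the certificate expires turns into a self-inflicted outage, which is why slide 58 pairs pinning with an update path.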
  59. Encrypt over SSL: Themis Secure Session client setup (Swift, from the slide):
         transport = Transport()
         transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
         session = TSSession(userId: clientIdData, privateKey: clientPrivateKeyData, callbacks: transport!)
         startSession(clientId: clientId, message: connectionMessage)
  60. Encrypt over SSL: Themis, axolotl, noise
  61. Do not commit secrets: keys.plist → .gitignore
     medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949
     shanirivers.me/posts/hiding-your-api-keys-for-ios-projects
     orta/cocoapods-keys, awslabs/git-secrets
  62. Do not log secrets. Automate checking code for forgotten secrets: cfpb/clouseau
  63. https://speakerdeck.com/vixentael/x-things-you-need-to-know-before-implementing-cryptography
  64. Do's and Don'ts of secure development
  65. DON'T:
     - do things just because "they make security better"
     - copy-paste from StackOverflow
     - implement your own security controls where solutions are available
  66. DO:
     - only things that address real, valid risks
     - use industry best practices, standards and tools
     - explain why spending the effort is necessary
     - plan, implement, test, formalize
     - watch the trends, follow experts
  67. Reading, watching
  68. General theory:
     How Apple Security works: http://mashable.com/2016/04/16/apple-security-explained/
     Popular note-taking apps share these security flaws: https://medium.com/@vixentael/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329
     Apple Export Regulations on Cryptography: https://medium.com/@cossacklabs/apple-export-regulations-on-crypto-6306380682e1
     How HTTPS works: cats: https://howhttps.works/
  69. Cryptography:
     Cryptographic Storage Cheat Sheet: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
     Key Management Cheat Sheet: https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
     Managing Keys, Certificates, and Passwords: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
     Crypto in iOS: choose your destiny: https://cossacklabs.com/choose-your-ios-crypto.html
  70. Testing:
     Crack prevention: http://iphonedevwiki.net/index.php/Crack_prevention
     Mobile Security Testing Guide: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06a-platform-overview
     OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
  71. Talks & training: github.com/vixentael/my-talks, training.cossacklabs.com
  72. @vixentael: product engineer in security and cryptography; conducts workshops & training about secure apps development