Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes

demo project:
https://github.com/vixentael/ios-datasec-basics

1. Intro (Apple, OWASP, jailbreaks)
2. Secure software development lifecycle
3. Stored data mistakes: key management and encryption
4. Practice time
5. Other data security things (network, logging, screenshots)
6. Reading list

Other talks and videos:
https://github.com/vixentael/my-talks


vixentael

March 21, 2019

Transcript

  1. 3.

    @vixentael, product engineer in security and cryptography, started from iOS
    OSS maintainer: Themis, Acra
    conduct workshops & training about secure apps development: training.cossacklabs.com
  2. 6.

    Plan for next 85 mins:
    1. Intro (Apple, OWASP, jailbreaks)
    2. Secure software development lifecycle
    3. Stored data mistakes: key management and encryption
    4. Practice time
    5. Other data security things (network, logging, screenshots)
    6. Reading list
  3. 7.

    Secure software development: why care anyway?
    - Apple (guidelines, rejection guides)
    - users (upset, angry)
    - money (breaches, legal actions, fines)
  4. 8.

    New App Store privacy policy (http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/)
    - minimize the data you collect
    - be transparent on how you use the data
    - protect stored data and data in transit
    - remove data fully and quickly
  5. 9.

    GDPR (https://gdpr-info.eu/)
    - Article 32/35: responsibly store and process data according to risks
    - Article 33/34: detect data leakage and alert users & the controller
  6. 11.

    OWASP Top-10 mobile risks (www.owasp.org/index.php/OWASP_Mobile_Security_Project)
    • M1: Improper Platform Usage
    • M2: Insecure Data Storage
    • M3: Insecure Communication
    • M4: Insecure Authentication
    • M5: Insufficient Cryptography
    • M6: Insecure Authorization
    • M7: Client Code Quality
    • M8: Code Tampering
    • M9: Reverse Engineering
    • M10: Extraneous Functionality
  8. 16.
  9. 17.

    SSDLC in simple words
    - Define sensitive data (during planning)
    - Design & implement security controls (during planning & implementation)
    - Verify security controls: testing, monitoring (acceptance testing / QA, unit testing)
  10. 18.

    SSDLC in simple words
    - Define sensitive data (during planning)
    - Design & implement security controls (during planning & implementation)
    - Verify security controls: testing, monitoring (acceptance testing / QA, unit testing)
    - repeat
  11. 21.
  12. 22.

    Sensitive data – any kind of data that, if leaked, will break business objectives or the prosperity of those who use the data.
    Examples: geo-locations, health data, financial data, kids' locations, cars' remote control, credentials, logs, PII
  13. 23.

    Defining sensitive data:
    - sensitive user data (PII, password)
    - regulations (GDPR / HIPAA / PCI DSS)
    - tech data (keys, logs, accesses)
    https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
  14. 25.
  15. 26.

    Proactive controls
    - Data security: encryption
    - Access security: authentication, firewalls, OS
    - Node security: firewalls, compartmentalization, isolation, OS
  16. 27.

    Reactive controls
    - Data security: key management, integrity checks, authenticated crypto
    - Access security: credential management, access logging, jailbans
    - Node security: code security, monitoring, SIEM
  17. 28.

    Verification, testing
    - OWASP Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
    - OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
  18. 30.

    SSDLC again
    - Define sensitive data (during planning)
    - Design & implement security controls (during planning & implementation)
    - Verify security controls: testing, monitoring (acceptance testing / QA, unit testing)
    - repeat
  19. 34.
  20. 35.

    Symmetric encryption, mistakes
    - wrong data scope
    - poor encryption flow design
    - bad key management
    - bad cryptography
    - encryption lib mis-use
  21. 41.

    Even more mistakes
    - XORing != encrypting
    - using password as encryption key (without KDF)
    - storing keys elsewhere
    - using a single encryption key for all data/users
  22. 43.

    Use encryption correctly
    - should be random
    - should use KDF(key)
    - uses AES CBC, not AES GCM
    - padding? salt?
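The three slides above list what usually goes wrong with symmetric encryption on iOS. The following is an added example, not code from the workshop or from the ios-datasec-basics demo project, that walks the checklist in CryptoKit: a random salt, a real KDF (PBKDF2 from CommonCrypto) in front of the passphrase, one derived key per user (HKDF), and AES-256-GCM with its built-in integrity tag instead of AES-CBC. It assumes Apple platforms with CryptoKit and CommonCrypto (HKDF needs iOS 14 / macOS 11); the passphrase, context strings and iteration count are constructed sample values.

```swift
// Added example, not from the workshop slides or the demo project.
import Foundation
import Security
import CryptoKit
import CommonCrypto

enum StorageCryptoError: Error { case randomFailed, kdfFailed, malformedCiphertext }

/// Cryptographically secure random bytes (used here for the per-user salt).
func randomBytes(_ count: Int) throws -> Data {
    var bytes = [UInt8](repeating: 0, count: count)
    guard SecRandomCopyBytes(kSecRandomDefault, count, &bytes) == errSecSuccess else {
        throw StorageCryptoError.randomFailed
    }
    return Data(bytes)
}

/// Stretch a passphrase into a 256-bit master key with PBKDF2-HMAC-SHA256.
/// The salt is random per user and stored beside the ciphertext; it is not secret.
/// The iteration count is an assumption for this example; tune it for your devices.
func deriveMasterKey(passphrase: String, salt: Data, rounds: UInt32 = 600_000) throws -> SymmetricKey {
    let saltBytes = [UInt8](salt)
    var derived = [UInt8](repeating: 0, count: 32)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2),
        passphrase, passphrase.utf8.count,
        saltBytes, saltBytes.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
        rounds,
        &derived, derived.count)
    guard status == Int32(kCCSuccess) else { throw StorageCryptoError.kdfFailed }
    return SymmetricKey(data: derived)
}

/// A distinct data key per user or record, so one shared key never protects everyone's data.
func dataKey(from master: SymmetricKey, context: String) -> SymmetricKey {
    HKDF<SHA256>.deriveKey(inputKeyMaterial: master, info: Data(context.utf8), outputByteCount: 32)
}

/// AES-256-GCM with a fresh random nonce; the result is nonce || ciphertext || tag.
/// `aad` binds the ciphertext to its context (user id, record version) without encrypting it.
func sealRecord(_ plaintext: Data, key: SymmetricKey, aad: Data) throws -> Data {
    let box = try AES.GCM.seal(plaintext, using: key, authenticating: aad)
    guard let combined = box.combined else { throw StorageCryptoError.malformedCiphertext }
    return combined
}

/// Throws (returns no plaintext at all) if the nonce, ciphertext, tag or aad was altered.
func openRecord(_ combined: Data, key: SymmetricKey, aad: Data) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: combined)
    return try AES.GCM.open(box, using: key, authenticating: aad)
}

// Constructed walk-through: one passphrase, two users, a tamper check.
let salt = try randomBytes(16)                       // store next to the user's records
let master = try deriveMasterKey(passphrase: "correct horse battery staple", salt: salt)
let aliceKey = dataKey(from: master, context: "user:alice")
let bobKey = dataKey(from: master, context: "user:bob")
let aad = Data("user:alice|record:1".utf8)
let blob = try sealRecord(Data("note: secret".utf8), key: aliceKey, aad: aad)

let restored = try openRecord(blob, key: aliceKey, aad: aad)
assert(String(decoding: restored, as: UTF8.self) == "note: secret")

// Bob's key cannot open Alice's record, and a single flipped byte fails authentication.
assert((try? openRecord(blob, key: bobKey, aad: aad)) == nil)
var tampered = blob
tampered[tampered.index(before: tampered.endIndex)] ^= 0x01
assert((try? openRecord(tampered, key: aliceKey, aad: aad)) == nil)
```

GCM gives the "integrity checks, authenticated crypto" item from the reactive-controls slide for free: a CBC-based scheme would decrypt the tampered blob to garbage and return it, while `AES.GCM.open` refuses. The salt and the per-record `aad` can be stored in the clear; only the passphrase (or the master key, if cached) needs protecting.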
  23. 44.

    Use "boring" crypto libraries
    ★ use strong & audited crypto
    ★ work everywhere
    ★ hide cryptographic details
    ★ hard to mis-use
    ★ have integration with key storage
    https://speakerdeck.com/vixentael/dont-waste-time-on-learning-cryptography-better-use-it-properly
  24. 46.

    Encryption that is hard to mis-use: Themis
    - hides cryptographic details: salt, IV, KDF, padding
    - built-in KDF, safe to use with a passphrase
    - uses AES-256-GCM
  25. 47.

    Crypto libraries for iOS (https://www.cossacklabs.com/choose-your-ios-crypto.html)
    Multi-platform:
      storage: themis, libsodium, tink
      transport: TLS, themis, libsodium, OTRKit, libsignal
    Made for one platform, some ports available:
      storage: RNCryptor, CryptoSwift, CommonCrypto
  26. 48.

    Key management: app tokens, user passwords, public certs (hardcoded, as found in real apps)
    let apiToken = "63ufHs2E82-cJgsm!djr7-Ks1TTYC4TV"
    let appId = "VK1TTYC4TV"
    let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
    var userPass = "qwertyqwerty"
  27. 52.

    Built-in keys
    - store as hardcoded variable
    - store obfuscated in plist, de-obfuscate on start
    - store encrypted in plist, decrypt on start
  28. 53.

    App flow keys
    - store as memory variable
    - store obfuscated/encrypted in User Defaults
    - store in Keychain, protect by Biometrics
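The last option on the slide, a key kept in the Keychain behind biometrics, looks like this in the Security framework. This is an added example, not code from the workshop or the demo project; the service and account names are placeholders, and the biometric prompt only appears on a device with enrolled Face ID / Touch ID (the simulator needs biometrics enrolled in its settings).

```swift
// Added example, not from the workshop slides or the demo project.
import Foundation
import Security
import CryptoKit
import LocalAuthentication

enum KeychainError: Error { case accessControl, status(OSStatus) }

/// Keychain attributes shared by store, load and delete. Placeholder names.
private func baseQuery(service: String, account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

/// Store a symmetric key so it never leaves this device's Keychain (no iCloud sync,
/// no migration to backups) and reading it requires the currently enrolled biometrics.
/// `.biometryCurrentSet` invalidates the item if fingerprints/faces are re-enrolled.
func storeKey(_ key: SymmetricKey, service: String, account: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .biometryCurrentSet,
            &cfError) else { throw KeychainError.accessControl }

    // Replace any previous key for this account instead of failing with errSecDuplicateItem.
    _ = SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)

    var attrs = baseQuery(service: service, account: account)
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the key back; the system shows the biometric dialog with `reason` before
/// returning the bytes. A cancelled or failed prompt surfaces as a non-success status.
func loadKey(service: String, account: String, reason: String) throws -> SymmetricKey {
    let context = LAContext()
    context.localizedReason = reason

    var query = baseQuery(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.status(status)
    }
    return SymmetricKey(data: data)
}

/// Remove the key, e.g. on logout.
func deleteKey(service: String, account: String) {
    _ = SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)
}

// Constructed usage: generate the app-flow key once, keep only the Keychain reference.
let dataKey = SymmetricKey(size: .bits256)
try storeKey(dataKey, service: "com.example.notes", account: "notes-data-key")   // placeholders
let sameKey = try loadKey(service: "com.example.notes", account: "notes-data-key",
                          reason: "Unlock your notes")
assert(sameKey == dataKey)
```

Two details matter for the "protect by Biometrics" bullet: the accessibility class (`WhenUnlockedThisDeviceOnly`) decides where the item may travel, and the access-control flag decides who may read it. Compared with the User Defaults option above, the key material is never in a plist that a backup or a jailbroken device exposes, and the app itself only holds it in memory for as long as it needs to.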
  29. 56.

    Transport encryption (github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices)
    - private keys: RSA-2048, ECDSA-256
    - obtain certificate from a reliable CA
    - TLS v1.3-v1.2
    - use secure cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅
    - enable Forward Secrecy ✅
    - enable HSTS (web)
    - rotate certificates often
  30. 58.

    SSL pinning: how to update the pinned certificate
    - update app with hardcoded certificate
    - build in several certificates
    - update from server: build trusted channel
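The "build in several certificates" option works best when the app pins the server's public key rather than the whole certificate, so a renewed certificate with the same key (or the pre-announced next key) keeps working. The following is an added example, not code from the workshop or the demo project, of a URLSession delegate that does that; the two pin values are placeholders, and it assumes iOS 15 / macOS 12 for SecTrustCopyCertificateChain.

```swift
// Added example, not from the workshop slides or the demo project.
import Foundation
import Security
import CryptoKit

/// URLSession delegate that pins the leaf public key to one of several SHA-256 hashes
/// compiled into the app. Shipping the current and the next key's pin lets the server
/// rotate its certificate without an app update.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pins: Set<String>

    init(pins: Set<String>) { self.pins = pins }

    /// Hex SHA-256 of the leaf certificate's public key bytes as returned by
    /// SecKeyCopyExternalRepresentation (raw key, not the SPKI DER that openssl hashes).
    static func hexSHA256(ofLeafKeyIn trust: SecTrust) -> String? {
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        return SHA256.hash(data: keyData).map { String(format: "%02x", $0) }.joined()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. client auth): leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. The chain must still validate against the system trust store; pinning is
        //    an extra check on top of normal TLS validation, not a replacement for it.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. The leaf key must match one of the built-in pins.
        guard let hash = Self.hexSHA256(ofLeafKeyIn: trust), pins.contains(hash) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Constructed usage: placeholder pins for the current key and the pre-generated next key.
let pinned = PinningDelegate(pins: [
    "<hex-sha256-of-current-server-key>",   // placeholder
    "<hex-sha256-of-next-server-key>",      // placeholder, lets the server rotate
])
let session = URLSession(configuration: .ephemeral, delegate: pinned, delegateQueue: nil)
```

Compute the pin values with the same function (SecKeyCopyExternalRepresentation on the server certificate's key) rather than from an `openssl` SPKI digest, because the byte layouts differ. Keep a way to recover if both pins stop matching, for example the "update from server: build trusted channel" option from the slide, or the app is locked out of its own backend until the next release.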
  31. 59.

    Encrypt over SSL: Themis Secure Session
    transport = Transport()
    transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
    session = TSSession(userId: clientIdData, privateKey: clientPrivateKeyData, callbacks: transport!)
    startSession(clientId: clientId, message: connectionMessage)
  32. 65.

    DON'T
    - Do things just because "they make security better"
    - Copy-paste from StackOverflow
    - Implement your own security controls where solutions are available
  33. 66.

    DO
    - Only things that address real, valid risks
    - Use industry's best practices, standards and tools
    - Explain why spending effort is necessary
    - Plan, implement, test, formalize
    - Watch the trends, follow experts
  34. 68.

    Reading list: general theory
    - How Apple Security works: http://mashable.com/2016/04/16/apple-security-explained/
    - Popular note-taking apps share these security flaws: https://medium.com/@vixentael/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329
    - Apple Export Regulations on Cryptography: https://medium.com/@cossacklabs/apple-export-regulations-on-crypto-6306380682e1
    - How HTTPS works: cats: https://howhttps.works/
  35. 69.

    Reading list: cryptography
    - Cryptographic Storage Cheat Sheet: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
    - Key Management Cheat Sheet: https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
    - Managing Keys, Certificates, and Passwords: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
    - Crypto in iOS: choose your destiny: https://cossacklabs.com/choose-your-ios-crypto.html