Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes

demo project:
https://github.com/vixentael/ios-datasec-basics

1. Intro (Apple, OWASP, jailbreaks)
2. Secure software development lifecycle
3. Stored data mistakes: key management and encryption
4. Practice time
5. Other data security things (network, logging, screenshots)
6. Reading list

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

March 21, 2019
Transcript

  1. Secure software development:
    from rookie to hardcore in 90 minutes
    iOS data security workshop
    @vixentael

  3. @vixentael
    product engineer in security
    and cryptography
    started from iOS 3
    OSS maintainer: Themis, Acra
    conduct workshops & training about
    secure apps development
    training.cossacklabs.com

  4. https://medium.com/@vixentael/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329

  5. https://github.com/vixentael/ios-datasec-basics

  6. Plan for next 85 mins:
    1. Intro (Apple, OWASP, jailbreaks)
    2. Secure software development lifecycle
    3. Stored data mistakes: key management and encryption
    4. Practice time
    5. Other data security things (network, logging, screenshots)
    6. Reading list

  7. Secure software development: why care anyway?
    Apple (guidelines, rejection guides)
    users (upset, angry)
    money (breaches, legal actions, fines)

  8. New App Store privacy policy
    - minimize the data you collect
    - be transparent on how you use the data
    - protect stored and transit data
    - remove data fully and quickly
    http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/

  9. GDPR
    Article 32/35: responsibly store and process data according to risks
    Article 33/34: detect data leakage and alert users & controller
    https://gdpr-info.eu/

  10. GDPR Article 32
    https://gdpr-info.eu/

  11. OWASP Top-10 mobile risks
    • M1: Improper Platform Usage
    • M2: Insecure Data Storage
    • M3: Insecure Communication
    • M4: Insecure Authentication
    • M5: Insufficient Cryptography
    • M6: Insecure Authorization
    • M7: Client Code Quality
    • M8: Code Tampering
    • M9: Reverse Engineering
    • M10: Extraneous Functionality
    www.owasp.org/index.php/OWASP_Mobile_Security_Project

  13. Remote jailbreak iOS11 (patched in iOS12)
    https://twitter.com/kevin_backhouse/status/1057352656560287746

  14. iOS Security Guide (95-page PDF)
    www.apple.com/business/site/docs/iOS_Security_Guide.pdf

  15. Most users trust sensitive data
    to your app regardless of
    how well you protect it.

  16. Secure development lifecycle methodology
    MS SDL: microsoft.com/en-us/sdl
    OWASP S-SDLC: owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

  17. SSDLC in simple words
    Define sensitive data: during planning
    Design & implement security controls: during planning & implementation
    Verify security controls (testing, monitoring): acceptance testing / QA, unit testing

  18. SSDLC in simple words
    Define sensitive data: during planning
    Design & implement security controls: during planning & implementation
    Verify security controls (testing, monitoring): acceptance testing / QA, unit testing
    repeat

  19. So, one by one

  20. Sensitive data

  21. Sensitive data
    geo-locations
    health data
    financial data
    kids locations
    cars remote control
    credentials
    logs
    PII

  22. Sensitive data: any kind of data that will break business objectives or prosperity of those who use the data, if leaked.
    geo-locations
    health data
    financial data
    kids locations
    cars remote control
    credentials
    logs
    PII

  23. Defining sensitive data:
    sensitive user data (PII, password)
    regulations (GDPR / HIPAA / PCI DSS)
    tech data (keys, logs, accesses)
    https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

  24. Security controls

  25. Security controls: proactive and reactive
    Data security
    Application security
    Infrastructure security
    Monitoring
    Intrusion detection
    Vulnerability management

  26. Proactive controls
    Data security: encryption
    Access security: authentication, firewalls, OS
    Node security: firewalls, compartmentalization, isolation, OS

  27. Reactive controls
    Data security: key management, integrity checks, authenticated crypto
    Access security: credential management, access logging, jailbans
    Node security: code security, monitoring, SIEM

  28. Verification, testing
    OWASP Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
    OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs

  29. MASVS

  30. SSDLC again
    Define sensitive data: during planning
    Design & implement security controls: during planning & implementation
    Verify security controls (testing, monitoring): acceptance testing / QA, unit testing
    repeat

  31. Storage encryption and key management

  32. File and CoreData encryption
    NSPersistentStoreFileProtectionKey
    https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy/encrypting_your_app_s_files

  33. Encrypt stored data
    Store encrypted data in:
    UserDefaults
    Files
    Database cells
    Backups

  34. Encrypt stored data: use strong encryption
    Symmetric encryption with integrity checks and long key: AES-256-GCM

  35. Symmetric encryption, mistakes
    wrong data scope
    poor encryption flow design
    bad key management
    bad cryptography
    encryption lib mis-use

  36. Hashing: md5 vs sha256
    https://passwordsgenerator.net/sha256-hash-generator/

  37. Wanna hash password? Use KDF
    Plain hashes: ☠ md5 ☠ sha1, sha256, sha512
    KDFs: bcrypt, PBKDF2, HKDF
    https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm

  38. Use KDF
    https://www.raywenderlich.com/129-basic-ios-security-keychain-and-hashing

  39. Use KDF correctly
    salt: should be random
    iterations: should be > 10k
    https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md

  40. 269 CVEs from 2011-2014
    17%: bugs inside crypto libs
    83%: misuses of crypto libs by individual apps
    https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf

  41. Even more mistakes
    XORing != encrypting
    using password as encryption key (without KDF)
    storing keys elsewhere
    using a single encryption key for all data/users

  42. Use encryption

  43. Use encryption correctly
    IV: should be random
    key: should be derived with a KDF (KDF(key))
    uses AES CBC, not AES GCM
    padding? salt?

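The KDF rules from slide 39 (random salt, > 10k iterations) and the key mistakes from slides 41 and 43 (a password used directly as the key, one key shared by all users), as an added Python example that uses only the standard library; it is not code from the workshop or its demo repo. The names derive_storage_key, per_user_key, the 100,000 default iteration count and the "storage-key:" info label are this example's own choices.

```python
import hashlib
import hmac
import secrets

MIN_ITERATIONS = 10_000  # floor from slide 39; the default below is well above it
KEY_LEN = 32             # 256-bit key, the size AES-256-GCM expects


def new_salt() -> bytes:
    """Fresh random salt; store it next to the ciphertext, never reuse it."""
    return secrets.token_bytes(16)


def derive_storage_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: turn a user passphrase into an AES-256 key.

    The passphrase itself is never used as the key (slide 41 mistake);
    the salt must be random and the round count above the workshop floor.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iterations must be >= {MIN_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, KEY_LEN)


def naive_key_from_password(passphrase: str) -> bytes:
    """The anti-pattern from slide 41, shown for contrast only: the password
    bytes padded to key length. No salt, no work factor, same key every time."""
    return passphrase.encode("utf-8").ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract then expand) built from hmac only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                             # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def per_user_key(master_key: bytes, user_id: str) -> bytes:
    """One master key, a distinct derived key per user (slide 41: never a
    single encryption key for all data/users). Constructed label 'storage-key:'."""
    return hkdf_sha256(master_key, salt=b"", info=b"storage-key:" + user_id.encode("utf-8"), length=KEY_LEN)
```

The block stops at key derivation because AES-GCM is not in the Python standard library; the derived 32-byte keys are what an AES-256-GCM call (with its own random IV, per slide 43) would consume.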
  44. Use “boring” crypto libraries
    ★ use strong & audited crypto
    ★ work everywhere
    ★ hide cryptographic details
    ★ hard to mis-use
    ★ have integration with key storage
    https://speakerdeck.com/vixentael/dont-waste-time-on-learning-cryptography-better-use-it-properly

  45. Encryption that is hard to mis-use: Themis

  46. Encryption that is hard to mis-use: Themis
    hides cryptographic details: salt, IV, KDF, padding
    built-in KDF, safe to use passphrase
    uses AES-256-GCM

  47. Crypto libraries for iOS
    Multi-platform:
      Storage: themis, libsodium, tink
      Transport: TLS, themis, libsodium, OTRKit, libsignal
    Made for one platform, some ports available:
      RNCryptor, CryptoSwift, CommonCrypto
    https://www.cossacklabs.com/choose-your-ios-crypto.html

  48. Key management
    APP TOKENS, USER PASSWORDS, PUBLIC CERTS
    let apiToken = "63ufHs2E82-cJgsm!djr7-Ks1TTYC4TV"
    let appId = "VK1TTYC4TV"
    let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
    var userPass = "qwertyqwerty"

  49. Key management
    APP FLOW keys: Keychain (KDF, encrypt)
    BUILT-IN keys: plist/files (encrypt, obfuscate, calculate)

  50. Practice time

  51. https://github.com/vixentael/ios-datasec-basics

  52. Built-in keys
    store as hardcoded variable
    store obfuscated in plist, de-obfuscate on start
    store encrypted in plist, decrypt on start

  53. App flow keys
    store as memory variable
    store obfuscated/encrypted in User Defaults
    store in Keychain, protect by Biometrics

  54. https://github.com/vixentael/ios-datasec-basics

  55. Other data security things

  56. Transport encryption
    private keys RSA-2048, ECDSA-256
    obtain certificate from reliable CA
    TLS v1.2 or v1.3
    use secure cipher suites, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ✅ enable Forward Secrecy
    ✅ enable HSTS (web)
    ✅ rotate certificates often
    github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

  57. SSL pinning
    Moya
    owasp.org/index.php/Pinning_Cheat_Sheet

  58. SSL pinning: update certificate
    Update app with hardcoded certificate
    Build in several certificates
    Update from server: build trusted channel

  59. Encrypt over SSL: Themis
    // Themis Secure Session on the client: the transport object carries
    // session messages to the server and knows the server's public key
    transport = Transport()
    transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
    // client identity and private key go into the session; callbacks go through the transport
    session = TSSession(userId: clientIdData, privateKey: clientPrivateKeyData, callbacks: transport!)
    startSession(clientId: clientId, message: connectionMessage)

  60. Encrypt over SSL: Themis, axolotl, noise

  61. Do not commit secrets
    medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949
    shanirivers.me/posts/hiding-your-api-keys-for-ios-projects
    orta/cocoapods-keys
    awslabs/git-secrets
    keys.plist → .gitignore

  62. Do not log secrets
    Automate checking code for forgotten secrets: cfpb/clouseau

  63. https://speakerdeck.com/vixentael/x-things-you-need-to-know-before-implementing-cryptography

  64. Do’s and Don’ts of secure development

  65. DON’T
    - Do things just because “they make security better”
    - Copy-paste from StackOverflow
    - Implement your own security controls where solutions are available

  66. DO
    - Only things that address real valid risks
    - Use industry’s best practices, standards and tools
    - Explain why spending effort is necessary
    - Plan, implement, test, formalize
    - Watch the trends, follow experts

  67. Reading, watching

  68. General theory
    How Apple Security works: http://mashable.com/2016/04/16/apple-security-explained/
    Popular note-taking apps share these security flaws: https://medium.com/@vixentael/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329
    Apple Export Regulations on Cryptography: https://medium.com/@cossacklabs/apple-export-regulations-on-crypto-6306380682e1
    How HTTPS works (cats): https://howhttps.works/

  69. Cryptography
    Cryptographic Storage Cheat Sheet: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
    Key Management Cheat Sheet: https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
    Managing Keys, Certificates, and Passwords: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
    Crypto in iOS: choose your destiny: https://cossacklabs.com/choose-your-ios-crypto.html

  70. Testing
    Crack prevention: http://iphonedevwiki.net/index.php/Crack_prevention
    Mobile Security Testing Guide: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06a-platform-overview
    OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs

  71. Talks & training
    github.com/vixentael/my-talks
    training.cossacklabs.com

  72. @vixentael
    product engineer in security
    and cryptography
    conduct workshops & training about
    secure apps development

    View Slide