X Things you Need to Know before Implementing Cryptography


#security #mobile #basic-sanity #tips-and-tricks

Presented at CocoaHeadsKyiv #14 and UIKonf18.

1. Handling user secrets with care (showing, storing, logging).
2. Input validation and password rules.
3. Handling transport connection.
4. And some tips and tricks that will confuse attackers.
--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

Before we get deep into protocol vulnerabilities: things you should remember when designing your app flow from a security point of view.

This talk will focus on copybook headings of infosec: what you need to know before exciting stuff like cryptography and AI-assisted incident detection. Like, choice of data you show in the background mode, choice of 3rd party SDKs, which logs we send and where...

Even when developers create apps with security in mind, protect user secrets, and don’t reveal unencrypted data, attackers can find ways to bypass these security measures by exploiting architectural weaknesses and unobvious, yet very simple vulnerabilities. We will talk about all the tiny bits and pieces that are necessary to make your app secure against simple attacks way before focusing on the hard things (like crypto).


vixentael

May 14, 2018

Transcript

  1. 3.
  2. 8.

    RISKS TO DATA
    - reputation risks (Equifax)
    - legal responsibility (GDPR)
    - competitors
    - operations (Facebook)
    https://www.cossacklabs.com/blog/gdpr-for-engineers.html
  3. 10.

    [Chart] MILLION OF RECORDS LEAKED PER MONTH (y-axis: mln records, 0 to 1,000; x-axis: February to September)
    https://www.itgovernance.co.uk/blog/category/cyber-security/ @vixentael
  4. 23.

    NEW APP STORE PRIVACY POLICY
    - minimize the data you collect
    - be transparent on how you use the data
    - protect stored and transit data
    - remove data fully and quickly
    http://headway.io/blog/apple-app-store-new-privacy-policy-what-you-need-to-know/
  5. 35.

    MORE LIKE THESE:
    - Use long phrase (16+).
    - Disallow typical passwords.
    - Promote password managers usage.
    well_known_comics_about_horse.png
    owasp.org/index.php/Talk:Password_length_&_complexity
  6. 41.

    BETTER AUTH iOS12
    https://nshipster.com/ios-12/

        textField.textContentType = .newPassword
        textField.passwordRules = .init(descriptor:
            "allowed: ascii-printable; minlength: 8;"
        )
        textField.textContentType = .oneTimeCode
  7. 42.
  8. 46.

    Avoid storing sensitive plaintext: passwords, document pictures, license plates, SSNs, credit cards, health data, home address, passport num, phone num
  9. 54.

    WELL-CONFIGURED SSL
    - private keys RSA-2048, ECDSA-256
    - obtain certificate from reliable CA
    - use TLS v1.3-v1.2
    - use secure cipher suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - ✅ enable Forward Secrecy
    - ✅ enable HSTS (web)
    github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  10. 56.

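    SSL PINNING
    infinum.co/the-capsized-eight/ssl-pinning-revisited

        import Alamofire

        // Alamofire 4: pin the public keys of the certificates bundled with
        // the app, and still validate the certificate chain and the host name.
        let serverTrustPolicies: [String: ServerTrustPolicy] = [
            "mydomain.com": .pinPublicKeys(
                publicKeys: ServerTrustPolicy.publicKeys(),
                validateCertificateChain: true,
                validateHost: true
            )
        ]
        // Keep a strong reference to the manager for as long as requests run.
        let sessionManager = SessionManager(
            serverTrustPolicyManager: ServerTrustPolicyManager(
                policies: serverTrustPolicies
            )
        )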
  11. 60.

    ENCRYPT OVER SSL
    github.com/cossacklabs/themis/wiki/Swift-Howto#secure-session

        transport = Transport()
        transport?.setupKeys(serverId, serverPublicKey: serverPublicKey)
        session = TSSession(userId: clientIdData,
                            privateKey: clientPrivateKeyData,
                            callbacks: transport!)
        startSession(clientId: clientId, message: connectionMessage)
  12. 62.

    DOWNLOAD LIBS / IDE
    - use HTTPS / VPN
    - ✅ check certificate
    - check hash-sum
    - clone & build from source
    Do you really need that lib? GDPR
    krausefx.com/blog/trusting-sdks
  13. 63.

    CHECK 3RD PARTY LIBRARIES
    - Monitor & fix critical bugs
    - Update if any security patch
    - Update if any privacy change (GDPR)
    - Automate all the checks
  14. 66.

    OBFUSCATION
    - store as HEX
    - replace chars
    - rename files to .mp3
    - combine from pieces
    - .xib / .nib
    - inline keys
    - API urls
    - pjebs/Obfuscator-iOS
    - rename important methods / constants
    - preemptive/PPiOS-Rename
  15. 67.

    DO NOT FORGET ABOUT
    - firewalls
    - IDS
    - ⚠ SIEM
    - fake targets / honey pots
    - poison records
  16. 68.
  17. 71.

    Multi-platform
    - Storage: themis, libsodium, tink
    - Transport: TLS, themis, libsodium
    Works with iOS/macOS only
    - Storage: CryptoSwift, RNCryptor, CommonCrypto
    - Transport: OTRKit
    https://www.cossacklabs.com/choose-your-ios-crypto.html
  18. 77.

    KEY POINTS
    Keep an eye on the sensitive data during the whole data flow.
    - do not store
    - do not collect
    - remove fast
  19. 78.

    LINKS
    - Secure mobile development: https://www.digitalinterruption.com/secure-mobile-development
    - Mobile security testing guide: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
    - Organization security for startups: https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    - Series of posts about security testing: https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a-testing-environment-for-ios-platform/
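
The password rules from slides 35 and 41 (a long phrase of 16+ characters, typical passwords disallowed, no character-class requirements) as an added Swift example; it is not code from the talk. `rejection(for:accountName:)`, `comparisonKey`, the denylist and the sample account are hypothetical names and constructed values, and the account-name check is an assumption that goes beyond the slides.

```swift
import Foundation

// Constructed sample denylist; a real app would bundle or query a much
// larger list of leaked and commonly used passwords.
let typicalPasswords: Set<String> = [
    "password", "qwerty", "letmein", "iloveyou", "correcthorsebatterystaple",
]

enum PasswordRejection: Equatable {
    case tooShort(minimum: Int)
    case typicalPassword
    case containsAccountName
}

// Lowercase, keep letters and digits: "Pass-Word!" compares as "password".
func comparisonKey(_ text: String) -> String {
    let normalized = text.precomposedStringWithCompatibilityMapping.lowercased()
    return normalized.filter { $0.isLetter || $0.isNumber }
}

// Hypothetical helper: returns nil when the candidate is acceptable.
func rejection(for candidate: String, accountName: String,
               minimumLength: Int = 16) -> PasswordRejection? {
    // Length is the only composition rule, so passphrases with spaces and
    // password-manager output are accepted unchanged.
    guard candidate.count >= minimumLength else {
        return .tooShort(minimum: minimumLength)
    }
    let key = comparisonKey(candidate)
    // Strip trailing digits to catch padding such as "Password!!!!2018".
    var base = key
    while let last = base.last, last.isNumber { base.removeLast() }
    // A single repeated character is long but trivially guessable.
    if typicalPasswords.contains(key) || typicalPasswords.contains(base)
        || Set(candidate).count == 1 {
        return .typicalPassword
    }
    // Assumption beyond the slides: reject passwords built on the account name.
    let localPart = accountName.split(separator: "@").first.map { String($0) } ?? ""
    let nameKey = comparisonKey(localPart)
    if nameKey.count >= 3 && key.contains(nameKey) { return .containsAccountName }
    return nil
}

// Constructed inputs; "anna@example.com" is a made-up account.
for sample in ["Tr0ub4dor&3", "Password!!!!2018", "correct horse battery staple",
               "anna loves long walks", "violet kettle drums at noon"] {
    let verdict = rejection(for: sample, accountName: "anna@example.com")
    print(sample, "->", verdict.map { "rejected: \($0)" } ?? "accepted")
}
```

Run the same check on the server as well, since a client-side check alone can be skipped by anyone calling the API directly.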