Pro Yearly is on sale from $80 to $50! »

X Things you Need to Know before Implementing Cryptography

X Things you Need to Know before Implementing Cryptography

#security #mobile #basic-sanity #tips-and-tricks

Presented at CocoaHeadsKyiv #14 and UIKonf18.

1. Handling user secrets with care (showing, storing, logging).
2. Input validation and password rules.
3. Handling transport connection.
4. And some tips and tricks that will confuse attackers.
--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

Before we get deep into protocols vulnerabilities: things you should remember designing your app flow from a security point of view.

This talk will focus on copybook headings of infosec: what you need to know before exciting stuff like cryptography and AI-assisted incident detection. Like, choice of data you show in the background mode, choice of 3rd party SDKs, which logs we send and where...

Even when developers create apps with security in minds, protect user secrets, and don’t reveal unencrypted data, attackers can find ways to bypass these security measures by exploiting architectural weaknesses and unobvious, yet very simple vulnerabilities. We will talk about all the tiny bits and pieces are necessary to make your app secure against simple attacks way before focusing on the hard things (like crypto).

042b7c0e45c53de46667f07de2fb2614?s=128

vixentael

May 14, 2018
Tweet

Transcript

  1. X THINGS YOU NEED TO KNOW before Implementing Cryptography @vixentael

  2. @vixentael Product Engineer Feel free to reach me with security

    questions. I do check my inbox :)
  3. None
  4. https://habr.com/post/418851/

  5. https://habr.com/post/418851/ https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

  6. https://habr.com/post/418851/ https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/

  7. https://habr.com/post/418851/ https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/ and so on! @vixentael

  8. RISKS TO DATA reputation risks (Equifax) legal responsibility (GDPR) competitors

    operations (Facebook) https://www.cossacklabs.com/blog/gdpr-for-engineers.html
  9. financial damage

  10. mln records 0 200 400 600 800 1,000 February March

    April May June July August September https://www.itgovernance.co.uk/blog/category/cyber-security/ MILLION OF RECORDS LEAKED PER MONTH @vixentael
  11. https://globalnews.ca/news/4298279/hacker-hits- local-mattress-store-with-ransomware/ @vixentael

  12. @vixentael https://www.wired.com/story/2018-worst-hacks-so-far/ credentials geo-locations health data financial data kids locations

    cars remote control sex toys remote control
  13. @vixentael WHO TELLS YOU TO MAKE SECURE APPS? – NO

    ONE.
  14. @vixentael 1. Follow best practices. 2. Talk to professionals.

  15. LET’S GO!

  16. Attackers can find ways to bypass security measures. @vixentael

  17. Encryption – walls & gates. @vixentael

  18. " @vixentael

  19. Harden all the things! @vixentael

  20. protecting privacy passwords & auth plaintext secrets transport dependencies

  21. gdpr-info.eu/art-4-gdpr/ SENSITIVE DATA @vixentael

  22. developer.apple.com/app-store/review/rejections/ Caring about user data prevents rejections. @vixentael

  23. @vixentael http://headway.io/blog/apple-app-store- new-privacy-policy-what-you-need-to-know/ NEW APP STORE PRIVACY POLICY - minimize

    the data you collect - be transparent on how you use the data - protect stored and transit data - remove data fully and quickly
  24. PROTECTING PRIVACY

  25. Avoid sensitive data on screenshots. @vixentael

  26. developer.apple.com @vixentael

  27. screenshieldkit.com There’s a lib for that! @vixentael

  28. krausefx.com/blog/ios-privacy-watchuser-access-both- iphone-cameras-any-time-your-app-is-running UNHEALTHY PERMISSIONS hello, Felix! @vixentael

  29. twitter.com/Viss/status/987028660585578496 Minimize amount of data your app works with. @vixentael

  30. PASSWORD RULES

  31. littlemaninmyhead.wordpress.com/2018/02/18/secure-coding- understanding-input-validation/ INPUT VALIDATION check length ✋ escape SQL validate

    on both sides @vixentael
  32. from twitter (not like this) @vixentael USE GOOD PASSWORD RULES

  33. from twitter (not like this) USE GOOD PASSWORD RULES @vixentael

  34. (not like this) USE GOOD PASSWORD RULES @vixentael

  35. MORE LIKE THESE: Use long phrase (16+). Disallow typical passwords.

    Promote password managers usage. well_known_comics_about_horse.png owasp.org/index.php/ Talk:Password_length_&_complexity @vixentael
  36. AUTHORIZATION & AUTHENTICATION

  37. krausefx.com/blog/ios-privacy- stealpassword-easily-get-the-users- apple-id-password-just-by-asking DARK AUTH PATTERNS Avoid asking user password

    all the time.
  38. TouchID/FaceID & 2FA owasp.org/index.php/Mobile_Top_10_2016-M4- Insecure_Authentication michael-brown.net/2018/touch-id- and-face-id-on-ios BETTER AUTH

  39. twitter.com/ay8s/status/885230327441915904 developer.apple.com/documentation/ safariservices/sfauthenticationsession SFAuthenticationSession BETTER AUTH

  40. Password Autofill BETTER AUTH medium.com/@abhimuralidharan/password-autofill- for-ios-apps-for-faster-login-ios-11-1d9f77deb35a

  41. BETTER AUTH iOS12 https://nshipster.com/ios-12/ textField.textContentType = .newPassword textField.passwordRules = .init(descriptor:

    "allowed: ascii-printable; minlength: 8;" ) textField.textContentType = . oneTimeCode
  42. Password Autofill MAKE AUTH BETTER! Single Sign-On SFAuthenticationSession Ask pass

    on sensitive screens TouchID/FaceID & 2FA @vixentael
  43. objective-see.com/blog/blog_0x24.html AUTH BUGS: DOUBLE SPACE Test your login flow @vixentael

  44. PLAINTEXT SECRETS

  45. facebook.com/vstyran/posts/10156368247887372 rabota.ua stored all passwords ‘very well encrypted’. @vixentael STORING

    SECRETS IN PLAINTEXT
  46. Avoid storing sensitive plaintext. passwords document pictures license plates SSNs

    credit cards health data home address passport num phone num @vixentael
  47. mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext- password-found-in-another-more-persistent-macos-log-file /var/log/install.log @vixentael LOGGING SECRETS IN PLAINTEXT

  48. LOGGING SECRETS IN PLAINTEXT @vixentael

  49. CHECK YOUR SOURCE CODE cfpb/clouseau Automate checking code for forgotten

    secrets. @vixentael
  50. motherboard.vice.com/en_us/article/a34g9j/iphone- source-code-iboot-ios-leak NOT ALL CODE SHOULD BE PUBLISHED @vixentael

  51. medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949 shanirivers.me/posts/hiding-your-api-keys-for-ios-projects orta/cocoapods-keys awslabs/git-secrets Avoid publishing keys. DO NOT COMMIT

    KEYS keys.plist → .gitignore @vixentael
  52. TRANSPORT SECURITY

  53. <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <false/> </dict> <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoadsInWebContent</key> <true/> </dict>

    agostini.tech/2018/04/01/ios-application-security-part-five- app-transport-security-ats/ @vixentael
  54. github.com/ssllabs/research/wiki/SSL-and-TLS- Deployment-Best-Practices private keys RSA-2048, ECDSA-256 obtain certificate from reliable

    CA use TLS v1.3-v1.2 use secure cipher suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅ enable Forward Secrecy ✅ enable HSTS (web) WELL-CONFIGURED SSL @vixentael
  55. owasp.org/index.php/Pinning_Cheat_Sheet @vixentael SSL PINNING

  56. infinum.co/the-capsized-eight/ssl-pinning-revisited let serverTrustPolicies: [String: ServerTrustPolicy] = [ “mydomain.com”: .pinPublicKeys( publicKeys:

    ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) ] let sessionManager = SessionManager( serverTrustPolicyManager: ServerTrustPolicyManager( policies: serverTrustPolicies ) ) SSL PINNING @vixentael
  57. schrauger.com/the-story-of-how-wosign-gave-me-an-ssl- certificate-for-github-com @vixentael SSL IS NOT ENOUGH: WOSIGN STORY

  58. security.googleblog.com/2016/10/ distrusting-wosign-and-startcom.html support.apple.com/en-us/HT204132 @vixentael SSL IS NOT ENOUGH: WOSIGN STORY

  59. @vixentael BREAKING SSL PINNING https://habr.com/post/424485/ https://medium.com/@kennethpoon/lets-write-swift-code-to- intercept-ssl-pinning-https-requests-12446303cc9d

  60. transport = Transport() transport?.setupKeys(serverId, serverPublicKey: serverPublicKey) session = TSSession(userId: clientIdData,

    privateKey: clientPrivateKeyData, callbacks: transport!) startSession(clientId: clientId, message: connectionMessage) github.com/cossacklabs/themis/wiki/Swift-Howto#secure-session ENCRYPT OVER SSL @vixentael
  61. 3RD PARTY CODE

  62. krausefx.com/blog/trusting-sdks DOWNLOAD LIBS / IDE use HTTPS / VPN ✅

    check certificate 2 check hash-sum clone & build from source Do you really need that lib? GDPR @vixentael
  63. CHECK 3RD PARTY LIBRARIES Monitor & fix critical bugs Update

    if any security patch Update if any privacy change (GDPR) Automate all the checks @vixentael
  64. snyk.io/ whitesourcesoftware.com/ @vixentael

  65. OTHER THINGS TO DO #uikonf @vixentael

  66. store as HEX replace chars rename files to .mp3 combine

    from pieces OBFUSCATION .xib / .nib inline keys API urls pjebs/Obfuscator-iOS rename important methods / constants preemptive/PPiOS-Rename @vixentael
  67. DO NOT FORGET ABOUT firewalls 9 IDS ⚠ SIEM fake

    targets / honey pots poison records @vixentael
  68. None
  69. Now, after easy things are done, cryptography! it’s time for

    @vixentael
  70. cryptography! storage encryption transport encryption key management @vixentael

  71. Storage Transport Multi- platform themis libsodium tink TLS
 themis libsodium

    OTRKit Works with 
 iOS/macOS only CryptoSwift RNCryptor CommonCrypto @vixentael https://www.cossacklabs.com/choose-your-ios-crypto.html
  72. LAST BUT NOT LEAST

  73. twitter.com/c_pellegrino/status/981409466242486272 DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :)

  74. twitter.com/c_pellegrino/status/981409466242486272 DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :)

  75. twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

  76. twitter.com/fabricio_giglio/status/982362735924137984 @vixentael

  77. KEY POINTS Keep an eye on the sensitive data during

    the whole data flow. do not store do not collect remove fast
  78. https://www.digitalinterruption.com/secure-mobile-development Secure mobile development LINKS https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide Mobile security testing guide

    https://github.com/forter/security-101-for-saas-startups/blob/english/security.md Organization security for startups https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a- testing-environment-for-ios-platform/ Series of posts about security testing
  79. My other security slides github.com/vixentael/ my-talks

  80. Security Basics SECURITY WORKSHOPS Enterprise Secure Architecture Secure Web apps

    Secure Software Development Secure Mobile apps
  81. @vixentael Product Engineer Feel free to reach me with security

    questions. I do check my inbox :)
  82. IMAGE CREDITS www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond,

    dinosoftlabs Authors: