Anastasiia Vixentael: 10 things you need to know before implementing cryptography
0 likes259 views
This document provides an overview of key considerations for implementing cryptography and securing an application. It discusses topics like avoiding plaintext secrets, implementing secure authentication and transport, managing third party libraries, and best practices like not overstating an app's security. The goal is to help developers protect user privacy and security throughout the development process.
![infinum.co/the-capsized-eight/ssl-pinning-revisited
let serverTrustPolicies: [String: ServerTrustPolicy] = [
“mydomain.com”: .pinPublicKeys(
publicKeys: ServerTrustPolicy.publicKeys(),
validateCertificateChain: true,
validateHost: true
)
]
let sessionManager = SessionManager(
serverTrustPolicyManager: ServerTrustPolicyManager(
policies: serverTrustPolicies
)
)
SSL PINNING
@vixentael](https://image.slidesharecdn.com/anastasiiavthings-to-know-before-crypto-mdevpdf-180528143812/85/Anastasiia-Vixentael-10-things-you-need-to-know-before-implementing-cryptography-46-320.jpg)
Anastasiia Vixentael: 10 things you need to know before implementing cryptography
- 2. X THINGS YOU NEED TO KNOW @vixentael before Implementing Cryptography
- 3. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)
- 5. pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf 269 CVEs from 2011-2014 17% 83% bugs inside crypto libs misuses of crypto libs by individual apps @vixentael
- 6. Attackers can find ways to bypass security measures. @vixentael
- 7. Encryption – walls & gates. @vixentael
- 8. ! @vixentael
- 10. 🔑 protecting privacy 😶 passwords & auth 📝 plaintext secrets 🏎 transport 🌳 dependencies @vixentael
- 16. screenshieldkit.com There’s a lib for that! @vixentael (but close-sourced)
- 18. twitter.com/Viss/status/987028660585578496 Avoid accessing the data your app can work without. UNHEALTHY PERMISSIONS 🙈 @vixentael
- 20. littlemaninmyhead.wordpress.com/2018/02/18/secure-coding- understanding-input-validation/ INPUT VALIDATION 📐 check length ✋ escape SQL 📱💻 validate on both sides @vixentael
- 21. from twitter USE GOOD PASSWORD RULES (not like this) @vixentael
- 22. from twitter USE GOOD PASSWORD RULES (not like this) @vixentael
- 23. (notlikethis) USE GOOD PASSWORD RULES @vixentael
- 24. MORE LIKE THESE: Use long phrase (16+). Disallow typical passwords. Promote password managers usage. well_known_comics_about_horse.png owasp.org/index.php/ Talk:Password_length_&_complexity @vixentael
- 26. krausefx.com/blog/ios-privacy- stealpassword-easily-get-the-users- apple-id-password-just-by-asking DARK AUTH PATTERNS Avoid asking user password all the time.
- 27. TouchID/FaceID & 2FA BETTER AUTH owasp.org/index.php/Mobile_Top_10_2016-M4- Insecure_Authentication michael-brown.net/2018/touch-id- and-face-id-on-ios
- 29. https://medium.com/the-traveled-ios-developers-guide/ios-11-privacy- and-single-sign-on-6291687a2ccc Single Sign-On BETTER AUTH Ask pass on sensitive screens @vixentael
- 31. Password Autofill MAKE AUTH BETTER! Single Sign-On SFAuthenticationSession Ask pass on sensitive screens TouchID/FaceID & 2FA @vixentael
- 32. objective-see.com/blog/blog_0x24.html AUTH BUGS: DOUBLE SPACE Test your login flow 😬 @vixentael
- 34. STORING SECRETS IN PLAINTEXT facebook.com/vstyran/posts/10156368247887372 rabota.ua stored all passwords ‘very well encrypted’. @vixentael
- 35. STORING SECRETS IN PLAINTEXT businessinsider.com/data-breaches-2018-4 @vixentael
- 36. Avoid storing sensitive plaintext. passwords document pictureslicense plates SSNs credit cards health data home addresspassport num phone num @vixentael
- 37. mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext- password-found-in-another-more-persistent-macos-log-file LOGGING SECRETS IN PLAINTEXT /var/log/install.log @vixentael
- 38. LOGGING SECRETS IN PLAINTEXT @vixentael
- 39. CHECK YOUR SOURCE CODE cfpb/clouseau Automate checking code for forgotten secrets. @vixentael
- 40. motherboard.vice.com/en_us/article/a34g9j/iphone- source-code-iboot-ios-leak NOT ALL CODE SHOULD BE PUBLISHED @vixentael
- 41. medium.com/@AyunasCode/how-to-hide-your-api-keys-367ef6589949 shanirivers.me/posts/hiding-your-api-keys-for-ios-projects orta/cocoapods-keys awslabs/git-secretsAvoid publishing keys. DO NOT COMMIT KEYS keys.plist → .gitignore @vixentael
- 44. github.com/ssllabs/research/wiki/SSL-and-TLS- Deployment-Best-Practices 🔑 private keys RSA-2048, ECDSA-256 👍 obtain certificate from reliable CA 🚀 use TLS v1.3-v1.2🔐 use secure cipher suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅ enable Forward Secrecy ✅ enable HSTS (web) WELL-CONFIGURED SSL @vixentael
- 46. infinum.co/the-capsized-eight/ssl-pinning-revisited let serverTrustPolicies: [String: ServerTrustPolicy] = [ “mydomain.com”: .pinPublicKeys( publicKeys: ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true ) ] let sessionManager = SessionManager( serverTrustPolicyManager: ServerTrustPolicyManager( policies: serverTrustPolicies ) ) SSL PINNING @vixentael
- 47. schrauger.com/the-story-of-how-wosign-gave-me-an-ssl- certificate-for-github-com SSL IS NOT ENOUGH: WOSIGN STORY @vixentael
- 48. security.googleblog.com/2016/10/ distrusting-wosign-and-startcom.html support.apple.com/en-us/HT204132 SSL IS NOT ENOUGH: WOSIGN STORY @vixentael
- 51. krausefx.com/blog/trusting-sdks DOWNLOAD LIBS / IDE 🔐 use HTTPS / VPN ✅ check certificate 1 check hash-sum 🛠 clone & build from source Do you really need that lib? 🧐 GDPR @vixentael
- 52. CHECK 3RD PARTY LIBRARIES 🐛 Monitor & fix critical bugs 😷 Update if any security patch 😶 Update if any privacy change (GDPR) 🤖 Automate all the checks @vixentael
- 53. 🤖 AUTOMATE ALL THE CHECKS snyk.io/whitesourcesoftware.com/ @vixentael
- 54. OTHER THINGS TO DO @vixentael
- 55. store as HEX replace chars rename files to .mp3 combine from pieces OBFUSCATE SENSITIVE BITS .xib / .nib inline keys API urls pjebs/Obfuscator-iOS rename important methods / constants preemptive/PPiOS-Rename @vixentael
- 56. DO NOT FORGET ABOUT 🥅 firewalls 8 IDS ⚠ SIEM 🍯 fake targets / honey pots 🐍 poison records @vixentael
- 57. Now, after easy things are done, cryptography! it’s time for @vixentael
- 60. LAST BUT NOT LEAST @vixentael
- 61. DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :) twitter.com/c_pellegrino/status/981409466242486272 @vixentael
- 62. DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :) twitter.com/c_pellegrino/status/981409466242486272 @vixentael
- 63. DON’T SAY THAT YOUR SECURITY IS AMAZINGLY GOOD :) twitter.com/fabricio_giglio/status/982362735924137984 @vixentael
- 64. KEYPOINTS Keep an eye on the sensitive data during the whole data flow. do not store do not collect remove fast
- 65. https://www.digitalinterruption.com/secure-mobile-development Secure mobile development LINKS https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide Mobile security testing guide https://www.cossacklabs.com/choose-your-ios-crypto.html Choose iOS crypto lib https://github.com/forter/security-101-for-saas-startups/blob/english/security.md Organization security for startups https://agostini.tech/2017/11/20/ios-application-security-part-1-setting-up-a- testing-environment-for-ios-platform/ Series of posts about security testing
- 67. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)
- 68. IMAGE CREDITS www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs Authors: