![MyApp
CUSTOM URL SCHEMES
myApp://
Some
Other App
openURL(myAppURL)
[scheme]://whatever/u/want/to/pass?](https://image.slidesharecdn.com/practicaliosappsecshare-150510120118-lva1-app6891/85/Practical-iOS-App-Security-14-320.jpg)
Practical iOS App Security
- 1. PRACTICAL iOS APP SECURITY CHRIS FORANT
- 2. CHRIS FORANT T R A I N I N G A P P D E V E L O P M E N T AppCritique
- 3. 1. iOS APP SECURITY PRIMER 2. SUP’ WITH SWIFT? 3. LET’S BUILD AN APP! 4. TIPS, BEST PRACTICES, AND OTHER RANDOMNESS TOPICS
- 5. iOS APPS == SMALL DESKTOP SOFTWARE, RIGHT?
- 6. MOBILE IS DIFFERENT. ✓ USE CASES ✓ HIGHLY TAILORED OS’S ✓ FRAGMENTED HARDWARE (SIZE / SHAPE / CAPABILITIES) ✓ AMOUNT OF “ALIVE” TIME ✓ DEVELOPMENT PARADIGMS
- 7. iOS IS EVEN MORE DIFFERENT.
- 8. ✓ SANDBOXING ✓ CONTROLLED API USAGE ✓ BACKGROUND MODES ✓ CODE SIGNING AND ENTITLEMENTS ✓ APP REVIEW ✓ TRUST CORNERSTONES*
- 10. SANDBOXING
- 11. /DOCUMENTS /LIBRARY /TMP RESOURCES AND EXECUTABLE BUNDLE DIR DATA DIR SANDBOXING
- 13. ✓ CUSTOM URL SCHEMES ✓ APP EXTENSIONS (8.0) ✓ AIRDROP
- 14. MyApp CUSTOM URL SCHEMES myApp:// Some Other App openURL(myAppURL) [scheme]://whatever/u/want/to/pass?
- 15. APP EXTENSIONS
- 16. APP EXTENSIONS
- 19. BACKGROUND MODES
- 20. OTHERWISE:
- 21. CODE SIGNING APP REVIEW CONTROLLED API USAGE DEVELOPER ECOSYSTEM ENTITLEMENTS
- 22. ENTITLEMENTS
- 24. ๏ DEVICE PAIRING ๏ KEYS ON MAC: ๏ /VAR/DB/LOCKDOWN ๏ REMOVING FROM iDEVICE: ๏ > RESET LOCATION/ PRIVACY TRUST?
- 25. WITH TRUST ✓ SANDBOX CONTENT* ✓ BACKUPABILITY *RESTRICTED AS OF IOS 8.3 TO YOUR OWN APPS OR ONES WITH ITUNES FILE SHARING ENABLED
- 26. ✓ OS USER LEVEL DATA ✓ APP SANDBOX DATA* ✓ DOCUMENTS ✓ LIBRARY ✓ SHARED CONTAINERS *FOR ALL 3RD-PARTY APPS BACKUPS
- 27. WITHOUT TRUST
- 28. ๏ USING APPLE CONFIGURATOR ๏ UNCHECK THIS BOX PAIR-LOCK
- 29. SWIFT.NUFF SAID.
- 30. ✓ MODERN, EXPRESSIVE ✓ FAST (COMING SOON!) ✓ “SAFE BY DEFAULT” ✓ EASY TO ADOPT SWIFT IS:
- 31. ✓ TYPE SAFE ✓ FOCUSED IMMUTABILITY ✓ SAFER STRINGS ✓ DEFINITIVE INITIALIZATION ✓ INTEGER OVERFLOW PROTECTION ✓ ARRAY OUT-OF-BOUNDS CHECKING ✓ POINTER-LESS (MOSTLY.) SWIFT SAFETY
- 33. ✓ OBJECTIVE-C STILL LARGE PART OF MANY PROJECTS ✓ C STANDARD LIBRARY STILL AVAILABLE ✓ UnsafePointer CAN BE USED FOR C INTEROPERABILITY BE AWARE:
- 34. WELL THEN.WHAT COULD POSSIBLY GO WRONG?
- 35. PLENTY. PII LEAK PHI LEAK SSL DATA PROTECTION API MISUSE HTTP OS ARTIFACTS AD/ANALYTICS ENTERPRISE BLINDNESSPLAINTEXT 3RD-PARTY CODE INVALIDATED INPUTS
- 36. APP TIME!
- 38. KEYMASTERWHAT A NOVEL IDEA!
- 41. SECURITY ANALYST TAKES A LOOK EDDIE AppCritique
- 43. ✗ SENSITIVE DATA STORED IN USER PREFERENCES (NSUserDefaults) ✗ DATA PROTECTION LEFT DEFAULT ✗ NO BACKGROUND CLEANUP PROBLEMS
- 44. USER DEFAULTS ARE FOR PREFERENCES NOT SENSITIVE INFO
- 45. IT IS A SINGLE .PLIST FILE NOT A DATABASE
- 47. PLISTS ARE XML
- 48. PLAINTEXT XML READABLE IN TEXT EDITOR BINARY PLIST USE PLUTIL TO CONVERT DEMO
- 49. DATA PROTECTION /DOCUMENTS /LIBRARY /TMP RESOURCES AND EXECUTABLE BUNDLE DIR DATA DIR
- 50. DEFAULT DATA PROTECTION /DOCUMENTS /LIBRARY /TMP DATA DIR NSFileProtectionCompleteUntilFirstUserAuthentication
- 54. PASTEBOARD TEXT FIELD CACHING SNAPSHOT IMAGES FOR MULTI- TASKING ARTIFACTS DEMO
- 55. USE NAMED PASTEBOARD INSTEAD OF GENERAL, OR CLEAR IT WHEN APP RESIGNS BLUR OR SCRUB SCREENS ON RESIGN DISABLE AUTOCOMPLETE ON TEXT FIELDS, AND USE SECURE ENTRY WHEN APPROPRIATE MITIGATE
- 56. UPDATE v2 DEMO
- 58. ✗ ADDING DATA PROTECTION “COMPLETE” IS NOT GOOD ENOUGH FOR THIS SITUATION PROBLEMS
- 59. UPDATE v3 DEMO
- 60. ALMOST AS BAD.
- 61. SRSLY…SRSLY…
- 62. ✗ MANY CONVENIENT COCOA APIS WRITE TO .PLIST ✗ USE THEM, BUT DON’T STORE SENSITIVE INFO THERE PROBLEMS
- 63. .PLISTS AGAIN!
- 64. UPDATE v4
- 65. OK. I GOT RID OF PLIST DATA DEMO
- 66. GETTING WARMER
- 67. ✗ CORE DATA USES SQLITE, WHICH CAN BE READ BY TOOLS EASILY ✗ CORE DATA BY DEFAULT USES: PROBLEMS NSFileProtectionCompleteUntilFirstUserAuthentication
- 68. INCREASE THE DATA PROTECTION TO COMPLETE ENCRYPT DATA PRIOR TO STORING IT IN CORE DATA MITIGATE
- 69. UPDATE v5 DEMO
- 71. ENCRYPTED SQLITE DB FOR STORING SENSITIVE INFO KEYCHAIN DEFAULT
- 72. IT’S STILL C- BASED API… 😾 GRAB YOURSELF A SWIFT OR OBJ-C WRAPPER LIBRARY KEYCHAIN
- 74. SUPER EASY API CAN ADD PASSWORD OPTION FOR FALLBACK CAN BE INTEGRATED WITH KEYCHAIN ITEMS TouchID kSecAccessControlUserPresence
- 75. UPDATE v6
- 76. KEYMASTER WATCH EDITIONA NO BRAINER! DEMO
- 77. APP GROUPS RESOURCES AND EXECUTABLE BUNDLE DIR /DOCUMENTS /LIBRARY /TMP DATA DIR SEPARATE CONTAINER APP GROUP DIR
- 78. ENTITLEMENT BASED ALL APPS FROM SAME DEVELOPER AND GROUP ID CAN ACCESS THIS CONTAINER APP GROUPS
- 80. ๏ APPLE WATCH USES APP GROUPS FOR SHARED CONTAINER STORAGE ✗ APP GROUPS DON’T OFFER FREE SECURITY JUST BECAUSE THEY IN A DIFFERENT DIRECTORY PROBLEMS
- 81. LESSONS LEARNED
- 82. 1. DON’T STORE SENSITIVE DATA IN THE CLEAR 2. CLEAN UP WHEN APP RESIGNS 3. CORE DATA DEFAULT PROTECTION IS NOT COMPLETE 4. KEYCHAIN IS THE GENERALLY ACCEPTED METHOD FOR PROTECTING SECRETS LOCALLY 5. USE TouchID, IT IS SWEET 6. DON’T LET NEW SHINY THINGS LIKE APPLE WATCH FOG YOUR SECURITY MIND! 7. EVALUATE WHETHER STORING SENSITIVE INFO LOCALLY IS EVEN A GOOD IDEA
- 84. ⚠ DON’T HARDCODE SENSITIVE STRINGS IN CODE ✓ CHECK FOR LEFTOVER DEV STUFF ✓ CONSIDER MOVING API KEYS OR THE LIKE ELSEWHERE HARDCODED STRINGS
- 85. ⚠ BE CAREFUL WHAT YOU LOG TO THE DEVICE’S CONSOLE ✓ USE #ifdef DEBUG ✓ SWIFT: println() NSLOG( )
- 86. ⚠ SYSTEM CALLS LIKE THIS CAN BE USED FOR BOTH GOOD AND BAD ⚠ CAN BE USED TO OBTAIN RUNNING PROCS AND NETSTAT SYSCTL ( )
- 87. ๏ PROCESS OF WRITING OBJ- C OBJECTS TO A FILE ๏ WE USED IT TODAY ๏ NSCoding PROTOCOL SERIALIZATION
- 88. ⚠ NSCoding IS VULNERABLE TO OBJECT SUBSTITUTION ATTACKS ✓ USE NSSecureCoding AND supportsSecureCoding( ) SERIALIZATION
- 89. ✓ USE HTTPS + CERTIFICATE PINNING WHEN APPLICABLE NETWORKING
- 90. ✓ CERT PINNING IS EASY WITH NSURLSession ✓ OR YOUR FAVORITE 3RD PARTY NETWORKING LIBRARY NETWORKING
- 92. RUNTIME APP BUNDLE NSData NSData== SERVER TRUST #
- 93. ⚠ NSURLSession CACHES REQUESTS IN CACHE.DB BY DEFAULT ✓ CHANGE THE SESSION POLICY TO NSURLRequestReloadIgnoringCacheData ✓ HANDLE willCacheResponse: URL CACHE
- 94. ✓ IF YOU USE THEM, KEEP THEM UP-TO-DATE ✓ WARNING: BE AWARE OF PRIVACY POLICIES AND “OPT OUT” OPTIONS ✓ DEVELOPERS WILL SEND THE DARNDEST THINGS BACK TO THEIR SERVERS (LIKE WHAT YOU ATE TODAY, AND WHERE) ✓ COULD ALSO BE DATA STORAGE CONCERN ANALYTICS LIBRARIES
- 95. iBEACONS
- 96. iBEACONS
- 97. ✓ iBEACONS ARE BLUETOOTH LE BROADCASTERS ✓ SENDS UUID, MAJOR, MINOR VERSIONS ✓ THAT’S IT… BEACON SECURITY
- 98. ✓ CAN BE SPOOFED ✓ WITHOUT AUTHENTICATION LAYER, CAN BE “REPURPOSED” ✓ DO YOU CARE? IT ALL DEPENDS ON WHAT THE APP DOES BEACON SECURITY
- 99. ๏ STACY’S SHOES APP IS VERY POPULAR ๏ APP HAS ANALYTICS RIDING ON HTTP 😱 ๏ APP USES BEACONS WHILE THEY ARE IN THE RETAIL STOREFRONT ๏ APP SENDS BACK ALL SORTS OF PII… HERE’S A RIDICULOUS SCENARIO
- 100. ๏ HACKER FINDS THIS OUT ๏ HACKER SITS ON WIFI IN HEAVY POPULATED COFFEE HOUSE ๏ HACKER SPOOFS STACY’S iBEACON TO COERCE THE APP TO SPILL ITS GUTS FROM THE COFFEE SHOP WIFI… ๏ YEAH… I TOLD YOU RIDICULOUS RIDICULOUSNESS CONTINUED
- 101. ✓ BUY BEACONS THAT PROVIDE SECURE UUIDs (rotating) ✓ APP WILL REQUIRE SPECIAL API AND INTERNET ACCESS MITIGATION
- 102. I’VE DONE ALL OF THIS… I’M A GOOD CODER!
- 103. BUT… HAVE YOU CHECKED YOUR 3rd PARTY CODE LATELY???
- 104. ! GETS YOU MOVING QUICKLY ! CAN USE COCOAPODS TO KEEP LIBRARIES UP TO DATE " LIMITS YOUR ABILITY TO TROUBLESHOOT " OPENS YOU UP TO RISK OUT OF YOUR CONTROL 3RD PARTY CODE
- 105. 1. APPLE SECURE CODING GUIDE 2. iOS SECURITY GUIDE 3. THE SWIFT PROGRAMMING LANGUAGE 4. OWASP MOBILE SECURITY PROJECT 5. THE INTERNET FURTHER READING
- 106. MOBILE SECURITY CONSULTING FORANT_CHRIS@BAH.COM THANKS. iOS DEVELOPER TRAINING WWW.TOTEM.TRAINING CONTACT@TOTEM.TRAINING @TOTEM_TRAINING T R A I N I N G