KEMBAR78
AusCERT - Developing Secure iOS Applications | PDF
eightbit, profile picture
Uploaded byeightbit
458 views

AusCERT - Developing Secure iOS Applications

Michael Gianarakis' presentation discusses developing secure iOS applications. It provides an overview of the iOS application attack surface and common security issues. It outlines secure design principles such as not trusting the client/runtime, understanding the app's risk profile, implementing anti-debugging controls, jailbreak detection, and address space validation. The presentation aims to help developers design apps that are secure against common attacks.

Download to read offline
Developing Secure iOS Applications Michael Gianarakis AusCERT 2017
whoami @mgianarakis Director, Trustwave SpiderLabs SecTalks Brisbane Flat Duck Justice Warrior
This Presentation ā€¢ Aims to give a good overview of how to design secure iOS applications ā€¢ Focuses on the key security issues commonly found in iOS applications ā€¢ Not a guide to hacking iOS applications
Topics ā€¢ Overview of the iOS attack surface ā€¢ Common iOS security issues ā€¢ Secure iOS application design principles ā€¢ Secure development approaches for key security iOS issues
iOS Application Attack Surface
Your App Other Apps Network iOS Device Your Backend 3rd Party Services IPC, Extensions WiFi, LTE
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
Understanding the Risk Proļ¬le of Your App ā€¢ Important ļ¬rst step that is often overlooked. ā€¢ Drives the security design of your application ā€¢ Key considerations: ā€¢ What information is in the app and how sensitive/valuable is it? ā€¢ Who are the likely threat actors? How capable are they? ā€¢ What are the likely attack scenarios for each threat actor? ā€¢ What is your tolerance for risk? ā€¢ Regulatory requirements?
Common iOS Application Security Issues
Common Issues ā€¢ Based on working with a range of companies and a variety of applications including: ā€¢ Mobile banking and trading apps ā€¢ Board paper apps ā€¢ Internal business apps ā€¢ Retail apps ā€¢ Social networking apps ā€¢ Games
Binary and runtime security issues
Transport layer security issues
Data security issues
Get these right and you are ahead of the pack
Secure iOS Design Principles
Donā€™t trust the client or the runtime environment
Users will connect to untrusted networks
Donā€™t store anything sensitive on the device
Binary and Runtime Security
Binary and Runtime Security ā€¢ As a reļ¬‚ective language, Objective-C can observe and modify itā€™s own behaviour at runtime. ā€¢ Can be great from a development perspective ā€¢ Not so much from a security perspective
Binary and Runtime Security ā€¢ The ability to create and call ad hoc classes and methods on the ļ¬‚y allows attackers to manipulate and abuse the runtime of the application: ā€¢ Bypass security locks ā€¢ Break logic checks ā€¢ Escalate privilege ā€¢ Steal information from memory. ā€¢ Implementing runtime security checks signiļ¬cantly increases the security of your application ā€¢ You should always assume that your application will run on a compromised device
What about Swift? ā€¢ Less dynamic than Objective-C ā€¢ Less ļ¬‚exible than Objective-C in some areas ā€¢ Harder to perform the dynamic techniques described previously in the same way but still possible - particularly in mixed runtime apps ā€¢ Greater dynamism planned for future versions of Swift
Aside - Compromised Devices
Myths Surrounding Jailbreaking ā€¢ Generally speaking, iOS is one of the most secure operating systems available ā€¢ One of the deļ¬ning security features of iOS is the chain of trust. Every bit of code is signed and approved by Apple. ā€¢ Break that trust and all bets are off
Myths Surrounding Jailbreaking ā€¢ Some of the security issues discussed in this presentation will require a compromised device ā€¢ This is usually the cause of a lot of misunderstanding when it comes to assessing the impact of these issue
Myth 1 - Public jailbreaks are the only jailbreaks
Myth 1 - Public jailbreaks are the only jailbreaks ā€¢ I often hear ā€œbut there is no jailbreak for version x.x.x so we are safeā€ ā€¢ FACT: Public jailbreaks for every version of iOS released so far ā€¢ FACT: Not all users update to the latest ļ¬rmware ā€¢ FACT: iOS vulnerabilities are extremely valuable, there are many more exploits than just those that people give out for free on the internet
Myth 2 - Jailbreaks require physical access to the device
Myth 2 - Jailbreaks require physical access to the device ā€¢ I often hear ā€œwell someone would need to steal the device to compromise itā€ ā€¢ FACT: Not all exploits require physical access. ā€¢ jailbreakme.com TIF image processing vulnerability and PDF processing vulnerability required only a user visit a web page in Safari ā€¢ Remote code execution via SMS found by Charlie Miller (https://www.blackhat.com/ presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf) ā€¢ Nitro JIT vulnerability to download and execute unsigned code via POC app that was approved also found by Charlie Miller (http://reverse.put.as/wp-content/uploads/2011/06/ syscan11_breaking_ios_code_signing.pdf) ā€¢ Vulnerability in carrier mandated baseband control protocols by Matt Solnik and Marc Blanchou (https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular- Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf)
Myth 3 - Jailbreaks are always obvious to the user
Myth 3 - Jailbreaks are always obvious to the user ā€¢ It is a commonly held misconception that if Cydia is not on the device then it is not jailbroken. ā€¢ Cydia is an app that is commonly installed with public jailbreaks but is certainly not a prerequisite or in any way required for a jailbreak. ā€¢ In fact, any kind of targeted exploit is unlikely to install Cydia in the ļ¬rst place.
Myth 4 - Jailbreaking is Appleā€™s problem
Myth 4 - Jailbreaking is Appleā€™s problem ā€¢ FACT: The security of your app, your data and your users is your responsibility. ā€¢ FACT: The security risk to your organisation is your responsibility. You will be the one that suffers the impact if your app is compromised and you should be actively managing that risk. ā€¢ FACT: Apple wonā€™t secure your app for you.
Myth 5 - You can completely protect against jailbreaking
Myth 5 - You can completely protect against jailbreaking ā€¢ FACT: Unfortunately you will never be able to completely secure an application. ā€¢ The idea is to raise the bar for the security of your app so that it becomes too difļ¬cult or costly to attack.
</aside>
Debug Check ā€¢ A simple and effective method of securing the runtime is to implement anti-debugging control. ā€¢ There may be reasons to allow an application to run on a jailbroken device but there are no legitimate reasons for debugging a production application
Debug Check ā€¢ Debugging protection can be implemented using the following techniques: ā€¢ Periodically monitoring the process state ļ¬‚ag to determine if application process is being debugged and then terminating the process. ā€¢ Using the ptrace request PT_DENY_ATTACH two prevent future tracing of the process. This can be done with the following function call from within the application: ā€¢ ptrace(31,0,0,0) ā€¢ These techniques should be used in conjunction with each other to provide a more robust anti-debugging control.
Jailbreak Detection ā€¢ There are multiple ways to implement jailbreak detection but the two most common methods are: ā€¢ File system check ā€¢ Sandbox integrity check
File System Check ā€¢ File system checks test for the presence of ļ¬les that are typically found on jailbroken devices. ā€¢ Some examples of ļ¬les to look for: ā€¢ /Library/MobileSubstrate/MobileSubstrate.dylib ā€¢ /var/cache/apt ā€¢ /var/lib/apt ā€¢ /bin/bash and /bin/sh ā€¢ /usr/sbin/sshd and /etc/ssh/sshd_conļ¬g
File System Check ā€¢ When implementing a ļ¬le system check you should ensure you check for multiple ļ¬les using different methods such as ļ¬leExistsAtPath and isReadableFileAtPath ā€¢ This protects against attacks that simply patch the implementation of these methods.
Sandbox Integrity Check ā€¢ A sandbox integrity check tests that the integrity of Appleā€™s sandbox is intact on the device, and that the application is running inside it. ā€¢ A sandbox integrity check works by attempting to perform an operation that would not typically succeed on a device that has not been jailbroken. ā€¢ A common test is to attempt to use the fork function to spawn a new child process ā€¢ If it works - sandbox integrity is compromised ā€¢ If it doesnā€™t - all good
Jailbreak Detection ā€¢ Check out the IMAS projectā€™s Security Check module https:// github.com/project-imas/security-check ā€¢ A bit old now but still solid
Inline Functions ā€¢ Any sensitive functions such as the security checks should be compiled as inline functions ā€¢ Inlining functions complicates attacks that involve editing memory and patching the application by forcing an attacker to ļ¬nd and patch all occurrences of the code. ā€¢ Specify a function as inline using the __attribute__((always_inline)) compiler directive.
Inline Functions ā€¢ This directive may not always be honoured however. To minimise the chance that this will happen conļ¬gure the following: ā€¢ Set the -ļ¬nline-limit compiler ļ¬‚ag high enough to allow for inlining of your code (e.g. 5000) ā€¢ Set the optimisation level at least -O1 ā€¢ Donā€™t use -unit-at-a-time (note this is automatically set at -O3 and above) ā€¢ Donā€™t use -keep-inline-functions if your functions are static
Address Space Validation ā€¢ Any time malicious code is injected into your application it must be loaded into an address space ā€¢ Validating the address space adds complexity to attacks as it forces an attacker to inject the malicious code into the existing address space with the valid code or attacking dynamic linker
Address Space Validation ā€¢ The dladdr function in the dynamic linker library returns information about the address space a particular function belongs to. ā€¢ Passing it the function pointer of a classā€™s method implementation can determine whether it came from your app, Appleā€™s frameworks, or an unknown/malicious source
Avoid Simple Logic ā€¢ Simple logic checks for security functions and business logic are susceptible to to manipulation. ā€¢ Examples include: ā€¢ - (BOOL) isLoggedIn ā€¢ BOOL isJailbroken = YES ā€¢ - (void) setDebugFlag
Avoid Simple Logic
Securing Memory ā€¢ Instance variables stored within Objective-C objects can be easily mapped inside the Objective-C runtime. ā€¢ Never store anything in memory until the user has authenticated and data has been decrypted. ā€¢ Manually allocate memory for sensitive data rather than storing the data (or pointers to this data) inside Objective-C instance variables. ā€¢ Wipe sensitive data from memory when itā€™s not needed.
Securing Memory
Transport Layer Security
Transport Layer Security ā€¢ Users will connect their devices to untrusted networks ā€¢ If your app handles sensitive data you should be encrypting all trafļ¬c between the app and the back end.
App Transport Security ā€¢ App Transport Security (ATS) was introduced in iOS 9 requires that all apps use HTTPS to secure all network connections ā€¢ Use of ATS is intended to mandated by Apple for all App Store apps - original deadline was the end of 2016 but this was extended ā€¢ Forces the use of the latest protocol versions (i.e TLS v1.2)
App Transport Security ā€¢ There is some ļ¬ne grained control available to developers ā€¢ Can set per domain exceptions in Info.plist
App Transport Security ā€¢ Possible to completely bypass ATS ā€¢ Donā€™t do thisā€¦.
Cipher Suites ā€¢ You should disable support for low and medium strength cipher suites on the server. ā€¢ Can also control on the client to some extent although less relevant now with ATS ā€¢ If using NSURLSession you can specify the minimum supported TLS protocol version by setting the TLSMinimumSupportedProtocol property in the NSURLSessionConfiguration ā€¢ If using NSURLConnection there is no API to set minimum protocol however itā€™s possible by working with lower level C functions in the older Core Foundation frameworks but not worth it
Certiļ¬cate Validation ā€¢ Always perform certiļ¬cate validation checks ā€¢ When using Apple frameworks iOS will accept a certiļ¬cate if itā€™s signed by a CA in the trust store ā€¢ Certiļ¬cate validation checks will often be overridden in development to avoid issues with self-signed certs. ā€¢ Typically this is encapsulated in a variable somewhere or in some other simple logic that can be subverted.
Certiļ¬cate Validation
Certiļ¬cate Validation ā€¢ To avoid having to do this, use valid certs in development (e.g. free certs) ā€¢ If you do need to disable validation, ensure that the production builds essentially ā€œhard codeā€ validation. ā€¢ Consider certiļ¬cate pinning.
Certiļ¬cate Pinning ā€¢ Mobile apps are great candidates for certiļ¬cate pinning as they only need to communicate with a small, clearly deļ¬ned set of servers ā€¢ Certiļ¬cate pinning improves security by removing the need to trust the certiļ¬cate authorities. ā€¢ iSEC partners have a great library for implementing certiļ¬cate pinning https://github.com/iSECPartners/ssl-conservatory ā€¢ It is important to remember that when pinning a certiļ¬cate that if you need to revoke the certiļ¬cate it will mean an app update.
Data Security
Two types of data security issuesā€¦.
Sensitive data stored on the device by the application that was not secured appropriately by the developer
Unintended data leakage via system functionality
Insecure Data Storage ā€¢ Itā€™s common to ļ¬nd sensitive data stored insecurely on the device. ā€¢ As a general rule sensitive information should not be stored on the device at all. ā€¢ Really consider the need to store sensitive information on the device. Generally it is functionally and technically possible to not store the data at all.
Property List Files ā€¢ Donā€™t store sensitive information using NSUserDefaults. Plist ļ¬les are unencrypted and can easily be retrieved from the device and backups ā€¢ Find all sorts of sensitive information stored in the clear in property list ļ¬les including: ā€¢ Passwords ā€¢ Session tokens ā€¢ Sensitive conļ¬guration items ā€¢ PII (if you consider that sensitive)
SQLite Databases ā€¢ Avoid storing sensitive information in SQLite databases if at all possible. ā€¢ If you need to store sensitive information encrypt the database using SQLCipher https://github.com/sqlcipher/sqlcipher ā€¢ If you are using Core Data the Encrypted Core Data module of the IMAS project leverages SQLCipher to encrypt all data that is persisted https://github.com/project-imas/encrypted-core-data/
Data Protection APIs ā€¢ If you need to write ļ¬les with sensitive information to the device (not credentials) at a minimum write ļ¬les with an appropriate data protection attribute ā€¢ If you donā€™t need to access the ļ¬le in the background use NSFileProtectionComplete (for NSFileManager) or NSDataWritingFileComplete (for NSData). ā€¢ With this attribute set the ļ¬le is encrypted on the ļ¬le system and inaccessible when the device is locked.
Data Protection API ā€¢ If you need to access the ļ¬le in the background use NSFileProtectionCompleteUnlessOpen for (NSFileManager) or NSDataWritingFileProtectionCompleteUnlessOpen (for NSData) ā€¢ With this attribute set the ļ¬le is encrypted on the ļ¬le system and inaccessible while closed. ā€¢ When a device is unlocked an app can maintain an open handle to the ļ¬le even after it is subsequently locked, however during this time the ļ¬le will not be encrypted.
Unintended Data Leakage ā€¢ Sensitive data captured and stored automatically by the operating system. ā€¢ Often developers are unaware that the OS is storing this information.
Background Screenshot ā€¢ Every time an application suspends into the background, a snapshot is taken to facilitate the launch animation. ā€¢ Stored unencrypted in the app container. ā€¢ This allows attackers to view the last thing a user was looking at when the application was backgrounded.
Background Screenshot
Background Screenshot ā€¢ Place content clearing code in the state transition methods applicationDidEnterBackground and applicationWillResignActive ā€¢ The simplest way to clear the screen contents is to set the key windowā€™s hidden property to YES.
Background Screenshot ā€¢ Be careful, if there are any other views behind the current view, these may become visible when the key window is hidden. ā€¢ Other methods: ā€¢ Manually clearing sensitive info from the current view ā€¢ Placing the launch image in the foreground ā€¢ Note: ingoreSnapshotOnNextApplicationLaunch will not prevent the screenshot from being taken
URL Caching ā€¢ iOS automatically caches requests and responses for protocols that support caching (e.g. HTTP/HTTPS) and stores them unencrypted in a SQLite database in the app container. ā€¢ Make sure to conļ¬gure the server to send the appropriate cache control headers ā€¢ Cache-Control: no-cache, no-store ā€¢ Expires: 0 ā€¢ Pragma: no-cache
URL Caching ā€¢ Can also control caching in the client. ā€¢ For NSURLConnection implement the connection:willCacheResponse: delegate method ā€¢ For NSURLSession set the URLCache property to NULL
Logging ā€¢ Less of an issue since iOS 7 ā€¢ Pre-iOS 7 any app was able to view the device console and thus any sensitive data that was logged. ā€¢ Still a good idea to make sure nothing is sensitive is logged. ā€¢ If you must log sensitive information in development for debugging purposes special care should be taken to ensure that this code is not pushed to production. ā€¢ One way to do this is to redeļ¬ne NSLog with a pre-processor macro such as #deļ¬ne NSLog(ā€¦)
Pasteboard ā€¢ When the Cut or Copy buttons are tapped, a cached copy of the data stored on the deviceā€™s clipboard -/private/var/mobile/Library/ Caches/com.apple.UIKit.pboard/pasteboard. ā€¢ If the application handles sensitive data that may be copied to the pasteboard consider disabling Copy/Paste functionality for sensitive text ļ¬elds (note this is done by default for password ļ¬elds)
Pasteboard ā€¢ To disable pasteboard operations for sensitive ļ¬elds subclass UITextView and override the canPerformAction:withSender: method to return NO for actions that you donā€™t want to allow or just disable the menu completely
Autocorrect Cache ā€¢ iOS keeps a binary keyboard cache containing ordered phrases of text entered by the user ā€“ /private/var/mobile/Library/Keyboard/ dynamic-text.dat ā€¢ To avoid writing data to this cache you should turn autocorrect off in text ļ¬elds whose input should remain private. ā€¢ To turn autocorrect off, the developer should set textField.autocorrectionType to UITextAutocorrectionTypeNo for all sensitive text ļ¬elds
Cryptography ā€¢ Getting cryptography right in mobile apps is difļ¬cult. ā€¢ The primary challenge is key management. ā€¢ Most apps fall prey to storing the key with the lock. ā€¢ Need to use a key derivation function.
Key Management ā€¢ Donā€™t hard code an encryption key in the binary as it can easily be retrieved running strings on the binary. ā€¢ Storing an encryption key in the Keychain is not secure on compromised devices. ā€¢ On a compromised device encryption keys can also be retrieved from memory. You should manually allocate memory for encryption keys rather than storing them in Objective-C instance variables. ā€¢ Wipe keys from memory when not needed.
Key Management ā€¢ Use a key derivation function to derive a key to use to encrypt the master key. ā€¢ Should be based on a secret input such as the userā€™s password. ā€¢ Donā€™t just use a cryptographic hash of the key. ā€¢ Use a sensible salt such as the identiļ¬erForVendor
Insecure Algorithms ā€¢ Shouldnā€™t need to tell this group but ā€¢ MD5, SHA1, RC4, MD4 algorithms are weak and should not be used
Custom Encryption Algorithms ā€¢ Donā€™t do it.
Seriously. Donā€™t.
Q&A? Twitter: @mgianarakis Blog that hasnā€™t been updated in years: eightbit.io

More Related Content

PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
byiphonepentest
Ā 
PPTX
Fragments-Plug the vulnerabilities in your App
byAppsecco
Ā 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
Ā 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
Ā 
PDF
Malware on Smartphones and Tablets - The Inconvenient Truth
byAGILLY
Ā 
PDF
CNIT 128 Ch 3: iOS
bySam Bowne
Ā 
PDF
CNIT 128 5: Mobile malware
bySam Bowne
Ā 
PDF
Security Testing Mobile Applications
byDenim Group
Ā 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
byiphonepentest
Ā 
Fragments-Plug the vulnerabilities in your App
byAppsecco
Ā 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
Ā 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
Ā 
Malware on Smartphones and Tablets - The Inconvenient Truth
byAGILLY
Ā 
CNIT 128 Ch 3: iOS
bySam Bowne
Ā 
CNIT 128 5: Mobile malware
bySam Bowne
Ā 
Security Testing Mobile Applications
byDenim Group
Ā 

What's hot

PDF
Bringing Government and Enterprise Security Controls to the Android Endpoint
byHamilton Turner
Ā 
PDF
CNIT 128 Ch 4: Android
bySam Bowne
Ā 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
Ā 
PDF
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
byTeemu Tiainen
Ā 
PDF
Mobile Application Security Code Reviews
byDenim Group
Ā 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
Ā 
ODP
Mobile Apps Security Testing -1
byKrisshhna Daasaarii
Ā 
PDF
Mickey pacsec2016_final
byPacSecJP
Ā 
PPTX
Android Security
byArqum Ahmad
Ā 
PDF
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
byIevgenii Katsan
Ā 
PPTX
Building a Mobile Security Program
byDenim Group
Ā 
PDF
Mobile Application Security
byDirk Nicol
Ā 
PDF
Developing Secure Mobile Applications
byDenim Group
Ā 
PDF
The Internet of Insecure Things: 10 Most Wanted List
bySecurity Weekly
Ā 
PPT
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
byIBM Security
Ā 
PDF
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
byShakacon
Ā 
PDF
Attacking and Defending Apple iOS Devices
byTom Eston
Ā 
PPTX
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
byDerrick Hunter
Ā 
PDF
Challenges in Testing Mobile App Security
byCygnet Infotech
Ā 
PPTX
Fortify technology
byImad Nom de famille
Ā 
Bringing Government and Enterprise Security Controls to the Android Endpoint
byHamilton Turner
Ā 
CNIT 128 Ch 4: Android
bySam Bowne
Ā 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
Ā 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
byTeemu Tiainen
Ā 
Mobile Application Security Code Reviews
byDenim Group
Ā 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
Ā 
Mobile Apps Security Testing -1
byKrisshhna Daasaarii
Ā 
Mickey pacsec2016_final
byPacSecJP
Ā 
Android Security
byArqum Ahmad
Ā 
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
byIevgenii Katsan
Ā 
Building a Mobile Security Program
byDenim Group
Ā 
Mobile Application Security
byDirk Nicol
Ā 
Developing Secure Mobile Applications
byDenim Group
Ā 
The Internet of Insecure Things: 10 Most Wanted List
bySecurity Weekly
Ā 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
byIBM Security
Ā 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
byShakacon
Ā 
Attacking and Defending Apple iOS Devices
byTom Eston
Ā 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
byDerrick Hunter
Ā 
Challenges in Testing Mobile App Security
byCygnet Infotech
Ā 
Fortify technology
byImad Nom de famille
Ā 

Similar to AusCERT - Developing Secure iOS Applications

PDF
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
Ā 
PDF
Yow connected developing secure i os applications
bymgianarakis
Ā 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
Ā 
PDF
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
Ā 
PPTX
128-ch3.pptx
byDeepakPanchal65
Ā 
PDF
What's in a Jailbreak? - BSides 2019 keynote
byMarkDowd13
Ā 
PPTX
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
Ā 
PDF
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
Ā 
PDF
iOS Application Security.pdf
byRavi Aggarwal
Ā 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
Ā 
PDF
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
byDefconRussia
Ā 
PDF
OWASP for iOS
byPhineas Huang
Ā 
PDF
Dark Side of iOS [SmartDevCon 2013]
byKuba Břečka
Ā 
PPTX
[Wroclaw #2] iOS Security - 101
byOWASP
Ā 
PDF
Introduction to iOS Penetration Testing
byOWASP
Ā 
PDF
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
byPROIDEA
Ā 
PPTX
Pentesting iOS Applications
byjasonhaddix
Ā 
PDF
iOS malware: what's the risk and how to reduce it
byCyber Security Alliance
Ā 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
Ā 
PDF
ASFWS 2012 - Audit dā€™applications iOS par Julien Bachmann
byCyber Security Alliance
Ā 
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
Ā 
Yow connected developing secure i os applications
bymgianarakis
Ā 
2a Analyzing iOS Apps Part 1
bySam Bowne
Ā 
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
Ā 
128-ch3.pptx
byDeepakPanchal65
Ā 
What's in a Jailbreak? - BSides 2019 keynote
byMarkDowd13
Ā 
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
Ā 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
Ā 
iOS Application Security.pdf
byRavi Aggarwal
Ā 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
Ā 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
byDefconRussia
Ā 
OWASP for iOS
byPhineas Huang
Ā 
Dark Side of iOS [SmartDevCon 2013]
byKuba Břečka
Ā 
[Wroclaw #2] iOS Security - 101
byOWASP
Ā 
Introduction to iOS Penetration Testing
byOWASP
Ā 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
byPROIDEA
Ā 
Pentesting iOS Applications
byjasonhaddix
Ā 
iOS malware: what's the risk and how to reduce it
byCyber Security Alliance
Ā 
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
Ā 
ASFWS 2012 - Audit dā€™applications iOS par Julien Bachmann
byCyber Security Alliance
Ā 

More from eightbit

PDF
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
byeightbit
Ā 
PDF
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
byeightbit
Ā 
PDF
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
byeightbit
Ā 
PDF
Rootcon X - Reverse Engineering Swift Applications
byeightbit
Ā 
PDF
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
Ā 
PDF
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
Ā 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
byeightbit
Ā 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
byeightbit
Ā 
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
byeightbit
Ā 
Rootcon X - Reverse Engineering Swift Applications
byeightbit
Ā 
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
Ā 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
Ā 

Recently uploaded

PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
Ā 
PDF
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
Ā 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
Ā 
PDF
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
Ā 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
Ā 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
Ā 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
Ā 
PDF
NSSHOEU-J 4x35mmĀ² Cable Specification.pdf
byAnhuiĀ FeichunĀ SpecialĀ CableĀ Co.,Ā Ltd.
Ā 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
Ā 
PDF
2025 October Patch Tuesday
byIvanti
Ā 
PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
Ā 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
Ā 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
Ā 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
Ā 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
Ā 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
Ā 
PPTX
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
Ā 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
Ā 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
Ā 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
Ā 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
Ā 
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
Ā 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
Ā 
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
Ā 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
Ā 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
Ā 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
Ā 
NSSHOEU-J 4x35mmĀ² Cable Specification.pdf
byAnhuiĀ FeichunĀ SpecialĀ CableĀ Co.,Ā Ltd.
Ā 
Using Copilot with Microsoft Office Apps
byDeb Walther
Ā 
2025 October Patch Tuesday
byIvanti
Ā 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
Ā 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
Ā 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
Ā 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
Ā 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
Ā 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
Ā 
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
Ā 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
Ā 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
Ā 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
Ā 

AusCERT - Developing Secure iOS Applications

  • 1.
  • 2.
  • 3.
    This Presentation ā€¢ Aimsto give a good overview of how to design secure iOS applications ā€¢ Focuses on the key security issues commonly found in iOS applications ā€¢ Not a guide to hacking iOS applications
  • 4.
    Topics ā€¢ Overview ofthe iOS attack surface ā€¢ Common iOS security issues ā€¢ Secure iOS application design principles ā€¢ Secure development approaches for key security iOS issues
  • 5.
  • 6.
  • 7.
  • 8.
    Your App Other Apps Network iOS Device Your Backend 3rd Party Services Manin the middle attacks Server compromise and web attacks
  • 9.
    Your App Other Apps Network iOS Device Your Backend 3rd Party Services Manin the middle attacks Server compromise and web attacks
  • 10.
    Your App Other Apps Network iOS Device Your Backend 3rd Party Services Manin the middle attacks Server compromise and web attacks Jailbroken or compromised device
  • 11.
    Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Manin the middle attacks Server compromise and web attacks Jailbroken or compromised device
  • 12.
    Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Manin the middle attacks Server compromise and web attacks Jailbroken or compromised device
  • 13.
    Understanding the RiskProļ¬le of Your App ā€¢ Important ļ¬rst step that is often overlooked. ā€¢ Drives the security design of your application ā€¢ Key considerations: ā€¢ What information is in the app and how sensitive/valuable is it? ā€¢ Who are the likely threat actors? How capable are they? ā€¢ What are the likely attack scenarios for each threat actor? ā€¢ What is your tolerance for risk? ā€¢ Regulatory requirements?
  • 14.
  • 15.
    Common Issues ā€¢ Basedon working with a range of companies and a variety of applications including: ā€¢ Mobile banking and trading apps ā€¢ Board paper apps ā€¢ Internal business apps ā€¢ Retail apps ā€¢ Social networking apps ā€¢ Games
  • 16.
    Binary and runtimesecurity issues
  • 17.
  • 18.
  • 19.
    Get these rightand you are ahead of the pack
  • 20.
  • 21.
    Donā€™t trust theclient or the runtime environment
  • 22.
    Users will connectto untrusted networks
  • 23.
    Donā€™t store anythingsensitive on the device
  • 24.
  • 25.
    Binary and RuntimeSecurity ā€¢ As a reļ¬‚ective language, Objective-C can observe and modify itā€™s own behaviour at runtime. ā€¢ Can be great from a development perspective ā€¢ Not so much from a security perspective
  • 26.
    Binary and RuntimeSecurity ā€¢ The ability to create and call ad hoc classes and methods on the ļ¬‚y allows attackers to manipulate and abuse the runtime of the application: ā€¢ Bypass security locks ā€¢ Break logic checks ā€¢ Escalate privilege ā€¢ Steal information from memory. ā€¢ Implementing runtime security checks signiļ¬cantly increases the security of your application ā€¢ You should always assume that your application will run on a compromised device
  • 27.
    What about Swift? ā€¢Less dynamic than Objective-C ā€¢ Less ļ¬‚exible than Objective-C in some areas ā€¢ Harder to perform the dynamic techniques described previously in the same way but still possible - particularly in mixed runtime apps ā€¢ Greater dynamism planned for future versions of Swift
  • 28.
  • 29.
    Myths Surrounding Jailbreaking ā€¢Generally speaking, iOS is one of the most secure operating systems available ā€¢ One of the deļ¬ning security features of iOS is the chain of trust. Every bit of code is signed and approved by Apple. ā€¢ Break that trust and all bets are off
  • 30.
    Myths Surrounding Jailbreaking ā€¢Some of the security issues discussed in this presentation will require a compromised device ā€¢ This is usually the cause of a lot of misunderstanding when it comes to assessing the impact of these issue
  • 31.
    Myth 1 -Public jailbreaks are the only jailbreaks
  • 32.
    Myth 1 -Public jailbreaks are the only jailbreaks ā€¢ I often hear ā€œbut there is no jailbreak for version x.x.x so we are safeā€ ā€¢ FACT: Public jailbreaks for every version of iOS released so far ā€¢ FACT: Not all users update to the latest ļ¬rmware ā€¢ FACT: iOS vulnerabilities are extremely valuable, there are many more exploits than just those that people give out for free on the internet
  • 33.
    Myth 2 -Jailbreaks require physical access to the device
  • 34.
    Myth 2 -Jailbreaks require physical access to the device ā€¢ I often hear ā€œwell someone would need to steal the device to compromise itā€ ā€¢ FACT: Not all exploits require physical access. ā€¢ jailbreakme.com TIF image processing vulnerability and PDF processing vulnerability required only a user visit a web page in Safari ā€¢ Remote code execution via SMS found by Charlie Miller (https://www.blackhat.com/ presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf) ā€¢ Nitro JIT vulnerability to download and execute unsigned code via POC app that was approved also found by Charlie Miller (http://reverse.put.as/wp-content/uploads/2011/06/ syscan11_breaking_ios_code_signing.pdf) ā€¢ Vulnerability in carrier mandated baseband control protocols by Matt Solnik and Marc Blanchou (https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular- Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf)
  • 35.
    Myth 3 -Jailbreaks are always obvious to the user
  • 36.
    Myth 3 -Jailbreaks are always obvious to the user ā€¢ It is a commonly held misconception that if Cydia is not on the device then it is not jailbroken. ā€¢ Cydia is an app that is commonly installed with public jailbreaks but is certainly not a prerequisite or in any way required for a jailbreak. ā€¢ In fact, any kind of targeted exploit is unlikely to install Cydia in the ļ¬rst place.
  • 37.
    Myth 4 -Jailbreaking is Appleā€™s problem
  • 38.
    Myth 4 -Jailbreaking is Appleā€™s problem ā€¢ FACT: The security of your app, your data and your users is your responsibility. ā€¢ FACT: The security risk to your organisation is your responsibility. You will be the one that suffers the impact if your app is compromised and you should be actively managing that risk. ā€¢ FACT: Apple wonā€™t secure your app for you.
  • 39.
    Myth 5 -You can completely protect against jailbreaking
  • 40.
    Myth 5 -You can completely protect against jailbreaking ā€¢ FACT: Unfortunately you will never be able to completely secure an application. ā€¢ The idea is to raise the bar for the security of your app so that it becomes too difļ¬cult or costly to attack.
  • 41.
  • 42.
    Debug Check ā€¢ Asimple and effective method of securing the runtime is to implement anti-debugging control. ā€¢ There may be reasons to allow an application to run on a jailbroken device but there are no legitimate reasons for debugging a production application
  • 43.
    Debug Check ā€¢ Debuggingprotection can be implemented using the following techniques: ā€¢ Periodically monitoring the process state ļ¬‚ag to determine if application process is being debugged and then terminating the process. ā€¢ Using the ptrace request PT_DENY_ATTACH two prevent future tracing of the process. This can be done with the following function call from within the application: ā€¢ ptrace(31,0,0,0) ā€¢ These techniques should be used in conjunction with each other to provide a more robust anti-debugging control.
  • 44.
    Jailbreak Detection ā€¢ Thereare multiple ways to implement jailbreak detection but the two most common methods are: ā€¢ File system check ā€¢ Sandbox integrity check
  • 45.
    File System Check ā€¢File system checks test for the presence of ļ¬les that are typically found on jailbroken devices. ā€¢ Some examples of ļ¬les to look for: ā€¢ /Library/MobileSubstrate/MobileSubstrate.dylib ā€¢ /var/cache/apt ā€¢ /var/lib/apt ā€¢ /bin/bash and /bin/sh ā€¢ /usr/sbin/sshd and /etc/ssh/sshd_conļ¬g
  • 46.
    File System Check ā€¢When implementing a ļ¬le system check you should ensure you check for multiple ļ¬les using different methods such as ļ¬leExistsAtPath and isReadableFileAtPath ā€¢ This protects against attacks that simply patch the implementation of these methods.
  • 47.
    Sandbox Integrity Check ā€¢A sandbox integrity check tests that the integrity of Appleā€™s sandbox is intact on the device, and that the application is running inside it. ā€¢ A sandbox integrity check works by attempting to perform an operation that would not typically succeed on a device that has not been jailbroken. ā€¢ A common test is to attempt to use the fork function to spawn a new child process ā€¢ If it works - sandbox integrity is compromised ā€¢ If it doesnā€™t - all good
  • 48.
    Jailbreak Detection ā€¢ Checkout the IMAS projectā€™s Security Check module https:// github.com/project-imas/security-check ā€¢ A bit old now but still solid
  • 49.
    Inline Functions ā€¢ Anysensitive functions such as the security checks should be compiled as inline functions ā€¢ Inlining functions complicates attacks that involve editing memory and patching the application by forcing an attacker to ļ¬nd and patch all occurrences of the code. ā€¢ Specify a function as inline using the __attribute__((always_inline)) compiler directive.
  • 50.
    Inline Functions ā€¢ Thisdirective may not always be honoured however. To minimise the chance that this will happen conļ¬gure the following: ā€¢ Set the -ļ¬nline-limit compiler ļ¬‚ag high enough to allow for inlining of your code (e.g. 5000) ā€¢ Set the optimisation level at least -O1 ā€¢ Donā€™t use -unit-at-a-time (note this is automatically set at -O3 and above) ā€¢ Donā€™t use -keep-inline-functions if your functions are static
  • 51.
    Address Space Validation ā€¢Any time malicious code is injected into your application it must be loaded into an address space ā€¢ Validating the address space adds complexity to attacks as it forces an attacker to inject the malicious code into the existing address space with the valid code or attacking dynamic linker
  • 52.
    Address Space Validation ā€¢The dladdr function in the dynamic linker library returns information about the address space a particular function belongs to. ā€¢ Passing it the function pointer of a classā€™s method implementation can determine whether it came from your app, Appleā€™s frameworks, or an unknown/malicious source
  • 53.
    Avoid Simple Logic ā€¢Simple logic checks for security functions and business logic are susceptible to to manipulation. ā€¢ Examples include: ā€¢ - (BOOL) isLoggedIn ā€¢ BOOL isJailbroken = YES ā€¢ - (void) setDebugFlag
  • 54.
  • 55.
    Securing Memory ā€¢ Instancevariables stored within Objective-C objects can be easily mapped inside the Objective-C runtime. ā€¢ Never store anything in memory until the user has authenticated and data has been decrypted. ā€¢ Manually allocate memory for sensitive data rather than storing the data (or pointers to this data) inside Objective-C instance variables. ā€¢ Wipe sensitive data from memory when itā€™s not needed.
  • 56.
  • 57.
  • 58.
    Transport Layer Security ā€¢Users will connect their devices to untrusted networks ā€¢ If your app handles sensitive data you should be encrypting all trafļ¬c between the app and the back end.
  • 59.
    App Transport Security ā€¢App Transport Security (ATS) was introduced in iOS 9 requires that all apps use HTTPS to secure all network connections ā€¢ Use of ATS is intended to mandated by Apple for all App Store apps - original deadline was the end of 2016 but this was extended ā€¢ Forces the use of the latest protocol versions (i.e TLS v1.2)
  • 60.
    App Transport Security ā€¢There is some ļ¬ne grained control available to developers ā€¢ Can set per domain exceptions in Info.plist
  • 61.
    App Transport Security ā€¢Possible to completely bypass ATS ā€¢ Donā€™t do thisā€¦.
  • 62.
    Cipher Suites ā€¢ Youshould disable support for low and medium strength cipher suites on the server. ā€¢ Can also control on the client to some extent although less relevant now with ATS ā€¢ If using NSURLSession you can specify the minimum supported TLS protocol version by setting the TLSMinimumSupportedProtocol property in the NSURLSessionConfiguration ā€¢ If using NSURLConnection there is no API to set minimum protocol however itā€™s possible by working with lower level C functions in the older Core Foundation frameworks but not worth it
  • 63.
    Certiļ¬cate Validation ā€¢ Alwaysperform certiļ¬cate validation checks ā€¢ When using Apple frameworks iOS will accept a certiļ¬cate if itā€™s signed by a CA in the trust store ā€¢ Certiļ¬cate validation checks will often be overridden in development to avoid issues with self-signed certs. ā€¢ Typically this is encapsulated in a variable somewhere or in some other simple logic that can be subverted.
  • 64.
  • 65.
    Certiļ¬cate Validation ā€¢ Toavoid having to do this, use valid certs in development (e.g. free certs) ā€¢ If you do need to disable validation, ensure that the production builds essentially ā€œhard codeā€ validation. ā€¢ Consider certiļ¬cate pinning.
  • 66.
    Certiļ¬cate Pinning ā€¢ Mobileapps are great candidates for certiļ¬cate pinning as they only need to communicate with a small, clearly deļ¬ned set of servers ā€¢ Certiļ¬cate pinning improves security by removing the need to trust the certiļ¬cate authorities. ā€¢ iSEC partners have a great library for implementing certiļ¬cate pinning https://github.com/iSECPartners/ssl-conservatory ā€¢ It is important to remember that when pinning a certiļ¬cate that if you need to revoke the certiļ¬cate it will mean an app update.
  • 67.
  • 68.
    Two types ofdata security issuesā€¦.
  • 69.
    Sensitive data storedon the device by the application that was not secured appropriately by the developer
  • 70.
    Unintended data leakagevia system functionality
  • 71.
    Insecure Data Storage ā€¢Itā€™s common to ļ¬nd sensitive data stored insecurely on the device. ā€¢ As a general rule sensitive information should not be stored on the device at all. ā€¢ Really consider the need to store sensitive information on the device. Generally it is functionally and technically possible to not store the data at all.
  • 72.
    Property List Files ā€¢Donā€™t store sensitive information using NSUserDefaults. Plist ļ¬les are unencrypted and can easily be retrieved from the device and backups ā€¢ Find all sorts of sensitive information stored in the clear in property list ļ¬les including: ā€¢ Passwords ā€¢ Session tokens ā€¢ Sensitive conļ¬guration items ā€¢ PII (if you consider that sensitive)
  • 73.
    SQLite Databases ā€¢ Avoidstoring sensitive information in SQLite databases if at all possible. ā€¢ If you need to store sensitive information encrypt the database using SQLCipher https://github.com/sqlcipher/sqlcipher ā€¢ If you are using Core Data the Encrypted Core Data module of the IMAS project leverages SQLCipher to encrypt all data that is persisted https://github.com/project-imas/encrypted-core-data/
  • 74.
    Data Protection APIs ā€¢If you need to write ļ¬les with sensitive information to the device (not credentials) at a minimum write ļ¬les with an appropriate data protection attribute ā€¢ If you donā€™t need to access the ļ¬le in the background use NSFileProtectionComplete (for NSFileManager) or NSDataWritingFileComplete (for NSData). ā€¢ With this attribute set the ļ¬le is encrypted on the ļ¬le system and inaccessible when the device is locked.
  • 75.
    Data Protection API ā€¢If you need to access the ļ¬le in the background use NSFileProtectionCompleteUnlessOpen for (NSFileManager) or NSDataWritingFileProtectionCompleteUnlessOpen (for NSData) ā€¢ With this attribute set the ļ¬le is encrypted on the ļ¬le system and inaccessible while closed. ā€¢ When a device is unlocked an app can maintain an open handle to the ļ¬le even after it is subsequently locked, however during this time the ļ¬le will not be encrypted.
  • 76.
    Unintended Data Leakage ā€¢Sensitive data captured and stored automatically by the operating system. ā€¢ Often developers are unaware that the OS is storing this information.
  • 77.
    Background Screenshot ā€¢ Everytime an application suspends into the background, a snapshot is taken to facilitate the launch animation. ā€¢ Stored unencrypted in the app container. ā€¢ This allows attackers to view the last thing a user was looking at when the application was backgrounded.
  • 78.
  • 79.
    Background Screenshot ā€¢ Placecontent clearing code in the state transition methods applicationDidEnterBackground and applicationWillResignActive ā€¢ The simplest way to clear the screen contents is to set the key windowā€™s hidden property to YES.
  • 80.
    Background Screenshot ā€¢ Becareful, if there are any other views behind the current view, these may become visible when the key window is hidden. ā€¢ Other methods: ā€¢ Manually clearing sensitive info from the current view ā€¢ Placing the launch image in the foreground ā€¢ Note: ingoreSnapshotOnNextApplicationLaunch will not prevent the screenshot from being taken
  • 81.
    URL Caching ā€¢ iOSautomatically caches requests and responses for protocols that support caching (e.g. HTTP/HTTPS) and stores them unencrypted in a SQLite database in the app container. ā€¢ Make sure to conļ¬gure the server to send the appropriate cache control headers ā€¢ Cache-Control: no-cache, no-store ā€¢ Expires: 0 ā€¢ Pragma: no-cache
  • 82.
    URL Caching ā€¢ Canalso control caching in the client. ā€¢ For NSURLConnection implement the connection:willCacheResponse: delegate method ā€¢ For NSURLSession set the URLCache property to NULL
  • 83.
    Logging ā€¢ Less ofan issue since iOS 7 ā€¢ Pre-iOS 7 any app was able to view the device console and thus any sensitive data that was logged. ā€¢ Still a good idea to make sure nothing is sensitive is logged. ā€¢ If you must log sensitive information in development for debugging purposes special care should be taken to ensure that this code is not pushed to production. ā€¢ One way to do this is to redeļ¬ne NSLog with a pre-processor macro such as #deļ¬ne NSLog(ā€¦)
  • 84.
    Pasteboard ā€¢ When theCut or Copy buttons are tapped, a cached copy of the data stored on the deviceā€™s clipboard -/private/var/mobile/Library/ Caches/com.apple.UIKit.pboard/pasteboard. ā€¢ If the application handles sensitive data that may be copied to the pasteboard consider disabling Copy/Paste functionality for sensitive text ļ¬elds (note this is done by default for password ļ¬elds)
  • 85.
    Pasteboard ā€¢ To disablepasteboard operations for sensitive ļ¬elds subclass UITextView and override the canPerformAction:withSender: method to return NO for actions that you donā€™t want to allow or just disable the menu completely
  • 86.
    Autocorrect Cache ā€¢ iOSkeeps a binary keyboard cache containing ordered phrases of text entered by the user ā€“ /private/var/mobile/Library/Keyboard/ dynamic-text.dat ā€¢ To avoid writing data to this cache you should turn autocorrect off in text ļ¬elds whose input should remain private. ā€¢ To turn autocorrect off, the developer should set textField.autocorrectionType to UITextAutocorrectionTypeNo for all sensitive text ļ¬elds
  • 87.
    Cryptography ā€¢ Getting cryptographyright in mobile apps is difļ¬cult. ā€¢ The primary challenge is key management. ā€¢ Most apps fall prey to storing the key with the lock. ā€¢ Need to use a key derivation function.
  • 88.
    Key Management ā€¢ Donā€™thard code an encryption key in the binary as it can easily be retrieved running strings on the binary. ā€¢ Storing an encryption key in the Keychain is not secure on compromised devices. ā€¢ On a compromised device encryption keys can also be retrieved from memory. You should manually allocate memory for encryption keys rather than storing them in Objective-C instance variables. ā€¢ Wipe keys from memory when not needed.
  • 89.
    Key Management ā€¢ Usea key derivation function to derive a key to use to encrypt the master key. ā€¢ Should be based on a secret input such as the userā€™s password. ā€¢ Donā€™t just use a cryptographic hash of the key. ā€¢ Use a sensible salt such as the identiļ¬erForVendor
  • 90.
    Insecure Algorithms ā€¢ Shouldnā€™tneed to tell this group but ā€¢ MD5, SHA1, RC4, MD4 algorithms are weak and should not be used
  • 91.
  • 92.
  • 93.
    Q&A? Twitter: @mgianarakis Blog thathasnā€™t been updated in years: eightbit.io