
iOS App Security Basics


Have you ever exposed your company to intellectual or financial loss? Have you ever written an app that doesn't have security and privacy in mind? Join the talk by our invited speaker from Poland, Maciej, to get to know iOS security basics and best practices for building secure apps!

https://www.meetup.com/CocoaHeads-Tricity/events/237364434/

Maciej Piotrowski

February 15, 2017

Transcript

  1. Device & OS
     • Secure Enclave
     • Passcode
     • Touch ID
     • Secure Boot
     • Code Signing
     • Sandboxing

  2. Updates
     • 1.2% of Android devices run Android 7.x Nougat [Feb 6th, 2017]
     • 76% of iOS devices run iOS 10 [Jan 4th, 2017]

  3. Building Secure Apps
     • Network
     • Data Protection
     • Inter-Process Communication (IPC)
     • Jailbreak - detection & action

  4. Why can apps be attacked?
     • financial transactions
     • PCI - payment card (cardholder) data, the data PCI DSS covers
     • PII - Personally Identifiable Information
     • PHI - Protected Health Information

  5. Who might be an attacker?
     • Criminals
     • Business competitors
     • Internet Service Providers (ISP)
     • Governments
     • Romantic partners, family, friends

  6. When can they attack?
     • Direct access to the device
     • No passcode set
     • Jailbroken device
     • Malware on the device
     • Unpatched zero-day on the device
  7. Network
     • Secure connection (HTTPS) only, never plain HTTP
     • App Transport Security (ATS): enforced by default since iOS 9, requires TLS 1.2 and forward secrecy; do not add blanket exceptions
     • Certificate pinning: accept only the certificates (or keys) you expect for your API hosts, not anything a trusted CA signs
     • Certificate Transparency (new mechanism): opt in per domain with the NSRequiresCertificateTransparency ATS key
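Certificate pinning as the slide describes it, written out as a URLSession delegate. This is an added example, not code from the talk: it pins the SHA-256 digest of the server's DER-encoded leaf certificate on top of the normal chain validation, and fails closed when the digest does not match. The host name, the digest placeholders and the service name are assumptions.

```swift
import Foundation
import Security
import CommonCrypto

/// URLSession delegate that pins the server's leaf certificate (SHA-256 of its DER bytes)
/// in addition to the system's chain validation. Hosts and digests are placeholders.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    /// host -> acceptable SHA-256 hex digests of the DER-encoded leaf certificate.
    /// Pin at least two (current + backup) so a routine certificate rotation cannot lock users out.
    private let pins: [String: Set<String>]

    init(pins: [String: Set<String>]) {
        self.pins = pins
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only intercept server-trust challenges; leave HTTP auth etc. to the default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation first (expiry, hostname, trusted root). Pinning narrows the set of
        //    acceptable certificates; it does not replace the chain check.
        var result = SecTrustResultType.invalid
        guard SecTrustEvaluate(trust, &result) == errSecSuccess,
              result == .unspecified || result == .proceed else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Compare the leaf certificate (index 0 of the evaluated chain) with the pins for this host.
        let host = challenge.protectionSpace.host
        guard let expected = pins[host],
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            // No pins for this host: fail closed. Use this session only for the API hosts you pin.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        if expected.contains(PinningSessionDelegate.sha256Hex(of: der)) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Mismatch: interception proxy, mis-issued certificate, or a rotation nobody pinned. Abort.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    private static func sha256Hex(of data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { buffer in
            _ = CC_SHA256(buffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return digest.map { String(format: "%02x", $0) }.joined()
    }
}

/// Builds the session the app uses for its (hypothetical) API host. Compute the digests offline with
///   openssl x509 -in leaf.pem -outform der | openssl dgst -sha256
func makePinnedSession() -> URLSession {
    let delegate = PinningSessionDelegate(pins: [
        "api.example.com": ["<sha256 of current leaf cert>", "<sha256 of backup leaf cert>"]
    ])
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

Pinning the leaf is the strictest choice and must be updated with every certificate renewal; pinning the public key or an intermediate CA survives renewals at the cost of a wider trust set. Whatever you pin, keep a backup pin in the shipped app, because a user who cannot update will otherwise be locked out after rotation.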
  8. Data Protection
     • FileProtectionType → .complete (only readable while unlocked) or .completeUnlessOpen (files that stay open in the background)
     • Credentials → Keychain, never UserDefaults or plain files
     • Default snapshot → replaced, so the app-switcher thumbnail does not show sensitive screens
     • UIPasteboard → cleared when leaving the app
     • Custom keyboard extensions → disabled (third-party keyboards can capture every keystroke)
     • Database files → excluded from backup
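The six measures on this slide, wired into one app delegate. This is an added example, not the talk's own code (the talk points to its own samples at swifting.io): the service name, account name and file path are placeholders.

```swift
import UIKit
import Security

/// Data-protection measures from the slide, in one place. Service/account names are placeholders.
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private var coverView: UIView?

    // Credentials -> Keychain. WhenUnlockedThisDeviceOnly: readable only while the device is unlocked,
    // and never migrated to another device through a backup.
    static func storeToken(_ token: Data, account: String) -> OSStatus {
        let item: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.app.session-token",   // placeholder service name
            kSecAttrAccount as String: account,
            kSecValueData as String: token,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]
        SecItemDelete(item as CFDictionary)          // replace any stale copy
        return SecItemAdd(item as CFDictionary, nil)
    }

    // Database file: strongest protection class that still works for a file kept open in the
    // background, and excluded from iCloud/iTunes backups.
    static func createProtectedStore(at url: URL) throws {
        guard FileManager.default.createFile(
            atPath: url.path,
            contents: Data(),
            attributes: [.protectionKey: FileProtectionType.completeUnlessOpen]   // .complete for foreground-only files
        ) else {
            throw CocoaError(.fileWriteUnknown)
        }
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        var fileURL = url
        try fileURL.setResourceValues(values)
    }

    // Custom keyboard extensions -> disabled for the whole app.
    func application(_ application: UIApplication,
                     shouldAllowExtensionPointIdentifier extensionPointIdentifier: UIApplication.ExtensionPointIdentifier) -> Bool {
        return extensionPointIdentifier != .keyboard
    }

    // Default snapshot -> replaced, pasteboard -> cleared. The system takes the app-switcher
    // snapshot after this callback returns, so it captures the cover view instead of the UI.
    func applicationDidEnterBackground(_ application: UIApplication) {
        guard let window = window else { return }
        let cover = UIView(frame: window.bounds)
        cover.backgroundColor = .white
        window.addSubview(cover)
        coverView = cover
        UIPasteboard.general.items = []     // drop anything copied in the app, e.g. a card number
    }

    func applicationWillEnterForeground(_ application: UIApplication) {
        coverView?.removeFromSuperview()
        coverView = nil
    }
}
```

Clearing the pasteboard on background is a trade-off: it also removes text the user deliberately copied to paste elsewhere, so apps that handle card or account numbers usually restrict it to those fields rather than clearing unconditionally.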
  9. Inter-Process Communication (IPC)
     • URL Schemes: any app on the device can open yours with any URL it likes
     • ❌ application:handleOpenURL: (deprecated, gives no information about the caller)
     • ✔ application:openURL:options: (the options dictionary carries the caller's bundle ID, supplied by the system)
     • validate the caller's Bundle ID & every URL parameter before acting on the link
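The validation the slide asks for, as an added example rather than the talk's code. It assumes a hypothetical "myapp://pay?to=...&amount=..." deep link, a placeholder allow-list of caller bundle IDs, and an AppDelegate that stores the parsed request instead of executing it straight away.

```swift
import UIKit

/// Reasons a deep link is rejected; the caller gets `false` back and nothing else happens.
enum InboundURLError: Error {
    case untrustedCaller, badScheme, badAction, badParameter(String)
}

struct PaymentRequest: Equatable {
    let recipient: String
    let amountCents: Int
}

/// Apps allowed to trigger a payment link (placeholder). `sourceApplication` is nil for links
/// opened from Safari or a web view, so those are rejected for this action.
let trustedCallers: Set<String> = ["com.example.companion"]

/// Parses and validates a (hypothetical) payment deep link. Every check is an allow-list:
/// scheme, action, parameter characters and numeric range, never "does it look roughly right".
func parsePaymentURL(_ url: URL, sourceApplication: String?) throws -> PaymentRequest {
    // 1. Who is calling? The system fills in the bundle ID; the calling app cannot choose it.
    guard let caller = sourceApplication, trustedCallers.contains(caller) else {
        throw InboundURLError.untrustedCaller
    }
    // 2. Is this our scheme and an action we actually expose?
    guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
          parts.scheme == "myapp" else {
        throw InboundURLError.badScheme
    }
    guard parts.host == "pay" else { throw InboundURLError.badAction }
    // 3. Validate each parameter. Duplicate keys keep the first value so an attacker cannot
    //    append a second "amount" to override what a reviewer saw in the link.
    let query = Dictionary((parts.queryItems ?? []).map { ($0.name, $0.value ?? "") },
                           uniquingKeysWith: { first, _ in first })
    guard let recipient = query["to"], !recipient.isEmpty, recipient.count <= 64,
          recipient.unicodeScalars.allSatisfy({ CharacterSet.alphanumerics.contains($0) }) else {
        throw InboundURLError.badParameter("to")
    }
    guard let amountText = query["amount"], let amount = Int(amountText),
          (1...100_000).contains(amount) else {
        throw InboundURLError.badParameter("amount")
    }
    return PaymentRequest(recipient: recipient, amountCents: amount)
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    /// The parsed request is held for a confirmation screen; the link itself never triggers the payment.
    private(set) var pendingRequest: PaymentRequest?

    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        do {
            pendingRequest = try parsePaymentURL(url,
                                                 sourceApplication: options[.sourceApplication] as? String)
            return true
        } catch {
            return false   // tells the system the URL was not handled
        }
    }
}
```

The bundle ID check keeps out other App Store apps, but on a jailbroken device a process can run with any identity, which is why the parameter validation and the user-facing confirmation step do not depend on it.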
  10. Jailbreak - indicators
     • Cydia app installed
     • access outside the sandbox (e.g. writing to /private)
     • fork() succeeds, which the sandbox normally prevents
     • method hooks & code injection (Substrate-style libraries loaded into the process)
     • debugger attached
     • non-standard ports open (e.g. SSH)

  11. Jailbreak - how to live with it?
     • slow down an attacker: many small checks spread through the code, not one obvious function to patch
     • wipe sensitive data held on the device
     • mark the account as fraudulent on the backend, where the attacker cannot patch the decision
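The indicators from slide 10 and the responses from slide 11, as an added example that is not the talk's code. Each indicator is a separate function so the checks can be scattered through the app rather than called from one place; the paths, the Cydia URL (which needs a "cydia" entry in LSApplicationQueriesSchemes), the library names and the backend endpoint are assumptions.

```swift
import UIKit
import Security
import MachO

enum JailbreakIndicator: String, CaseIterable {
    case cydiaInstalled, sandboxEscape, forkSucceeded, injectedLibrary, debuggerAttached
}

struct JailbreakDetector {
    static func findings() -> [JailbreakIndicator] {
        var hits: [JailbreakIndicator] = []
        if cydiaPresent() { hits.append(.cydiaInstalled) }
        if canWriteOutsideSandbox() { hits.append(.sandboxEscape) }
        if forkSucceeds() { hits.append(.forkSucceeded) }
        if hasInjectedLibrary() { hits.append(.injectedLibrary) }
        if isDebuggerAttached() { hits.append(.debuggerAttached) }
        return hits
    }

    // Cydia bundle on disk, or its URL scheme registered.
    static func cydiaPresent() -> Bool {
        if FileManager.default.fileExists(atPath: "/Applications/Cydia.app") { return true }
        if let url = URL(string: "cydia://package/com.example.tweak"),   // placeholder package
           UIApplication.shared.canOpenURL(url) { return true }
        return false
    }

    // A sandboxed app cannot write to /private; if it can, the sandbox has been loosened.
    static func canWriteOutsideSandbox() -> Bool {
        let path = "/private/" + UUID().uuidString
        do {
            try "probe".write(toFile: path, atomically: true, encoding: .utf8)
            try FileManager.default.removeItem(atPath: path)
            return true
        } catch {
            return false
        }
    }

    // fork() is hidden from App Store apps in the SDK, so it is resolved at runtime;
    // under the sandbox it returns -1, on a jailbroken device it succeeds.
    static func forkSucceeds() -> Bool {
        typealias ForkFunction = @convention(c) () -> pid_t
        let rtldDefault = UnsafeMutableRawPointer(bitPattern: -2)   // RTLD_DEFAULT
        guard let symbol = dlsym(rtldDefault, "fork") else { return false }
        let pid = unsafeBitCast(symbol, to: ForkFunction.self)()
        if pid == 0 { exit(0) }     // we are the child process: leave immediately
        return pid > 0
    }

    // Hooking frameworks load a library into every process; look for them among the loaded images.
    static func hasInjectedLibrary() -> Bool {
        let suspicious = ["MobileSubstrate", "SubstrateLoader", "libhooker", "FridaGadget"]
        for i in 0..<_dyld_image_count() {
            guard let cName = _dyld_get_image_name(i) else { continue }
            let name = String(cString: cName)
            if suspicious.contains(where: { name.contains($0) }) { return true }
        }
        return false
    }

    // The kernel sets P_TRACED on our process while a debugger is attached.
    static func isDebuggerAttached() -> Bool {
        var info = kinfo_proc()
        var size = MemoryLayout<kinfo_proc>.stride
        var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
        guard sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0 else { return false }
        return (info.kp_proc.p_flag & P_TRACED) != 0
    }
}

/// Slide 11: what to do with the findings. The endpoint is a placeholder.
enum JailbreakPolicy {
    static func respond(to findings: [JailbreakIndicator], accountID: String) {
        guard !findings.isEmpty else { return }
        // Wipe what we hold locally: every generic-password item this app stored in the Keychain.
        SecItemDelete([kSecClass as String: kSecClassGenericPassword] as CFDictionary)
        // Report to the backend; the server, not the client, decides how the account is treated.
        var request = URLRequest(url: URL(string: "https://api.example.com/fraud/device-report")!)
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        let body = ["account": accountID, "indicators": findings.map { $0.rawValue }] as [String: Any]
        request.httpBody = try? JSONSerialization.data(withJSONObject: body)
        URLSession.shared.dataTask(with: request).resume()
    }
}
```

Every one of these checks runs inside the attacker's process and can be hooked away, which is exactly why the slide's last point matters: the client-side findings only earn the app time, while the backend flag is the decision the attacker cannot patch.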
  12. Materials
     • Security @ swifting.io
     • My Cards project
     • Replace snapshot example
     • Protect store example
     • Disable keyboard extensions example
     • Validate IPC example

  13. Materials
     • Apple's iOS Security Guide
     • Apple's Secure Coding Guide
     • WWDC 2016 - How iOS Security Really Works
     • WWDC 2016 - What's New in Security
     • XcodeGhost
     • Bypassing Jailbreak Detection