Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iOS App Security Basics - Mobile Warsaw, Januar...

iOS App Security Basics - Mobile Warsaw, January 23rd 2017

Have you ever exposed your company to intellectual or financial loss? Have you ever written an app that doesn’t have security and privacy in mind? Join in the talk by our invited speaker from Poland, Maciej, to get to know iOS security basics and best practices to build secure apps!

Meetup: https://www.meetup.com/Mobile-Warsaw/events/237011962/
Recording: https://www.youtube.com/watch?v=kcH24P6uVOA

Maciej Piotrowski

January 23, 2017
Tweet

More Decks by Maciej Piotrowski

Other Decks in Technology

Transcript

  1. Updates • 0.7% Android devices → Android 7 Nougat [Jan

    9th, 2017] • 76% iOS devices → iOS 10 [Jan 4th, 2017]
  2. Building Secure Apps • Network • Data Protec.on • Inter-Process

    Communica.on (IPC) • Jailbreak - detec.on & ac.on
  3. Why apps can be a,acked? • !!! financial transac,ons •

    PCI - Personal Card Informa,on " • PII - Personal Iden,fiable Informa,on # • PHI - Personal Health Informa,on $
  4. Who might be an a-acker? • ! Criminals • Business

    compe1tors " • # Internet Service Providers (ISP) • Governments $ • ❤ Roman1c partners, family, friends
  5. When can they a*ack? • Direct access • No passcode

    • Jailbroken • Malware • Zero-day device
  6. Network • Secure connec*on (HTTPS) • App Transport Security (ATS)

    • Cer*ficate pinning • Cer*ficate Transparency (new mechanism)
  7. Data Protec*on • FileProtec+onType → .complete or .completeUnlessOpen • Creden+als

    → Keychain • Default Snapshot → replaced • UIPasteboard → cleared • Custom keyboard extensions → disabled
  8. Inter-Process Communica1on (IPC) • URL Schemes • ❌ application:handleOpenURL: •

    ✔ application:openURL:options: • validate Bundle ID & URL params
  9. Jailbreak • Cydia app • access outside sandbox • fork

    a process • method hooks & code injec1on • debugger a4ached • non-standard ports open
  10. Jailbreak - how to live? • slow down an a*acker

    • wipe out sensi3ve data • mark account as fraudolent on backend
  11. Materials Security @ swi-ing.io My Cards project Replace snapshot example

    Protect store example Disable keyboard extensions example Validate IPC example
  12. Materials Apple's iOS Security Guide Apple's Secure Coding Guide WWDC

    2016 - How iOS Security Really Works WWDC 2016 - What's New in Security XcodeGhost Bypassing Jailbreak DetecHon