Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iOS App Security Basics - Singapore, iOS Dev Sc...

iOS App Security Basics - Singapore, iOS Dev Scout Meetup, January 17th 2017

Have you ever exposed your company to intellectual or financial loss? Have you ever written an app that doesn’t have security and privacy in mind? Join in the talk by our invited speaker from Poland, Maciej, to get to know iOS security basics and best practices to build secure apps!

Meetup: https://www.meetup.com/Singapore-iOS-Dev-Scout-Meetup/events/236474670/
Recording: https://engineers.sg/v/1356

Maciej Piotrowski

January 17, 2017
Tweet

More Decks by Maciej Piotrowski

Other Decks in Technology

Transcript

  1. Passcode • 80 unlocks per day • 49% people used

    in the past • 89% people use now (Touch ID)
  2. Updates • 0.7% people use Android 7.0 - 7.1 Nougat

    [Jan 9th, 2017] • 76% people use iOS 10 [Jan 4th, 2017]
  3. Building Secure Apps • Network • Data Protec.on • Inter-Process

    Communica.on (IPC) • Jailbreak - detec.on & ac.on
  4. Why apps can be a,acked? • PII - Personal Iden.fiable

    Informa.on • PCI - Personal Card Informa.on • PHI - Personal Health Informa.on • financial transac.ons
  5. Who might be an a-acker? • Criminals • Business compe1tors

    • Internet Service Providers (ISP) • Governments • Roman1c partners, family, friends
  6. When can they a*ack? • Direct access • No passcode

    • Jailbroken • Malware • Zero-day device
  7. Network • Secure connec'on (HTTPS) • App Transport Security (ATS)

    • Cer'ficate pinning • Cer'ficate Transparency (new mechanism)
  8. Data Protec*on • FileProtec*onType.complete or .completeUnlessOpen for data • Keychain

    for creden,als • Default Snapshot replaced • UIPasteboard cleared • Custom keyboard extensions disabled
  9. Inter-Process Communica1on (IPC) • URL Schemes • validate Bundle ID

    & URL params • ❌ application:handleOpenURL: • ✔ application:openURL:options:
  10. Jailbreak • Cydia app • system calls outside sandbox •

    method hooks & code injec2on • debugger a2ached • non-standard ports open
  11. Jailbreak - how to live? • slow down an a*acker

    • wipe out sensi3ve data • mark account as fraud on backend
  12. Materials Security @ swi-ing.io My Cards project Replace snapshot example

    Protect store example Validate IPC example Disable keyboard extensions example
  13. Materials Apple's iOS Security Guide Apple's Secure Coding Guide WWDC

    2016 How iOS Security Really Works WWDC 2016 What's New in Security Max Bazily's slides Vixantel's slides The Mobile ApplicaJon Hacker's Handbook OWASP Mobile Security Project Damn Vulnerable iOS ApplicaJon (DVIA) Make use of - Appstore Malware