

vixentael
October 31, 2015

Data transfer security for mobile apps: what the fish doesn’t notice in the ocean? 🐟


-------------------

Talk on Lviv Mobile Day.

* Wise fish knows there ain’t enough talks about security
* Communication with server: security, reliability, ease of use, choose two
* Applied cryptography: should you manually configure CommonCrypto or …?
* Network security is piranha in risk and ruff in implementation
* Practical example: protecting network transport without breaking app


Transcript

  1. Data transfer security for mobile apps: what the fish doesn’t notice in the ocean? #mddaylviv2015 @vixentael
  2. Apple Security Guide: "Every program is a potential target. Your customers’ property and your reputation are at stake." https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html (slide footer on every slide: data transfer security for mobile apps #mddaylviv2015 @vixentael)
  3. 3 kinds of data to protect: data in storage, data in memory, data in motion
  4. One proxy to rule ’em all! * SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM * Intercepting the App Store's Traffic on iOS http://bit.ly/1H3xMrs
  5. Attack reasons: many apps use HTTP* (*iOS9 ATS will decrease this number)
  6. Attack reasons: many apps use HTTP*; some apps use HTTPS (*iOS9 ATS will decrease this number)
  7. Attack reasons: many apps use HTTP*; some apps use HTTPS; few apps encrypt user’s data (*iOS9 ATS will decrease this number)
  8. Omg WTF is going on (WTF, WTF, WTF) http://stackoverflow.com/a/26147479
  9. 3. Illusion of safety is still an illusion: #define kUserPassword @“1111111”
  10. Amateurs Produce Amateur Cryptography: "Anyone can invent a security system that he himself cannot break" — Schneier's Law https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
  11. Use great tools (scientific background, trust big guys, good track record): Themis https://github.com/cossacklabs/themis; RNCryptor https://github.com/RNCryptor/RNCryptor; MIHCrypto https://github.com/hohl/MIHCrypto; OTRKit https://github.com/ChatSecure/OTRKit; libsodium/NaCL https://github.com/mochtu/libsodium-ios
  12. Use SSL? Do it right! SSL has a lot of problems. To survive you need to: ✤ use long keys ✤ remove backward compatibility ✤ use good ciphers (EC vs RSA) ✤ SSL pinning ✤ use cheat sheet https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
  13. SSL pinning on iOS https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/ https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/

    // NSURLConnection delegate: accept the server only if its leaf certificate
    // is byte-for-byte identical to the certificate bundled with the app.
    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
        SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
        id<NSURLAuthenticationChallengeSender> sender = challenge.sender;
        // Leaf certificate presented by the server (index 0 of the chain)
        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
        // Expected certificate shipped inside the app bundle
        NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
        NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
        if ([remoteCertificateData isEqualToData:localCertData]) {
            NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
            [sender useCredential:credential forAuthenticationChallenge:challenge];
        } else {
            // Mismatch: refuse the connection
            [sender cancelAuthenticationChallenge:challenge];
        }
    }
  14. SSL pinning more easy :) Swift lib for HTTPS with SSL pinning https://github.com/johnlui/Pitaya/wiki

    let certData = NSData(contentsOfFile: NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
    ...
    .addSSLPinning(LocalCertData: certData) { () -> Void in
        print("Under Man-in-the-middle attack!")
    }
  15. Let’s imagine a chatting app: simple API, authentication, meaningful communication, confidentiality thread
  16. Securing app step by step: 1. HTTPS everywhere 2. SSL pinning 3. Encrypt messages by persistent keys
  17. Securing app step by step: 1. HTTPS everywhere ----> SSL/TLS has lots of bugs and bad crypto; 2. SSL pinning ----> is not a panacea; 3. Encrypt messages by persistent keys ----> can be easily cracked
  18. Securing in a more proper way: perfect forward secrecy, use good ciphers
  19. How to achieve it easily https://github.com/cossacklabs/themis: 1. establish session 2. encrypt message with SecureSession before sending 3. decrypt message after receive 4. encrypt history with SecureCell
  20. To read ★ CryptoCat iOS app security audit https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf ★ Why you should avoid SSL for your next application https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html ★ OAuth1, OAuth2, OAuth...? http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html
  21. To watch (YouTube) ★ All talks of Moxie Marlinspike https://www.youtube.com/watch?v=ibF36Yyeehw https://www.youtube.com/watch?v=8N4sb-SEpcg https://www.youtube.com/watch?v=tOMiAeRwpPA
  22. To read more slides ★ Securing iOS apps https://speakerdeck.com/mbazaliy/securing-ios-applications ★ Users' data security in iOS applications https://speakerdeck.com/vixentael/users-data-security-in-ios-applications ★ Reversing 101 https://speakerdeck.com/0xc010d/reversing-101