I phone
Transcript

  • 1. The iPhone: A Case for Software Security (Dwayne Bates)
  • 2. Acknowledgements
    • Graham Cluley's Blog - http://www.sophos.com/blogs/gc/g/2009/11/03/hacked-iphones-held-hostage-5-euros/
    • Nicolas Seriot (SpyPhone) - http://seriot.ch/blog.php?article=20100203
    • Apple's Developer Site - developer.apple.com
  • 3. Overview
    • What is the iPhone?
    • History of Privacy Issues for the iPhone
    • Spyware and the iPhone
    • iPhone Applications
    • How did this information affect the development process?
    • Closing Remarks
    • References
  • 4. What is the iPhone?
    • Features:
      • iPod
      • Phone
      • Internet
  • 5. Security Overview
    • History of Security and Privacy Issues:
      • Root exploits and Personal Data Harvesting
      • Jailbreaking and Worms
  • 6. Security Overview (cont'd)
    • Spyware and the iPhone: SpyPhone
      • /var/mobile/Library/Keyboard/
      • /var/mobile/Library/Preferences/com.apple.accountsettings.plist
      • /var/mobile/Library/Preferences/com.apple.commcenter.plist
      • /var/mobile/Library/Preferences/com.apple.mobilephone.settings.plist
      • /var/mobile/Library/Preferences/com.apple.mobilephone.plist
      • /var/mobile/Library/Preferences/com.apple.mobilesafari.plist
      • /var/mobile/Library/Preferences/com.apple.preferences.datetime.plist
      • /var/mobile/Library/Preferences/com.apple.weather.plist
      • /var/mobile/Library/Preferences/com.apple.youtube.plist
      • /var/mobile/Library/Preferences/com.apple.Maps.plist
      • /var/mobile/Media/DCIM/
      Figure 2: Paths actually read by SpyPhone
  • 7. iPhone Applications
    • Development Process
      • Enroll in iPhone Developer Program
      • Download iPhone SDK
      • Gain working knowledge of Objective-C
  • 8. iPhone Applications (cont'd)
    • Development Tools
      • Xcode - development environment
      • iPhone Simulator - simulation of the application in its environment
      • Interface Builder - used to build the user interface
      • CLANG - static analysis tool
      • Apple's Secure Coding Guide
  • 9. Motivation
    • In my work I propose the development of an iPhone application using the information and tools Apple provides to developers. In addition, I evaluate whether that information and those tools are adequate for developing secure applications. The development process is enhanced to focus on software security principles throughout the entire Software Development Life Cycle (SDLC). By incorporating these principles throughout the SDLC, the resulting application will be more reliable and of better quality.
  • 10. Proof of Concept
    • Poof is an iPhone game in which the player must match at least three like tiles at a time in an effort to clear the board. If the player succeeds and achieves a high score, they are prompted to enter their name into a high-score list.
  • 11. Contributions
    • Usability
    • Security
    • Integrity
  • 12. Risk Analysis
    • Buffer Overflow
    • File Modification
    • High Score List Hacking
    • Memory Leaks
  • 13. Buffer Overflow
    • Input Validation

      - (BOOL)textField:(UITextField *)textField shouldChangeCharactersInRange:(NSRange)range replacementString:(NSString *)textEntered {
          // Reject any keystroke that would insert a special character; the embedded " must be escaped in the literal.
          NSCharacterSet *myCharSet = [NSCharacterSet characterSetWithCharactersInString:@"~`!@#$%^&*()_-+={}[]|:\";'<>?/.,"];
          for (NSUInteger i = 0; i < [textEntered length]; i++) {
              unichar c = [textEntered characterAtIndex:i];
              if ([myCharSet characterIsMember:c]) {
                  return NO;
              }
          }
          return YES;
      }

      // Accept the finished name only if it is 1 to 10 characters long.
      - (void)textFieldDidEndEditing:(UITextField *)textField {
          if ([textField.text length] > 0 && [textField.text length] <= 10) {
              acceptable = textField.text;
          } else {
              [self getUserNameErrorMSG:YES];
          }
          if (acceptable != nil) {
              [self stringForHS:YES];
          }
      }
  • 14. Buffer Overflow
    • Input Validation
  • 15. File Modification
  • 16. File Modification

      // Both methods write next to the app binary inside the bundle. On a device the
      // bundle is code-signed and read-only, so these writes fail there.
      - (void)saveSettings {
          NSString *path = [[NSBundle mainBundle] bundlePath];
          NSString *file = [path stringByAppendingPathComponent:@"settings.plist"];
          [self.settings writeToFile:file atomically:YES];
          // path and file are autoreleased; releasing them here would over-release them.
      }

      - (void)saveHighScores {
          NSString *path = [[NSBundle mainBundle] bundlePath];
          NSString *file = [path stringByAppendingPathComponent:@"highscores.plist"];
          [self.highScores writeToFile:file atomically:YES];
      }
  • 17. Memory Leaks: CLANG Static Analysis Results
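As an added example (not code from the Poof project or the original slides), this ties the name rule from slide 13 to the "File Paths" and "File Read function enhancement" points of the conclusion: the high-score plist moves out of the bundle into the app's Documents directory, and every row is re-validated when read back, so an edited file is held to the same rule as the keyboard. The "name"/"score" keys, the 10-character limit and the kMaxScore bound are assumptions.

```objectivec
#import <Foundation/Foundation.h>

// Added example (not Poof's own code). Assumes high scores are stored as an
// NSArray of NSDictionary rows with an NSString "name" and an NSNumber "score".
static const NSUInteger kMaxNameLength = 10;      // same limit as the text field check
static const NSInteger  kMaxScore      = 1000000; // assumed upper bound for a Poof score

// One validation rule for player names, applied both to typed input and to rows
// read back from disk, so an edited plist is held to the same rule as the keyboard.
static BOOL IsValidPlayerName(id name) {
    if (![name isKindOfClass:[NSString class]]) return NO;
    NSUInteger len = [name length];
    if (len == 0 || len > kMaxNameLength) return NO;
    NSMutableCharacterSet *allowed = [NSMutableCharacterSet characterSetWithCharactersInString:@" "];
    [allowed formUnionWithCharacterSet:[NSCharacterSet alphanumericCharacterSet]];
    return [name rangeOfCharacterFromSet:[allowed invertedSet]].location == NSNotFound;
}

// Writable per-app location instead of the code-signed, read-only bundle.
static NSString *HighScorePath(void) {
    NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                          NSUserDomainMask, YES) lastObject];
    return [docs stringByAppendingPathComponent:@"highscores.plist"];
}

// Read side: never trust the shape or contents of the plist; keep only rows
// whose name and score both pass validation, and drop everything else.
static NSArray *LoadHighScores(void) {
    NSArray *raw = [NSArray arrayWithContentsOfFile:HighScorePath()]; // nil if missing
    NSMutableArray *clean = [NSMutableArray array];
    for (id row in raw) {
        if (![row isKindOfClass:[NSDictionary class]]) continue;
        id name  = [row objectForKey:@"name"];
        id score = [row objectForKey:@"score"];
        if (!IsValidPlayerName(name)) continue;
        if (![score isKindOfClass:[NSNumber class]]) continue;
        NSInteger value = [score integerValue];
        if (value < 0 || value > kMaxScore) continue;
        [clean addObject:[NSDictionary dictionaryWithObjectsAndKeys:
                          name, @"name", score, @"score", nil]];
    }
    return clean;
}

static BOOL SaveHighScores(NSArray *scores) {
    return [scores writeToFile:HighScorePath() atomically:YES];
}
```

Only convenience constructors are used, so the block is correct under both manual reference counting and ARC.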
  • 18. Memory Leaks
  • 19. Conclusion
    • CLANG
      • Security-related bugs
    • File Validation
      • File paths
      • File read function enhancement