Creating More Secure Applications for iPhone/iPad (Creando aplicaciones más seguras para iPhone/iPad)

Published at: http://sg.com.mx/sgce/2013/sessions/creando-aplicaciones-m%C3%A1s-seguras-para-iphoneipad

As iOS-based devices such as the iPhone and iPad are used more and more in enterprise settings, the software developers who build mobile enterprise applications and the system administrators who manage that infrastructure need to incorporate the security mechanisms such a context requires. In this talk we explore the main elements of the iOS security model and how they can be used to build more secure applications for enterprise contexts.

This is a technical talk that covers low-level operating-system concepts.

  1. Creating more secure applications for iPhone/iPad. Norberto Ortigoza
  2. Tuesday, July 9, 13
  3. iOS: Creating Secure Applications. Norberto Ortigoza, iOS/OS X Instructor
  5. Why are you here? Avoid the consequences of security issues; realize that security is complicated; determine optimal ways to prevent security issues
  6. Content • Hacking Tools • iOS Security Technologies • Myths about Security • Common Mistakes
  7. Hacking Tools
  8-10. Hacking Tools (built up over three slides) • ps, nice, lsof, tcpdump, ifconfig, route, netstat and sysctl • otool, nm, gdb/lldb, class-dump, Apple developer tools, Cycript • iphone-dataprotection
  11. iOS Security Technologies
  12. Sandboxing
  13. Keychain
  14. Data Protection
  15. CommonCrypto: 3DES, key derivation functions (KDFs), SHA, AES
  16. Myths
  17. Myth #1: Certifications mean a device is secure and can be trusted (FIPS 140-2)
  18. Myth #2: Depending on a central set of manufacturer's security mechanisms improves the overall security
  19. Myth #3: The iOS file system encryption prevents data on the device from being stolen
  20. Myth #4: If an application implements encryption securely, data cannot be recovered from the device
  21. Myth #5: Remote wipe and data erasure features will protect your data in the event of a theft
  22. Myth #6: Applications can securely manage access control and enforce process rules
  23. Case Study
  24. Case Study (class-dump output of a PIN-lock controller):

        @interface DTPinLockController : XXUnknownSuperclass <UITextFieldDelegate> {
            int mode;
            NSArray *pins;
            UITextField *hiddenTextField;
            BOOL first;
            NSString *pin;
            unsigned numberOfDigits;
        }
        @property(retain, nonatomic) NSString* pin;
        @property(retain, nonatomic) unsigned numberOfDigits;
        - (void)pinLockControllerDidFinishUnloking;
        @end
  25. Common Mistakes
  26. Mistake #1: Storing the key with the lock
  27. Mistake #2: Unencrypted application data
  28. Mistake #3: Failure to use one-way hashes for passwords
  29. Mistake #4: Relying on logic checks instead of enforcing security with encryption
  30. Mistake #5: Relying on application-level policy enforcement
  31. Mistake #6: Failing to marry data encryption keys to a user passphrase
  32. Case Study
  33. Case Study (application configuration recovered from the device):

        @interface SharedConfiguration {
            NSMutableDictionary* applicationData;
            NSMutableDictionary* currentTransaction;
            NSMutableArray *transactionsList;
            NSString *merchant;
        }
        ...
        data = [SharedConfiguration sharedConfiguration];
        data.applicationData.AccountInformation;
        {
            securityQuestion: "What is the name of the city you were born in?",
            securityAnswer: "New York City",
            rpnumber: "12345",
            terminalID: "1234",
            gpsLatitude: "40.XXXXXXXXX",
            gpsLongitude: "80.XXXXXXXXX",
            merchantID: "1234567890123",
            merchantUserName: "username",
            merchantPassword: "password",
            applicationPassword: "49283"
        }
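As an added example, not code from the talk or from either case-study app: the pattern behind Mistakes #1, #3, #4 and #6 and the two case studies above, written in Python so it runs anywhere. On iOS the same primitives are CommonCrypto's CCKeyDerivationPBKDF (PBKDF2) and CCHmac; everything else here (function names, the iteration count, the hard-coded key, the sample passwords and passphrases) is constructed for the illustration.

```python
# Added example for this page (not the talk's code). Contrasts a key shipped
# inside the app with keys and password verifiers derived from what the user
# types, using only the Python standard library.
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count picked for this demo. Calibrate per device
# (CommonCrypto offers CCCalibratePBKDF) instead of hard-coding it in production.
ITERATIONS = 100_000

# Mistake #1: a secret compiled into the binary or dropped in a plist is readable
# with strings/otool/class-dump, so the "lock" carries its own key. Constructed value.
HARDCODED_APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def key_stored_with_lock() -> bytes:
    """The anti-pattern: every install shares this key and anyone who can read
    the binary has it. Kept only for contrast with derive_data_key()."""
    return HARDCODED_APP_KEY


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Mistake #3 fixed: persist a salted, iterated one-way digest, never the
    password itself (the case study kept merchantPassword: "password" verbatim).
    The returned string carries everything needed to verify a later guess."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def derive_data_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Mistake #6 fixed: the data-encryption key is derived from the user's
    passphrase, so it exists only while the user has supplied it. The salt and
    iteration count may live on disk; on their own they do not yield the key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """HMAC over a fixed label (the label is our own choice) that lets the app
    tell a right passphrase from a wrong one without storing the key, and
    without a plaintext PIN property to compare against (Mistake #4)."""
    return hmac.new(key, b"data-key-check-v1", hashlib.sha256).digest()


def unlock(passphrase: str, salt: bytes, check: bytes) -> Optional[bytes]:
    """Return the data key when the passphrase reproduces the stored check value,
    otherwise None. There is no flag to flip: no passphrase, no key."""
    key = derive_data_key(passphrase, salt)
    if hmac.compare_digest(key_check_value(key), check):
        return key
    return None


if __name__ == "__main__":
    # Constructed sample: what the case-study configuration should have held instead.
    record = hash_password("password")
    print(record)
    print(verify_password("password", record), verify_password("Password", record))

    salt = os.urandom(16)
    check = key_check_value(derive_data_key("correct horse battery staple", salt))
    print(unlock("correct horse battery staple", salt, check) is not None)
    print(unlock("1234", salt, check))
```

The point of the split between `hash_password` and `derive_data_key` is that the first produces something safe to store (a verifier) while the second produces something that must never be stored (the key); a four- or five-digit PIN as in the first case study gives PBKDF2 very little to work with, so the iteration count and rate limiting carry the load there.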
  34. Summary • Password strength • Use master passwords • Random password generators • Hash functions • Server validation • Hacking tools
  35. Q&A
  36. Contact Information: Norberto Ortigoza, norberto.ortigoza@gmail.com, http://www.hiphoox.com, Twitter: @hiphoox. CocoaHeads Group: http://www.cocoaheads.org/mx/MexicoCity/index.html, Twitter: @cocoaheadsmx
  37. References
      • Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It
      • Mac OS X and iOS Internals: To the Apple's Core
      • Apple Secure Coding Guide: https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
      • iphone-dataprotection: http://code.google.com/p/iphone-dataprotection