
Security and Encryption on iOS

Describing how to think about the security requirements for an iOS app, and taking a whistle-stop tour of encryption APIs and features in the iOS.

Published in: Technology

Security and Encryption on iOS

  1. Security and Encryption 16ccf74271895e611555bf1f00047944
  2. Security Requirements
  3. Security Requirements Documents High Scores Multiplayer Chat
  4. Security Requirements Documents High Scores Multiplayer Chat
  5. Security Requirements Content State Ads
  6. Security Requirements *
  7. Security Requirements
  8. Security Requirements
       • Ask the user (or client, product manager…)
  9. Security Requirements
       • Ask the user (or client, product manager…)
       • But don’t expect them to know the answer!
  10. Security Requirements
       • Ask the user (or client, product manager…)
       • But don’t expect them to know the answer!
       Confidentiality / Exposure
  11. Security Requirements
       • Ask the user (or client, product manager…)
       • But don’t expect them to know the answer!
       Confidentiality / Exposure
       Integrity / Tampering
  12. Security Requirements
       • Ask the user (or client, product manager…)
       • But don’t expect them to know the answer!
       Confidentiality / Exposure
       Integrity / Tampering
       Availability / Destruction
  13. Security Requirements
       “In an incident that highlights the growing security challenges around wireless apps, Citi said its iPhone app accidentally saved personal account information in a hidden file on users' iPhones. Information that may have been stored includes their account numbers, bill payments and security access codes.”
       http://www.nypost.com/p/news/business/citibank_admits_security_flaw_in_fDLT7l6VFdqKLLaTx75cYM
  14. Don’t copy me, bro
       iTunes ignores:
       • Library/Caches
       • tmp
       not:
       • Documents
       • Library/Preferences
       • Library/Application Support
  15. Use Data Protection
  16. Use Data Protection
  17. Use Data Protection
  18. Use Data Protection
  19. Use Data Protection

          [myData writeToURL: location
                     options: NSDataWritingFileProtectionComplete
                       error: &error];

  20. Use Data Protection

          [myData writeToURL: location
                     options: NSDataWritingFileProtectionComplete
                       error: &error];

       NOT

          [[NSFileManager defaultManager]
              setAttributes: [NSDictionary dictionaryWithObject: NSFileProtectionComplete
                                                         forKey: NSFileProtectionKey]
               ofItemAtPath: [location path]
                      error: &error];

  21. Use Data Protection

          [myData writeToURL: location
                     options: NSDataWritingFileProtectionComplete
                       error: &error];

  22. Use the Keychain
       • mostly just works…
       • kSecReturnRef usually fails
       • kSecMatchItemList succeeds wrongly(!)
       • easiest to use attributes/persistent refs and kSecReturnData
  23. Finding a Keychain Item

          NSDictionary *foundAttributes = nil;
          NSDictionary *searchAttributes = [NSDictionary dictionaryWithObjectsAndKeys:
              [@"info.thaesofereode.samplepassword" dataUsingEncoding: NSUTF8StringEncoding],
              kSecAttrApplicationTag,
              kCFBooleanTrue, kSecReturnAttributes,
              nil];
          OSStatus searchResult = SecItemCopyMatching(searchAttributes, &foundAttributes);
          if (noErr == searchResult) {
              // use the keychain item
          }

       Source: Professional Cocoa Application Security
  24. Saving a Keychain Item

          // start from the search dictionary and add the attributes to store
          attributesToStore = [searchAttributes mutableCopy];
          [attributesToStore setObject: self.userNameField.text forKey: kSecAttrAccount];
          [attributesToStore setObject: passwordData forKey: kSecValueData];
          [attributesToStore setObject: kSecClassInternetPassword forKey: kSecClass];
          [attributesToStore setObject: @"www.example.com" forKey: kSecAttrServer];
          [attributesToStore setObject: kCFBooleanTrue forKey: kSecReturnPersistentRef];
          [attributesToStore setObject: @"Sample password" forKey: kSecAttrDescription];
          [attributesToStore setObject: @"password label" forKey: kSecAttrLabel];
          [attributesToStore removeObjectForKey: kSecReturnAttributes];
          NSData *persistentRef = nil;
          OSStatus result = SecItemAdd(attributesToStore, &persistentRef);

       Source: Professional Cocoa Application Security
  25. Encrypt Files Yourself
       • CommonCrypto
       • OpenSSL
  26. Encrypt Files Yourself
       • Choose appropriate algorithm, key size, mode
       • Note the bootstrap problem
       • Get randomness from SecRandomCopyBytes()
  27. Encrypt Files Yourself

          size_t bytesNeeded = 0;
          CCCryptorStatus cryptResult = kCCSuccess;
          // first call passes no output buffer, to learn how much space is needed
          cryptResult = CCCrypt(kCCEncrypt,
                                kCCAlgorithmAES128,
                                kCCOptionPKCS7Padding,
                                [key bytes],
                                [key length],
                                [iv bytes],
                                [plainText bytes],
                                [plainText length],
                                NULL,
                                0,
                                &bytesNeeded);
          if (kCCBufferTooSmall != cryptResult) {
              *error = [NSError errorWithDomain: GLFileEncryptorErrorDomain
                                           code: GLFileEncryptorCryptFailed
                                       userInfo: nil];
              return nil;
          }
          char *cipherBytes = malloc(bytesNeeded);
          size_t bufferLength = bytesNeeded;
          if (NULL == cipherBytes) {
              *error = [NSError errorWithDomain: GLFileEncryptorErrorDomain
                                           code: GLFileEncryptorOutOfMemory
                                       userInfo: nil];
              return nil;
          }
          // now actually encrypt the file
          cryptResult = CCCrypt(kCCEncrypt,
                                kCCAlgorithmAES128,
                                kCCOptionPKCS7Padding,
                                [key bytes],
                                [key length],
                                [iv bytes],
                                [plainText bytes],
                                [plainText length],
                                cipherBytes,
                                bufferLength,
                                &bytesNeeded);
          if (kCCSuccess != cryptResult) {
              *error = [NSError errorWithDomain: GLFileEncryptorErrorDomain
                                           code: GLFileEncryptorCryptFailed
                                       userInfo: nil];
              free(cipherBytes);
              return nil;
          }

       Source: Professional Cocoa Application Security
  28. Non-solutions
       • Write your own encryption algorithm
       • Wait until someone reports the problem
  29. iamleeg
  30. iamleeg
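
The code on slide 27 takes `key` and `iv` as given. One way to produce them, deriving the key from a user passphrase so that it is never stored on the device (one answer to the bootstrap problem on slide 26), is sketched below. This is an added example, not code from the slides or from Professional Cocoa Application Security; the `Example*` names, the salt length and the round count are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCryptor.h>
#import <CommonCrypto/CommonKeyDerivation.h>

// Hypothetical parameters chosen for this example, not values from the slides.
static const size_t kExampleSaltLength = 16;
static const unsigned kExampleRounds = 100000;

// Return `length` bytes from the system CSPRNG, or nil if it fails.
static NSData *ExampleRandomData(size_t length) {
    NSMutableData *data = [NSMutableData dataWithLength: length];
    if (SecRandomCopyBytes(kSecRandomDefault, length, [data mutableBytes]) != 0) {
        return nil;
    }
    return data;
}

// Derive an AES-128 key from passphrase and salt with PBKDF2-HMAC-SHA256.
// Returns nil if the derivation is rejected (for example, an empty passphrase).
static NSData *ExampleDeriveKey(NSString *passphrase, NSData *salt) {
    NSData *pass = [passphrase dataUsingEncoding: NSUTF8StringEncoding];
    NSMutableData *key = [NSMutableData dataWithLength: kCCKeySizeAES128];
    int status = CCKeyDerivationPBKDF(kCCPBKDF2,
                                      [pass bytes], [pass length],
                                      [salt bytes], [salt length],
                                      kCCPRFHmacAlgSHA256, kExampleRounds,
                                      [key mutableBytes], [key length]);
    return (kCCSuccess == status) ? key : nil;
}

// Produce the key, IV and salt for encrypting one file.
// The salt and IV are not secret and are saved with the ciphertext so the
// key can be re-derived for decryption; the key itself is never written out.
static BOOL ExampleMakeKeyMaterial(NSString *passphrase,
                                   NSData **key, NSData **iv, NSData **salt) {
    NSData *newSalt = ExampleRandomData(kExampleSaltLength);
    NSData *newIV = ExampleRandomData(kCCBlockSizeAES128); // one block, fresh per file
    if (nil == newSalt || nil == newIV) return NO;
    NSData *newKey = ExampleDeriveKey(passphrase, newSalt);
    if (nil == newKey) return NO;
    *key = newKey;
    *iv = newIV;
    *salt = newSalt;
    return YES;
}
```

Generate a new salt and IV for every file rather than reusing them. The slide 27 call sets only kCCOptionPKCS7Padding, so it runs AES in CBC mode, which protects confidentiality only; detecting tampering (the Integrity row on slide 11) needs a separate MAC over the ciphertext.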
