SlideShare a Scribd company logo

AusCERT - Developing Secure iOS Applications

eightbit
eightbit

AusCERT - Developing Secure iOS Applications

Technology
1 of 93
Download to read offline
Developing Secure iOS Applications Michael Gianarakis AusCERT 2017
whoami @mgianarakis Director, Trustwave SpiderLabs SecTalks Brisbane Flat Duck Justice Warrior
This Presentation • Aims to give a good overview of how to design secure iOS applications • Focuses on the key security issues commonly found in iOS applications • Not a guide to hacking iOS applications
Topics • Overview of the iOS attack surface • Common iOS security issues • Secure iOS application design principles • Secure development approaches for key security iOS issues
iOS Application Attack Surface
Your App Other Apps Network iOS Device Your Backend 3rd Party Services IPC, Extensions WiFi, LTE
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
Understanding the Risk Profile of Your App • Important first step that is often overlooked. • Drives the security design of your application • Key considerations: • What information is in the app and how sensitive/valuable is it? • Who are the likely threat actors? How capable are they? • What are the likely attack scenarios for each threat actor? • What is your tolerance for risk? • Regulatory requirements?
Common iOS Application Security Issues
Common Issues • Based on working with a range of companies and a variety of applications including: • Mobile banking and trading apps • Board paper apps • Internal business apps • Retail apps • Social networking apps • Games
Binary and runtime security issues
Transport layer security issues
Data security issues
Get these right and you are ahead of the pack
Secure iOS Design Principles
Don’t trust the client or the runtime environment
Users will connect to untrusted networks
Don’t store anything sensitive on the device
Binary and Runtime Security
Binary and Runtime Security • As a reflective language, Objective-C can observe and modify it’s own behaviour at runtime. • Can be great from a development perspective • Not so much from a security perspective
Binary and Runtime Security • The ability to create and call ad hoc classes and methods on the fly allows attackers to manipulate and abuse the runtime of the application: • Bypass security locks • Break logic checks • Escalate privilege • Steal information from memory. • Implementing runtime security checks significantly increases the security of your application • You should always assume that your application will run on a compromised device
What about Swift? • Less dynamic than Objective-C • Less flexible than Objective-C in some areas • Harder to perform the dynamic techniques described previously in the same way but still possible - particularly in mixed runtime apps • Greater dynamism planned for future versions of Swift
Aside - Compromised Devices
Myths Surrounding Jailbreaking • Generally speaking, iOS is one of the most secure operating systems available • One of the defining security features of iOS is the chain of trust. Every bit of code is signed and approved by Apple. • Break that trust and all bets are off
Myths Surrounding Jailbreaking • Some of the security issues discussed in this presentation will require a compromised device • This is usually the cause of a lot of misunderstanding when it comes to assessing the impact of these issue
Myth 1 - Public jailbreaks are the only jailbreaks
Myth 1 - Public jailbreaks are the only jailbreaks • I often hear “but there is no jailbreak for version x.x.x so we are safe” • FACT: Public jailbreaks for every version of iOS released so far • FACT: Not all users update to the latest firmware • FACT: iOS vulnerabilities are extremely valuable, there are many more exploits than just those that people give out for free on the internet
Myth 2 - Jailbreaks require physical access to the device
Myth 2 - Jailbreaks require physical access to the device • I often hear “well someone would need to steal the device to compromise it” • FACT: Not all exploits require physical access. • jailbreakme.com TIF image processing vulnerability and PDF processing vulnerability required only a user visit a web page in Safari • Remote code execution via SMS found by Charlie Miller (https://www.blackhat.com/ presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf) • Nitro JIT vulnerability to download and execute unsigned code via POC app that was approved also found by Charlie Miller (http://reverse.put.as/wp-content/uploads/2011/06/ syscan11_breaking_ios_code_signing.pdf) • Vulnerability in carrier mandated baseband control protocols by Matt Solnik and Marc Blanchou (https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular- Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf)
Myth 3 - Jailbreaks are always obvious to the user
Myth 3 - Jailbreaks are always obvious to the user • It is a commonly held misconception that if Cydia is not on the device then it is not jailbroken. • Cydia is an app that is commonly installed with public jailbreaks but is certainly not a prerequisite or in any way required for a jailbreak. • In fact, any kind of targeted exploit is unlikely to install Cydia in the first place.
Myth 4 - Jailbreaking is Apple’s problem
Myth 4 - Jailbreaking is Apple’s problem • FACT: The security of your app, your data and your users is your responsibility. • FACT: The security risk to your organisation is your responsibility. You will be the one that suffers the impact if your app is compromised and you should be actively managing that risk. • FACT: Apple won’t secure your app for you.
Myth 5 - You can completely protect against jailbreaking
Myth 5 - You can completely protect against jailbreaking • FACT: Unfortunately you will never be able to completely secure an application. • The idea is to raise the bar for the security of your app so that it becomes too difficult or costly to attack.
</aside>
Debug Check • A simple and effective method of securing the runtime is to implement anti-debugging control. • There may be reasons to allow an application to run on a jailbroken device but there are no legitimate reasons for debugging a production application
Debug Check • Debugging protection can be implemented using the following techniques: • Periodically monitoring the process state flag to determine if application process is being debugged and then terminating the process. • Using the ptrace request PT_DENY_ATTACH two prevent future tracing of the process. This can be done with the following function call from within the application: • ptrace(31,0,0,0) • These techniques should be used in conjunction with each other to provide a more robust anti-debugging control.
Jailbreak Detection • There are multiple ways to implement jailbreak detection but the two most common methods are: • File system check • Sandbox integrity check
File System Check • File system checks test for the presence of files that are typically found on jailbroken devices. • Some examples of files to look for: • /Library/MobileSubstrate/MobileSubstrate.dylib • /var/cache/apt • /var/lib/apt • /bin/bash and /bin/sh • /usr/sbin/sshd and /etc/ssh/sshd_config
File System Check • When implementing a file system check you should ensure you check for multiple files using different methods such as fileExistsAtPath and isReadableFileAtPath • This protects against attacks that simply patch the implementation of these methods.
Sandbox Integrity Check • A sandbox integrity check tests that the integrity of Apple’s sandbox is intact on the device, and that the application is running inside it. • A sandbox integrity check works by attempting to perform an operation that would not typically succeed on a device that has not been jailbroken. • A common test is to attempt to use the fork function to spawn a new child process • If it works - sandbox integrity is compromised • If it doesn’t - all good
Jailbreak Detection • Check out the IMAS project’s Security Check module https:// github.com/project-imas/security-check • A bit old now but still solid
Inline Functions • Any sensitive functions such as the security checks should be compiled as inline functions • Inlining functions complicates attacks that involve editing memory and patching the application by forcing an attacker to find and patch all occurrences of the code. • Specify a function as inline using the __attribute__((always_inline)) compiler directive.
Inline Functions • This directive may not always be honoured however. To minimise the chance that this will happen configure the following: • Set the -finline-limit compiler flag high enough to allow for inlining of your code (e.g. 5000) • Set the optimisation level at least -O1 • Don’t use -unit-at-a-time (note this is automatically set at -O3 and above) • Don’t use -keep-inline-functions if your functions are static
Address Space Validation • Any time malicious code is injected into your application it must be loaded into an address space • Validating the address space adds complexity to attacks as it forces an attacker to inject the malicious code into the existing address space with the valid code or attacking dynamic linker
Address Space Validation • The dladdr function in the dynamic linker library returns information about the address space a particular function belongs to. • Passing it the function pointer of a class’s method implementation can determine whether it came from your app, Apple’s frameworks, or an unknown/malicious source
Avoid Simple Logic • Simple logic checks for security functions and business logic are susceptible to to manipulation. • Examples include: • - (BOOL) isLoggedIn • BOOL isJailbroken = YES • - (void) setDebugFlag
Avoid Simple Logic
Securing Memory • Instance variables stored within Objective-C objects can be easily mapped inside the Objective-C runtime. • Never store anything in memory until the user has authenticated and data has been decrypted. • Manually allocate memory for sensitive data rather than storing the data (or pointers to this data) inside Objective-C instance variables. • Wipe sensitive data from memory when it’s not needed.
Securing Memory
Transport Layer Security
Transport Layer Security • Users will connect their devices to untrusted networks • If your app handles sensitive data you should be encrypting all traffic between the app and the back end.
App Transport Security • App Transport Security (ATS) was introduced in iOS 9 requires that all apps use HTTPS to secure all network connections • Use of ATS is intended to mandated by Apple for all App Store apps - original deadline was the end of 2016 but this was extended • Forces the use of the latest protocol versions (i.e TLS v1.2)
App Transport Security • There is some fine grained control available to developers • Can set per domain exceptions in Info.plist
App Transport Security • Possible to completely bypass ATS • Don’t do this….
Cipher Suites • You should disable support for low and medium strength cipher suites on the server. • Can also control on the client to some extent although less relevant now with ATS • If using NSURLSession you can specify the minimum supported TLS protocol version by setting the TLSMinimumSupportedProtocol property in the NSURLSessionConfiguration • If using NSURLConnection there is no API to set minimum protocol however it’s possible by working with lower level C functions in the older Core Foundation frameworks but not worth it
Certificate Validation • Always perform certificate validation checks • When using Apple frameworks iOS will accept a certificate if it’s signed by a CA in the trust store • Certificate validation checks will often be overridden in development to avoid issues with self-signed certs. • Typically this is encapsulated in a variable somewhere or in some other simple logic that can be subverted.
Certificate Validation
Certificate Validation • To avoid having to do this, use valid certs in development (e.g. free certs) • If you do need to disable validation, ensure that the production builds essentially “hard code” validation. • Consider certificate pinning.
Certificate Pinning • Mobile apps are great candidates for certificate pinning as they only need to communicate with a small, clearly defined set of servers • Certificate pinning improves security by removing the need to trust the certificate authorities. • iSEC partners have a great library for implementing certificate pinning https://github.com/iSECPartners/ssl-conservatory • It is important to remember that when pinning a certificate that if you need to revoke the certificate it will mean an app update.
Data Security
Two types of data security issues….
Sensitive data stored on the device by the application that was not secured appropriately by the developer
Unintended data leakage via system functionality
Insecure Data Storage • It’s common to find sensitive data stored insecurely on the device. • As a general rule sensitive information should not be stored on the device at all. • Really consider the need to store sensitive information on the device. Generally it is functionally and technically possible to not store the data at all.
Property List Files • Don’t store sensitive information using NSUserDefaults. Plist files are unencrypted and can easily be retrieved from the device and backups • Find all sorts of sensitive information stored in the clear in property list files including: • Passwords • Session tokens • Sensitive configuration items • PII (if you consider that sensitive)
SQLite Databases • Avoid storing sensitive information in SQLite databases if at all possible. • If you need to store sensitive information encrypt the database using SQLCipher https://github.com/sqlcipher/sqlcipher • If you are using Core Data the Encrypted Core Data module of the IMAS project leverages SQLCipher to encrypt all data that is persisted https://github.com/project-imas/encrypted-core-data/
Data Protection APIs • If you need to write files with sensitive information to the device (not credentials) at a minimum write files with an appropriate data protection attribute • If you don’t need to access the file in the background use NSFileProtectionComplete (for NSFileManager) or NSDataWritingFileComplete (for NSData). • With this attribute set the file is encrypted on the file system and inaccessible when the device is locked.
Data Protection API • If you need to access the file in the background use NSFileProtectionCompleteUnlessOpen for (NSFileManager) or NSDataWritingFileProtectionCompleteUnlessOpen (for NSData) • With this attribute set the file is encrypted on the file system and inaccessible while closed. • When a device is unlocked an app can maintain an open handle to the file even after it is subsequently locked, however during this time the file will not be encrypted.
Unintended Data Leakage • Sensitive data captured and stored automatically by the operating system. • Often developers are unaware that the OS is storing this information.
Background Screenshot • Every time an application suspends into the background, a snapshot is taken to facilitate the launch animation. • Stored unencrypted in the app container. • This allows attackers to view the last thing a user was looking at when the application was backgrounded.
Background Screenshot
Background Screenshot • Place content clearing code in the state transition methods applicationDidEnterBackground and applicationWillResignActive • The simplest way to clear the screen contents is to set the key window’s hidden property to YES.
Background Screenshot • Be careful, if there are any other views behind the current view, these may become visible when the key window is hidden. • Other methods: • Manually clearing sensitive info from the current view • Placing the launch image in the foreground • Note: ingoreSnapshotOnNextApplicationLaunch will not prevent the screenshot from being taken
URL Caching • iOS automatically caches requests and responses for protocols that support caching (e.g. HTTP/HTTPS) and stores them unencrypted in a SQLite database in the app container. • Make sure to configure the server to send the appropriate cache control headers • Cache-Control: no-cache, no-store • Expires: 0 • Pragma: no-cache
URL Caching • Can also control caching in the client. • For NSURLConnection implement the connection:willCacheResponse: delegate method • For NSURLSession set the URLCache property to NULL
Logging • Less of an issue since iOS 7 • Pre-iOS 7 any app was able to view the device console and thus any sensitive data that was logged. • Still a good idea to make sure nothing is sensitive is logged. • If you must log sensitive information in development for debugging purposes special care should be taken to ensure that this code is not pushed to production. • One way to do this is to redefine NSLog with a pre-processor macro such as #define NSLog(…)
Pasteboard • When the Cut or Copy buttons are tapped, a cached copy of the data stored on the device’s clipboard -/private/var/mobile/Library/ Caches/com.apple.UIKit.pboard/pasteboard. • If the application handles sensitive data that may be copied to the pasteboard consider disabling Copy/Paste functionality for sensitive text fields (note this is done by default for password fields)
Pasteboard • To disable pasteboard operations for sensitive fields subclass UITextView and override the canPerformAction:withSender: method to return NO for actions that you don’t want to allow or just disable the menu completely
Autocorrect Cache • iOS keeps a binary keyboard cache containing ordered phrases of text entered by the user – /private/var/mobile/Library/Keyboard/ dynamic-text.dat • To avoid writing data to this cache you should turn autocorrect off in text fields whose input should remain private. • To turn autocorrect off, the developer should set textField.autocorrectionType to UITextAutocorrectionTypeNo for all sensitive text fields
Cryptography • Getting cryptography right in mobile apps is difficult. • The primary challenge is key management. • Most apps fall prey to storing the key with the lock. • Need to use a key derivation function.
Key Management • Don’t hard code an encryption key in the binary as it can easily be retrieved running strings on the binary. • Storing an encryption key in the Keychain is not secure on compromised devices. • On a compromised device encryption keys can also be retrieved from memory. You should manually allocate memory for encryption keys rather than storing them in Objective-C instance variables. • Wipe keys from memory when not needed.
Key Management • Use a key derivation function to derive a key to use to encrypt the master key. • Should be based on a secret input such as the user’s password. • Don’t just use a cryptographic hash of the key. • Use a sensible salt such as the identifierForVendor
Insecure Algorithms • Shouldn’t need to tell this group but • MD5, SHA1, RC4, MD4 algorithms are weak and should not be used
Custom Encryption Algorithms • Don’t do it.
Seriously. Don’t.
Q&A? Twitter: @mgianarakis Blog that hasn’t been updated in years: eightbit.io

Recommended

Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSSam Bowne
 
CNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareCNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareSam Bowne
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 

Recommended

Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSSam Bowne
 
CNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareCNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareSam Bowne
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Krisshhna Daasaarii
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTINGFlorin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTINGIevgenii Katsan
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityDirk Nicol
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...IBM Security
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityCygnet Infotech
 
Fortify technology
Fortify technologyFortify technology
Fortify technologyImad Nom de famille
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 

More Related Content

What's hot

Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTINGFlorin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTINGIevgenii Katsan
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityDirk Nicol
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...IBM Security
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityCygnet Infotech
 

What's hot (20)

Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_final
 
Android Security
Android SecurityAndroid Security
Android Security
 
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTINGFlorin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 

Similar to AusCERT - Developing Secure iOS Applications

YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
What's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynoteWhat's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynoteMarkDowd13
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 

Similar to AusCERT - Developing Secure iOS Applications (20)

YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Hugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric ImpHugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric Imp
 
Security Design Principles.ppt
Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
What's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynoteWhat's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynote
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 

More from eightbit

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggeratedeightbit
 
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift ApplicationsHack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applicationseightbit
 
Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applicationseightbit
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Courseeightbit
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Courseeightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 

More from eightbit (8)

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
 
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift ApplicationsHack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
 
Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applications
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Course
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

AusCERT - Developing Secure iOS Applications

  • 3. This Presentation • Aims to give a good overview of how to design secure iOS applications • Focuses on the key security issues commonly found in iOS applications • Not a guide to hacking iOS applications
  • 4. Topics • Overview of the iOS attack surface • Common iOS security issues • Secure iOS application design principles • Secure development approaches for key security iOS issues
  • 8. Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks
  • 9. Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks
  • 10. Your App Other Apps Network iOS Device Your Backend 3rd Party Services Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
  • 11. Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
  • 12. Your App Other Apps Network iOS Device Your Backend 3rd Party Services Malicious apps Man in the middle attacks Server compromise and web attacks Jailbroken or compromised device
  • 13. Understanding the Risk Profile of Your App • Important first step that is often overlooked. • Drives the security design of your application • Key considerations: • What information is in the app and how sensitive/valuable is it? • Who are the likely threat actors? How capable are they? • What are the likely attack scenarios for each threat actor? • What is your tolerance for risk? • Regulatory requirements?
  • 15. Common Issues • Based on working with a range of companies and a variety of applications including: • Mobile banking and trading apps • Board paper apps • Internal business apps • Retail apps • Social networking apps • Games
  • 16. Binary and runtime security issues
  • 19. Get these right and you are ahead of the pack
  • 20. Secure iOS Design Principles
  • 21. Don’t trust the client or the runtime environment
  • 22. Users will connect to untrusted networks
  • 23. Don’t store anything sensitive on the device
  • 24. Binary and Runtime Security
  • 25. Binary and Runtime Security • As a reflective language, Objective-C can observe and modify it’s own behaviour at runtime. • Can be great from a development perspective • Not so much from a security perspective
  • 26. Binary and Runtime Security • The ability to create and call ad hoc classes and methods on the fly allows attackers to manipulate and abuse the runtime of the application: • Bypass security locks • Break logic checks • Escalate privilege • Steal information from memory. • Implementing runtime security checks significantly increases the security of your application • You should always assume that your application will run on a compromised device
  • 27. What about Swift? • Less dynamic than Objective-C • Less flexible than Objective-C in some areas • Harder to perform the dynamic techniques described previously in the same way but still possible - particularly in mixed runtime apps • Greater dynamism planned for future versions of Swift
  • 29. Myths Surrounding Jailbreaking • Generally speaking, iOS is one of the most secure operating systems available • One of the defining security features of iOS is the chain of trust. Every bit of code is signed and approved by Apple. • Break that trust and all bets are off
  • 30. Myths Surrounding Jailbreaking • Some of the security issues discussed in this presentation will require a compromised device • This is usually the cause of a lot of misunderstanding when it comes to assessing the impact of these issue
  • 31. Myth 1 - Public jailbreaks are the only jailbreaks
  • 32. Myth 1 - Public jailbreaks are the only jailbreaks • I often hear “but there is no jailbreak for version x.x.x so we are safe” • FACT: Public jailbreaks for every version of iOS released so far • FACT: Not all users update to the latest firmware • FACT: iOS vulnerabilities are extremely valuable, there are many more exploits than just those that people give out for free on the internet
  • 33. Myth 2 - Jailbreaks require physical access to the device
  • 34. Myth 2 - Jailbreaks require physical access to the device • I often hear “well someone would need to steal the device to compromise it” • FACT: Not all exploits require physical access. • jailbreakme.com TIF image processing vulnerability and PDF processing vulnerability required only a user visit a web page in Safari • Remote code execution via SMS found by Charlie Miller (https://www.blackhat.com/ presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf) • Nitro JIT vulnerability to download and execute unsigned code via POC app that was approved also found by Charlie Miller (http://reverse.put.as/wp-content/uploads/2011/06/ syscan11_breaking_ios_code_signing.pdf) • Vulnerability in carrier mandated baseband control protocols by Matt Solnik and Marc Blanchou (https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular- Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf)
  • 35. Myth 3 - Jailbreaks are always obvious to the user
  • 36. Myth 3 - Jailbreaks are always obvious to the user • It is a commonly held misconception that if Cydia is not on the device then it is not jailbroken. • Cydia is an app that is commonly installed with public jailbreaks but is certainly not a prerequisite or in any way required for a jailbreak. • In fact, any kind of targeted exploit is unlikely to install Cydia in the first place.
  • 37. Myth 4 - Jailbreaking is Apple’s problem
  • 38. Myth 4 - Jailbreaking is Apple’s problem • FACT: The security of your app, your data and your users is your responsibility. • FACT: The security risk to your organisation is your responsibility. You will be the one that suffers the impact if your app is compromised and you should be actively managing that risk. • FACT: Apple won’t secure your app for you.
  • 39. Myth 5 - You can completely protect against jailbreaking
  • 40. Myth 5 - You can completely protect against jailbreaking • FACT: Unfortunately you will never be able to completely secure an application. • The idea is to raise the bar for the security of your app so that it becomes too difficult or costly to attack.
  • 42. Debug Check • A simple and effective method of securing the runtime is to implement anti-debugging control. • There may be reasons to allow an application to run on a jailbroken device but there are no legitimate reasons for debugging a production application
  • 43. Debug Check • Debugging protection can be implemented using the following techniques: • Periodically monitoring the process state flag to determine if application process is being debugged and then terminating the process. • Using the ptrace request PT_DENY_ATTACH two prevent future tracing of the process. This can be done with the following function call from within the application: • ptrace(31,0,0,0) • These techniques should be used in conjunction with each other to provide a more robust anti-debugging control.
  • 44. Jailbreak Detection • There are multiple ways to implement jailbreak detection but the two most common methods are: • File system check • Sandbox integrity check
  • 45. File System Check • File system checks test for the presence of files that are typically found on jailbroken devices. • Some examples of files to look for: • /Library/MobileSubstrate/MobileSubstrate.dylib • /var/cache/apt • /var/lib/apt • /bin/bash and /bin/sh • /usr/sbin/sshd and /etc/ssh/sshd_config
  • 46. File System Check • When implementing a file system check you should ensure you check for multiple files using different methods such as fileExistsAtPath and isReadableFileAtPath • This protects against attacks that simply patch the implementation of these methods.
  • 47. Sandbox Integrity Check • A sandbox integrity check tests that the integrity of Apple’s sandbox is intact on the device, and that the application is running inside it. • A sandbox integrity check works by attempting to perform an operation that would not typically succeed on a device that has not been jailbroken. • A common test is to attempt to use the fork function to spawn a new child process • If it works - sandbox integrity is compromised • If it doesn’t - all good
  • 48. Jailbreak Detection • Check out the IMAS project’s Security Check module https:// github.com/project-imas/security-check • A bit old now but still solid
  • 49. Inline Functions • Any sensitive functions such as the security checks should be compiled as inline functions • Inlining functions complicates attacks that involve editing memory and patching the application by forcing an attacker to find and patch all occurrences of the code. • Specify a function as inline using the __attribute__((always_inline)) compiler directive.
  • 50. Inline Functions • This directive may not always be honoured however. To minimise the chance that this will happen configure the following: • Set the -finline-limit compiler flag high enough to allow for inlining of your code (e.g. 5000) • Set the optimisation level at least -O1 • Don’t use -unit-at-a-time (note this is automatically set at -O3 and above) • Don’t use -keep-inline-functions if your functions are static
  • 51. Address Space Validation • Any time malicious code is injected into your application it must be loaded into an address space • Validating the address space adds complexity to attacks as it forces an attacker to inject the malicious code into the existing address space with the valid code or attacking dynamic linker
  • 52. Address Space Validation • The dladdr function in the dynamic linker library returns information about the address space a particular function belongs to. • Passing it the function pointer of a class’s method implementation can determine whether it came from your app, Apple’s frameworks, or an unknown/malicious source
  • 53. Avoid Simple Logic • Simple logic checks for security functions and business logic are susceptible to to manipulation. • Examples include: • - (BOOL) isLoggedIn • BOOL isJailbroken = YES • - (void) setDebugFlag
  • 55. Securing Memory • Instance variables stored within Objective-C objects can be easily mapped inside the Objective-C runtime. • Never store anything in memory until the user has authenticated and data has been decrypted. • Manually allocate memory for sensitive data rather than storing the data (or pointers to this data) inside Objective-C instance variables. • Wipe sensitive data from memory when it’s not needed.
  • 58. Transport Layer Security • Users will connect their devices to untrusted networks • If your app handles sensitive data you should be encrypting all traffic between the app and the back end.
  • 59. App Transport Security • App Transport Security (ATS) was introduced in iOS 9 requires that all apps use HTTPS to secure all network connections • Use of ATS is intended to mandated by Apple for all App Store apps - original deadline was the end of 2016 but this was extended • Forces the use of the latest protocol versions (i.e TLS v1.2)
  • 60. App Transport Security • There is some fine grained control available to developers • Can set per domain exceptions in Info.plist
  • 61. App Transport Security • Possible to completely bypass ATS • Don’t do this….
  • 62. Cipher Suites • You should disable support for low and medium strength cipher suites on the server. • Can also control on the client to some extent although less relevant now with ATS • If using NSURLSession you can specify the minimum supported TLS protocol version by setting the TLSMinimumSupportedProtocol property in the NSURLSessionConfiguration • If using NSURLConnection there is no API to set minimum protocol however it’s possible by working with lower level C functions in the older Core Foundation frameworks but not worth it
  • 63. Certificate Validation • Always perform certificate validation checks • When using Apple frameworks iOS will accept a certificate if it’s signed by a CA in the trust store • Certificate validation checks will often be overridden in development to avoid issues with self-signed certs. • Typically this is encapsulated in a variable somewhere or in some other simple logic that can be subverted.
  • 65. Certificate Validation • To avoid having to do this, use valid certs in development (e.g. free certs) • If you do need to disable validation, ensure that the production builds essentially “hard code” validation. • Consider certificate pinning.
  • 66. Certificate Pinning • Mobile apps are great candidates for certificate pinning as they only need to communicate with a small, clearly defined set of servers • Certificate pinning improves security by removing the need to trust the certificate authorities. • iSEC partners have a great library for implementing certificate pinning https://github.com/iSECPartners/ssl-conservatory • It is important to remember that when pinning a certificate that if you need to revoke the certificate it will mean an app update.
  • 68. Two types of data security issues….
  • 69. Sensitive data stored on the device by the application that was not secured appropriately by the developer
  • 70. Unintended data leakage via system functionality
  • 71. Insecure Data Storage • It’s common to find sensitive data stored insecurely on the device. • As a general rule sensitive information should not be stored on the device at all. • Really consider the need to store sensitive information on the device. Generally it is functionally and technically possible to not store the data at all.
  • 72. Property List Files • Don’t store sensitive information using NSUserDefaults. Plist files are unencrypted and can easily be retrieved from the device and backups • Find all sorts of sensitive information stored in the clear in property list files including: • Passwords • Session tokens • Sensitive configuration items • PII (if you consider that sensitive)
  • 73. SQLite Databases • Avoid storing sensitive information in SQLite databases if at all possible. • If you need to store sensitive information encrypt the database using SQLCipher https://github.com/sqlcipher/sqlcipher • If you are using Core Data the Encrypted Core Data module of the IMAS project leverages SQLCipher to encrypt all data that is persisted https://github.com/project-imas/encrypted-core-data/
  • 74. Data Protection APIs • If you need to write files with sensitive information to the device (not credentials) at a minimum write files with an appropriate data protection attribute • If you don’t need to access the file in the background use NSFileProtectionComplete (for NSFileManager) or NSDataWritingFileComplete (for NSData). • With this attribute set the file is encrypted on the file system and inaccessible when the device is locked.
  • 75. Data Protection API • If you need to access the file in the background use NSFileProtectionCompleteUnlessOpen for (NSFileManager) or NSDataWritingFileProtectionCompleteUnlessOpen (for NSData) • With this attribute set the file is encrypted on the file system and inaccessible while closed. • When a device is unlocked an app can maintain an open handle to the file even after it is subsequently locked, however during this time the file will not be encrypted.
  • 76. Unintended Data Leakage • Sensitive data captured and stored automatically by the operating system. • Often developers are unaware that the OS is storing this information.
  • 77. Background Screenshot • Every time an application suspends into the background, a snapshot is taken to facilitate the launch animation. • Stored unencrypted in the app container. • This allows attackers to view the last thing a user was looking at when the application was backgrounded.
  • 79. Background Screenshot • Place content clearing code in the state transition methods applicationDidEnterBackground and applicationWillResignActive • The simplest way to clear the screen contents is to set the key window’s hidden property to YES.
  • 80. Background Screenshot • Be careful, if there are any other views behind the current view, these may become visible when the key window is hidden. • Other methods: • Manually clearing sensitive info from the current view • Placing the launch image in the foreground • Note: ingoreSnapshotOnNextApplicationLaunch will not prevent the screenshot from being taken
  • 81. URL Caching • iOS automatically caches requests and responses for protocols that support caching (e.g. HTTP/HTTPS) and stores them unencrypted in a SQLite database in the app container. • Make sure to configure the server to send the appropriate cache control headers • Cache-Control: no-cache, no-store • Expires: 0 • Pragma: no-cache
  • 82. URL Caching • Can also control caching in the client. • For NSURLConnection implement the connection:willCacheResponse: delegate method • For NSURLSession set the URLCache property to NULL
  • 83. Logging • Less of an issue since iOS 7 • Pre-iOS 7 any app was able to view the device console and thus any sensitive data that was logged. • Still a good idea to make sure nothing is sensitive is logged. • If you must log sensitive information in development for debugging purposes special care should be taken to ensure that this code is not pushed to production. • One way to do this is to redefine NSLog with a pre-processor macro such as #define NSLog(…)
  • 84. Pasteboard • When the Cut or Copy buttons are tapped, a cached copy of the data stored on the device’s clipboard -/private/var/mobile/Library/ Caches/com.apple.UIKit.pboard/pasteboard. • If the application handles sensitive data that may be copied to the pasteboard consider disabling Copy/Paste functionality for sensitive text fields (note this is done by default for password fields)
  • 85. Pasteboard • To disable pasteboard operations for sensitive fields subclass UITextView and override the canPerformAction:withSender: method to return NO for actions that you don’t want to allow or just disable the menu completely
  • 86. Autocorrect Cache • iOS keeps a binary keyboard cache containing ordered phrases of text entered by the user – /private/var/mobile/Library/Keyboard/ dynamic-text.dat • To avoid writing data to this cache you should turn autocorrect off in text fields whose input should remain private. • To turn autocorrect off, the developer should set textField.autocorrectionType to UITextAutocorrectionTypeNo for all sensitive text fields
  • 87. Cryptography • Getting cryptography right in mobile apps is difficult. • The primary challenge is key management. • Most apps fall prey to storing the key with the lock. • Need to use a key derivation function.
  • 88. Key Management • Don’t hard code an encryption key in the binary as it can easily be retrieved running strings on the binary. • Storing an encryption key in the Keychain is not secure on compromised devices. • On a compromised device encryption keys can also be retrieved from memory. You should manually allocate memory for encryption keys rather than storing them in Objective-C instance variables. • Wipe keys from memory when not needed.
  • 89. Key Management • Use a key derivation function to derive a key to use to encrypt the master key. • Should be based on a secret input such as the user’s password. • Don’t just use a cryptographic hash of the key. • Use a sensible salt such as the identifierForVendor
  • 90. Insecure Algorithms • Shouldn’t need to tell this group but • MD5, SHA1, RC4, MD4 algorithms are weak and should not be used
  • 93. Q&A? Twitter: @mgianarakis Blog that hasn’t been updated in years: eightbit.io