Prepared by Anastasiia, iOS Engineer at Stanfy, for a talk at Mobile Dev Day 2015 in Lviv, Ukraine.
* Wise fish knows there ain’t enough talks about security
* Communication with server: security, reliability, ease of use, choose two
* Applied cryptography: should you manually configure CommonCrypto or …?
* Network security is piranha in risk and ruff in implementation
* Practical example: protecting network transport without breaking app
3. Apple Security Guide
Every program is a potential target.
Your customers’ property and your reputation are at stake.
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
data transfer security for mobile apps #mddaylviv2015 @vixentael
4. 3 kinds of data to protect
Data in storage
Data in memory
Data in motion
10. * SSL experimenting with Android Top100 apps
http://bit.ly/1NqpheM
* Intercepting the App Store's Traffic on iOS
http://bit.ly/1H3xMrs
One proxy to rule ‘em all!
11-13. Attack reasons
Many apps use HTTP*
Some apps use HTTPS
Few apps encrypt user’s data
*iOS9 ATS will decrease this number
24. Amateurs Produce Amateur Cryptography
Anyone can invent a security system that he himself cannot break
— Schneier's Law
https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
25. Do not re-implement existing things
29. Use great tools
Themis https://github.com/cossacklabs/themis
RNCryptor https://github.com/RNCryptor/RNCryptor
MIHCrypto https://github.com/hohl/MIHCrypto
OTRKit https://github.com/ChatSecure/OTRKit
libsodium/NaCL https://github.com/mochtu/libsodium-ios
How to choose: scientific background, trust big guys, good track record
31. Use SSL? Do it right!
SSL has a lot of problems
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
To survive you need to:
✤ use long keys
✤ remove backward compatibility
✤ use good ciphers (EC vs RSA)
✤ SSL pinning
✤ use cheat sheet
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
36. SSL pinning made easy :)
Swift lib for HTTPS with SSL pinning
https://github.com/johnlui/Pitaya/wiki
// load the DER certificate shipped in the app bundle
let certData = NSData(contentsOfFile: NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
...
...
    // the closure is called when the server certificate does not match the bundled one
    .addSSLPinning(LocalCertData: certData) { () -> Void in
        print("Under Man-in-the-middle attack!")
    }
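To show what a pinning library does on your behalf, here is the same check written directly against Foundation's URLSession delegate API. This is an added example, not code from the slides and not Pitaya's implementation: the chain is still validated normally first, and only then is the leaf certificate compared byte for byte with a copy shipped in the bundle. The file name server.cer, the class name and the host api.example.com are assumptions.

```swift
import Foundation
import Security

/// Pins the server's leaf certificate to a DER copy shipped in the app bundle.
/// Added example (not from the slides, not Pitaya's code); "server.cer" is a placeholder name.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedCertData: Data

    init?(certName: String = "server", bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: certName, withExtension: "cer"),
              let data = try? Data(contentsOf: url) else { return nil }
        pinnedCertData = data
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; everything else keeps default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard chain validation (CA chain, expiry, hostname). Pinning adds to this, never replaces it.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Compare the leaf certificate with the pinned copy.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafData = SecCertificateCopyData(leaf) as Data
        if leafData == pinnedCertData {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A valid chain with a different leaf is exactly the case pinning exists to catch.
            print("Pin mismatch: possible man-in-the-middle, request cancelled")
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (hypothetical host): every request through this session is pinned.
if let delegate = PinnedSessionDelegate() {
    let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
    session.dataTask(with: URL(string: "https://api.example.com/v1/messages")!).resume()
}
```

Pinning to the whole leaf certificate means every certificate renewal on the server breaks shipped builds until users update, so plan the rotation (ship the next certificate ahead of time, or pin the public key instead) before turning this on; that operational cost is part of why the deck calls pinning "not a panacea".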
38. Let’s imagine a chat app
simple API
authentication, meaningful communication
confidentiality thread
39-40. Securing app step by step
1. HTTPS everywhere
----> SSL/TLS has lots of bugs and bad crypto
2. SSL pinning
----> is not a panacea
3. Encrypt messages by persistent keys
----> can be easily cracked
42. Securing in a more proper way
perfect forward secrecy
use good ciphers
44. How to achieve it easily
https://github.com/cossacklabs/themis
1. establish session
2. encrypt message with SecureSession before sending
3. decrypt message after receive
4. encrypt history with SecureCell
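The four steps above, carried out with Apple's CryptoKit so the forward-secrecy point from slide 42 is visible in code. This is an added example, not code from the slides and not the Themis API: a fresh X25519 key pair per session plus HKDF stands in for Secure Session's key establishment, ChaCha20-Poly1305 for its message wrapping, and a separate long-lived key for SecureCell-style history encryption. The type names, the HKDF info string and the in-process "transcript" are assumptions; peer authentication with long-term identity keys (which Secure Session does and this sketch does not) is left out, so on its own this is key agreement, not a complete protocol.

```swift
import Foundation
import CryptoKit

// Added example (not the slides' code, not Themis): the slide-44 steps with CryptoKit.
// Requires iOS 13 / macOS 10.15 or later.

enum SessionError: Error { case notEstablished }

/// One side of a chat session. The key pair is created per session and never stored,
/// so a later compromise of the device cannot recover keys of past sessions (forward secrecy).
struct SessionEndpoint {
    private let ephemeral = Curve25519.KeyAgreement.PrivateKey()
    private(set) var sessionKey: SymmetricKey?

    var publicKeyData: Data { ephemeral.publicKey.rawRepresentation }

    /// Step 1: establish the session from the peer's ephemeral public key.
    mutating func establish(peerPublicKey: Data, transcript: Data) throws {
        let peer = try Curve25519.KeyAgreement.PublicKey(rawRepresentation: peerPublicKey)
        let shared = try ephemeral.sharedSecretFromKeyAgreement(with: peer)
        // Both sides must feed HKDF identical salt and info to derive the same key.
        sessionKey = shared.hkdfDerivedSymmetricKey(
            using: SHA256.self,
            salt: transcript,
            sharedInfo: Data("chat-session-v1".utf8),   // assumed label
            outputByteCount: 32)
    }

    /// Step 2: encrypt before sending. AEAD gives confidentiality and integrity in one call.
    func seal(_ message: Data) throws -> Data {
        guard let key = sessionKey else { throw SessionError.notEstablished }
        return try ChaChaPoly.seal(message, using: key).combined
    }

    /// Step 3: decrypt after receiving. A modified ciphertext fails authentication and throws.
    func open(_ box: Data) throws -> Data {
        guard let key = sessionKey else { throw SessionError.notEstablished }
        return try ChaChaPoly.open(ChaChaPoly.SealedBox(combined: box), using: key)
    }
}

/// Step 4: history at rest uses its own persistent key (kept in the Keychain in a real app),
/// never the session key, because stored data must outlive the session that produced it.
struct HistoryStore {
    let storageKey: SymmetricKey

    func encrypt(_ record: Data) throws -> Data {
        try ChaChaPoly.seal(record, using: storageKey).combined
    }

    func decrypt(_ blob: Data) throws -> Data {
        try ChaChaPoly.open(ChaChaPoly.SealedBox(combined: blob), using: storageKey)
    }
}

// Usage with two in-process endpoints; the transcript is just both public keys here.
var alice = SessionEndpoint()
var bob = SessionEndpoint()
let transcript = alice.publicKeyData + bob.publicKeyData
try alice.establish(peerPublicKey: bob.publicKeyData, transcript: transcript)
try bob.establish(peerPublicKey: alice.publicKeyData, transcript: transcript)

let wire = try alice.seal(Data("hi bob".utf8))
let plain = try bob.open(wire)
print(String(decoding: plain, as: UTF8.self))

let history = HistoryStore(storageKey: SymmetricKey(size: .bits256))
let stored = try history.encrypt(plain)
_ = try history.decrypt(stored)
```

The contrast with step 3 of slides 39-40 is the key lifetime: a persistent message key, once extracted, decrypts every past and future message, whereas the session key above is derived from key pairs that are discarded when the session ends, so captured traffic stays unreadable even after the device is compromised later.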
45. How to achieve it easily
https://github.com/cossacklabs/mobile-websocket-example
48. To read
★ CryptoCat iOS app security audit
https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf
★ Why you should avoid SSL for your next application
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
★ OAuth1, OAuth2, OAuth...?
http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html
49. To watch (YouTube)
★ All talks of Moxie Marlinspike
https://www.youtube.com/watch?v=ibF36Yyeehw
https://www.youtube.com/watch?v=8N4sb-SEpcg
https://www.youtube.com/watch?v=tOMiAeRwpPA
50. To read more slides
★ Securing iOS apps
https://speakerdeck.com/mbazaliy/securing-ios-applications
★ Users' data security in iOS applications
https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
★ Reversing 101
https://speakerdeck.com/0xc010d/reversing-101