Data transfer security for mobile apps

Data transfer security
for mobile apps
what the fish doesn’t notice in the ocean? 🐟
#mddaylviv2015 @vixentael

There ain’t
enough talks
about security

Apple Security Guide
Every program is a potential target.
Your customers’ property and your reputation
are at stake.
https://developer.apple.com/library/mac/documentation/Security/
Conceptual/SecureCodingGuide/Introduction.html
data transfer security for mobile apps #mddaylviv2015 @vixentael

3 kinds of data to protect
Data in storage
Data in memory
Data in motion

Data in motion:
what could
possibly go wrong

Communication with server. Usually.

Imagine little fish...

active
eavesdropping
data leakage
evil twin
replay attack
...in the ocean of threats

* SSL experimenting with
Android Top100 apps
http://bit.ly/1NqpheM
* Intercepting the App
Store's Traffic on iOS
http://bit.ly/1H3xMrs
One proxy to rule ‘em all!

Attack reasons
Many apps use HTTP*
*iOS9 ATS will decrease this number

Attack reasons
Many apps use HTTP*
Some apps use HTTPS

Attack reasons
Many apps use HTTP*
Some apps use HTTPS
Few apps encrypt user’s data

1. Security is hard.
STACKOVERFLOW!

Let’s StackOverflow!
http://stackoverflow.com/a/21826729

Weird padding

Remove padding!

Omg WTF is going on
WTF
WTF
WTF

3. Illusion of safety is still a illusion
#define kUserPassword
@“1111111”

Realize security risks

Amateurs Produce Amateur Cryptography
Anyone can invent a security system
that he himself cannot break
— Schneier's Law
https://www.schneier.com/blog/archives/
2011/04/schneiers_law.html

Do not re-implement existing things

Security is a
system, not a
pluggable library

Build stout architecture

Build stout architecture
cryptolib
key
management

Use great tools
Themis https://github.com/cossacklabs/themis
RNCryptor https://github.com/RNCryptor/RNCryptor
MIHCrypto https://github.com/hohl/MIHCrypto
OTRKit https://github.com/ChatSecure/OTRKit
libsodium/NaCL https://github.com/mochtu/libsodium-ios
scientific background trust big guys good track record

Use SSL? Do it right!
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
✤use long keys
✤remove backward compatibility
✤use good ciphers (EC vs RSA)
✤SSL pinning
✤use cheat sheet
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.htmlSSL has a lot of problems
To survive you need to:

TLS/SSL in short

Where can it break?

SSL pinning

SSL pinning on iOS
https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/
https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-
applications/
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:
(NSURLAuthenticationChallenge *)challenge {
SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
id<NSURLAuthenticationChallengeSender> sender = challenge.sender;
SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
NSData * remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
NSString * cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
NSData * localCertData = [NSData dataWithContentsOfFile:cerPath];
if ([remoteCertificateData isEqualToData:localCertData]) {
NSURLCredential * credential = [NSURLCredential credentialForTrust:serverTrust];
[sender useCredential:credential forAuthenticationChallenge:challenge];
} else {
[sender cancelAuthenticationChallenge:challenge];
}
}

SSL pinning more easy :)
Swift lib for HTTPS with SSL pinning
https://github.com/johnlui/Pitaya/wiki
let
certData
=
NSData(contentsOfFile:

NSBundle.mainBundle().pathForResource("lvwenhancom",
ofType:
"cer")!)! 
...
... 
.addSSLPinning(LocalCertData:
certData)
{
()
-‐>
Void
in 

print("Under
Man-‐in-‐the-‐middle
attack!") 
}

Let’s imagine chatting app
simple API
authentication meaningfull communication
confidentiality thread

Securing app step by step
1. HTTPS everywhere
2. SSL pinning
3. Encrypt messages by persistent keys

Securing app step by step
1. HTTPS everywhere
----> SSL/TLS has lots of bugs and bad crypto
2. SSL pinning
----> is not a panacea
3. Encrypt messages by persistent keys
----> can be easily cracked

Securing in a more proper way
perfect forward secrecy
use good ciphers

Using ephemeral key

How to achieve it easily
https://github.com/cossacklabs/themis
1. establish session
2. encrypt message with SecureSession before sending
3. decrypt message after receive
4. encrypt history with SecureCell

How to achieve it easily
https://github.com/cossacklabs/mobile-
websocket-example

Security is hard, but
if you’re smart,
security is not so
hard :)

The last slide
@vixentael
iOS developer
at stanfy.com
[creating awesome mobile
and IoT apps]

To read
★ CryptoCat iOS app security audit
https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf
★ Why you should avoid SSL for your next application
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
★ OAuth1, OAuth2, OAuth...?
http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html

To watch youtube
★ All tasks of Moxie Marlinspike
https://www.youtube.com/watch?v=ibF36Yyeehw
https://www.youtube.com/watch?v=8N4sb-SEpcg
https://www.youtube.com/watch?v=tOMiAeRwpPA

To read more slides
★ Securing iOS apps
https://speakerdeck.com/mbazaliy/securing-ios-applications
★ Users' data security in iOS applications
https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
★ Reversing 101
https://speakerdeck.com/0xc010d/reversing-101

Data transfer security for mobile apps

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to Data transfer security for mobile apps

Similar to Data transfer security for mobile apps (20)

More from Stanfy

More from Stanfy (14)

Data transfer security for mobile apps