This document summarizes a presentation on iPhone and iPad security. It discusses how to configure passcode policy and other restrictions on devices through configuration profiles. It also covers securing data through encryption, securing network communications through VPNs and SSL, and developing secure applications that properly handle authentication, authorization, data storage and cryptography. The presentation warns of risks from jailbreaking devices and accessing unsecured configuration profiles and provides recommendations for addressing these risks.
Pentesting iPhone Applications - It mainly focuses on the techniques and the tools that will help security testers while assessing the security of iPhone applications.
For more info visit - http://www.securitylearn.net
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play. - Rapid7
This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.
iOS device protection techniques include Secure Enclave, Touch ID, keychain, code sign, and baseband hardware integration. Main iOS device protection originates from Apple’s Secure Enclave mechanism, which is likely based on ARM TrustZone technology and is highly customized.
iOS Secure Enclave protection based on ARM TrustZone technology provides fairly good security by using both hardware segregation and proven cryptographic algorithms. This hardware-assisted security implementation is by far the most secure solution for mobile device applications.
However, software/firmware with defects is still the weakest link under attack. In such a case there is no complete security guarantee for either the normal world or the secure world.
Specifically, low-level device attacks could come from direct TrustZone hardware attacks, driver reverse engineering, TEE firmware attacks, and device jailbreaking.
This presentation is based on the security and encryption measures adopted by Apple for its iPhones.
It was submitted to RTU, Kota during final year seminars.
Android Application Penetration Testing - Mohammed Adam (Mohammed Adam)
Android Penetration Testing is a process of testing and finding security issues in an Android application. It involves decompiling, real-time analysis and testing of an Android application from a security point of view. These slides cover real-time testing of Android applications and some security issues like insecure logging, leaking content providers, insecure data storage and access control issues.
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7 (Rapid7)
The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.
Andersson Elffers Felix integrates physical and digital access with SafeNet e... - SafeNet
Andersson Elffers Felix, based in Utrecht in the Netherlands, is a strategy and organizational consultancy firm that specializes in the public sector. All fifty consultants at Andersson Elffers Felix (AEF) require flexible, remote access to the corporate network. To safeguard the security and integrity of corporate data, AEF deployed a token-based solution. In 2008, the system had reached the end of its life cycle. AEF needed to find an alternative. After evaluating various solutions, it selected SafeNet's eToken NG-OTP.
Palo Alto Networks is an innovative network security platform whose core is a next generation firewall. Built on the unique App-ID technology developed by PA Networks, it secures the network at the level of applications, users and content, using both physical and virtual architectures. PAN network protection solutions meet the highest requirements for network security, in both performance and functionality, and are the undisputed industry leaders, as confirmed by Gartner reports, the number of users and the company's growing sales volume.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015 (Ajin Abraham)
Samsung's first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and its underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen's security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen's Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
Summary of what you need to know to get started with iPhone development: your relationship with Apple, developer tools, the iPhone Platform, and Objective-C
In 2007 the iPhone was the next big thing. It was revolutionary because it was totally unexpected and really was something revolutionary in the world of clamshell mobile phones. But every year since, Apple has just re-released the same phone, only with slightly better specifications. This is an evolution, not the revolution as touted by that fruit company. Also, we reveal the specs of the upcoming iPhone 6. And the specs for the next 6-7 years of iPhones!
Study: The Future of VR, AR and Self-Driving Cars - LinkedIn
We asked LinkedIn members worldwide about their levels of interest in the latest wave of technology: whether they’re using wearables, and whether they intend to buy self-driving cars and VR headsets as they become available. We asked them too about their attitudes to technology and to the growing role of Artificial Intelligence (AI) in the devices that they use. The answers were fascinating – and in many cases, surprising.
This SlideShare explores the full results of this study, including detailed market-by-market breakdowns of intention levels for each technology – and how attitudes change with age, location and seniority level. If you’re marketing a tech brand – or planning to use VR and wearables to reach a professional audience – then these are insights you won’t want to miss.
Artificial intelligence (AI) is everywhere, promising self-driving cars, medical breakthroughs, and new ways of working. But how do you separate hype from reality? How can your company apply AI to solve real business problems?
Here’s what AI learnings your business should keep in mind for 2017.
Security Day SLBdiesten: 26 June 2015
McAfee presentation: Learn how to make (cost-)efficient use of new, integrated McAfee technologies for protection against advanced malware. By Wim van Campen, Regional Vice President North & East Europe, Intel Security.
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020) - mike parks
Work-in-Progress!
IoT Cyber+Physical+Social Security
An encyclopedic compendium of tools, techniques, and practices to defend systems that sit at the intersection of the cyber and physical domains; chiefly building automation systems and the Internet of Things.
This is a PowerPoint presentation from Cormac M. Kelly on behalf of Beyond Encryption Technologies Ltd. Cormac is the Director Of Business Development at Global Defence & Safety Solutions Ltd in Ireland and one of the leading distributors of the End-Point Security solutions from BETL.
Download DOC Word file from below links
Link 1: http://gestyy.com/eiT4zZ
Link 2: http://fumacrom.com/RQRL
Disclaimer: The above doc file is for educational purposes only
Contains some important questions on information security/cyber security
Q1) When you want to authenticate yourself to your computer, most likely you type in your username and password. The username is considered public knowledge, so it is the password that authenticates you. Your password is something you know.
1.1 It is also possible to authenticate based on something you are, that is, a physical characteristic. Such a characteristic is known as a biometric. Give an example of biometric-based authentication.
1.2 It is also possible to authenticate based on something you have, that is, something in your possession. Give an example of authentication based on something you have.
1.3 Two-factor authentication requires that two of the three authentication methods (something you know, something you have, something you are) be used. Give an example from everyday life where two-factor authentication is used. Which two of the three are used?
Q2) Malware is software that is intentionally malicious, in the sense that it is designed to do damage or break the security of a system. Malware comes in many familiar varieties, including viruses, worms, and Trojans.
2.1 Has your computer ever been infected with malware? If so, what did the malware do and how did you get rid of the problem? If not, why have you been so lucky?
2.2 In the past, most malware was designed to annoy users. Today, it is often claimed that most malware is written for profit. How could malware possibly be profitable?
Q3) What is war dialling and war driving?
Q4) Suppose that we have a computer that can test 2^40 keys each second.
4.1 What is the expected time (in years) to find a key by exhaustive search if the key space is of size 2^88?
4.2 What is the expected time (in years) to find a key by exhaustive search if the key space is of size 2^112?
4.3 What is the expected time (in years) to find a key by exhaustive search if the key space is of size 2^256?
Q5) What kind of attacks are possible on mobile/cell phones? Explain with example.
Q6) Explain the countermeasures to be practiced for possible attacks on mobile/cell phones.
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst as well as helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation will provide a primer on all facets of mobile forensics.
Preventing Stealthy Threats with Next Generation Endpoint Security - Intel IT Center
Step up security management and prevent stealthy threats with integrated solutions from Intel and McAfee that work beyond the operating system to stop attacks in real time while helping you manage endpoint security.
Tips and Tricks for Building Secure Mobile Apps - TechWell
Mobile application development is now a mission-critical component of IT organizations and a big part of software industry’s landscape. Due to the security threats associated with mobile devices, it is critical we build our apps—from the ground up—to be secure and trustworthy. However, many application developers and testers do not understand how to build and test secure mobile applications. Jeffery Payne discusses the risks associated with mobile platforms/applications and describes proven practices for ensuring the safety of your mobile applications. Jeffery delves into the unique nuances of mobile platforms and how these differences impact the security approach when you are developing and testing mobile applications. Topics include session management, data encryption, securing legacy code, and platform security models. Learn what to watch out for when you start developing your next mobile app and take away tips and tricks for effectively securing and testing existing apps.
Presentation Anti-Patterns: 10 things you should avoid in your next presentation. Taken from the book, "File > New > Presentation" by Simon Guest. http://goo.gl/FAZZms
Session from GIDS 2014, showing how to do automated Web testing using a variety of JavaScript frameworks, including QUnit, Jasmine, Protractor, Selenium, and PhantomJS
Enterprise Social Networking - Myth or Magic? - Simon Guest
In the time it takes you to read this abstract, Facebook will have received another 150,000 unique page views from around the world. LinkedIn adds 10 new members every 5 seconds, with over 50% contributing to active discussions. And from flash mobs to #OccupyWallStreet, Twitter has already established itself as the tool of choice to redefine organized movements and protests.
Despite these incredible advances in social technology, however, collaboration in most organizations is still performed using a product first invented in 1971: Email.
In this presentation, we’ll look at the taxonomy of social networking and ask the question if and how it can be applied and extended to a traditional business. We’ll push the boundaries of what social networking can mean within an organization, from “friending” ERP and CRM systems through to using a social network as a knowledge library where employees can discover skills and share ideas. We’ll investigate the power of context as it relates to an organization’s social graph, and even look at how social networking can be used to transform reporting for your organization.
Whether you are new to the subject, or already have an implementation plan, you'll walk away with a thorough understanding of how the technology can be effectively used within the four walls of your organization, and maybe even a different perspective on why we are all still relying on that technology from the 1970s!
Are MEAPs the answer to all our problems with mobile device development and deployment, or simply a recurring fallacy from what we saw in the mid-late 90's with cross-platform development for PC, Mac, Unix, and the Web? In this presentation I take an objective view on the category, highlight potential issues, and offer thoughts on an alternative approach.
Slides from a WebCast I held on 1/25 on the "Future of Mobility". You can download the recording here: http://www.neudesic.com/insight/Presentation/Pages/PW20110125.aspx
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder: active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
iPhone and iPad Security
1. Mobility WebCast: iPhone and iPad Security. Simon Guest, Director, Mobility Solutions, Neudesic, LLC. simon.guest@neudesic.com
2. Common Questions
- I don't want my employees doing [x]. How do I configure policy?
- What happens if I leave my device on the [bus|train|plane]?
- How do I secure communication from the device?
- I'm writing an application. How do I make my application secure?
- What other bad stuff should I be thinking about?
3. Agenda: 1 Policy, 2 Data, 3 Network, 4 Application, 5 Bad Stuff
4. Agenda (1 Policy, 2 Data, 3 Network, 4 Application, 5 Bad Stuff). Section 1, Policy: I don't want my employees doing [x] on their device. How do I configure policy?
52. Policy for GPRS access point, username, and password. Policy for Proxy Server (but this is for GPRS access point only)
54. Policy: Mobile Device Management (MDM)
- Remote Configuration: pushing of configuration profiles to the device
- Remote Query: device, network, security, and application information
- Remote Management: remote wipe, remote lock, clear passcode, OTA application delivery
55. Policy: Mobile Device Management (MDM)
- API level: MDM APIs announced with iOS 4.2. Very little public information, only available to MDM providers via separate agreement from Apple
- Products/Vendors: AirWatch, Sybase Afaria, MobileIron
- Microsoft announced MDM support in SCCM 2012: http://www.zdnet.com/blog/microsoft/microsoft-readies-tool-for-managing-ipads-iphones-and-android-devices/8987
- Beta 2 - http://www.microsoft.com/systemcenter/en/us/configuration-manager/cm-vnext-beta.aspx
56. Agenda (1 Policy, 2 Data, 3 Network, 4 Application, 5 Bad Stuff). Section 2, Data: What happens if I leave my device on the [bus|train|plane]?
57. Data: Hardware Based Encryption
- Anything written to (flash) storage encrypted with a 256-bit AES key
- Cannot be disabled by users
- Primarily designed for remote wipe (delete the key, and data is inaccessible)
- Savvy hacker can very easily get access to the data, even if pin-code protected
- Boot the device in recovery mode, SSH and various shell scripts to extract the data
58. Data: Data Protection (post iOS 4.2)
- Anything written to (flash) storage encrypted with a 256-bit AES key, derived from the user's passcode
- Strength of data protection dependent on passcode strength
- Brute force with 4 digit simple PIN. A little more challenging when alphanumeric, including non-alpha characters
- Mitigated by PBKDF2 iterations (50ms derivation = ~20 passwords per second)
- However, only applies to applications that use Data Protection API
59. Data: Data Protection API
- When writing NSData object to file, include the NSDataWritingFileProtectionComplete attribute
- However, your application now needs to handle failure
- If application is running in background when the device is locked, you will not be able to access file
60. Data: Keychain
- The keychain is an encrypted container that holds passwords for multiple applications and secure services. (Apple Keychain services programming guide)
- Fraunhofer Institute paper and video "Lost Phone? Lost Passwords!"
- http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
- http://www.youtube.com/watch?v=uVGiNAs-QbY
- Accessed the keychain using techniques described in last section: "jailbroke" the device, booted into tethered Jailbreak mode, copied script to dump contents of Keychain
- Some passwords, not all, were revealed
61. Data: Keychain
The Keychain supports several methods of encryption:
- kSecAttrAccessibleAlways: always accessible
- kSecAttrAccessibleWhenUnlocked: only accessible when device is unlocked
- kSecAttrAccessibleAfterFirstUnlock: accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly: only accessible when device is unlocked; device specific
- kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again; device specific
- kSecAttrAccessibleAlwaysThisDeviceOnly: always accessible; device specific
Resources: http://labs.neohapsis.com/2011/02/28/researchers-steal-iphone-passwords-in-6-minutes-true-but-not-the-whole-story/
62. Data: Keychain (same list, with the slide's callouts)
- kSecAttrAccessibleAlways: always accessible. Try to avoid: no protection
- kSecAttrAccessibleWhenUnlocked: only accessible when device is unlocked. Recommended for most apps
- kSecAttrAccessibleAfterFirstUnlock: accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Recommended for apps with background needs
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly: only accessible when device is unlocked; device specific
- kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again; device specific
- kSecAttrAccessibleAlwaysThisDeviceOnly: always accessible; device specific
Resources: http://labs.neohapsis.com/2011/02/28/researchers-steal-iphone-passwords-in-6-minutes-true-but-not-the-whole-story/
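The Data Protection API (slide 59) and the Keychain accessibility classes (slides 61 and 62), worked through in one added example. This is not code from the deck, from Neudesic or from Apple's documentation; the function names DemoWriteProtected, DemoKeychainStore and DemoKeychainLoad, the service identifier kDemoService, the file name and the sample token are all assumptions constructed for the example. It writes a file with NSDataWritingFileProtectionComplete and treats a failed write as a signal to defer rather than to fall back to an unprotected write, and it stores a secret under kSecAttrAccessibleWhenUnlocked, the class the slide recommends for most apps, with kSecAttrAccessibleAfterFirstUnlock as the choice for apps with background needs.

```objectivec
// Added example (not from the original deck): iOS Data Protection + Keychain classes.
// kDemoService, the file name and the sample token are assumptions for this example.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString * const kDemoService = @"com.example.demo";   // hypothetical service id

// Write a file that is only readable while the device is unlocked
// (NSDataWritingFileProtectionComplete). The write fails if the app is in the
// background and the device is locked, so the failure is handled, not ignored.
BOOL DemoWriteProtected(NSData *payload, NSString *fileName, NSError **error) {
    NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                          NSUserDomainMask, YES) firstObject];
    NSString *path = [docs stringByAppendingPathComponent:fileName];
    BOOL ok = [payload writeToFile:path
                           options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                             error:error];
    if (!ok) {
        // Defer and retry once protected data is available again
        // (UIApplicationProtectedDataDidBecomeAvailable); never downgrade the
        // protection class just to make the write succeed.
        NSLog(@"protected write failed: %@", error ? *error : nil);
    }
    return ok;
}

// Store a secret in the Keychain under the given accessibility class.
// Pass kSecAttrAccessibleWhenUnlocked for most apps, or
// kSecAttrAccessibleAfterFirstUnlock when a background task must read it.
// kSecAttrAccessibleAlways is deliberately not offered (no protection).
OSStatus DemoKeychainStore(NSString *account, NSData *secret, CFTypeRef accessibility) {
    NSDictionary *query = @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
                             (__bridge id)kSecAttrService: kDemoService,
                             (__bridge id)kSecAttrAccount: account };
    NSDictionary *attrs = @{ (__bridge id)kSecValueData:      secret,
                             (__bridge id)kSecAttrAccessible: (__bridge id)accessibility };
    // Update an existing item first; add it if it does not exist yet.
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
                                    (__bridge CFDictionaryRef)attrs);
    if (status == errSecItemNotFound) {
        NSMutableDictionary *add = [query mutableCopy];
        [add addEntriesFromDictionary:attrs];
        status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    }
    return status;
}

// Read the secret back. While the device is locked (WhenUnlocked class) the
// lookup returns errSecInteractionNotAllowed, which we surface as nil.
NSData *DemoKeychainLoad(NSString *account) {
    NSDictionary *query = @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
                             (__bridge id)kSecAttrService: kDemoService,
                             (__bridge id)kSecAttrAccount: account,
                             (__bridge id)kSecReturnData:  @YES,
                             (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        NSLog(@"keychain read failed with status %d", (int)status);
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed sample secret; a real app would hold a session token here.
        NSData *token = [@"constructed-session-token" dataUsingEncoding:NSUTF8StringEncoding];
        NSError *err = nil;
        DemoWriteProtected(token, @"cache.bin", &err);
        OSStatus s = DemoKeychainStore(@"api-token", token, kSecAttrAccessibleWhenUnlocked);
        NSLog(@"keychain store status %d, loaded %lu bytes",
              (int)s, (unsigned long)[DemoKeychainLoad(@"api-token") length]);
    }
    return 0;
}
```

The two halves cover the two failure modes the slides call out: the file write surfaces the locked-device case through the NSError path instead of silently writing unprotected data, and the Keychain read surfaces the same case through the OSStatus, so an app that needs the secret from a background task can choose kSecAttrAccessibleAfterFirstUnlock explicitly rather than drifting to kSecAttrAccessibleAlways.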
63. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda How do I secure communication from the device?
64. Network SSL/TLS SSL v3 / TLS v1 support for Web based applications Wireless Security Supported schemes WEP/WPA/WPA2 Enterprise Recommended: WPA2 Enterprise (128bit AES) 802.1x authentication protocols EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAP v0, v1, LEAP
65. Network: VPN (Virtual Private Network) Support
Supported schemes: Cisco IPSec, L2TP/IPSec, PPTP, SSL VPN; additional App Store clients from Juniper, Cisco and F5. (PPTP's MS-CHAPv2 authentication is broken and should not be used for new deployments.)
Deployable via configuration profile; a VPN proxy is also configurable.
Split tunneling: only traffic for the enterprise's routes goes through the tunnel, the rest leaves over the local network unprotected, so prefer full tunneling on untrusted Wi-Fi where policy allows.
VPN On Demand (requires certificate-based authentication).
Authentication: username/password; X.509 certificate (Cisco IPSec only); two-factor authentication (RSA SecurID and CRYPTOCard).
Resources http://developer.apple.com/library/ios/#featuredarticles/FA_VPN_Server_Configuration_for_iPhone_OS/Introduction/Introduction.html
66. Agenda, section 4 of 5 (Policy, Data, Network, Application, Bad Stuff): Application. I'm writing an application. How do I make my application secure?
67. Application: Authentication and Authorization
Authentication: there is no concept of users, accounts or passwords on the device; unlike Mac OS X, the user is assumed to be authenticated (via the passcode). At the time of this deck an app could neither re-prompt the user for the passcode programmatically nor lock the device (iOS 8 later added the LocalAuthentication framework, which lets an app ask for Touch ID/Face ID or passcode confirmation before its own sensitive actions, though it still cannot lock the device). Authentication for your own application therefore has to be custom, against your back-end services, and the resulting session token needs protected storage (see the keychain section).
Authorization: no concept of roles or permissions on the device; unlike Mac OS X, the user is assumed to be authorized within the sandbox of the signed application. Any per-user authorization must be enforced server-side and never trusted from the client.
Resources http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/SecuritySvcs.html
68. Application: Accessing Secure Server-Side Resources
Authentication: NSURLConnection does not support NTLM authentication; use CFNetwork or a third-party library such as ASIHTTPRequest.
SSL support: NSURLConnection supports SSL (use an "https" URL) and validates the server's certificate chain by default.
Invalid certificates: the widely copied bypass answers the server-trust challenge in the didReceiveAuthenticationChallenge callback with a credential built from the server's own trust object (useCredential:forAuthenticationChallenge:). That disables validation entirely and hands the session to any network attacker holding a self-signed certificate; continueWithoutCredentialForAuthenticationChallenge on its own merely returns the challenge to the default handling, which rejects an untrusted certificate. Never ship the bypass; for self-signed or internal CAs, pin the expected certificate instead.
Client-side certificates: answer the challenge in the didReceiveAuthenticationChallenge callback with an identity credential (credentialWithIdentity:certificates:persistence:).
NSURLConnection has since been deprecated in favour of NSURLSession, whose URLSession:didReceiveChallenge:completionHandler: carries the same server-trust decision.
Resources http://stackoverflow.com/questions/933331/how-to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert http://markmail.org/message/tnh2g6u5h42ive53 http://jameswilliams.me/developer/blog/2008/08/http-post-via-the-cfnetwork-stack/
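The two ways of answering a server-trust challenge, side by side, as an added example (Objective-C, not code from the presentation). InsecureDelegate is the bypass the slide warns about; PinningDelegate first lets the system validate the chain and then requires the leaf certificate to match a DER copy shipped in the app bundle. The endpoint (api.example.com) and the bundled file name (server.cer) are assumptions for illustration.

```objc
// Added example (not from the deck). iOS, ARC, Foundation + Security frameworks.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical endpoint and bundled DER certificate resource name.
static NSString * const kURL = @"https://api.example.com/login";
static NSString * const kPinnedCertResource = @"server";   // server.cer in the bundle

// INSECURE: accepts whatever the server presents. A network attacker with any
// self-signed certificate now reads and rewrites the traffic.
@interface InsecureDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation InsecureDelegate
- (BOOL)connection:(NSURLConnection *)connection
        canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection
        didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;   // never evaluated
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
         forAuthenticationChallenge:challenge];
}
@end

// YES only if the chain validates normally AND the leaf certificate is
// byte-for-byte the one shipped with the app.
static BOOL trustIsPinned(SecTrustRef trust) {
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    if (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed) return NO;

    NSString *path = [[NSBundle mainBundle] pathForResource:kPinnedCertResource ofType:@"cer"];
    NSData *pinned = [NSData dataWithContentsOfFile:path];
    if (pinned == nil || SecTrustGetCertificateCount(trust) < 1) return NO;

    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
    return [presented isEqualToData:pinned];
}

// SECURE: same callbacks, but the trust decision is actually made, and an
// unexpected certificate cancels the connection instead of being waved through.
@interface PinningDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation PinningDelegate
- (BOOL)connection:(NSURLConnection *)connection
        canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection
        didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    if (trustIsPinned(trust)) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    NSLog(@"connection failed: %@", error);   // a pin mismatch surfaces here
}
@end

int main(void) {
    @autoreleasepool {
        NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:kURL]];
        PinningDelegate *delegate = [PinningDelegate new];
        NSURLConnection *connection = [[NSURLConnection alloc] initWithRequest:request
                                                                       delegate:delegate];
        (void)connection;
        [[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:10]];
    }
    return 0;
}
```

Pinning the leaf means the app must ship an update before the server certificate is rotated; pinning the issuing CA's certificate (compare the certificate at the last index of the chain instead of index 0) trades some of that rigidity for operational ease. The same trustIsPinned check drops unchanged into an NSURLSession delegate on current iOS.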
69. Application: Password Storage
Don't store passwords in NSUserDefaults: the UI hides the value, but NSUserDefaults is a plain plist in the app's Library/Preferences directory that is trivially read from the file system, a simple backup or iPhone Explorer.
Use the Keychain instead, choosing the accessibility class deliberately (see the Keychain section): kSecAttrAccessibleWhenUnlockedThisDeviceOnly for a stored credential unless a background task genuinely needs it.
Resources http://software-security.sans.org/blog/2011/01/05/using-keychain-to-store-passwords-ios-iphone-ipad/
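An added example (Objective-C, not code from the presentation) covering both the accessibility classes from the Keychain slides and the password-storage advice above: the NSUserDefaults anti-pattern next to a keychain item stored in kSecAttrAccessibleWhenUnlockedThisDeviceOnly, with an audit helper that reports which class an existing item actually has. The service name com.example.myapp and the account names are assumptions.

```objc
// Added example (not from the deck). iOS, ARC, Foundation + Security frameworks.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name used to namespace this app's keychain items.
static NSString * const kService = @"com.example.myapp";

// INSECURE (what the slide warns against): NSUserDefaults is a plain plist in
// Library/Preferences, readable from a backup or any file-system browser.
static void __attribute__((unused)) storePasswordInsecurely(NSString *account,
                                                            NSString *password) {
    NSString *key = [@"password-" stringByAppendingString:account];
    [[NSUserDefaults standardUserDefaults] setObject:password forKey:key];
}

// Query identifying one generic-password item for this app and account.
static NSMutableDictionary *itemQuery(NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kService,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// SECURE: keychain item that is only readable while the device is unlocked
// and never migrates to another device through a backup restore.
static OSStatus storePassword(NSString *account, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableDictionary *item = itemQuery(account);
    item[(__bridge id)kSecValueData] = secret;
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (status == errSecDuplicateItem) {
        // The account already has an item: replace the secret in place.
        NSDictionary *changes = @{ (__bridge id)kSecValueData: secret };
        status = SecItemUpdate((__bridge CFDictionaryRef)itemQuery(account),
                               (__bridge CFDictionaryRef)changes);
    }
    return status;
}

// Read the password back; nil when absent or not accessible right now
// (e.g. errSecInteractionNotAllowed while the device is locked).
static NSString *loadPassword(NSString *account) {
    NSMutableDictionary *query = itemQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Audit helper: the accessibility class an existing item really has, so a
// review can spot items that ended up in kSecAttrAccessibleAlways.
static NSString *accessibilityClass(NSString *account) {
    NSMutableDictionary *query = itemQuery(account);
    query[(__bridge id)kSecReturnAttributes] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSDictionary *attrs = CFBridgingRelease(result);
    return attrs[(__bridge id)kSecAttrAccessible];
}

int main(void) {
    @autoreleasepool {
        OSStatus st = storePassword(@"alice", @"correct horse battery staple");
        NSLog(@"store: %d, read back: %@, class: %@", (int)st,
              loadPassword(@"alice"), accessibilityClass(@"alice"));
    }
    return 0;
}
```

The audit helper is the check to run on a pentest or code review: dump every item the app owns and confirm none carries the Always class, since that is exactly what the six-minute attack harvested.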
70. Application: Cryptography Support
Asymmetric support through Certificate, Key, and Trust Services: manage certificates, public and private keys and trust policies; create and request certificate objects (CERs); import certificates, keys and identities; create public/private key pairs; represent trust policies.
SecKeyGeneratePair example:
OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey);
Resources http://developer.apple.com/library/ios/#documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/doc/uid/TP30000157
72. Application: Cryptography Support
Cryptographically secure random numbers: SecRandomCopyBytes fills a buffer from the system's cryptographic random number generator (the kernel's /dev/random pool, which iOS seeds from hardware entropy sources and interrupt timing). Use it for keys, IVs, salts and tokens; never rand(), random() or a timestamp.
Resources http://developer.apple.com/library/ios/#documentation/Security/Reference/RandomizationReference/Reference/reference.html
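An added example (Objective-C, not code from the presentation) that ties the two cryptography slides together: SecKeyGeneratePair creates an RSA pair whose private key lives in the keychain, SecRandomCopyBytes produces a fresh symmetric key, and the symmetric key is wrapped under the public key and unwrapped again with SecKeyEncrypt/SecKeyDecrypt (iOS-only calls). The application tags com.example.myapp.rsa.* are assumptions; the symmetric key is generated but not used for bulk encryption here.

```objc
// Added example (not from the deck). iOS-only: SecKeyEncrypt/SecKeyDecrypt are
// part of the iOS Security framework. ARC, Foundation + Security.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical application tags that identify the key pair in the keychain.
static const char kPubTag[]  = "com.example.myapp.rsa.pub";
static const char kPrivTag[] = "com.example.myapp.rsa.priv";

// Generate a 2048-bit RSA pair. Any previous pair under the same tags is
// removed first so repeated runs do not pile up keychain items.
static OSStatus generateKeyPair(SecKeyRef *pub, SecKeyRef *priv) {
    NSData *pubTag  = [NSData dataWithBytes:kPubTag  length:sizeof(kPubTag)];
    NSData *privTag = [NSData dataWithBytes:kPrivTag length:sizeof(kPrivTag)];
    for (NSData *tag in @[pubTag, privTag]) {
        NSDictionary *old = @{ (__bridge id)kSecClass: (__bridge id)kSecClassKey,
                               (__bridge id)kSecAttrApplicationTag: tag };
        SecItemDelete((__bridge CFDictionaryRef)old);
    }
    NSDictionary *params = @{
        (__bridge id)kSecAttrKeyType:       (__bridge id)kSecAttrKeyTypeRSA,
        (__bridge id)kSecAttrKeySizeInBits: @2048,
        (__bridge id)kSecPublicKeyAttrs:  @{ (__bridge id)kSecAttrIsPermanent:    @YES,
                                             (__bridge id)kSecAttrApplicationTag: pubTag },
        // Private key kept in a ThisDeviceOnly class: never restored to another device.
        (__bridge id)kSecPrivateKeyAttrs: @{ (__bridge id)kSecAttrIsPermanent:    @YES,
                                             (__bridge id)kSecAttrApplicationTag: privTag,
                                             (__bridge id)kSecAttrAccessible:
                                   (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly },
    };
    return SecKeyGeneratePair((__bridge CFDictionaryRef)params, pub, priv);
}

// Fresh symmetric key from the system CSPRNG; never rand()/random() for this.
static NSData *randomKey(size_t length) {
    NSMutableData *key = [NSMutableData dataWithLength:length];
    if (SecRandomCopyBytes(kSecRandomDefault, length, key.mutableBytes) != 0) return nil;
    return key;
}

// Wrap the symmetric key under the RSA public key. OAEP padding is used rather
// than PKCS#1 v1.5, which is exposed to padding-oracle attacks.
static NSData *wrapKey(SecKeyRef pub, NSData *key) {
    size_t outLen = SecKeyGetBlockSize(pub);
    NSMutableData *out = [NSMutableData dataWithLength:outLen];
    OSStatus st = SecKeyEncrypt(pub, kSecPaddingOAEP, key.bytes, key.length,
                                out.mutableBytes, &outLen);
    if (st != errSecSuccess) return nil;
    out.length = outLen;
    return out;
}

// Unwrap with the private key; returns nil on any tampering with the ciphertext.
static NSData *unwrapKey(SecKeyRef priv, NSData *wrapped) {
    size_t outLen = SecKeyGetBlockSize(priv);
    NSMutableData *out = [NSMutableData dataWithLength:outLen];
    OSStatus st = SecKeyDecrypt(priv, kSecPaddingOAEP, wrapped.bytes, wrapped.length,
                                out.mutableBytes, &outLen);
    if (st != errSecSuccess) return nil;
    out.length = outLen;
    return out;
}

int main(void) {
    @autoreleasepool {
        SecKeyRef pub = NULL, priv = NULL;
        if (generateKeyPair(&pub, &priv) != errSecSuccess) return 1;

        NSData *sessionKey = randomKey(32);            // e.g. an AES-256 key
        NSData *wrapped    = wrapKey(pub, sessionKey); // safe to send alongside the data
        NSData *recovered  = unwrapKey(priv, wrapped);
        NSLog(@"round trip %@", [recovered isEqualToData:sessionKey] ? @"OK" : @"FAILED");

        CFRelease(pub);
        CFRelease(priv);
    }
    return 0;
}
```

A 32-byte key fits comfortably inside the 256-byte RSA block after OAEP overhead; anything larger than that is the signal that you should be wrapping a key, not encrypting the payload directly with RSA.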
73. Agenda, section 5 of 5 (Policy, Data, Network, Application, Bad Stuff): Bad Stuff. What other bad stuff should I be thinking about?
74. Bad Stuff: Jailbreaking
What is jailbreaking? Removing Apple's restrictions on a device to gain full (root) access to it, allowing more control over the device by bypassing those restrictions: custom ringtones and wallpapers, software to capture network packets, a VNC server for the device, and so on. It is a constant battle between jailbreakers (e.g. the iPhone Dev Team) and Apple's software updates.
Is it legal? In the US, yes, under the 2010 DMCA exemption, although it voids Apple's device warranty. In other countries, check local laws.
Is it the same as SIM unlocking? No. SIM unlocking is about using SIMs from different operators.
75. Bad Stuff: Jailbreaking in the Enterprise
Tethered vs. untethered jailbreaking: untethered means the device reboots into the jailbroken state on its own; tethered means it needs the USB cable and the jailbreak software at every reboot. At the time of this deck most jailbreaks after iOS 4.2.1 were tethered.
Security risks: there is frequent speculation about the security of jailbroken devices; most real incidents stem from an OpenSSH install left with the well-known default root password ("alpine"):
the iKee worm (changed the wallpaper to a Rick Astley picture);
a Netherlands-based botnet-like worm that uploaded the device's /etc/master.passwd file to a server in Lithuania.
Beyond the worms, a jailbroken device has no code-signing enforcement and a root shell, so the sandbox and keychain access controls assumed on the earlier slides no longer hold for that device; treat a detected jailbreak as a risk signal for enterprise apps and MDM.
76. Bad Stuff: Plaintext in Configuration Profile
Scenario: the attacker grabs a .mobileconfig from e-mail or a public URL and reads the XML for plaintext details, e.g. the WLAN SSID and password, a VPN shared secret or mail account passwords.
Mitigation: encrypt .mobileconfig files for device-specific deployments (signing alone proves who issued the profile; the contents stay readable); place .mobileconfig files behind authenticated pages so they do not turn up in a search such as Google filetype:mobileconfig password.
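The check a tester runs on a harvested profile, as an added example (Objective-C with Foundation only, not code from the presentation): parse the plist, walk every payload and report credential-bearing keys that sit in the clear, while distinguishing an encrypted profile (EncryptedPayloadContent, nothing exposed) from a signed one (CMS/DER wrapper, which this parser does not unwrap). The sample profile embedded in main is constructed for the example; the secret-key list covers the Wi-Fi, VPN and mail payload keys and can be extended.

```objc
// Added example (not from the deck). Foundation only; builds on macOS or iOS.
#import <Foundation/Foundation.h>

// Payload keys that carry a credential in the clear when the profile is
// unencrypted: Wi-Fi (Password), VPN (SharedSecret, AuthPassword), mail
// (IncomingPassword, OutgoingPassword).
static NSSet *secretKeys(void) {
    return [NSSet setWithObjects:@"Password", @"SharedSecret", @"AuthPassword",
                                 @"IncomingPassword", @"OutgoingPassword", nil];
}

// Walk the payload tree and record "PayloadType -> key" for every secret found.
static void findSecrets(id node, NSString *payloadType, NSMutableArray *findings) {
    if ([node isKindOfClass:[NSDictionary class]]) {
        id declared = node[@"PayloadType"];
        NSString *type = [declared isKindOfClass:[NSString class]] ? declared : payloadType;
        for (NSString *key in node) {
            id value = node[key];
            if ([secretKeys() containsObject:key] &&
                [value isKindOfClass:[NSString class]] && [value length] > 0) {
                [findings addObject:[NSString stringWithFormat:@"%@ -> %@", type, key]];
            }
            findSecrets(value, type, findings);
        }
    } else if ([node isKindOfClass:[NSArray class]]) {
        for (id item in node) findSecrets(item, payloadType, findings);
    }
}

// Returns the list of plaintext secrets, an empty list for an encrypted
// profile, or nil when the data is not a bare plist (a signed profile is a
// CMS/DER blob starting with 0x30 whose plist must be unwrapped first).
static NSArray *auditProfile(NSData *profile) {
    id plist = [NSPropertyListSerialization propertyListWithData:profile
                                                         options:NSPropertyListImmutable
                                                          format:NULL
                                                           error:NULL];
    if (![plist isKindOfClass:[NSDictionary class]]) return nil;
    NSMutableArray *findings = [NSMutableArray array];
    if (plist[@"EncryptedPayloadContent"] != nil) return findings;  // contents are sealed
    findSecrets(plist[@"PayloadContent"], @"Configuration", findings);
    return findings;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample profile, not a real deployment: one Wi-Fi payload
        // whose WPA pre-shared key sits in the XML in clear text.
        NSString *sample =
            @"<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
             "<plist version=\"1.0\"><dict>"
             "<key>PayloadType</key><string>Configuration</string>"
             "<key>PayloadIdentifier</key><string>com.example.wifi</string>"
             "<key>PayloadContent</key><array><dict>"
             "<key>PayloadType</key><string>com.apple.wifi.managed</string>"
             "<key>SSID_STR</key><string>CorpWLAN</string>"
             "<key>EncryptionType</key><string>WPA</string>"
             "<key>Password</key><string>hunter2</string>"
             "</dict></array></dict></plist>";
        NSArray *findings = auditProfile([sample dataUsingEncoding:NSUTF8StringEncoding]);
        for (NSString *finding in findings) NSLog(@"plaintext secret: %@", finding);
    }
    return 0;
}
```

Point it at every profile reachable from the enrolment portal, mail archives and the search query above; a profile that yields nil is signed and should be unwrapped (for instance with the openssl cms tool) before being audited the same way.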
77. Bad Stuff: Evil Configuration Profile
Scenario: the attacker generates an evil .mobileconfig, signs it using a signature-only certificate issued under one of the 224 root certificates in the iPhone keystore, and sends the .mobileconfig to a victim by SMS, tricking them into installing it.
Mitigation: create a locked default profile to prevent this; user education; Apple's removal of certain policy configuration options (e.g. proxy).
Resources http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3892776_1/Three-Steps-to-a-Cracked-iPhone.htm
78. Bad Stuff: Bypassing the PIN Code / Forensic Recovery of the Disk
Scenario: the attacker has physical access to your device. Even though it is locked with a PIN code, the device can be put into recovery (DFU) mode and booted from a custom ramdisk via a boot ROM exploit. The PIN is never entered, yet every file not protected by the Data Protection API and every keychain item in the Always or AfterFirstUnlock classes is readable, and a short numeric PIN can be brute-forced on the device itself.
Mitigation: physical security of the device; use of the Data Protection API by applications installed on the device (Mail stores use it by default); correct choice of keychain accessibility classes so passwords are never stored in a class readable without the passcode; a long alphanumeric passcode, because the brute force has to run on the device's own hardware.
Resources http://www.youtube.com/watch?v=5wS3AMbXRLs
79. Agenda recap: Policy, Data, Network, Application, Bad Stuff.
81. Conclusion
There is a lot to consider for iPhone and iPad security. Divide the problem into four areas, policy, data, network and application, but also understand the bad stuff.
Your device is only as secure as its weakest link: don't rely on one mechanism (e.g. password policy) in lieu of the rest.
Think like an attacker: what tools would they have, what would they try, and what is the worst that could happen if they got hold of your device?
82. How Neudesic Can Help Application/Device Security Review Simulate losing one of your locked devices We run it through the tools that the hackers have You get a full report of our findings Mobile Strategy Review CxO Level Mobility Review Construct mobile landscape of your organization together with the applications, integration points, and security considerations that make sense You get a framework and roadmap for mobile adoption in your organization