Mobile Security: iOS
Yaroslav Vorontsov,
Software Architect, Tech Lead
Agenda
• Introduction: security overview
• Security whitepaper overview
• Attacking iOS applications
• Overview of Security APIs
• Ready-to-use recipes
• More materials
Introduction
Theoretical base
• Probability theory: negligibility
• PRNG: Hardware vs Software
• Crypto basics: PRF/PRP
• Symmetric and asymmetric encryption
• OTP – Vernam cipher
• Hashes and MACs
• Attacks on encryption
• Network and telecommunications
• ISO/OSI stack: session level – SSL and TLS
• Key generation/distribution schemes
• Diffie-Hellman and Kerberos
• Trust and certificates
• Public and private keys
• Documents: PKCS, RFC
Terms
Identification – providing evidence of an identity
Authentication – validation of identity
Authorization – check of privileges
2FA/MFA – two-/multi-factor authentication
UID/GID – User/Group ID
Key wrapping – encryption of an encryption key
MDM – Mobile Device Management
Security Whitepaper overview
Main document
• Boot process and System Software Authorization
• Secure Enclave
• Passcode and Touch ID policies
• AES hardware acceleration
• Data protection classes and Keychain protection
• Key bags
• Other important features
Boot process and SSA
[Diagram: boot chain BootROM → LLB → iBoot → Kernel; other labels: NAND memory, Apple’s root CA key, Apple SSA Server]
Secure Enclave co-processor
• Available for A7+ and S2+ CPU families
• Contains built-in hardware PRNG
• Communicates with CPU via Mailbox (write-only) and encrypted shared memory (read-only)
• Responsible for Passcode, Touch ID, Data protection classes
• Generates UID on A9+ and newer
• Updates its firmware independently
• Generates and stores Elliptic-Curve Cryptography keys
Passcode and Touch ID (iOS 9+)
• Passcode policies: 4-digit, 6-digit, alphanumeric
• Checks take 80ms
• Interval is increased after N failed attempts
• Max 5 fingers for Touch ID
• Touch ID – 6 mandatory cases for passcode input
• Wipe after 10-12 failed attempts
AES in-silicon crypto engine
• Chip has embedded keys
• User ID is unique for a device
• Group ID is unique for a family of CPUs
• Keys never leave the crypto engine
• However, these keys could be compromised on a jailbroken device by patching the aes_decrypt() function in the iBoot bootloader (read here)
File protection classes
| Class name | Description | Key derivation and wrapping |
|---|---|---|
| NSFileProtectionComplete | Files are available only if the device is unlocked | Class key protected with a key derived from the passcode and device UID |
| NSFileProtectionCompleteUnlessOpen | Some files can be written even if the device is locked | Asymmetric crypto is used, file key is protected using One-Pass Diffie-Hellman Key Agreement |
| NSFileProtectionCompleteUntilFirstUserAuthentication | Default class for all 3rd party apps. Files are unavailable until user enters passcode | Behaves like NSFileProtectionComplete, except the fact that key is not wiped during reboot |
| NSFileProtectionNone | No protection available | Class key is protected only with the device UID and stored in Effaceable storage |
Per-file encryption mechanism
• Encryption key (AES256-CBC) is generated by data protection engine and wrapped using file protection class key
• Key and SHA1 hash are stored in file’s metadata
• Metadata is encrypted using FS key (created on system installation/reset)
• When file is accessed, its key is unwrapped and used for decryption
Key bags
• System
  • Always accessible (no protection)
• iTunes Backup
  • Backup password
• Escrow
  • Key stored in MDM
• iCloud
  • Same as Backup, but uses asymmetric cryptography
Other out-of-box features
• Code signing – iOS verifies the digital signatures of all executables
• Sandboxing – iOS applications are isolated from each other
• Least available privileges – iOS applications are running under a user’s account with the least possible privileges
• Entitlements – control access to hardware and software features
• ASLR – preventing exploits. On by default, compile-time feature
• XN – Execute Never flag for all memory pages by default (except signed)
• Access limitation – user should explicitly confirm access to Contacts, etc.
• Extensions – they inherit all the access rights from their parent applications.
ASLR and PIE
Attacking iOS apps
Vectors of attack
Toolkit of a penetration tester
| Tool | Link | Description |
|---|---|---|
| Charles, Burp | http://www.charlesproxy.com/, http://www.portswigger.net/burp | HTTP and HTTPS proxy servers |
| OpenSSH | http://www.openssh.com/ | iPhone SSH connection |
| SQLite 3 | http://www.sqlite.org/ | SQLite Database Client |
| GDB | http://www.gnu.org/software/gdb/ | GNU Debugger |
| otool | man otool | Display binary information |
| sysctl | man sysctl | Manage kernel parameters |
| cycript | http://www.cycript.org/ | Attack runtime |
| Mallory | http://intrepidusgroup.com/insight/mallory | Proxy for binary protocols |
| Wireshark | https://www.wireshark.org/ | Sniffer |
| re_tools | https://github.com/emonti/iOS_app_re_tools | Reverse engineering tools |
Overview of security APIs and mechanisms
Built-in Security API
• The worst idea ever is to implement all encryption and decryption by yourself
  • You’re re-inventing the wheel
  • Your implementation is vulnerable to all kinds of attacks – theoretical and practical
• Security framework (C API)
  • Common Crypto – implementation of the most common symmetric & asymmetric ciphers and hashes. Uses CC- function prefixes.
  • Keychain API – secure storage for credentials (SecItem- functions)
  • Certificate management – SecCertificate-, SecTrust- functions.
  • SSL3.0/TLS1.0 connection management. Should not be used!
Keychain and Keychain API
• Designed for
  • Passwords and tokens
  • Certificates and public/private keys
  • Application codes and receipts
• Data sharing
  • Requires kSecAttrAccessGroup
  • Depends on Bundle ID
  • Entitlements – keychain-access-groups, application-identifier, application-group
• Works via keychaind, queries via dictionaries
How Keychain works
Structure of a keychain item
• Encrypted data contents
• Label
• Access group
• Service/Application
• Timestamps
• Dictionary of attributes
• Content itself
Keychain items – Protection classes
| Class name | File system analog | Availability |
|---|---|---|
| kSecAttrAccessibleWhenUnlocked | NSFileProtectionComplete | When unlocked |
| N/A | NSFileProtectionCompleteUnlessOpen | While locked |
| kSecAttrAccessibleAfterFirstUnlock | NSFileProtectionCompleteUntilFirstUserAuthentication | After first unlock |
| kSecAttrAccessibleAlways | NSFileProtectionNone | Always |
| kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly | N/A | Passcode enabled |
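Storing and reading a secret through the SecItem functions with an explicit protection class and an optional access group, as an added Swift example (not part of the original slides). The function names and the service, account and access group values are hypothetical; the default class is kSecAttrAccessibleWhenUnlocked from the table above.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Base query identifying one generic-password item.
/// `service`, `account` and `accessGroup` are caller-chosen values (hypothetical here).
private func baseQuery(service: String, account: String, accessGroup: String?) -> [String: Any] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    // Sharing between apps requires an access group that is also listed
    // in the keychain-access-groups entitlement of each app.
    if let accessGroup = accessGroup {
        query[kSecAttrAccessGroup as String] = accessGroup
    }
    return query
}

/// Stores `secret`, replacing any existing item, under the given protection class.
func storeSecret(_ secret: Data,
                 service: String,
                 account: String,
                 accessGroup: String? = nil,
                 accessible: CFString = kSecAttrAccessibleWhenUnlocked) throws {
    let query = baseQuery(service: service, account: account, accessGroup: accessGroup)
    let attributes: [String: Any] = [
        kSecValueData as String: secret,
        kSecAttrAccessible as String: accessible
    ]
    // Update first, so an item that already exists also gets the requested class.
    var status = SecItemUpdate(query as CFDictionary, attributes as CFDictionary)
    if status == errSecItemNotFound {
        let item = query.merging(attributes) { _, new in new }
        status = SecItemAdd(item as CFDictionary, nil)
    }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Returns the stored secret, or nil when no item exists.
/// While the device is locked, an item stored as kSecAttrAccessibleWhenUnlocked
/// cannot be read and the call throws (errSecInteractionNotAllowed).
func loadSecret(service: String, account: String, accessGroup: String? = nil) throws -> Data? {
    var query = baseQuery(service: service, account: account, accessGroup: accessGroup)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        return result as? Data
    case errSecItemNotFound:
        return nil
    default:
        throw KeychainError.unexpectedStatus(status)
    }
}
```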
Sharing data via Keychain
• Entitlements
  • Specify full bundle ID
  • Same Team ID is required
  • Prevents unauthorized access
• Getting items saved by Safari
  • Valid only for trusted sites
  • Trusted sites should be specified in entitlements using domain names
• iCloud Keychain
Common Crypto API (plain C API)
• man CC_crypto, CC_MD5, CC_SHA, CCHmac, CCCryptor
• CCCryptor – supports DES, 3DES, AES
• CCHmac – API for using message authentication codes
• CC_MD and CC_SHA
• Access to MD2, MD4, MD5 for compatibility
• Access to SHA1 for compatibility and SHA2 modern hashes
• kCCAlgSHA1 and kCCAlgMD5 – legacy
• kCCAlgSHA2 (224, 256, 384, 512) – modern
Other Security APIs
• CCKeyDerivationPBKDF (aka PBKDF2)
  • Number of rounds can be tweaked via CCCalibratePBKDF
• SecRandomCopyBytes (proxies /dev/random)
  • Use this function to get a sequence of pseudo-random bytes
  • FORGET ABOUT RAND(), SRAND() AND ARC4RANDOM()!!!
• SSLContextRef and manipulating functions
  • Implementation of SSL 3.0 and TLS 1.0
TLS: handshake
TLS: Certificate chains
• AKA “Chains of trust”
• Trusted self-signed certificates also work (by default)
• If certificate’s private key has been stolen, there’s a revocation procedure
• Mechanisms of revocation checks
  • CRL – Certificate Revocation List
  • OCSP – Online Certificate Status Protocol
  • OCSP Stapling – signatures from CA
ATS and its requirements
• Switched on by default; forces the developers to follow security best practices
• ATS-readiness: nscurl utility (OS X 10.11 and above) or CFNETWORK_DIAGNOSTICS=1
• Specifies the following requirements for the connection (and for the server):
• Leaf certificate signed by CA whose certificate is incorporated into the storage of trust
• Minimal TLS protocol version is 1.2
• Non-compromised cipher (AES) and SHA2+ family of hashes (SHA256+) for MAC
• RSA with long key (over 2048 bits) or ECDSA (over 256 bits) for digital signatures
• Perfect forward secrecy required for key exchange protocol (ECDHE)
Cipher suites supporting PFS
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
If PFS is disabled, ATS will support some more ciphers:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
ATS: exceptions
• Configured via NSExceptionDomains dictionary. Works in both directions
• NSIncludesSubdomains
• NSExceptionAllowsInsecureHTTPLoads (+ InWeb/MediaContent)
• NSExceptionRequiresForwardSecrecy
• NSExceptionMinimumTLSVersion
• ATS completely switched off by specifying NSAllowsArbitraryLoads: YES
• When to use: IP addresses used instead of FQDN
• Compatible with NSExceptionDomains (see Examples there)
• If ATS is disabled, standard HTTPS validations are still performed
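A check that can run in a unit test or debug build and reports every ATS setting that weakens the default policy, as an added Swift example (not part of the original slides). The type and function names and the sample dictionary are constructed for illustration; NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoadsForMedia are Apple's documented keys, assumed to be what the slide abbreviates as "InWeb/MediaContent".

```swift
import Foundation

struct ATSFinding: Equatable {
    let scope: String   // "global" or the exception domain name
    let key: String
    let detail: String
}

/// Returns one finding per ATS setting that weakens the default policy.
func auditATS(infoDictionary: [String: Any]) -> [ATSFinding] {
    guard let ats = infoDictionary["NSAppTransportSecurity"] as? [String: Any] else {
        return []   // no ATS dictionary: the defaults apply and ATS is fully on
    }
    var findings: [ATSFinding] = []

    let globalSwitches = ["NSAllowsArbitraryLoads",
                          "NSAllowsArbitraryLoadsInWebContent",
                          "NSAllowsArbitraryLoadsForMedia"]
    for key in globalSwitches where (ats[key] as? Bool) == true {
        findings.append(ATSFinding(scope: "global", key: key,
                                   detail: "ATS requirements are dropped outside the listed exception domains"))
    }

    let domains = ats["NSExceptionDomains"] as? [String: Any] ?? [:]
    for (domain, value) in domains.sorted(by: { $0.key < $1.key }) {
        guard let settings = value as? [String: Any] else { continue }
        let includesSubdomains = (settings["NSIncludesSubdomains"] as? Bool) == true
        let scope = includesSubdomains ? "\(domain) and subdomains" : domain

        if (settings["NSExceptionAllowsInsecureHTTPLoads"] as? Bool) == true {
            findings.append(ATSFinding(scope: scope, key: "NSExceptionAllowsInsecureHTTPLoads",
                                       detail: "plain HTTP is allowed"))
        }
        if (settings["NSExceptionRequiresForwardSecrecy"] as? Bool) == false {
            findings.append(ATSFinding(scope: scope, key: "NSExceptionRequiresForwardSecrecy",
                                       detail: "cipher suites without forward secrecy are accepted"))
        }
        if let minimum = settings["NSExceptionMinimumTLSVersion"] as? String,
           ["TLSv1.0", "TLSv1.1"].contains(minimum) {
            findings.append(ATSFinding(scope: scope, key: "NSExceptionMinimumTLSVersion",
                                       detail: "minimum TLS version lowered to \(minimum)"))
        }
    }
    return findings
}

// Constructed sample input. In a test target, pass Bundle.main.infoDictionary ?? [:] instead.
let legacyDomain: [String: Any] = [
    "NSIncludesSubdomains": true,
    "NSExceptionAllowsInsecureHTTPLoads": true,
    "NSExceptionMinimumTLSVersion": "TLSv1.0"
]
let apiDomain: [String: Any] = ["NSExceptionRequiresForwardSecrecy": false]
let constructedATS: [String: Any] = [
    "NSAllowsArbitraryLoads": true,
    "NSExceptionDomains": ["legacy.example.com": legacyDomain, "api.example.com": apiDomain]
]
let constructedInfo: [String: Any] = ["NSAppTransportSecurity": constructedATS]
let constructedFindings = auditATS(infoDictionary: constructedInfo)
```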
Certificate validation
• NSURLSession => NSURLAuthenticationChallenge
• NSURLProtectionSpace => auth method == ServerTrust, serverTrust contains the certificate.
• The algorithm is simple: set policy and validate server trust
• You can validate fingerprints of the certificates (“lightweight” pinning). Use SecCertificate... functions
• Several policies are supported (CRL, OCSP, OCSP Stapling)
• You can choose between pinned and system certificates (SecTrustSetAnchorCertificates/Only)
• Call SecTrustEvaluate/Async and check the result – it should be either Proceed or Unspecified
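The validation steps listed above as an NSURLSession delegate that trusts only bundled anchor certificates for one host, as an added Swift example (not part of the original slides). The class name, the pinned host and the DER-encoded anchor data are hypothetical inputs; the example assumes iOS 12 or later and uses SecTrustEvaluateWithError, the successor of SecTrustEvaluate, before reading the trust result.

```swift
import Foundation
import Security

final class PinnedAnchorDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let anchors: [SecCertificate]

    /// `anchorDERs` holds DER-encoded CA certificates shipped with the app (hypothetical input).
    /// Initialisation fails if any of them cannot be parsed.
    init?(pinnedHost: String, anchorDERs: [Data]) {
        let certificates = anchorDERs.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
        guard !certificates.isEmpty, certificates.count == anchorDERs.count else { return nil }
        self.pinnedHost = pinnedHost
        self.anchors = certificates
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for the pinned host are handled here;
        // everything else keeps the system's default validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if PinnedAnchorDelegate.evaluate(trust, host: space.host, anchors: anchors) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Set the policy, restrict the anchors, evaluate, then check the result.
    static func evaluate(_ trust: SecTrust, host: String, anchors: [SecCertificate]) -> Bool {
        // SSL policy for a server certificate, including the hostname check.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              // true: trust only the pinned anchors, not the system store.
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            return false
        }
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else { return false }

        var result = SecTrustResultType.invalid
        guard SecTrustGetTrustResult(trust, &result) == errSecSuccess else { return false }
        return result == .proceed || result == .unspecified
    }
}

// Usage (inside the app): create the session with the delegate, for example
// URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
```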
Recipes
Securing your cached data
• If you use Core Data – use NSValueTransformer
  • Alternative: transient properties. NO FTS!
• If you use SQLite – SQLCipher or SEE
• If you use any other kind of file
  • Assign this file to a sufficient protection class
  • Use AES encryption before writing to the disk
• If you want to save credentials
  • Encrypted, salted and hashed in Keychain
  • Use steganography, Luke
Web views and caching web/HTTP content
• You have a tough choice: WKWebView vs UIWebView vs SFSafariViewController
• Good old UIWebView is affected by global HTTP cache policy
• Modern WKWebView is generally safer – it’s running in an external process
• Fresh SFSafariViewController requires no ATS tweaks to support arbitrary web content
• Configure HTTP headers for cache management wisely! Use no-cache; no-store
• NSURLCache + NSHTTPCookieStorage vs. WKWebsiteDataStore
• Clean up everything which may be sensitive
• Grab/set cookies manually using JavaScript controllers for WKWebView. Yes, it’s painful
How to get a good encryption key?
• DO NOT
• Use your password or H(password) as a key
• Rely only on device-stored or device-specific information
• Cache the calculated key anywhere, even in memory
• DO (3-2-1 principle)
• Use password-based key derivation functions (PBKDF2)
• Use multiple iterations of hash/key derivation function (10k+)
• Use graphical pattern/secure PRNG to derive a part of your key
• Split the arguments of your KDF and store them in different places
• Use salt to make it harder to crack the key
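The DO list above with the CommonCrypto and Security calls named earlier in the deck (SecRandomCopyBytes, CCCalibratePBKDF, CCKeyDerivationPBKDF), as an added Swift example (not part of the original slides). All type and function names are hypothetical; the 16-byte salt, HMAC-SHA256 as the PRF and the 100 ms calibration target are assumptions of this example, and the derived key is wiped after use rather than cached.

```swift
import Foundation
import CommonCrypto
import Security

enum KeyDerivationError: Error {
    case randomFailed(OSStatus)
    case derivationFailed(Int32)
}

/// Non-secret KDF inputs. Persist these (for example next to the ciphertext);
/// the password and the derived key are never stored.
struct KDFParameters {
    let salt: [UInt8]
    let rounds: UInt32
}

let derivedKeyLength = kCCKeySizeAES256   // 32 bytes for AES-256
let minimumRounds: UInt32 = 10_000        // floor taken from the slide ("10k+")

/// Random bytes from the system CSPRNG, not rand()/srand()/arc4random().
func secureRandomBytes(_ count: Int) throws -> [UInt8] {
    var bytes = [UInt8](repeating: 0, count: count)
    let status = SecRandomCopyBytes(kSecRandomDefault, count, &bytes)
    guard status == errSecSuccess else { throw KeyDerivationError.randomFailed(status) }
    return bytes
}

/// Fresh salt plus a round count calibrated for this device, never below the floor.
func makeKDFParameters(passwordLength: Int, targetMilliseconds: UInt32 = 100) throws -> KDFParameters {
    let salt = try secureRandomBytes(16)
    let calibrated = CCCalibratePBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
                                      passwordLength, salt.count,
                                      CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                                      derivedKeyLength, targetMilliseconds)
    return KDFParameters(salt: salt, rounds: max(calibrated, minimumRounds))
}

/// Derives the key, hands it to `body`, and wipes the buffer before returning,
/// so the key exists in memory only for the duration of the call.
func withDerivedKey<T>(password: String,
                       parameters: KDFParameters,
                       _ body: (UnsafeRawBufferPointer) throws -> T) throws -> T {
    var key = [UInt8](repeating: 0, count: derivedKeyLength)
    defer { _ = memset_s(&key, derivedKeyLength, 0, derivedKeyLength) }

    let status = CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
                                      password, password.utf8.count,
                                      parameters.salt, parameters.salt.count,
                                      CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                                      parameters.rounds,
                                      &key, derivedKeyLength)
    guard status == Int32(kCCSuccess) else { throw KeyDerivationError.derivationFailed(status) }
    return try key.withUnsafeBytes(body)
}

// Usage (inside the app), with a password typed by the user:
//   let parameters = try makeKDFParameters(passwordLength: password.utf8.count)
//   try withDerivedKey(password: password, parameters: parameters) { keyBytes in
//       // encrypt or decrypt with keyBytes here; do not copy it out of the closure
//   }
```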
Building secure authentication scheme
• Do not transfer passwords
  • Unencrypted
  • Weakly encrypted
  • Hashed few times
• Prevent stealing session ID and fixation attacks
• Use tokens/session IDs with limited TTL and explicit expiration time
• Store tokens securely
• Even if a request has been intercepted
• Resistance against replay attack – digest authentication, nonce values
• Resistance against brute-force attack – account lockout policies
• Let users identify their “trusted” locations - warn them via a side channel (i.e., SMS codes)
• Supply only generic information about authentication failures to the users
And something more…
• Use ptrace() to catch and deny debuggers in Release mode
• Clean Pasteboard while going into background
• Forbid auto-correction for “sensitive” text fields
• Introduce password policies (complexity, expiration, leaked passwords)
• Cover views with splash screen or blur them
• Use 2FA/MFA – push messages/code generation apps/hardware tokens/API keys
• “Lock” application or perform logout after a predefined period of inactivity
• Remember: it’s better to protect against particular threats
Keep this in mind!
If you’re using a non-public-domain implementation of encryption algorithms, you’re responsible for its registration in CCATS (Bureau of Industry and Security)
Read this article for more details
Fortunately, iTunes Connect lets you select one of the predefined options during the binary submission (personal/health data, network connections, banking transactions)
Even implicit usage of encryption (via SQLCipher or HTTPS connections) makes you answer “YES” in iTunes Connect
Contact Apple Support DIRECTLY in case of issues with “crypto” app submission
Further reading
Other materials
• Useful web links
  • PKCS – Public Key Cryptography Standards
  • iOS Encryption
  • iOS Developer Cheat Sheet from OWASP
• Books
  • J. Zdziarski. Hacking and securing iOS Applications
• Watch WWDC videos
  • WWDC 2010, Session 209 – Securing your application data
  • WWDC 2011, Session 202 – Security overview
  • WWDC 2011, Session 208 – Securing iOS Applications
  • WWDC 2012, Session 704 – The Security Framework
  • WWDC 2013, Session 709 – Protecting Secrets with the Keychain
  • WWDC 2014, Session 711 – Keychain and Authentication with Touch ID
  • WWDC 2015, Session 706 – Security and your apps
Other materials
More web links
iOS App Security
Zdziarski Blog
HTTP Server trust evaluation
SSL Pinning with self-signed certificates
Penetration testing for iPhone applications
TN2232: Server Trust Evaluation
App Transport Security
…And even more web links…
iPhone Forensics: Analysis of iOS Backups
Password storage cheat sheet
How to store salt correctly (v1)?
How to store salt correctly (v2)?
Changing passwords when files are encrypted with PBKDF2-derived key
PBKDF2 and password history
Salted password hashing – doing it right
"Mobile security: iOS", Yaroslav Vorontsov, DataArt

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareinfo611746
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfOrtus Solutions, Corp
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAlluxio, Inc.
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisNeo4j
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessWSO2
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILNatan Silnitsky
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAlluxio, Inc.
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownloadvrstrong314
 

Recently uploaded (20)

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 

"Mobile security: iOS", Yaroslav Vorontsov, DataArt

  • 1. New York USA London UK Munich Germany Zug Switzerland Mobile Security: iOS Yaroslav Vorontsov, Software Architect, Tech Lead
  • 2. Agenda • Introduction: security overview • Security whitepaper overview • Attacking iOS applications • Overview of Security APIs • Ready-to-use recipes • More materials
  • 4. Theoretical base • Probability theory: negligibility • PRNG: Hardware vs Software • Crypto basics: PRF/PRP • Symmetric and asymmetric encryption • OTP – Vernam cipher • Hashes and MACs • Attacks on encryption • Network and telecommunications • ISO/OSI stack: session level – SSL and TLS • Key generation/distribution schemes • Diffie-Hellman and Kerberos • Trust and certificates • Public and private keys • Documents: PKCS, RFC
  • 5. Terms Identification – providing evidence of an identity Authentication – validation of identity Authorization – check of privileges 2FA/MFA – two-/multi-factor authentication UID/GID – User/Group ID Key wrapping – Encryption of an encryption key MDM – Mobile Device Management
  • 7. Main document • Boot process and System Software Authorization • Secure Enclave • Passcode and Touch ID policies • AES hardware acceleration • Data protection classes and Keychain protection • Key bags • Other important features
  • 8. Boot process and SSA BootROM LLB iBoot Kernel NAND memory Apple’s root CA key Apple SSA Server
  • 9. Secure Enclave co-processor • Available for A7+ and S2+ CPU families • Contains built-in hardware PRNG • Communicates with CPU via Mailbox (write-only) and encrypted shared memory (read-only) • Responsible for Passcode, Touch ID, Data protection classes • Generates UID on A9+ and newer • Updates its firmware independently • Generates and stores Elliptic-Curve Cryptography keys
  • 10. Passcode and Touch ID (iOS 9+) • Passcode policies: 4-digit, 6-digit, alphanumeric • Checks take 80ms • Interval is increased after N failed attempts • Max 5 fingers for Touch ID • Touch ID – 6 mandatory cases for passcode input • Wipe after 10-12 failed attempts
  • 11. AES in-silicon crypto engine • Chip has embedded keys • User ID is unique for a device • Group ID is unique for a family of CPUs • Keys never leave the crypto engine • However, these keys could be compromised on a jailbroken device by patching the aes_decrypt() function in the iBoot bootloader (read here)
  • 12. File protection classes (class name, description, key derivation and wrapping)
      • NSFileProtectionComplete. Description: files are available only if the device is unlocked. Key derivation and wrapping: class key protected with a key derived from the passcode and device UID.
      • NSFileProtectionCompleteUnlessOpen. Description: some files can be written even if the device is locked. Key derivation and wrapping: asymmetric crypto is used, file key is protected using One-Pass Diffie-Hellman Key Agreement.
      • NSFileProtectionCompleteUntilFirstUserAuthentication. Description: default class for all 3rd party apps; files are unavailable until user enters passcode. Key derivation and wrapping: behaves like NSFileProtectionComplete, except that the key is not wiped during reboot.
      • NSFileProtectionNone. Description: no protection available. Key derivation and wrapping: class key is protected only with the device UID and stored in Effaceable storage.
  • 13. Per-file encryption mechanism • Encryption key (AES256-CBC) is generated by data protection engine and wrapped using file protection class key • Key and SHA1 hash are stored in file’s metadata • Metadata is encrypted using FS key (created on system installation/reset) • When file is accessed, its key is unwrapped and used for decryption
  • 14. Key bags • System: always accessible (no protection) • iTunes Backup: backup password • Escrow: key stored in MDM • iCloud: same as Backup, but uses asymmetric cryptography
  • 15. Other out-of-box features • Code signing – iOS verifies the digital signatures of all executables • Sandboxing – iOS applications are isolated from each other • Least available privileges – iOS applications are running under a user’s account with the least possible privileges • Entitlements – control access to hardware and software features • ASLR – preventing exploits. On by default, compile-time feature • XN – Execute Never flag for all memory pages by default (except signed) • Access limitation – user should explicitly confirm access to Contacts, etc. • Extensions – they inherit all the access rights from their parent applications.
  • 19. Toolkit of a penetration tester (tool, link, description)
      • Charles (http://www.charlesproxy.com/), Burp (http://www.portswigger.net/burp): HTTP and HTTPS proxy servers
      • OpenSSH (http://www.openssh.com/): iPhone SSH connection
      • SQLite 3 (http://www.sqlite.org/): SQLite Database Client
      • GDB (http://www.gnu.org/software/gdb/): GNU Debugger
      • otool (man otool): Display binary information
      • sysctl (man sysctl): Manage kernel parameters
      • cycript (http://www.cycript.org/): Attack runtime
      • Mallory (http://intrepidusgroup.com/insight/mallory): Proxy for binary protocols
      • Wireshark (https://www.wireshark.org/): Sniffer
      • re_tools (https://github.com/emonti/iOS_app_re_tools): Reverse engineering tools
  • 20. Overview of security APIs and mechanisms
  • 21. Built-in Security API • The worst idea ever is to implement all encryption and decryption by yourself • You’re re-inventing the wheel • Your implementation is vulnerable to all kinds of attacks – theoretical and practical • Security framework (C API) • Common Crypto – implementation of the most common symmetric & asymmetric ciphers and hashes. Uses CC- function prefixes. • Keychain API – secure storage for credentials (SecItem- functions) • Certificate management – SecCertificate-, SecTrust- functions. • SSL3.0/TLS1.0 connection management. Should not be used!
  • 22. Keychain and Keychain API • Designed for • Passwords and tokens • Certificates and public/private keys • Application codes and receipts • Data sharing • Requires kSecAttrAccessGroup • Depends on Bundle ID • Entitlements – keychain-access-groups, application-identifier, application-group • Works via keychaind, queries via dictionaries
  • 24. Structure of a keychain item • Encrypted data contents • Label • Access group • Service/Application • Timestamps • Dictionary of attributes • Content itself
  • 25. Keychain items – Protection classes (class name, file system analog, availability)
      • kSecAttrAccessibleWhenUnlocked. File system analog: NSFileProtectionComplete. Availability: when unlocked.
      • N/A. File system analog: NSFileProtectionCompleteUnlessOpen. Availability: while locked.
      • kSecAttrAccessibleAfterFirstUnlock. File system analog: NSFileProtectionCompleteUntilFirstUserAuthentication. Availability: after first unlock.
      • kSecAttrAccessibleAlways. File system analog: NSFileProtectionNone. Availability: always.
      • kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly. File system analog: N/A. Availability: passcode enabled.
  • 26. Sharing data via Keychain • Entitlements • Specify full bundle ID • Same Team ID is required • Prevents unauthorized access • Getting items saved by Safari • Valid only for trusted sites • Trusted sites should be specified in entitlements using domain names • iCloud Keychain
  • 27. Common Crypto API (plain C API) • man CC_crypto, CC_MD5, CC_SHA, CCHmac, CCCryptor • CCCryptor – supports DES, 3DES, AES • CCHmac – API for using message authentication codes • CC_MD and CC_SHA • Access to MD2, MD4, MD5 for compatibility • Access to SHA1 for compatibility and SHA2 modern hashes • kCCAlgSHA1 and kCCAlgMD5 – legacy • kCCAlgSHA2 (224, 256, 384, 512) – modern
  • 28. Other Security APIs • CCKeyDerivationPBKDF (aka PBKDF2) • Number of rounds can be tweaked via CCCalibratePBKDF • SecRandomCopyBytes (proxies /dev/random) • Use this function to get a sequence of pseudo-random bytes • FORGET ABOUT RAND(), SRAND() AND ARC4RANDOM()!!! • SSLContextRef and manipulating functions • Implementation of SSL 3.0 and TLS 1.0
  • 30. TLS: Certificate chains • AKA “Chains of trust” • Trusted self-signed certificates also work (by default) • If certificate’s private key has been stolen, there’s a revocation procedure • Mechanisms of revocation checks • CRL – Certificate Revocation List • OCSP – Online Certificate Status Protocol • OCSP Stapling – signatures from CA
  • 31. ATS and its requirements • Switched on by default; forces the developers to follow security best practices • ATS-readiness: nscurl utility (OS X 10.11 and above) or CFNETWORK_DIAGNOSTICS=1 • Specifies the following requirements for the connection (and for the server): • Leaf certificate signed by CA whose certificate is incorporated into the storage of trust • Minimal TLS protocol version is 1.2 • Non-compromised cipher (AES) and SHA2+ family of hashes (SHA256+) for MAC • RSA with long key (over 2048 bits) or ECDSA (over 256 bits) for digital signatures • Perfect forward secrecy required for key exchange protocol (ECDHE)
  • 32. Cipher suites supporting PFS
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
      • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    If PFS is disabled, ATS will support some more ciphers:
      • TLS_RSA_WITH_AES_256_GCM_SHA384
      • TLS_RSA_WITH_AES_128_GCM_SHA256
      • TLS_RSA_WITH_AES_256_CBC_SHA256
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA256
      • TLS_RSA_WITH_AES_128_CBC_SHA
  • 33. ATS: exceptions • Configured via NSExceptionDomains dictionary. Works in both directions • NSIncludesSubdomains • NSExceptionAllowsInsecureHTTPLoads (+ InWeb/MediaContent) • NSExceptionRequiresForwardSecrecy • NSExceptionMinimumTLSVersion • ATS completely switched off by specifying NSAllowsArbitraryLoads: YES • When to use: IP addresses used instead of FQDN • Compatible with NSExceptionDomains (see Examples there) • If ATS is disabled, standard HTTPS validations are still performed
  • 34. Certificate validation • NSURLSession => NSURLAuthenticationChallenge • NSURLProtectionSpace => auth method == ServerTrust, serverTrust contains the certificate. • The algorithm is simple: set policy and validate server trust • You can validate fingerprints of the certificates (“lightweight” pinning). Use SecCertificate... functions • Several policies are supported (CRL, OCSP, OCSP Stapling) • You can choose between pinned and system certificates (SecTrustSetAnchorCertificates/Only) • Call SecTrustEvaluate/Async and check the result – it should be either Proceed or Unspecified
  • 36. Securing your cached data • If you use Core Data – use NSValueTransformer • Alternative: transient properties. NO FTS! • If you use SQLite – SQLCipher or SEE • If you use any other kind of file • Assign this file to a sufficient protection class • Use AES encryption before writing to the disk • If you want to save credentials • Encrypted, salted and hashed in Keychain • Use steganography, Luke :)
  • 37. Web views and caching web/HTTP content • You have a tough choice: WKWebView vs UIWebView vs SFSafariViewController • Good old UIWebView is affected by global HTTP cache policy • Modern WKWebView is generally safer – it’s running in an external process • Fresh SFSafariViewController requires no ATS tweaks to support arbitrary web content • Configure HTTP headers for cache management wisely! Use no-cache; no-store • NSURLCache + NSHTTPCookieStorage vs. WKWebsiteDataStore • Clean up everything which may be sensitive • Grab/set cookies manually using JavaScript controllers for WKWebView. Yes, it’s painful :)
  • 38. How to get a good encryption key? • DO NOT • Use your password or H(password) as a key • Rely only on device-stored or device-specific information • Cache the calculated key anywhere, even in memory • DO (3-2-1 principle) • Use password-based key derivation functions (PBKDF2) • Use multiple iterations of hash/key derivation function (10k+) • Use graphical pattern/secure PRNG to derive a part of your key • Split the arguments of your KDF and store them in different places • Use salt to make it harder to crack the key
  • 39. Building secure authentication scheme • Do not transfer passwords • Unencrypted • Weakly encrypted • Hashed few times • Prevent stealing session ID and fixation attacks • Use tokens/session IDs with limited TTL and explicit expiration time • Store tokens securely • Even if a request has been intercepted • Resistance against replay attack – digest authentication, nonce values • Resistance against brute-force attack – account lockout policies • Let users identify their “trusted” locations - warn them via a side channel (i.e., SMS codes) • Supply only generic information about authentication failures to the users
  • 40. And something more… • Use ptrace() to catch and deny debuggers in Release mode • Clean Pasteboard while going into background • Forbid auto-correction for “sensitive” text fields • Introduce password policies (complexity, expiration, leaked passwords) • Cover views with splash screen or blur them • Use 2FA/MFA – push messages/code generation apps/hardware tokens/API keys • “Lock” application or perform logout after a predefined period of inactivity • Remember: it’s better to protect against particular threats
  • 41. Keep this in mind! If you’re using a non-public-domain implementation of encryption algorithms, you’re responsible for its registration in CCATS (Bureau of Industry and Security). Read this article for more details. Fortunately, iTunes Connect lets you select one of the predefined options during the binary submission (personal/health data, network connections, banking transactions). Even implicit usage of encryption (via SQLCipher or HTTPS connections) makes you answer “YES” in iTunes Connect. Contact Apple Support DIRECTLY in case of issues with “crypto” app submission.
  • 43. Other materials • Useful web links • PKCS – Public Key Cryptography Standards • iOS Encryption • iOS Developer Cheat Sheet from OWASP • Books • J. Zdziarski. Hacking and securing iOS Applications • Watch WWDC videos • WWDC 2010, Session 209 – Securing your application data • WWDC 2011, Session 202 – Security overview • WWDC 2011, Session 208 – Securing iOS Applications • WWDC 2012, Session 704 – The Security Framework • WWDC 2013, Session 709 – Protecting Secrets with the Keychain • WWDC 2014, Session 711 – Keychain and Authentication with Touch ID • WWDC 2015, Session 706 – Security and your apps
  • 44. Other materials
      • More web links: iOS App Security; Zdziarski Blog; HTTP Server trust evaluation; SSL Pinning with self-signed certificates; Penetration testing for iPhone applications; TN2232: Server Trust Evaluation; App Transport Security
      • …And even more web links…: iPhone Forensics: Analysis of iOS Backups; Password storage cheat sheet; How to store salt correctly (v1)?; How to store salt correctly (v2)?; Changing passwords when files are encrypted with PBKDF2-derived key; PBKDF2 and password history; Salted password hashing – doing it right
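Slides 28 and 38 name CCKeyDerivationPBKDF, CCCalibratePBKDF and SecRandomCopyBytes as the way to get an encryption key from a password. The following Swift sketch is an added example, not code from the deck; the type and function names, the 16-byte salt and the 100 ms calibration target are assumptions.

```swift
import Foundation
import CommonCrypto
import Security

enum KeyDerivationError: Error {
    case randomFailed(OSStatus)
    case derivationFailed(Int32)
}

/// Inputs needed to re-derive the key later (hypothetical type). Neither value
/// is secret, but slide 38 suggests storing them in different places.
struct KDFParameters {
    let salt: Data
    let rounds: UInt32
}

/// Fresh salt from the system CSPRNG, never rand()/srand()/arc4random().
func makeSalt(length: Int = 16) throws -> Data {
    var bytes = [UInt8](repeating: 0, count: length)
    let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard status == errSecSuccess else { throw KeyDerivationError.randomFailed(status) }
    return Data(bytes)
}

/// Round count that costs about `targetMs` on this device, never below the
/// 10k floor given on slide 38.
func calibratedRounds(passwordLength: Int, saltLength: Int,
                      keyLength: Int, targetMs: UInt32 = 100) -> UInt32 {
    let measured = CCCalibratePBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
                                    passwordLength, saltLength,
                                    CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                                    keyLength, targetMs)
    return max(measured, 10_000)
}

/// PBKDF2-HMAC-SHA256 over the UTF-8 password; returns an AES-256 sized key.
func deriveKey(password: String, parameters: KDFParameters,
               keyLength: Int = kCCKeySizeAES256) throws -> Data {
    let passwordBytes = Array(password.utf8CString.dropLast()) // drop trailing NUL
    let saltBytes = [UInt8](parameters.salt)
    var derived = [UInt8](repeating: 0, count: keyLength)
    let status = CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
                                      passwordBytes, passwordBytes.count,
                                      saltBytes, saltBytes.count,
                                      CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                                      parameters.rounds,
                                      &derived, derived.count)
    guard status == Int32(kCCSuccess) else {
        throw KeyDerivationError.derivationFailed(status)
    }
    return Data(derived)
}

/// First-time setup: new salt, calibrated rounds, derived key.
/// Persist `parameters` only; re-derive the key on demand instead of caching it.
func makeKey(for password: String) throws -> (key: Data, parameters: KDFParameters) {
    let salt = try makeSalt()
    let rounds = calibratedRounds(passwordLength: password.utf8.count,
                                  saltLength: salt.count,
                                  keyLength: kCCKeySizeAES256)
    let parameters = KDFParameters(salt: salt, rounds: rounds)
    return (try deriveKey(password: password, parameters: parameters), parameters)
}
```

Because the round count is calibrated per device, it has to be stored with the salt; deriving with a different count yields a different key.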
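Slide 34 describes certificate validation as "set policy and validate server trust" with a choice between pinned and system certificates. The following Swift delegate is an added example, not code from the deck: the class name and its initializer are hypothetical, and it calls SecTrustEvaluateWithError (iOS 12+), which returns true for the Proceed and Unspecified results the slide checks for with SecTrustEvaluate.

```swift
import Foundation
import Security

/// URLSession delegate that trusts only bundled anchors for one host
/// (hypothetical class; all other hosts keep default system validation).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let anchors: [SecCertificate]

    /// `derCertificates`: DER-encoded CA (or self-signed) certificates shipped in the app.
    init?(host: String, derCertificates: [Data]) {
        let certs = derCertificates.compactMap {
            SecCertificateCreateWithData(nil, $0 as CFData)
        }
        // Refuse to build a delegate if any bundled certificate failed to parse.
        guard !certs.isEmpty, certs.count == derCertificates.count else { return nil }
        self.pinnedHost = host
        self.anchors = certs
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              space.host == pinnedHost else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if evaluate(trust, host: space.host) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: no fallback to the system trust store for the pinned host.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    private func evaluate(_ trust: SecTrust, host: String) -> Bool {
        // 1. Set policy: TLS server policy bound to the host name, plus a
        //    revocation policy (CRL/OCSP) when the system can create one.
        var policies: [SecPolicy] = [SecPolicyCreateSSL(true, host as CFString)]
        if let revocation = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod) {
            policies.append(revocation)
        }
        guard SecTrustSetPolicies(trust, policies as CFArray) == errSecSuccess,
              // 2. Pinned instead of system certificates.
              SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            return false
        }
        // 3. Validate server trust.
        var error: CFError?
        return SecTrustEvaluateWithError(trust, &error)
    }
}
```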
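Slides 22 and 25 note that the Keychain is queried via dictionaries and that each item carries a protection class. The following Swift wrapper is an added example, not code from the deck; the `KeychainStore` type and its method names are hypothetical, and the access group only works if it is listed in the app's keychain-access-groups entitlement.

```swift
import Foundation
import Security

/// Minimal generic-password store (hypothetical helper type).
struct KeychainStore {
    let service: String
    let accessGroup: String?   // set only for sharing between apps of one team

    /// Attributes that identify one item; reused by every call below.
    private func baseQuery(account: String) -> [String: Any] {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        if let group = accessGroup {
            query[kSecAttrAccessGroup as String] = group
        }
        return query
    }

    /// Adds the item, or updates it if it already exists. The protection class
    /// defaults to kSecAttrAccessibleWhenUnlocked from slide 25.
    func save(_ secret: Data, account: String,
              accessible: CFString = kSecAttrAccessibleWhenUnlocked) -> OSStatus {
        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = secret
        attributes[kSecAttrAccessible as String] = accessible
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecDuplicateItem else { return status }

        let changes: [String: Any] = [
            kSecValueData as String: secret,
            kSecAttrAccessible as String: accessible
        ]
        return SecItemUpdate(baseQuery(account: account) as CFDictionary,
                             changes as CFDictionary)
    }

    /// Returns nil when the item is missing or not readable in the current
    /// lock state (errSecInteractionNotAllowed for a WhenUnlocked item).
    func load(account: String) -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else {
            return nil
        }
        return item as? Data
    }

    /// Removes the item, for example on logout.
    func delete(account: String) -> OSStatus {
        return SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}
```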