Download to read offline
![[Wroclaw #2] iOS Security - 101](https://cdn.slidesharecdn.com/ss_thumbnails/owaspios101-160429210915-thumbnail.jpg?width=640&height=640&fit=bounds)
![OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]](https://cdn.slidesharecdn.com/ss_thumbnails/opensouthcode19-applicationsecurityfundamentals-210905095336-thumbnail.jpg?width=640&height=640&fit=bounds)
Research Group Presentation
- 1. iOS Team Yu Wang(Tommy ) Kunlakan (Jeen) Cherdchusilp
- 2.
- 3. Origin Crossing Intent Web-accessing class URLscheme “youtube://watch?toke n=xxx”
- 4. Solution Morbs - originbased protection mechanism Labels every message with its origin Customize specific security policy
- 5. Security Techniques forMHS What’s the major problem?
- 6.
- 7. Major problem inhealthcare: Lack of ability from patient/physician for frequent health monitoring Smartphone and PDAs: Overcome such a barrier due to its functionality Strong impact on: typical remote monitoring system healthcare alerting system clinical and administrative data collection patient records maintain
- 8. Mobile Health Application DevelopmentLimitation 1. Small Screen 2. Limited Storage Space & Slow Processing 3. Security Limitation 4. Inadequate Third Party Application Support
- 9. Without Jailbreak 1. UsingAFC Protocol to Retrieve Data Stored on the Device 2. Retrieving Data From Backups With Jailbreak 1. Retrieving User Password & Keychain Content 2. Retrieving the 0x835 Key Practical iOS Attacks
- 10. Defending iOS Application Checkingfor Jailbreak: Check for jailbreak files such as “/Application/Cydia.app”, “/bin/apt/”, “/usr/sbin/sshd/”… Checking for shell which comes with jailbreak. calling system(0) nonzero → shell is available. zero → shell is not available Defending Technique: 1. Anti-Analysis 1 Use anti-debugging feature 2. Anti-Analysis 2 Silently wipe all confidential data and encryption keys.
- 11. Future Work Collaboration withschool of IAS Stress Evaluation App in summer
Editor's Notes
- #2 focusing on not only construction and development of ios application on health perspective, but also trying to introduce our own security mechanism into our research project. In order to achieve this goal and gain this domain-specific knowledge, our group have kept researching in this quarter by reviewing published papers to broaden our overall insight on this specific topic. me: security problem on mobile computing and the solutions Jeen: why we need to use mobile devices in health service; some of practical attacks and the mitigations
- #3 in papers i have reviewed, researchers discovered security problems, two of them
- #4 unlike the traditional web browser, today’s mobile os do not have a comparable security mechanism such as SOP, which prevents the the resource of one domain directly accessing the resource from different domain, as a result, those resource could be exposed to the harms from a malicious origin on the mobile device. three ways to communicate intent: it’s an inter-process msg delivered through an IPC, only available on android provided several utility class for apps to communicate with the web scheme allows an app or web service to use a URL to invoke another app on ios, when such a call is invoked, the os will launch the target app with this URL as input example: health care provider’s device, app launched by an URL from malicious origin to overdose to a patient.
- #5 so that the devs could build protections based on such information like devs could specify their intentions such as creating the form of whitelist of origins can get msg from and send the msg to
- #6 DDos as one of major threats in current internet and the challenges when it comes to dealing with the attacks on mobile device because of their limited resource.
- #7 some of researchers introduced techniques for contracting denial of service on mobile devices that being used in provision of mobile health services. Their model makes use of IPSec protocol for traceback and prevention of attack traffic at upstream nodes As shown in Figure 1, the information captured by different body sensors is forwarded to user’s mobile device using wireless technologies such as Bluetooth, and WLAN. And since the body sensor information has to be accessed by the HSPs, this could incur high overhead on the mobile devices for storing the keys required for secure communication, establishing secure channels and transferring the body sensor information. In addition, the mobile devices are also used for other purposes such as accessing internet, social networks and playing online games, so they are easily vulnerable to DoS attacks in Current Scenario. Figure 2 shows the proposed model for securing the mobile healthcare services. They consider that all users’ traffic that need to be protected from DoS attacks passed through a Security Enforcement Component ( SEC ). SEC can be implemented on an existing router or can be realized as add on module to existing routers. So in this model, the attacks can be prevented at the upstream nodes which co-operate with the SEC.
- #8 Major problem in healthcare is the lack of ability from patient/physician for frequent health monitoring, especially for patient who live in remote rural area or travel constantly are still inaccessible to receive health monitoring or treatment. Smartphone and personal digital assistants (PDAs) has several technologies – such as Wi-Fi, 3G/GSM, GPS receiver, and processing and storage capability – that make a strong impact on health-care models such as typical remote monitoring system, healthcare alerting system, clinical and administrative data collection, patient records maintain, healthcare delivery program, and detection and prevention system.
- #9 Small Screen Minimize text-based data entry Limited Storage Space & Slow Processing Data should be store on file other than database on mobile application Complicated tasks and storage function should be mostly on the desktop application Choose a device that supports Compact Framework. Security Limitation & Inadequate Third Party Application Support Select the device and implementation platform that supports those developments.