APIs are the building blocks of interoperability on the web and are a key component of scalable and successful technology companies. As externally-consumable APIs expose more information and functionality, ensuring privacy and security of customer data is an increasingly risky proposition. In this session, we’ll talk about some of Slack’s learnings around building Developer APIs and best practices for keeping your APIs safe.
Slides originally for a presentation at the Rocky Mountain Technology Summit. Slightly reduced content.
Fragments-Plug the vulnerabilities in your AppAppsecco
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse? How an attacker perceives security of mobile app?
https://youtu.be/EzC86gWVPZk
iOS Security: The Never-Ending Story of Malicious ProfilesYair Amit
iOS is probably the most security mobile operating system nowadays. However, is it enough? Last year, we identified the malicious profiles attack, which leverages features of iOS to grant remote hackers deep control over victim’s devices. This presentation reviews recent threats, their evolvements and uncover a new vulnerability that makes it possible to effectively conceal attacks.
APIs are the building blocks of interoperability on the web and are a key component of scalable and successful technology companies. As externally-consumable APIs expose more information and functionality, ensuring privacy and security of customer data is an increasingly risky proposition. In this session, we’ll talk about some of Slack’s learnings around building Developer APIs and best practices for keeping your APIs safe.
Slides originally for a presentation at the Rocky Mountain Technology Summit. Slightly reduced content.
Fragments-Plug the vulnerabilities in your AppAppsecco
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse? How an attacker perceives security of mobile app?
https://youtu.be/EzC86gWVPZk
iOS Security: The Never-Ending Story of Malicious ProfilesYair Amit
iOS is probably the most security mobile operating system nowadays. However, is it enough? Last year, we identified the malicious profiles attack, which leverages features of iOS to grant remote hackers deep control over victim’s devices. This presentation reviews recent threats, their evolvements and uncover a new vulnerability that makes it possible to effectively conceal attacks.
Due to the fast-growing on mobile application trends along with business competition, the lack of security concern on mobile development become critical issues which may lead to reputation damage, financial loss and non-compliance (e.g. Privacy and Cybersecurity laws). It's time to focus on Mobile Defense-in-Dev(Depth) !!
The talk will provide the real-world case-studies on mobile application threats in conjunction with the cybersecurity risk mitigation using Secure development standard and guideline which should be integrated into the development process.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7
This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
As the pace of Microsoft SharePoint adoption continues, most organizations are turning to third party add-ons to support demands for functionality. It's for these reasons that experts compare SharePoint without add-ons to an iPhone without apps. Third party add-ons, however, arrive pre-packaged with unique security risks -- vulnerabilities that IT cannot directly fix.
This presentation will (1) identify risks associated with using SharePoint plug-ins and web parts developed by third parties (2) describe how hackers target and exploit third-party code using attacks such as SQL injection (3) Introduce a three-layered approach to securing SharePoint.
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
The curious case of mobile app security.pptxAnkit Giri
A talk on the essence of Mobile app and mobile security. The agenda was as follows:
Why we need to secure the mobile apps!
What do you check when installing an app ?
Mobile app security assessment
Some interesting cases of vulnerabilities
Let’s takeover your account
My Research and reported vulnerabilities
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.
The session will provide the risk of insecure mobile application development in various types with demonstration; Client-side, Communication channel and Server side. The presentation includes case study of insecure development practice which lead attacker to abuse the vulnerable application (e.g. Coin/Gem cheating on gaming app, Bypassing security control on client-side and server-side).
Oh, WASP! Security Essentials for Web AppsTechWell
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
Identified by OWASP as one of the top-10 security threats facing developers, Underprotected APIs are subject to common exploitation that can be difficult to detect. This presentation outlines the reasoning and methodology behind securing these APIs. By Adam Cecchetti, CEO of Deja vu Security
Due to the fast-growing on mobile application trends along with business competition, the lack of security concern on mobile development become critical issues which may lead to reputation damage, financial loss and non-compliance (e.g. Privacy and Cybersecurity laws). It's time to focus on Mobile Defense-in-Dev(Depth) !!
The talk will provide the real-world case-studies on mobile application threats in conjunction with the cybersecurity risk mitigation using Secure development standard and guideline which should be integrated into the development process.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7
This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
As the pace of Microsoft SharePoint adoption continues, most organizations are turning to third party add-ons to support demands for functionality. It's for these reasons that experts compare SharePoint without add-ons to an iPhone without apps. Third party add-ons, however, arrive pre-packaged with unique security risks -- vulnerabilities that IT cannot directly fix.
This presentation will (1) identify risks associated with using SharePoint plug-ins and web parts developed by third parties (2) describe how hackers target and exploit third-party code using attacks such as SQL injection (3) Introduce a three-layered approach to securing SharePoint.
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
The curious case of mobile app security.pptxAnkit Giri
A talk on the essence of Mobile app and mobile security. The agenda was as follows:
Why we need to secure the mobile apps!
What do you check when installing an app ?
Mobile app security assessment
Some interesting cases of vulnerabilities
Let’s takeover your account
My Research and reported vulnerabilities
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.
The session will provide the risk of insecure mobile application development in various types with demonstration; Client-side, Communication channel and Server side. The presentation includes case study of insecure development practice which lead attacker to abuse the vulnerable application (e.g. Coin/Gem cheating on gaming app, Bypassing security control on client-side and server-side).
Oh, WASP! Security Essentials for Web AppsTechWell
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
Identified by OWASP as one of the top-10 security threats facing developers, Underprotected APIs are subject to common exploitation that can be difficult to detect. This presentation outlines the reasoning and methodology behind securing these APIs. By Adam Cecchetti, CEO of Deja vu Security
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
Explore how FIDO UAF works, how to perform FIDO registration, and how FIDO is used in the world today, as well as the process from start to finish of UAF authentication.
From FIDO Alliance Seminar in Washington, D.C., October, 2015.
From Reversing to Exploitation: Android Application Security in EssenceSatria Ady Pradana
Seminar on Explicit's Art of Hacking
Telkom University Bandung
Bandung, 2017-11-04
Android security mostly seen as only "exploiting the device with RAT" and some of it. Here, I want to show that there are more than that.
Seminar on November 4, 2017
Currently many things has its own app on android. Are they secure enough? What if they are not engineered with security in mind? But most importantly, can we do something to them?
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays
apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance
April 21 & 22, 2021
Why verifying user identity Is not enough In 2021
David Stewart, CEO of Approov
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
As companies move towards offering SaaS products in the cloud, it becomes increasingly important to ensure these products are secured by default. This is because customers are no longer in control of their data, but data now resides on a third-party cloud provider.
Security is everyone's responsibility. It is now imperative that these cloud products be built with security in mind from the beginning.
In this session, Anshuman Bhartiya will discuss ways to build secure applications in the cloud.
Security engineering 101 when good design & security work togetherWendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesBlueboxer2014
This year at RSA 2015, Andrew Blaich, lead security analyst at Bluebox, presented the findings of his in-depth investigation into the PKI certificate authorities (CA) that are shipped on mobile devices. The findings proved that users must assume a zero-trust model with their mobile devices to ensure their data is protected from potential risk.
Read more about Andrew’s research here:
https://bluebox.com/blog/technical/cnnic-latest-ca-security-compromise-further-questions-the-trustability-of-devices/
https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/
4. We’re software company, not an agency :)
iOS engineer / mobile architect
I will talk about what’s important when building a software product.
5. TRUST
I think the most important is not a scale, performance, but a trust.
When we deal with customer’s data, they trust us.
It’s especially important in the age of GDPR.
Above all it’s good to know about security features of iOS when you deal with law enforcement, especially in time of unrest.
6. If something can harm your business, it will be security leak.
It’s easy to loose a trust by a data breach, and hard to regain.
Some customers may quickly jump the ship.
7.
8. MOTIVATORS
INTERNAL
EXTERNAL
Where are drivers of your care about security?
Inside - you care about your users.
Outside - you care about prospective contract and allow external audit. PREPARE.
13. HTTPS
TRUSTED CERTIFICATE
TLS 1.2
…
It does by putting some restrictions, like using encrypted channel.
Trusted Certificates - the other party of connection is verified.
TLS in a version considered safe (at least for now).
Previous were vulnerable to number of attacks.
14. ATS EXCEPTIONS
GLOBALLY
PER DOMAIN
NSAllowArbitraryLoads
NSExceptionAllowsInsecureHTTPLoads
Some sites may be incompatible with ATS, and there’s way to add exceptions.
You can either set them for all application or specific domain.
AllowArbitraryLoads - disable all ATS features. Should trigger review and you have to testify.
AllowInsecureHTTPLoads - just enables HTTP, e.g. weather charts from state agency.
15. ATS EXCEPTIONS IN RELEASED BINARY
Even though apple says exception trigger additional review, loosening protection too much may get unnoticed.
Next slide: MITM
17. Here’s a hacker. a malicious person willing to tap into communication.
18. No, maybe that one. This is real pro - wears a mask, he knows that FBI may be watching thru the webcam.
19. So we have app communicating with backend and that is good.
20. Imagine malicious actor trying to intercept communication.
By setting up free wifi or hacking into network you are in.
21. FAKE
1. Certificate will do the job, right? It is issued by trusted organization, bound to server.
2. Attacker prepares forged cert, which (in normal conditions) has to be self-signed. The app will alert that something is wrong. We cannot trust that fake cert.
3. Not always, he may install CA Cert into device’s trust store under attack. That makes forged certificate trusted and app continues to work
23. FAKE
We can store the server certificate in the app bundle and compare with the one on the server when connection is established.
24. SSL CERTIFICATE PINNING
AGAINST CERTIFICATE
AGAINST PUBLIC KEY
It does not solve the weakness of the certificate authorities certificate signing process. But minimize the window of opportunity.
Against CERT: need to publish new version of app when new cert is available; old versions stop working. Overlap needed.
Against Public key: not affected by frequently rotating certificates (provided all are signed with the same key)
25. COMMUNICATION
PROCESS
Pinning may be tricky.
* Establish a process: system engineers need to notify mobile devs that certificate is about to expire.
* Reminder of certificate expiring soon.
* Key pinning - make sure key will not change.
26. PER-APP VPN
Additional layer of safety.
If transport security is still a concern, consider this.
It’s enterprise feature and requires additional MDM software.
iOS 9+
No development required.
27. DATA STORE SECURITY
Everything on device is encrypted. Apple built pretty sophisticated data protection based on cryptography and it is in software and hardware.
29. File Metadata
File Contents
File Key
Filesystem Key
Class Key
Passcode Key
Hardware Key
Hardware key based on UID.
Passcode provides entropy. Use Touch ID/Face ID to use better passcodes.
With iOS 8 all encryption keys are on device. Apple can’t extract data, they have no advantage.
80 ms every check.
6-alphanumeric - 5 years brute force.
36. KEYCHAIN
Keychain is a great place to store small amounts of sensitive data securely, like passwords, keys.
The API is low-level. And I mean low-level.
37. OSStatus SecItemAdd(CFDictionaryRef attributes,
CFTypeRef _Nullable *result);
OSStatus SecItemUpdate(CFDictionaryRef query,
CFDictionaryRef attributesToUpdate);
OSStatus SecItemDelete(CFDictionaryRef query);
OSStatus SecItemCopyMatching(CFDictionaryRef query,
CFTypeRef _Nullable *result);
The procedural API is very verbose and you want a wrapper. There are 153 of them.
The keychain is a database.
38. let dictionary = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: "user124",
kSecValueData as String: “P@ssW0rd",
kSecAttrService as String: “AwesomeApp”,
kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked
] as [String:Any]
The Keychain API is very verbose and flexible.
Almost all functions need passing a dictionary as a parameter, both for querying and for setting a value.
44. AUTHORIZATION CODE GRANT
The App
Authorization Server
Resource Server
Authorization request
Authorization Code
Call API with Access Token
Data response
Web Browser
Redirect to
Requests Access Token
Provides Access Token
Such session management is safer.
Elaborate but guarantees:
1. App does not know password, never sees the credentials.
2. User can trust, because they enter credentials on trusted website.
3. You can expire the token at any time no need to reset password
4. Control apps
45. USER CREDENTIALS GRANT
The App
Authorization Server
Resource Server
Sends Login + Password
Access Token
Call API with Access Token
Data response
For 1st party apps.
46. ACCESS TOKEN
HIJACKED
If the communication channel is compromised.
Or device keychain is compromised.
Or you were careless and did not use keychain.
47. REFRESH TOKENS
The App Authorization ServerResource Server
Makes API Call
Good!
Sends Refresh Token
Returns new Access and
Refresh tokens
Makes API Call
Oh. Token expired.
You can make hackers life harder by introducing refresh tokens.
49. CODE EXAMPLE
authenticationContext.evaluatePolicy(
.deviceOwnerAuthenticationWithBiometrics,
localizedReason: "Knock, knock",
reply: { [unowned self] (success, error) -> Void in
if (success) {
// Fingerprint recognized
// Go to view controller
self.navigateToAuthenticatedViewController()
} else {
// Check if there is an error
if let error = error {
let message = self.errorMessageForLAErrorCode(error.code)
self.showAlertViewAfterEvaluatingPolicyWithMessage(message)
}
}
})
54. Pro Tip:
USE CRYPTO TO PROTECT DATA
You can ask user to provide a password and use it as an encryption key.
55. CODE EXAMPLE 2
LA can work together with keychain, or in other words, access to keychain items can be controller by authentication.
56. CODE EXAMPLE 3
var error: NSError?
let access = SecAccessControlCreateWithFlags(NULL,
kSecAttrAccessibleWhenUnlocked,
kSecAccessControlUserPresence,
&error);
let dictionary = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: "user124",
kSecValueData as String: "P@aaW0rd",
kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked,
kSecAttrAccessControl: access
] as [String:Any]
You can specifically require biometrics or passcode, or just user presence.
62. HOW DO I GET THERE?
How do I make my app secure.
63. DEFINE A THREAT MODEL
Who is the adversary. There is no absolute security.
Any app could be compromised when faced an attacker with enough skills, funding and time.
69. MOBILE APPLICATION SECURITY VERIFICATION STANDARD
https://github.com/OWASP/owasp-masvs
REQUIREMENTS
Covers: Authentication, Data storage, Network communication, Code quality
70. MASVS LAYERS
The MASVS defines two strict security verification levels (L1 and L2), as well a set of reverse engineering resiliency requirements (MASVS-R)
L1 - General
L2 - The apps which deal with sensitive data