Users' Data Security in iOS Applications

U S E R S ’ D ATA S E C U R I T Y
I N I O S A P P L I C A T I O N S
Odessa Innovation Week, WebCamp 2015

W H AT I S U S E R D ATA
User data is being generated during interactions
with user

I T I S A D E V E L O P E R ’ S
R E S P O N S I B I L I T Y T O P R O T E C T
S E N S I T I V E D ATA

U S E R D ATA S TAT E S
• Runtime data
• Stored data
• Transmitted data

W H AT C O U L D P O S S I B LY G O W R O N G ?
• Runtime data
• Stored data
C O U L D B E
S T O L E N ,
M O D I F I E D O R D E L E T E D

W H AT S H O U L D W E D O ?
• Runtime data
• Stored data
encrypt storage
encrypt transport
use secure design

R U N T I M E D ATA

U I PA S T E B O A R D
• general Pasteboard is open for everyone
[[UIPasteboard generalPasteboard] setValue:@"1234 5689 3455 6604"
forPasteboardType:@"card"];
• custom Pasteboards are open for current app and
apps with same team ID
UIPasteboard * pasteboard = [UIPasteboard pasteboardWithName:@"my.app"
create:YES]; 
pasteboard.persistent = YES;
 
[pasteboard setValue:@"1234 5689 3455 6604”forPasteboardType:@"card"];

U I PA S T E B O A R D
• prevent copying sensitive data
@implementation UITextView (DisableCopyPaste) 
 
 
- (BOOL)canPerformAction:(SEL)action withSender:(id)sender {
 
[UIMenuController sharedMenuController].menuVisible = NO; 
return NO; 
} 
 
@end

S N A P S H O T T I N G & S C R E E N S H O T T I N G
- (void)applicationWillResignActive:(UIApplication *)application {
 
UIImageView * imageView = [[UIImageView alloc]initWithFrame:
[self.window frame]]; 
[imageView setImage:[UIImage imageNamed:@"mySplash"]]; 
[self.window addSubview:imageView];
 
}
• hide any sensitive data before snapshotting
• or set your picture as snapshot
- (void)applicationWillResignActive:(UIApplication *)application {
 
self.window.rootViewController.view.cardLabel.hidden = YES; 
}

PA S S W O R D - P R O T E C T I O N
• ask password on app launching (if it’s really
needed)
• ask password on entering ‘sensitive’ areas
• ask password to confirm some actions
• ask password on configuration screen

T O U C H I D
iOS8+
LocalAuthentication Framework
use as alternative to your
application’s password

T O U C H I D
#import <LocalAuthentication/LocalAuthentication.h>
LAContext * myContext = [LAContext new]; 
NSError * authError = nil; 
NSString * myLocalizedReasonString = @"Authenticate using your
finger"; 
 
 
if ([myContext canEvaluatePolicy:LAPolicyDevice
OwnerAuthenticationWithBiometrics error:&authError]) { 
 
... 
} else { 
NSLog(@"Authentication error %@", authError);
}

T O U C H I D
[myContext evaluatePolicy:
LAPolicyDeviceOwnerAuthenticationWithBiometrics 
localizedReason:myLocalizedReasonString 
reply:^(BOOL success, NSError * error) {
 
if (success) { 
NSLog(@"User is authenticated successfully”); 
} else { 
NSLog(@"Authentication failed with error %@", error);
} 
}]; 

T O U C H I D
switch (error.code) {
 
case LAErrorAuthenticationFailed: 
NSLog(@"Authentication Failed"); 
break; 
 
case LAErrorUserCancel: 
NSLog(@"User pressed Cancel button"); 
break; 
 
case LAErrorUserFallback: 
NSLog(@"User pressed "Enter Password""); 
[self showPassword]; 
break; 
 
default: 
NSLog(@"Touch ID is not configured"); 
[self showPassword]; 
break; 
}

S T O R E D D ATA

D O N O T S T O R E
• passwords
• keys
• any financial data
• logs!

P L A I N T E X T K E Y S A R E B A D
[Parse setApplicationId:@"GpvoqI7Ut29H...2JL1dyceOv0hV1"  
clientKey:@“sv8wcfIf0neo...y2m9YIwu0OxQr”];
static NSString *kMyAPIKey = @"mySecretApiKey";

strings MyApp.app/MyApp > myapp.txt

GpvoqI7Ut29...2JL1dyceOv0hV1
sv8wcfIf0neo...y2m9YIwu0OxQr
application did finish launching
window
T@"UIWindow",&,N
T@"UIWindow",&,N,V_window
[Parse setApplicationId:@"GpvoqI7Ut29H...2JL1dyceOv0hV1"  
clientKey:@“sv8wcfIf0neo...y2m9YIwu0OxQr”];

AV O I D P L A I N T E X T K E Y S
• store like hex strings
unsigned char myApiKey[] = { 0xAB, 0xAA, 0xBE, 0xDE, 0xEF };
• obfuscate 
NSString * key = [NSString stringWithFormat:@"%@%@%@%@", @"my",
@"secret", @"Api", @“Key"];
 
NSString * key = [NSString stringWithFormat:@"%3$@%2$@%1$@%4$@",
@"Api", @"secret", @"my", @"Key"];
NSString * format = [[[@"x3$yx2$z%1$yx4$@" 
stringByReplacingOccurrencesOfString:@"x" withString:@"%"] 
stringByReplacingOccurrencesOfString:@"y" withString:@"@"] 
stringByReplacingOccurrencesOfString:@"z" withString:@"@"]; 
NSString * key = [NSString stringWithFormat:format, @"Api",
@"secret", @"my", @"Key"];
"mySecretApiKey"

U S E E N C RY P T E D K E Y S
1. take key in plain text
NSData * encryptedData = [RNEncryptor encryptData:kMyAPIKey 
withSettings:kRNCryptorAES256Settings 
password:[self calculatePassword] 
error:&error];
 
NSString * resultString = [[NSString alloc] initWithData:encryptedData
encoding:NSUTF8StringEncoding];
2. encrypt it

3. hardcode encrypted key
static NSString *kMyAPIKeyEncrypted =
@“789fae43c3e66113e48cebfafeef6806542c0c9062b78b686f515acb0
9b2c0a6";
NSData *decryptedData = [RNDecryptor decryptData:encryptedData 
withPassword:[self calculatePassword] 
error:&error];
NSString * resultString = [[NSString alloc] initWithData:encryptedData
encoding:NSUTF8StringEncoding];
4. decrypt it before using

5. use generated password, not static string
- (NSString * )calculatePassword { 
CGFloat result = (CGFloat) (1.0/23.0); 
return [NSString stringWithFormat:@"%.10f", result]; 
}
@“0.0434782609” this password is calculated each time;
is not stored as string

W H E R E T O S T O R E S E N S I T I V E D ATA ?
• NSUserDefaults
• plist
• files
• database
• keychain

• NSUserDefaults
• plist
• files
• database
• keychain
U S E K E Y C H A I N

• NSUserDefaults
• plist
• files
• database
• keychain
O R U S E E N C RY P T I O N !

E N C RY P T A L L D ATA
C O M M O N C RY P T O
F R A M E W O R K

#import <CommonCrypto/CommonCryptor.h>
- (NSData *)AES256EncryptWithKey:(NSString*)key { 
char keyPtr[kCCKeySizeAES256 + 1]; // room for terminator (unused) 
bzero(keyPtr, sizeof(keyPtr)); // fill with zeroes (for padding) 
 
[key getCString:keyPtr maxLength:sizeof(keyPtr) encoding:NSUTF8StringEncoding]; 
 
NSUInteger dataLength = [self length]; 
 
size_t bufferSize = dataLength + kCCBlockSizeAES128; 
void* buffer = malloc(bufferSize); 
 
size_t numBytesEncrypted = 0; 
CCCryptorStatus cryptStatus = CCCrypt(kCCEncrypt, kCCAlgorithmAES128,
kCCOptionPKCS7Padding, 
keyPtr, kCCKeySizeAES256, 
NULL 
[self bytes], dataLength, /* input */ 
buffer, bufferSize, /* output */ 
&numBytesEncrypted); 
 
if (cryptStatus == kCCSuccess) { 
//the returned NSData takes ownership of the buffer and will free it on deallocation 
return [NSData dataWithBytesNoCopy:buffer length:numBytesEncrypted]; 
} 
 
free(buffer); 
return nil; 
}
C O M M O N C RY P T O

#import <RNCryptor/RNCryptor.h> 
 
NSData *data = [@"Data" dataUsingEncoding:NSUTF8StringEncoding]; 
NSError *error; 
NSData *encryptedData = [RNEncryptor encryptData:data 
withSettings:kRNCryptorAES256Settings 
password:aPassword 
error:&error];
 
NSData *decryptedData = [RNDecryptor decryptData:encryptedData 
withPassword:aPassword 
error:&error];
https://github.com/RNCryptor/RNCryptor
U S E W R A P P E R S

 
#import "scell_seal.h"
NSData *data = [@"Data" dataUsingEncoding:NSUTF8StringEncoding];
TSCellSeal * cellSeal = [[TSCellSeal alloc] initWithKey:masterKeyData]; 
NSData * encryptedMessage = [cellSeal wrapData:data
context:nil
error:&error]; 
 
NSData * decryptedMessage = [cellSeal unwrapData:encryptedMessage 
context:nil 
error:&error];
https://github.com/cossacklabs/themis
U S E C O O L
L I B R A R I E S

E N C RY P T D ATA B A S E
SQLCipher (+FMDB)
https://github.com/sqlcipher/sqlcipher
CoreData
https://github.com/project-imas/encrypted-core-
data

F I L E S P R O T E C T I O N
allows to encrypt NSFiles

* NSFileProtectionNone
* NSFileProtectionComplete
Cannot be accessed while device locked.
* NSFileProtectionCompleteUnlessOpen
Opens only when device is unlocked; can be accessed
whenever
* NSFileProtectionCompleteUntilFirstUserAuthentication
Opens only after device is booted; can be accessed
whenever.

NSFileManager * fileManager = [NSFileManager defaultManager];
 
NSDictionary * attributes = @{ NSFileProtectionKey :
NSFileProtectionComplete }; 
 
[fileManager createFileAtPath:path 
contents:data 
attributes:attributes]; 
 
 
[fileManager setAttributes:attributes 
ofItemAtPath:path 
error:&errorFolderProtect];

[SSKeychain setPassword:password  
forService:@"com.my.app"  
account:@"MyAppUserPasswordKey"];
S E C U R E K E Y C H A I N
https://github.com/soffes/sskeychain
S E C U R I T Y F R A M E W O R K O R U S E W R A P P E R S

D I S A B L E D E B U G G I N G Y O U R A P P S
typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
 
#if !defined(PT_DENY_ATTACH) 
#define PT_DENY_ATTACH 31 
#endif 
 
void disable_gdb() { 
void* handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW); 
ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace"); 
ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0); 
dlclose(handle); 
} 
int main(int argc, char * argv[]) {  
#if !(DEBUG) // Don't interfere with Xcode debugging sessions. 
disable_gdb(); 
#endif 
 
@autoreleasepool {  
return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate
class])); 
} 
} https://www.theiphonewiki.com/wiki/Bugging_Debuggers

T R A N S M I T T E D D ATA

S E N D I N G P L A I N T E X T D ATA
• plain text could be easily stolen or modified
• sending passwords as plain text is bad idea

S E N D I N G P L A I N T E X T D ATA
• plain text could be easily stolen or modified
• sending passwords as plain text is bad idea
U S E H T T P S !

U S I N G H T T P S
HTTPs protects only POST requests
(do not use GET*)
* https://blog.httpwatch.com/2009/02/20/how-
secure-are-query-strings-over-https/

U S I N G H T T P S : B A D P R A C T I C E S
• allowing self-signed certificates
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
 
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge]; 
}
 
[AFSecurityPolicy setAllowInvalidCertificates:YES]; 
[AFSecurityPolicy setValidatesDomainName:NO];
• allowing invalid certificates

• allowing self-signed certificates
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
 
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge]; 
}
 
[AFSecurityPolicy setAllowInvalidCertificates:YES]; 
[AFSecurityPolicy setValidatesDomainName:NO];
• allowing invalid certificates
A F N E T W O R K I N G B U G S 2 . 5 . 1 - 2 . 5 . 2

H T T P S
O N I O S 9 H T T P I S T U R N E D O F F !
(as required by App Transport Security)

H T T P S
O N I O S 9 H T T P I S T U R N E D O F F !
you should disable ATS to use HTTP
(as required by App Transport Security)

H T T P S D O E S N ’ T M E A N T O U S E P L A I N
T E X T

H T T P S D O E S N ’ T M E A N T O U S E P L A I N
T E X T
anyone can generate fake SSL certificate
and your app will trust him
MitM attacks lead to stolen or modified data

H T T P S I S N O T S O S E C U R E
A L L D ATA S H O U L D B E E N C RY P T E D
For messaging you should use special crypto,
not just encrypting data like for storage.

E N C RY P T I N G C O M M U N I C AT I O N
Communication is sequence of messages

When sequence get’s recorded, it is easier to crack
the key based on captured data

Your keys should be ephemeral, your exchange should
be sequence aware, authenticated and content-
validating

Your keys should be ephemeral, your exchange should
be sequence aware, authenticated and content-
validating
E N D T O E N D
P E R F E C T F O R WA R D S E C R E C Y
P R O N E T O T I M I N G AT TA C K S
AUTHENTICATE
M
ESSAGES
U S E K E Y A G R E E M E N T P R O T O C O L

Themis (Secure Message / Secure Session)
(https://github.com/cossacklabs/themis)
OTRKit (https://github.com/ChatSecure/OTRKit)
libsodium / NaCL (https://github.com/mochtu/
libsodium-ios)
T H E R E ’ S A L I B F O R T H AT !

M O R E T O R E A D
• The Mobile Application Hacker's Handbook
• https://books.google.com.ua/books?
id=UgVhBgAAQBAJ
• Secure Developing on iOS
• https://www.isecpartners.com/media/11221/
secure_development_on_ios.pdf

M O R E T O R E A D
• Security Coding Guide
• https://developer.apple.com/library/ios/
documentation/Security/Conceptual/
SecureCodingGuide/Introduction.html#//
apple_ref/doc/uid/TP40002477-SW1

M O R E T O R E A D
• Designing Secure User Interfaces
• https://developer.apple.com/library/ios/
documentation/Security/Conceptual/
SecureCodingGuide/Articles/
AppInterfaces.html#//apple_ref/doc/uid/
TP40002862-SW1

M O R E T O R E A D
• https://www.theiphonewiki.com/wiki/
Bugging_Debuggers
• http://www.splinter.com.au/2014/09/16/storing-
secret-keys/
• http://priyaaank.tumblr.com/post/81172916565/
validating-ssl-certificates-in-mobile-apps
• https://www.venafi.com/blog/post/ssl-
vulnerabilities-in-your-mobile-apps-what-could-
possibly-go-wrong

L A S T S L I D E
@vixentael
Anastasi,
iOS dev @ Stanfy

Users' Data Security in iOS Applications

More Related Content

What's hot

Viewers also liked

Similar to Users' Data Security in iOS Applications

More from Stanfy

Users' Data Security in iOS Applications