
Data transfer security for mobile apps


Prepared by Anastasiia, iOS Engineer at Stanfy for speaking at Mobile Dev Day 2015 in Lviv, Ukraine.

* Wise fish knows there ain’t enough talks about security
* Communication with server: security, reliability, ease of use, choose two
* Applied cryptography: should you manually configure CommonCrypto or …?
* Network security is piranha in risk and ruff in implementation
* Practical example: protecting network transport without breaking app

Published in: Mobile


  1. Data transfer security for mobile apps: what the fish doesn't notice in the ocean? 🐟 #mddaylviv2015 @vixentael
  2. There ain't enough talks about security
  3. Apple Security Guide: "Every program is a potential target. Your customers' property and your reputation are at stake." https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html (data transfer security for mobile apps #mddaylviv2015 @vixentael)
  4. 3 kinds of data to protect: data in storage, data in memory, data in motion
  5. Data in motion: what could possibly go wrong
  6. Communication with server. Usually.
  7. Imagine little fish...
  8. ...in the ocean of threats
  9. ...in the ocean of threats: active eavesdropping, data leakage, evil twin, replay attack
  10. One proxy to rule 'em all!
      * SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM
      * Intercepting the App Store's Traffic on iOS http://bit.ly/1H3xMrs
  11. Attack reasons: many apps use HTTP* (*iOS 9 ATS will decrease this number)
  12. Attack reasons: many apps use HTTP*, some apps use HTTPS
  13. Attack reasons: many apps use HTTP*, some apps use HTTPS, few apps encrypt the user's data
  14. Why is this happening?
  15. 1. Security is hard. STACKOVERFLOW!
  16. Let's StackOverflow! http://stackoverflow.com/a/21826729
  17. Weird padding http://stackoverflow.com/a/21826729
  18. 2. Software is buggy
  19. Remove padding! http://stackoverflow.com/a/26147479
  20. Omg, WTF is going on? http://stackoverflow.com/a/26147479
  21. 3. Illusion of safety is still an illusion: #define kUserPassword @"1111111"
  22. Armoring your fish
  23. Realize security risks
  24. Amateurs produce amateur cryptography. "Anyone can invent a security system that he himself cannot break" (Schneier's Law) https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
  25. Do not re-implement existing things
  26. Security is a system, not a pluggable library
  27. Build stout architecture
  28. Build stout architecture: cryptolib, key management
  29. Use great tools (scientific background, trust the big guys, good track record):
      * Themis https://github.com/cossacklabs/themis
      * RNCryptor https://github.com/RNCryptor/RNCryptor
      * MIHCrypto https://github.com/hohl/MIHCrypto
      * OTRKit https://github.com/ChatSecure/OTRKit
      * libsodium/NaCl https://github.com/mochtu/libsodium-ios
  30. Use SSL? Do it right! SSL has a lot of problems (https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html). To survive you need to:
      * use long keys
      * remove backward compatibility
      * use good ciphers (EC vs RSA)
      * SSL pinning
      * use the cheat sheet https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
  31. TLS/SSL in short
  32. Where can it break?
  33. SSL pinning
  34. SSL pinning on iOS
      https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/
      https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/

      // NSURLConnection delegate: accept the connection only if the server's leaf
      // certificate is byte-for-byte identical to the copy bundled with the app,
      // otherwise cancel the challenge and the request fails.
      - (void)connection:(NSURLConnection *)connection
          willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
          SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
          id<NSURLAuthenticationChallengeSender> sender = challenge.sender;
          SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
          NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
          NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
          NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
          if ([remoteCertificateData isEqualToData:localCertData]) {
              NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
              [sender useCredential:credential forAuthenticationChallenge:challenge];
          } else {
              [sender cancelAuthenticationChallenge:challenge];
          }
      }
  35. SSL pinning made easier :) Swift lib for HTTPS with SSL pinning https://github.com/johnlui/Pitaya/wiki

      // Pitaya usage: the bundled certificate is handed to the request builder and
      // the closure runs when the server's certificate does not match it.
      let certData = NSData(contentsOfFile: NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
      ...
      .addSSLPinning(LocalCertData: certData) { () -> Void in
          print("Under Man-in-the-middle attack!")
      }
  36. How to achieve the solution
  37. Let's imagine a chatting app: simple API, authentication, meaningful communication, confidentiality thread
  38. Securing the app step by step: 1. HTTPS everywhere 2. SSL pinning 3. Encrypt messages with persistent keys
  39. Securing the app step by step:
      1. HTTPS everywhere ----> SSL/TLS has lots of bugs and bad crypto
      2. SSL pinning ----> is not a panacea
      3. Encrypt messages with persistent keys ----> can be easily cracked
  40. Securing in a more proper way: perfect forward secrecy, use good ciphers
  41. Using ephemeral keys
  42. How to achieve it easily (https://github.com/cossacklabs/themis):
      1. establish session
      2. encrypt message with SecureSession before sending
      3. decrypt message after receive
      4. encrypt history with SecureCell
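The ephemeral-key session of slides 39 to 42, as an added example in Go rather than Themis's Secure Session API (none of this is Themis code): each side generates a fresh X25519 key pair, derives an AES-256-GCM session key from the shared secret and both public keys, and then seals and opens messages with a per-direction counter that doubles as replay protection. Unlike a real Secure Session, the ephemeral public keys are not signed by long-term identity keys here, so on its own this exchange gives forward secrecy but not protection against an active man-in-the-middle; the KDF is likewise simplified to a single SHA-256 over the shared secret and the transcript. All names are the example's own, and step 4 (encrypting stored history) is not covered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Session is one party's half of an ephemeral-key session. The X25519 private
// scalar is dropped as soon as the key is derived, so a later compromise of the
// device or of any long-term key cannot decrypt traffic that was recorded today.
type Session struct {
	aead    cipher.AEAD
	sendDir byte   // 0 = client to server, 1 = server to client
	sendSeq uint64 // counter for messages we send
	recvSeq uint64 // next counter we accept; anything lower is a replay
}

// newSession derives an AES-256-GCM key as SHA-256(shared secret || both public
// keys), a simplified KDF; mixing in both public keys binds the key to the exchange.
func newSession(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, transcript []byte, dir byte) (*Session, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, transcript...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead, sendDir: dir}, nil
}

// Handshake generates fresh key pairs for both parties and derives both halves of
// the session in-process; in a real app only the two public keys cross the network.
func Handshake() (client, server *Session, err error) {
	curve := ecdh.X25519()
	cPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	transcript := append(cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes()...)
	if client, err = newSession(cPriv, sPriv.PublicKey(), transcript, 0); err != nil {
		return nil, nil, err
	}
	server, err = newSession(sPriv, cPriv.PublicKey(), transcript, 1)
	return client, server, err
}

// nonce packs direction and counter into the 12-byte GCM nonce, so the two
// directions never reuse a nonce under the shared key.
func (s *Session) nonce(dir byte, seq uint64) []byte {
	n := make([]byte, s.aead.NonceSize())
	n[0] = dir
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts one message: 8-byte counter in clear (authenticated as associated
// data), followed by ciphertext and tag.
func (s *Session) Seal(plaintext []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, s.sendSeq)
	out := s.aead.Seal(hdr, s.nonce(s.sendDir, s.sendSeq), plaintext, hdr)
	s.sendSeq++
	return out
}

// Open decrypts one message, rejecting forgeries (bad tag) and replays (old counter).
func (s *Session) Open(msg []byte) ([]byte, error) {
	if len(msg) < 8 {
		return nil, errors.New("message too short")
	}
	hdr, body := msg[:8], msg[8:]
	seq := binary.BigEndian.Uint64(hdr)
	if seq < s.recvSeq {
		return nil, errors.New("replayed message")
	}
	plaintext, err := s.aead.Open(nil, s.nonce(1-s.sendDir, seq), body, hdr)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	s.recvSeq = seq + 1
	return plaintext, nil
}

func main() {
	client, server, _ := Handshake() // error ignored only in this demo
	got, err := server.Open(client.Seal([]byte("hello from the little fish")))
	fmt.Printf("server read %q, err=%v\n", got, err)
}
```

Because every Handshake call produces a new key, a message sealed under one session cannot be opened by a different one, which is the property slide 39 says persistent keys lack: an attacker who records today's traffic and obtains a device key later still has nothing to decrypt it with.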
  43. How to achieve it easily: https://github.com/cossacklabs/mobile-websocket-example
  44. Security is hard, but if you're smart, security is not so hard :)
  45. The last slide: @vixentael, iOS developer at stanfy.com [creating awesome mobile and IoT apps]
  46. To read:
      ★ CryptoCat iOS app security audit https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf
      ★ Why you should avoid SSL for your next application https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
      ★ OAuth1, OAuth2, OAuth...? http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html
  47. To watch (YouTube):
      ★ All talks of Moxie Marlinspike https://www.youtube.com/watch?v=ibF36Yyeehw https://www.youtube.com/watch?v=8N4sb-SEpcg https://www.youtube.com/watch?v=tOMiAeRwpPA
  48. To read more slides:
      ★ Securing iOS apps https://speakerdeck.com/mbazaliy/securing-ios-applications
      ★ Users' data security in iOS applications https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
      ★ Reversing 101 https://speakerdeck.com/0xc010d/reversing-101
