Mobile app security is an issue that is not given much priority while an app is still in development, and as a result hackers are able to target your iOS app.
This talk will feature the most common security mistakes developers make, and how to fix them easily. It will also cover the different security and privacy enhancements Apple provides in iOS 10, such as the SecKey API, differential privacy and cryptographic libraries, which enable developers to ship secure applications on the App Store.
2. Securing iOS Mobile Apps
Mobile Security Talk
Introduction
Android vs iOS
Securing Your Mobile Apps
Secured Pasteboard
Application Snapshots
iOS Dataprotection API
Juice Jacking - Slurrp
Top 10 Mobile Security List
4 Myths About Mobile Security
Questions? Contact Me :)
About Me
Co-Founder and CTO at , a mobile security company that helps developers and companies build secure mobile applications. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec and the RSA Conference.
Subho Halder / Co-Founder & CTO
3. Securing iOS Mobile Applications - Subho Halder, iOS Conf SG Edition
Introduction
The Great Mobile Security Debate
01 Fragmented Applications
Multiple applications for multiple platforms and multiple architectures make it difficult for app developers to keep up with security concerns.
02 Fragmented Platforms
With multiple platforms and multiple versions of the mobile operating system, the OEM faces challenges in keeping security up to date.
03 Personal & Social Information
Mobile devices hold your personal and social information, and applications have access to this information.
04 Businesses & Enterprise Data
With mobile being adopted at workplaces, sensitive information is now accessible to applications.
4. Android vs iOS
With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace,
the security of these devices is a growing concern and focus for smartphone users.
[Charts: iOS versus Android compared on Vulnerable Apps, Malwares, Device Vulnerabilities and Fragmentation]
The iOS Device
Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times.
The Android Device
Google's Android platform has become a larger target for mobile malware writers than Apple iOS. This could be a result of Android's popularity: with more than 1 million activations per day, Android smartphones command a 59% market share worldwide.
5. The goal of this is to raise awareness about application security by
identifying some of the most critical risks facing organizations.
Securing Your Mobile Apps
6. Do you think the Pasteboard can be used to steal information?
Secured Pasteboard
7. Secured Pasteboard Vulnerabilities
Universal Clipboard changes for iOS 10 and macOS Sierra
With the changes to the UIPasteboard API in iOS 10 that introduce Universal Clipboard, a slight security vulnerability also opens up: an end user could copy a sensitive piece of data and inadvertently make it available across all their devices.
Understanding the Clipboard Contents
As a developer, you can:
1. Flag a piece of data as "local only", in which case it will not appear in the Universal Clipboard across devices, and
2. Set an expiration date on a piece of data such that it isn't available after that date.
8. Secured Pasteboard Vulnerabilities
Flag a piece of data as "local only", in which case it will not appear in the Universal Clipboard across devices
In one line, you set the item in the UIPasteboard with the option localOnly set to true.
9. Secured Pasteboard Vulnerabilities
Set an expiration date on a piece of data such that it isn't available after that date
Again, in one line you pass an expiration date for when the UIPasteboard item should expire. You can also use these two options together.
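The two options from slides 8 and 9 combined in one setItems call, as an added example that is not code from the talk. The UTI string, the 60-second lifetime and the sample secret are assumptions for illustration.

```swift
import UIKit

// Added example (not from the slides): copies a secret to the general
// pasteboard so that it stays on this device and is discarded after a
// short time. "public.utf8-plain-text" is the UTI for a plain-text item.
let plainTextUTI = "public.utf8-plain-text"

/// Copies `secret` with both iOS 10 UIPasteboard options set:
/// .localOnly keeps the item out of Universal Clipboard (never synced
/// to the user's other devices) and .expirationDate makes the system
/// drop it after `lifetime` seconds (60 s is an assumed default).
func copySecretLocally(_ secret: String, lifetime: TimeInterval = 60) {
    let expiry = Date().addingTimeInterval(lifetime)
    UIPasteboard.general.setItems(
        [[plainTextUTI: secret]],
        options: [
            .localOnly: true,        // do not hand off to other devices
            .expirationDate: expiry  // cleared by the system after this date
        ]
    )
}

/// Clears the pasteboard explicitly, e.g. when the user leaves the screen
/// that showed the secret, instead of waiting for the expiration date.
func clearPasteboard() {
    UIPasteboard.general.items = []
}

copySecretLocally("123456")  // constructed sample one-time code
```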
10. If an application goes into the background, can the data be hacked?
Application Snapshot Vulnerability
11. Application Snapshots
iOS caches a screenshot of the last screen of the application, and when you click on it the application resumes. This caching technique gives the user the impression that their application has resumed immediately. This "feature" on its own is not a vulnerability, and does exactly what it is supposed to do.
So when does a feature become a vulnerability?
These screenshots can be accessed without jailbreaking, using any free tool like 'ifunbox'.
As a developer, you can blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.
12. Application Snapshots
Blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.
You need to write the code in the application life-cycle methods; here we put an image view over the screen while the app animates to the background.
13. Application Snapshots
Blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.
Here is the code to remove the image view when the application comes to the foreground.
14. Have you ever used this to secure your data?
iOS Dataprotection API: NSDataWritingFileProtection
15. iOS Dataprotection API: NSFileProtection
Have you ever used this to secure your data?
iOS provides hardware-level encryption of files. Files marked for protection are encrypted using a per-device key, which is encrypted using the user's password or PIN. Ten seconds after the device is locked, the unencrypted per-device key is removed from memory. When the user unlocks the device, the password or personal identification number (PIN) is used to decrypt the per-device key again, which is then used to decrypt the files.
NSFileProtectionNone / NSDataWritingFileProtectionNone
The file is not protected and can be read or written at any time. This is the default value.
NSFileProtectionComplete / NSDataWritingFileProtectionComplete
Any file with this setting is protected ten seconds after the device is locked. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected.
16. iOS Dataprotection API: NSFileProtection
NSFileProtectionCompleteUnlessOpen / NSDataWritingFileProtectionCompleteUnlessOpen
Files with this setting are protected ten seconds after the device is locked unless they're currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked.
NSFileProtectionCompleteUntilFirstUserAuthentication / NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication
Files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background.
17. iOS Dataprotection API: NSFileProtection
Sample usages with NSData
Sample usages with NSFileManager
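Both routes from slide 17, the NSData write option and the NSFileManager attribute, plus a read-back check, as an added example that is not code from the talk. File names are constructed and the Documents directory is an assumed location; note that on iOS 7 and later, files created by third-party apps already get CompleteUntilFirstUserAuthentication by default, so the calls below raise the class explicitly.

```swift
import Foundation

// Added example (not from the slides). File names are constructed and the
// app's Documents directory is an assumed location.
enum ProtectionCheckError: Error { case attributeMissing }

private var documentsURL: URL {
    return FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
}

/// NSData route: write `data` with NSDataWritingFileProtectionComplete, so the
/// file is sealed ten seconds after the device locks and is unreadable in the background.
func writeWithCompleteProtection(_ data: Data, name: String) throws -> URL {
    let url = documentsURL.appendingPathComponent(name)
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

/// NSFileManager route: raise the class of a file that already exists. Use
/// CompleteUnlessOpen for a file a background task keeps open (e.g. an upload
/// queue) and Complete for anything nobody needs while the device is locked.
func setProtection(_ type: FileProtectionType, at url: URL) throws {
    try FileManager.default.setAttributes([.protectionKey: type], ofItemAtPath: url.path)
}

/// Reads back the class that is actually applied, so a unit test or a security
/// review can assert on it instead of trusting the write call.
func protectionClass(at url: URL) throws -> FileProtectionType {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    if let type = attrs[.protectionKey] as? FileProtectionType { return type }
    if let raw = attrs[.protectionKey] as? String { return FileProtectionType(rawValue: raw) }
    throw ProtectionCheckError.attributeMissing
}

/// Constructed usage: a session token must never be readable on a locked device,
/// while a log that a background task appends to may stay open. Returns true
/// when both files carry the class that was requested.
func storeSampleFiles() throws -> Bool {
    let token = try writeWithCompleteProtection(Data("sample-token".utf8), name: "session.token")
    let log = documentsURL.appendingPathComponent("upload.log")
    _ = FileManager.default.createFile(atPath: log.path, contents: Data())
    try setProtection(.completeUnlessOpen, at: log)
    return try protectionClass(at: token) == .complete
        && protectionClass(at: log) == .completeUnlessOpen
}
```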
18. File protection is very easy, simple and hardware-optimised; you should use it in every project of yours, unless you have a good reason not to.
19. Juice jacking is a term used to describe a cyber attack on a smartphone, tablet or other computing device through a charging port that doubles as a data connection, typically over USB.
Juice Jacking - Slurrp
20. Juice Jacking - Slurrp
A smartphone, tablet or other computing device using a charging port that doubles as a data connection, typically over USB.
Sample charging kiosks in public places
Would you trust this public USB kiosk to charge your iPhone?
21. The goal of this is to raise awareness about application security by identifying
some of the most critical risks facing organizations.
Top 10 Mobile Security List
22. Top 10 Mobile Security List
The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
05 Poor Authorization and Authentication
Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or the backend server used by the mobile app.
04 Unintended Data Leakage
Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.
03 Insufficient Transport Layer Protection
If the application is coded poorly, threat agents can use techniques to view this sensitive data. Unfortunately, mobile applications frequently do not protect network traffic.
02 Insecure Data Storage
Many developers assume that storing data on the client side will restrict other users from having access to this data.
01 Weak Server Side Controls
Most security experts might argue that server-side security falls outside of the area of mobile application security threats. Till last year, it was the second most important mobile security threat.
[Chart: prevalence figures 80%, 43%, 64%, 72% and 19% shown against the five items; which figure belongs to which item is not recoverable from the text]
Source: https://blog.appknox.com/category/owasp-top-10-mobile/
23. Top 10 Mobile Security List
The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
06 Broken Cryptography
Broken cryptography, or insecure usage of cryptography, is most common in mobile apps that leverage encryption.
07 Client Side Injection
Client-side injection results in the execution of malicious code on the client side, which is the mobile device, via the mobile app.
08 Security Decisions Via Untrusted Inputs
Developers generally use hidden fields and values or any hidden functionality to distinguish higher-level users from lower-level users.
09 Improper Session Handling
As the name suggests, this issue arises because session tokens are not handled in the best way.
10 Lack of Binary Protections
A lack of binary protections within a mobile app exposes the application and its owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property.
24. 4 Myths About Mobile Security
"Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." – Gartner
1. Public app stores are safe because they have security filters
2. Data encryption is not required for mobile devices
3. PCs are more secure than mobile phones
4. Two-factor authentication can be neglected for mobile security