Data transfer security for mobile apps: what the fish doesn't notice in the ocean? #mddaylviv2015 @vixentael

Upload: stanfy

Post on 15-Jan-2017

Category: Mobile

TRANSCRIPT

Data transfer security for mobile apps

what the fish doesn’t notice in the ocean? 🐟

#mddaylviv2015 @vixentael

There ain’t enough talks about security

Apple Security Guide: "Every program is a potential target. Your customers' property and your reputation are at stake."

https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html

data transfer security for mobile apps #mddaylviv2015 @vixentael

3 kinds of data to protect

Data in storage

Data in memory

Data in motion

Data in motion: what could possibly go wrong

Communication with server. Usually.

Imagine little fish...

...in the ocean of threats

active eavesdropping

data leakage

evil twin

replay attack

* SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM

* Intercepting the App Store's Traffic on iOS http://bit.ly/1H3xMrs

One proxy to rule ‘em all!

Attack reasons

Many apps use HTTP*

Some apps use HTTPS

Few apps encrypt user's data

*iOS9 ATS will decrease this number

Why is this happening?

1. Security is hard.

STACKOVERFLOW!

Let's StackOverflow! http://stackoverflow.com/a/21826729

Weird padding http://stackoverflow.com/a/21826729

2. Software is buggy

Remove padding!

http://stackoverflow.com/a/26147479

Omg WTF is going on

WTF http://stackoverflow.com/a/26147479

WTF WTF

3. Illusion of safety is still an illusion

#define kUserPassword @"1111111"

Armoring your fish

Realize security risks

Amateurs Produce Amateur Cryptography

Anyone can invent a security system that he himself cannot break

— Schneier's Law https://www.schneier.com/blog/archives/2011/04/schneiers_law.html

Do not re-implement existing things

Security is a system, not a pluggable library

Build stout architecture

cryptolib

key management

Use great tools

Themis https://github.com/cossacklabs/themis

RNCryptor https://github.com/RNCryptor/RNCryptor

MIHCrypto https://github.com/hohl/MIHCrypto

OTRKit https://github.com/ChatSecure/OTRKit

libsodium/NaCL https://github.com/mochtu/libsodium-ios

scientific background

trust big guys

good track record

Use SSL? Do it right!

SSL has a lot of problems https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html

To survive you need to:

✤ use long keys

✤ remove backward compatibility

✤ use good ciphers (EC vs RSA)

✤ SSL pinning

✤ use cheat sheet https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
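As an added example (not code from the talk or from any project it links), here is how that checklist maps onto a client-side TLS context in Python's ssl module: a permissive configuration of the kind that "works in dev" beside a hardened one, plus a small audit function that reports which checklist items a context fails. The cipher string, the function names and the audit rules are my own choices.

```python
import ssl


def permissive_context() -> ssl.SSLContext:
    """The kind of context that ships by accident: everything negotiable, nothing verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # "the cert name didn't match in staging"
    ctx.verify_mode = ssl.CERT_NONE      # any certificate, including an evil twin's, is accepted
    ctx.set_ciphers("ALL")               # static RSA key exchange and legacy suites stay enabled
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Apply the checklist: no old protocol versions, ephemeral EC key exchange, AEAD only."""
    ctx = ssl.create_default_context()            # certificate + hostname verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # "remove backward compatibility"
    # "use good ciphers": ECDHE key exchange only (forward secrecy), AEAD bulk ciphers only
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression leaks plaintext length (CRIME)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_points(ctx: ssl.SSLContext) -> list:
    """Audit a context against the checklist; returns the list of items it fails (empty = ok)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows TLS < 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if name.startswith("TLS_"):               # TLS 1.3 suite names: always (EC)DHE + AEAD
            continue
        if not name.startswith("ECDHE"):
            problems.append("non-ephemeral key exchange: " + name)
        if "GCM" not in name and "CHACHA20" not in name:
            problems.append("non-AEAD cipher: " + name)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        problems.append("server certificate not verified")
    return problems


if __name__ == "__main__":
    print("permissive:", weak_points(permissive_context())[:5], "...")
    print("hardened:", weak_points(hardened_client_context()))
```

The audit only inspects local configuration; it says nothing about what the server actually negotiates, so it complements rather than replaces a scan of the live endpoint with the cheat sheet's tooling.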

TLS/SSL in short

Where can it break?

SSL pinning

SSL pinning on iOS

https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/

https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/

    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
        SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
        id<NSURLAuthenticationChallengeSender> sender = challenge.sender;

        // Leaf certificate presented by the server
        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));

        // Certificate shipped inside the app bundle
        NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
        NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];

        // Byte-for-byte comparison of the whole leaf certificate (no SecTrustEvaluate here):
        // the pin breaks whenever the server certificate is renewed, even with the same key
        if ([remoteCertificateData isEqualToData:localCertData]) {
            NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
            [sender useCredential:credential forAuthenticationChallenge:challenge];
        } else {
            [sender cancelAuthenticationChallenge:challenge];
        }
    }

SSL pinning more easy :) Swift lib for HTTPS with SSL pinning https://github.com/johnlui/Pitaya/wiki

    let certData = NSData(contentsOfFile:
        NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
    ...
    ....addSSLPinning(LocalCertData: certData) { () -> Void in
        print("Under Man-in-the-middle attack!")
    }
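Both snippets above pin by comparing the entire leaf certificate, which means the app stops working the day the certificate is renewed. The added example below (my own code, not from the talk or from Pitaya) shows the usual alternative: pin a hash of the SubjectPublicKeyInfo instead, so a re-issued certificate with the same key still matches, and keep a list of pins so a backup key can be shipped ahead of rotation. It carries a minimal DER walker so it runs on a constructed, unsigned dummy certificate with the standard library only; the names build_demo_cert, extract_spki, spki_pin and pin_matches are mine.

```python
import base64
import hashlib

# --- minimal DER helpers: enough to build and walk an X.509 skeleton ---
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_read(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# --- pin on the SubjectPublicKeyInfo, not on the whole certificate ---
def extract_spki(der_cert: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the SPKI element (tag + length + value)."""
    _, cert_body, _ = _der_read(der_cert, 0)        # Certificate SEQUENCE
    _, tbs, _ = _der_read(cert_body, 0)             # tbsCertificate SEQUENCE
    tag, _, pos = _der_read(tbs, 0)                 # version [0] (optional) or serialNumber
    if tag == CTX0:
        _, _, pos = _der_read(tbs, pos)             # serialNumber
    for _ in range(4):                              # signature, issuer, validity, subject
        _, _, pos = _der_read(tbs, pos)
    _, _, end = _der_read(tbs, pos)                 # subjectPublicKeyInfo
    return tbs[pos:end]


def spki_pin(der_cert: bytes) -> str:
    """HPKP-style pin string: base64(sha256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(der_cert)).digest()).decode()


def pin_matches(der_cert: bytes, pins) -> bool:
    """Accept the server if its leaf key matches any configured pin (ship a backup pin too)."""
    return spki_pin(der_cert) in set(pins)


# --- constructed sample certificates: unsigned dummies, only the SPKI matters here ---
def build_demo_cert(pubkey: bytes, serial: int, not_before: bytes, not_after: bytes) -> bytes:
    alg = _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d01010b")) + _tlv(NULL, b""))  # sha256WithRSA
    name = _tlv(SEQ, _tlv(SET, _tlv(SEQ, _tlv(OID, bytes.fromhex("550403")) + _tlv(UTF8, b"demo.example"))))
    validity = _tlv(SEQ, _tlv(UTCTIME, not_before) + _tlv(UTCTIME, not_after))
    spki = _tlv(SEQ, _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d010101")) + _tlv(NULL, b""))
                + _tlv(BITSTR, b"\x00" + pubkey))
    tbs = _tlv(SEQ, _tlv(CTX0, _tlv(INT, b"\x02")) + _tlv(INT, bytes([serial]))
               + alg + name + validity + name + spki)
    return _tlv(SEQ, tbs + alg + _tlv(BITSTR, b"\x00" + bytes(16)))   # dummy signature bytes


def renewal_demo() -> dict:
    """Same key re-issued with a new serial and validity: whole-cert pin breaks, SPKI pin holds."""
    key = bytes(range(32))                          # constructed stand-in for a public key
    old = build_demo_cert(key, 1, b"150101000000Z", b"160101000000Z")
    new = build_demo_cert(key, 2, b"160101000000Z", b"170101000000Z")
    other = build_demo_cert(bytes(32), 3, b"150101000000Z", b"160101000000Z")
    pins = [spki_pin(old)]                          # what the app shipped with
    return {
        "whole_cert_equal": old == new,             # the comparison the Objective-C code makes
        "spki_pin_ok": pin_matches(new, pins),
        "other_key_ok": pin_matches(other, pins),
    }


if __name__ == "__main__":
    print(renewal_demo())
```

On iOS the same check would take the bytes from SecCertificateCopyData, after the normal chain evaluation, and compare their SPKI hash against the pins bundled with the app; the walker above is deliberately minimal and assumes well-formed DER input.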

How to achieve the solution

Let's imagine chatting app

simple API

authentication

meaningful communication

confidentiality

thread

Securing app step by step

1. HTTPS everywhere

----> SSL/TLS has lots of bugs and bad crypto

2. SSL pinning

----> is not a panacea

3. Encrypt messages by persistent keys

----> can be easily cracked

Securing in a more proper way

perfect forward secrecy

use good ciphers

Using ephemeral key

How to achieve it easily https://github.com/cossacklabs/themis

1. establish session

2. encrypt message with SecureSession before sending

3. decrypt message after receive

4. encrypt history with SecureCell
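To make the "ephemeral key" and "perfect forward secrecy" slides concrete, here is an added example of what steps 1 to 3 look like underneath a library such as Secure Session; it is my own stand-alone code, not Themis and not from the talk. Each side generates a fresh X25519 keypair per session, derives per-direction keys from the shared secret and wipes the private key once the session is up, so a key stolen later cannot decrypt recorded traffic; sequence numbers double as the replay guard from the threat list. The X25519 ladder follows RFC 7748 and is checked against its test vector; the HMAC-based stream cipher is a stdlib stand-in for the AEAD a real library uses, and the class and function names are mine.

```python
import hashlib
import hmac
import os

# ---- X25519 (RFC 7748 Montgomery ladder), pure Python; illustrative, not side-channel hardened ----
_P, _A24 = 2 ** 255 - 19, 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64                    # clamp the scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e, c, d = (aa - bb) % _P, (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def rfc7748_known_answer() -> bool:
    """Check the ladder against the RFC 7748 section 6.1 Diffie-Hellman test vector."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return x25519(a, x25519(b, BASEPOINT)).hex() == shared


def _hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()    # extract, zero salt
    out, block, i = b"", b"", 1
    while len(out) < length:                                   # expand
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for AES-GCM/ChaCha20 so the block needs only the stdlib (constructed for this demo).
    out = b"".join(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
                   for ctr in range((n + 31) // 32))
    return out[:n]


class EphemeralSession:
    """One side of a session: fresh keypair per session, per-direction keys, private key wiped."""

    def __init__(self, role: str):
        self.role = role                                       # "client" or "server"
        self._priv = os.urandom(32)                            # ephemeral: never stored or reused
        self.pub = x25519(self._priv, BASEPOINT)
        self.send_keys = self.recv_keys = None
        self.send_seq = self.recv_seq = 0

    def establish(self, peer_pub: bytes) -> None:              # step 1
        okm = _hkdf_sha256(x25519(self._priv, peer_pub), b"mddaylviv2015 demo session", 128)
        c2s, s2c = (okm[:32], okm[32:64]), (okm[64:96], okm[96:])
        self.send_keys, self.recv_keys = (c2s, s2c) if self.role == "client" else (s2c, c2s)
        self._priv = None                                      # forward secrecy: nothing left to steal

    def encrypt(self, plaintext: bytes) -> bytes:              # step 2
        enc, mac = self.send_keys
        nonce, self.send_seq = self.send_seq.to_bytes(8, "big"), self.send_seq + 1
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
        return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, message: bytes) -> bytes:                # step 3
        enc, mac = self.recv_keys
        nonce, ct, tag = message[:8], message[8:-32], message[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("tag mismatch: tampered or wrong key")
        if int.from_bytes(nonce, "big") != self.recv_seq:
            raise ValueError("replayed or reordered message")
        self.recv_seq += 1
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def _rejects(session: EphemeralSession, message: bytes) -> bool:
    try:
        session.decrypt(message)
        return False
    except ValueError:
        return True


def chat_demo() -> dict:
    alice, bob = EphemeralSession("client"), EphemeralSession("server")
    alice.establish(bob.pub); bob.establish(alice.pub)
    wire = alice.encrypt(b"hello bob")
    got = bob.decrypt(wire)
    second = alice.encrypt(b"second")
    tampered = second[:8] + bytes([second[8] ^ 1]) + second[9:]
    a2, b2 = EphemeralSession("client"), EphemeralSession("server")   # a later session
    a2.establish(b2.pub); b2.establish(a2.pub)
    return {"roundtrip": got, "replay_rejected": _rejects(bob, wire),
            "tamper_rejected": _rejects(bob, tampered),
            "keys_differ": alice.send_keys != a2.send_keys, "priv_wiped": alice._priv is None}
```

What this demo leaves out is the part that defeats an evil twin: nothing here proves that the ephemeral public key came from the intended peer. Secure Session layers authentication with each side's long-term keys over this exchange, which is why step 1 in the library needs the peers' identity keys and why the talk points at a library rather than at rolling this by hand.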

How to achieve it easily

https://github.com/cossacklabs/mobile-websocket-example

Security is hard, but if you’re smart, security is not so hard :)

The last slide

@vixentael iOS developer at stanfy.com [creating awesome mobile and IoT apps]

To read

★ CryptoCat iOS app security audit

https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf

★ Why you should avoid SSL for your next application

https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html

★ OAuth1, OAuth2, OAuth...?

http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html

To watch on YouTube

★ All talks of Moxie Marlinspike

https://www.youtube.com/watch?v=ibF36Yyeehw

https://www.youtube.com/watch?v=8N4sb-SEpcg

https://www.youtube.com/watch?v=tOMiAeRwpPA

To read more slides

★ Securing iOS apps

https://speakerdeck.com/mbazaliy/securing-ios-applications

★ Users' data security in iOS applications

https://speakerdeck.com/vixentael/users-data-security-in-ios-applications

★ Reversing 101

https://speakerdeck.com/0xc010d/reversing-101