iOS Security 101 -ish Vadim Drobinin | @valzevul About me 1. Why? - PowerPoint PPT Presentation

  1. iOS Security 101 -ish Vadim Drobinin | @valzevul

  2. About me

  3. 1. Why? iOS Security 101-ish / @valzevul 3

  4. “The average time spent on smartphones and tablets is 4h 33 mins a day” (BankMyCell)

  5. “In 2018, 52.2% of all website traffic worldwide was generated through mobile phones.” (Statista)

  6. Never trust frontends

  7. 2. What?

  8. What’s not safe?
       » Usernames and passwords
       » Location data
       » Facial data
       » Advertising data
       » Address book entries
       » Payment information
       » Other personal information

  9. OWASP*
       * The Open Web Application Security Project, https://owasp.org/

  10. Essential parts
       » Device
       » Local storage
       » Interaction with the mobile platform
       » APIs
       » Communication with trusted endpoints
       » Authentication and Authorisation
       » Prevention
       » Anti-Reversing

  11. Platform Overview
       » iOS is based on Darwin, whose kernel is XNU ("X is Not Unix")
       » Sideloading via Xcode is possible since iOS 9
       » Secure boot, hardware-backed Keychain, file system encryption, update rollouts
       » iOS apps are isolated from each other via Apple's iOS sandbox (“Seatbelt”)

  12. “Seatbelt”
       » OSX 10.5 “Leopard”, 2007
         » Not mandatory
         » Not many developers did this
       » OSX 10.7 “Lion”, 2011
         » com.apple.security.app-sandbox entitlement
         » Added automatically when signed via App Store
       » iOS:
         » /var/mobile/Containers and /var/Containers

  13. Setting up a Testing Environment
       » Frida: https://www.frida.re
       » Objection: https://github.com/sensepost/objection
       » Wireshark: https://www.wireshark.org/download.html
       » Keychain-dumper: https://github.com/ptoomey3/Keychain-Dumper/
       » Needle: https://github.com/mwrlabs/needle

  14. As little sensitive data as possible should be saved in permanent local storage.

  15. Data Protection API

  16. Data Storage on iOS

  17. Protection Classes:
       » Complete Protection (NSFileProtectionComplete)
       » Protected Unless Open (NSFileProtectionCompleteUnlessOpen)
       » Protected Until First User Authentication (NSFileProtectionCompleteUntilFirstUserAuthentication)
       » No Protection (NSFileProtectionNone)
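Added example (not from the slides): how an app picks one of these classes for a file it writes and verifies which class actually ended up on disk. The file name is a constructed sample; everything else is standard Foundation API.

```swift
import Foundation

/// Added example, not part of the talk: write a file under Complete Protection
/// and read the protection class back. Assumes a sandboxed iOS app.
enum FileProtectionExample {
    static let fileName = "session-cache.json"   // constructed sample name

    static func documentsURL() throws -> URL {
        try FileManager.default.url(for: .documentDirectory,
                                    in: .userDomainMask,
                                    appropriateFor: nil,
                                    create: true)
    }

    /// Writes `data` so it is only readable while the device is unlocked
    /// (NSFileProtectionComplete). Passing the class as a write option applies
    /// it together with the write, so the file never exists unprotected.
    static func writeCompletelyProtected(_ data: Data) throws -> URL {
        let url = try documentsURL().appendingPathComponent(fileName)
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Returns the class recorded for the file, or nil if none is set
    /// (the file then inherits the container default, which is weaker than
    /// Complete Protection, so treat nil as a finding when reviewing storage).
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }

    /// Raises the class of an existing file in place, e.g. one created by a
    /// third-party library that did not choose a class itself.
    static func upgrade(_ url: URL, to type: FileProtectionType) throws {
        try FileManager.default.setAttributes([.protectionKey: type],
                                              ofItemAtPath: url.path)
    }
}

// Usage inside the app:
// let url = try FileProtectionExample.writeCompletelyProtected(Data("{}".utf8))
// let cls = try FileProtectionExample.protectionClass(of: url)   // compare with .complete
```

The read-back matters in practice: files copied or re-created by other code paths do not inherit the option passed to `write(to:options:)`, so an audit of the app container should check the attribute rather than trust the call site.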

  18. The Keychain
       » Only one Keychain is available to all apps
       » Access control among apps via kSecAttrAccessGroup
       » Access for items:
         kSecAttrAccessibleAlways
         kSecAttrAccessibleAlwaysThisDeviceOnly
         kSecAttrAccessibleAfterFirstUnlock
         kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
         kSecAttrAccessibleWhenUnlocked
         kSecAttrAccessibleWhenUnlockedThisDeviceOnly
         kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

  19. Keychain Access Control flags
       kSecAccessControlDevicePasscode
       kSecAccessControlTouchIDAny
       kSecAccessControlTouchIDCurrentSet
       kSecAccessControlUserPresence

  20. How to work with the Keychain

       import Foundation
       import LocalAuthentication
       import Security

       func devicePasscodeEnabled() -> Bool {
           return LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: nil)
       }

       // Wipe on first run: the Keychain survives app deletion, UserDefaults
       // does not, so a reinstall would otherwise inherit old items.
       let userDefaults = UserDefaults.standard
       if userDefaults.bool(forKey: "hasRunBefore") == false {
           wipeKeychain() // Remove Keychain items here
           userDefaults.set(true, forKey: "hasRunBefore")
           userDefaults.synchronize() // Forces the app to update UserDefaults
       }

       func logout() {
           // Logout the user here
           wipeKeychain()
       }

       // Called on the slide but not defined there: delete every item of the
       // common classes visible to this app.
       func wipeKeychain() {
           let classes: [CFString] = [kSecClassGenericPassword, kSecClassInternetPassword,
                                      kSecClassCertificate, kSecClassKey, kSecClassIdentity]
           for itemClass in classes {
               SecItemDelete([kSecClass as String: itemClass] as CFDictionary)
           }
       }

  21. What might go wrong?
       » Make sure nothing sensitive (passwords, keys, tokens, other PII, etc.) is stored in NSUserDefaults or via NSData, writeToFile, NSFileManager, CoreData, databases, etc. without encryption.
       » If encryption is used, make sure the secret key is stored in the Keychain with secure settings, ideally […]WhenPasscodeSetThisDeviceOnly.

  22. Be careful with Firebase
       » 47% of iOS apps that connect to a Firebase database are vulnerable¹
       » Get PROJECT_ID from GoogleService-Info.plist
       » Check https://<firebaseProjectName>.firebaseio.com/.json
       » Firebase Scanner: https://github.com/shivsahni/FireBaseScanner
       ¹ Appthority Mobile Threat Team, Jan 2018

  23. Be careful with Realm

       import RealmSwift

       // Open the encrypted Realm file, where getKey()
       // is a method to obtain a key from the Keychain or a server
       let config = Realm.Configuration(encryptionKey: getKey())
       do {
           let realm = try Realm(configuration: config)
           // Use the Realm as normal
       } catch let error as NSError {
           // If the encryption key is wrong,
           // `error` will say that it's an invalid database
           fatalError("Error opening realm: \(error)")
       }
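Added example, not from the slides, covering slides 18 to 23 together: a small Keychain wrapper that stores items under kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly (the setting slide 21 recommends) with an optional user-presence access control flag, plus a `getKey()` that generates the 64-byte Realm key once from the system CSPRNG and keeps it only in the Keychain. The service and account names are constructed placeholders; the APIs are Apple's Security and LocalAuthentication frameworks.

```swift
import Foundation
import Security
import LocalAuthentication

/// Added example, not the talk's code. Service/account names are placeholders.
enum KeychainStore {
    static let service = "com.example.app.secrets"   // constructed placeholder
    enum KeychainError: Error { case unexpectedStatus(OSStatus), accessControl }

    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Adds (or replaces) a secret. WhenPasscodeSetThisDeviceOnly means: readable
    /// only while unlocked, deleted if the passcode is removed, never backed up
    /// or migrated to another device. `requireUserPresence` additionally makes
    /// the Keychain demand passcode/biometrics on every read.
    static func set(_ secret: Data, account: String, requireUserPresence: Bool = false) throws {
        var flags: SecAccessControlCreateFlags = []
        if requireUserPresence { flags.insert(.userPresence) }
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            flags, &cfError) else { throw KeychainError.accessControl }

        SecItemDelete(baseQuery(account: account) as CFDictionary)   // replace if present
        var attrs = baseQuery(account: account)
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessControl as String] = access   // never combine with kSecAttrAccessible
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Reads a secret; nil if absent. A supplied LAContext carries the prompt
    /// text and lets the Keychain reuse a recent authentication.
    static func get(account: String, context: LAContext? = nil) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        if let context = context { query[kSecUseAuthenticationContext as String] = context }
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:      return result as? Data
        case errSecItemNotFound: return nil
        default:                 throw KeychainError.unexpectedStatus(status)
        }
    }

    static func delete(account: String) {
        SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}

/// Realm expects a 64-byte key. Create it once with SecRandomCopyBytes and keep it
/// only in the Keychain, never in UserDefaults, a plist or the source tree.
func getKey() throws -> Data {
    let account = "realm-encryption-key"   // constructed placeholder
    if let existing = try KeychainStore.get(account: account) { return existing }
    var key = Data(count: 64)
    let status = key.withUnsafeMutableBytes { buffer -> OSStatus in
        SecRandomCopyBytes(kSecRandomDefault, 64, buffer.baseAddress!)
    }
    guard status == errSecSuccess else { throw KeychainStore.KeychainError.unexpectedStatus(status) }
    try KeychainStore.set(key, account: account)
    return key
}
```

Because the key lives under a ThisDeviceOnly class, a backup restored to another device cannot open the Realm file it contains; that is the intended trade-off, and the app needs a re-enrolment path for it.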

  24. Dynamic Analysis via iMazing
       » Trigger the functionality that stores potentially sensitive data.
       » Connect the iOS device and launch iMazing.
       » Select the app and do "Extract App".
       » Navigate to the output directory and locate $APPNAME.imazing. Rename it $APPNAME.zip.
       » Unpack the zip file.
       » To get Keychain items on a non-JB device, use objection.

  25. Other locations of sensitive data
       » Keyboard cache
             textObject.autocorrectionType = .no
             textObject.isSecureTextEntry = true
       » Logs
       » Backups
       » Auto-generated (overlay) screenshots
       » Memory
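Added example (not from the slides) for three of the locations listed: a text-field setup that keeps secrets out of the keyboard cache, a window overlay that blanks the app-switcher snapshot while the app is inactive, and a unified-logging call that marks the sensitive argument private. The subsystem string is a constructed placeholder; the rest is UIKit and the `os` Logger API (iOS 14+).

```swift
import UIKit
import os

/// Added example, not the talk's code.
enum SensitiveInput {
    /// Secure entry stops the keyboard from caching the value; the remaining
    /// settings stop autocorrect and spell-check from learning it.
    static func configure(_ field: UITextField, isSecret: Bool) {
        field.isSecureTextEntry = isSecret
        field.autocorrectionType = .no
        field.spellCheckingType = .no
        field.smartQuotesType = .no
        field.smartDashesType = .no
    }
}

/// Covers the window with a blur whenever the app resigns active, so the
/// snapshot iOS takes for the app switcher shows no content.
final class SnapshotShield {
    private var cover: UIView?
    private var tokens: [NSObjectProtocol] = []

    func attach(to window: UIWindow) {
        let center = NotificationCenter.default
        tokens.append(center.addObserver(forName: UIApplication.willResignActiveNotification,
                                         object: nil, queue: .main) { [weak self] _ in
            self?.show(over: window)
        })
        tokens.append(center.addObserver(forName: UIApplication.didBecomeActiveNotification,
                                         object: nil, queue: .main) { [weak self] _ in
            self?.hide()
        })
    }

    private func show(over window: UIWindow) {
        guard cover == nil else { return }
        let blur = UIVisualEffectView(effect: UIBlurEffect(style: .regular))
        blur.frame = window.bounds
        blur.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(blur)
        cover = blur
    }

    private func hide() {
        cover?.removeFromSuperview()
        cover = nil
    }

    deinit { tokens.forEach { NotificationCenter.default.removeObserver($0) } }
}

/// Logs: interpolated values default to private in release builds only when
/// marked; an explicit `.private` keeps the identifier redacted everywhere.
let authLog = Logger(subsystem: "com.example.app", category: "auth")   // placeholder subsystem

func logSignIn(userID: String) {
    authLog.info("sign-in for \(userID, privacy: .private)")
}
```

Use `SnapshotShield` from the scene or app delegate (`shield.attach(to: window)` once the window exists); `willResignActive` fires before the snapshot is taken, which is the point at which the overlay must already be in the view hierarchy.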

  26. Local Authentication on iOS
       During local authentication, an app authenticates the user against credentials stored locally on the device.
       » LocalAuthentication.framework: high-level API for TouchID/FaceID
       » Security.framework: low-level API for Keychain Services

  27. It’s secure, right?

  28. It’s secure, right? Nope.

  29. [image slide, no text]

  30. Local Authentication
       » deviceOwnerAuthentication
       » deviceOwnerAuthenticationWithBiometrics

       LAContext().evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "…") { success, evaluationError in
           if success {
               // Now you can trust the user
           }
       }

       » See "Don't touch me that way"² for a bypassing auth demo
       ² https://www.youtube.com/watch?v=XhXIHVGCFFM by David Lidner et al.
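Added example, not from the talk: the pattern on this slide beside the hardened alternative. The slide's version gates a feature on a Bool that lives in the app's own memory, which is exactly what a runtime bypass can flip. Binding the secret to a Keychain item whose access control requires the currently enrolled biometrics (the modern name for kSecAccessControlTouchIDCurrentSet from slide 19) means the data is released only after a real authentication, so a faked "success" yields nothing usable. Service and account names are constructed placeholders.

```swift
import LocalAuthentication
import Security
import Foundation

let laService = "com.example.app"   // constructed placeholder
let laAccount = "session-token"     // constructed placeholder

/// Weak: the decision is a Bool in process memory. Whatever hooks this closure
/// can hand back `true`, and the app has no independent evidence of auth.
func unlockWithBoolOnly(completion: @escaping (Bool) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock") { success, _ in
        completion(success)
    }
}

/// Stronger, step 1: store the secret under an access control that requires
/// the biometrics enrolled right now. Adding a new fingerprint/face later
/// invalidates the item instead of silently widening who can read it.
func storeBiometricallyBoundSecret(_ secret: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, &cfError) else { return errSecParam }

    let base: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrService as String: laService,
                               kSecAttrAccount as String: laAccount]
    SecItemDelete(base as CFDictionary)
    var attrs = base
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Stronger, step 2: the read itself triggers the system prompt. There is no
/// Bool to trust; either the bytes come back or they do not.
func readBiometricallyBoundSecret() -> Result<Data, Error> {
    let context = LAContext()
    context.localizedReason = "Unlock your session"
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrService as String: laService,
                                kSecAttrAccount as String: laAccount,
                                kSecReturnData as String: true,
                                kSecUseAuthenticationContext as String: context]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecUserCanceled, errSecAuthFailed and friends land here.
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
    return .success(data)
}
```

The secret returned should be something the server verifies (a session token, a key used to sign a request), so that even the hardened read is only useful together with a back-end check; slide 6 ("Never trust frontends") applies here as well.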

  31. iOS Network API
       App Transport Security (ATS):
       » NSURLConnection, NSURLSession and CFURL
       » Public hostnames (not IP addresses, unqualified domain names or the .local TLD)
       » No HTTP connections
       » Transport Layer Security (TLS) version >= 1.2
       » Additional requirements on the key exchange

  32. How to protect?
       » ATS should be configured according to best practices by Apple and only be deactivated under certain circumstances.
       » Don’t forget about SSL pinning; never hardcode the password though.

  33. How to protect?
       » If the application opens third-party web sites in web views, NSAllowsArbitraryLoadsInWebContent can be used to disable ATS restrictions for the content loaded in web views.
       » If the app connects to a defined number of domains under your control, configure the servers to support the ATS requirements and opt in to the ATS requirements within the app.

  34. How to protect

       <key>NSAppTransportSecurity</key>
       <dict>
           <key>NSAllowsArbitraryLoads</key>
           <true/>
           <key>NSExceptionDomains</key>
           <dict>
               <key>example.com</key>
               <dict>
                   <key>NSIncludesSubdomains</key>
                   <true/>
                   <key>NSExceptionMinimumTLSVersion</key>
                   <string>TLSv1.2</string>
                   <key>NSExceptionAllowsInsecureHTTPLoads</key>
                   <false/>
                   <key>NSExceptionRequiresForwardSecrecy</key>
                   <true/>
               </dict>
           </dict>
       </dict>
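Added example (not from the slides) for the pinning advice on slide 32: a URLSession delegate that lets ATS and the system trust evaluation run first, then additionally requires that some certificate in the validated chain carries a pinned public key. Pins here are SHA-256 digests of the key bytes as returned by SecKeyCopyExternalRepresentation (not the HPKP-style SPKI encoding), so generate them the same way; the host and pin values are constructed placeholders. Requires iOS 15 for SecTrustCopyCertificateChain and CryptoKit for SHA-256.

```swift
import Foundation
import Security
import CryptoKit

/// Added example, not the talk's code. Host and pins are placeholders.
final class PinningDelegate: NSObject, URLSessionDelegate {
    /// host -> base64(SHA-256(SecKeyCopyExternalRepresentation(public key))).
    /// Ship at least one backup pin so a key rotation does not brick the app.
    private let pins: [String: Set<String>] = [
        "api.example.com": ["PLACEHOLDER_PRIMARY_PIN_BASE64=",
                            "PLACEHOLDER_BACKUP_PIN_BASE64="]
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        guard let expected = pins[challenge.protectionSpace.host] else {
            // Not a pinned host: leave it to the system (ATS still applies).
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Normal chain validation (hostname, expiry, trusted root). Pinning
        //    adds to this; it never replaces it.
        var cfError: CFError?
        guard SecTrustEvaluateWithError(trust, &cfError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Any certificate in the *validated* chain may carry the pinned key,
        //    which allows pinning an intermediate rather than a short-lived leaf.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let matched = chain.contains { cert in
            guard let key = SecCertificateCopyKey(cert),
                  let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
                return false
            }
            return expected.contains(Self.pin(for: keyData))
        }

        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Pin format used by this example: base64 of SHA-256 over the key bytes.
    static func pin(for publicKey: Data) -> String {
        Data(SHA256.hash(data: publicKey)).base64EncodedString()
    }
}

// Usage:
// let session = URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
```

Keep the pins in the app bundle as data, not as a secret: their job is to be compared, not to be hidden. What must stay out of the binary is the private key, which is the "never hardcode the password" point on slide 32.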

  35. iOS Platform APIs
       » All apps run under the non-privileged mobile user
       » Each app has a unique home directory and is sandboxed
       » Access to protected resources or data (capabilities) is possible, but it's strictly controlled via special permissions (entitlements).

  36. Don’t ask for more permissions than you actually need at that very moment.
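Added example (not from the slides) of the just-in-time pattern this slide asks for: the camera prompt is triggered from the action that needs it, a previous denial is respected rather than re-prompted, and the only way back is the app's own Settings page. Uses AVFoundation's authorization API; the outcome enum is this example's own.

```swift
import AVFoundation
import UIKit

/// Added example, not the talk's code.
enum CameraPermission {
    enum Outcome { case granted, deniedNow, deniedPreviously, restricted }

    /// Call from the handler of the "Scan" button, never from app launch, so
    /// the system prompt appears next to the feature that justifies it.
    static func requestForScanner(completion: @escaping (Outcome) -> Void) {
        switch AVCaptureDevice.authorizationStatus(for: .video) {
        case .authorized:
            completion(.granted)
        case .notDetermined:
            // Shown once per install; NSCameraUsageDescription in Info.plist
            // must describe this specific use or the request is rejected.
            AVCaptureDevice.requestAccess(for: .video) { granted in
                DispatchQueue.main.async { completion(granted ? .granted : .deniedNow) }
            }
        case .denied:
            completion(.deniedPreviously)   // iOS will not prompt again
        case .restricted:
            completion(.restricted)         // parental controls or MDM; nothing to ask
        @unknown default:
            completion(.restricted)
        }
    }

    /// After a denial the user, not the app, re-enables access.
    static func openSettings() {
        guard let url = URL(string: UIApplication.openSettingsURLString) else { return }
        UIApplication.shared.open(url)
    }
}
```

The same shape (check status, request from the triggering action, handle denial without nagging) applies to photos, location and contacts; only the framework call changes.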

  37. What might go wrong?³
       » Camera access
         » record users at any time the app is in the foreground
         » run real-time face recognition to detect facial features or expressions
         » upload the pictures/videos it takes immediately
       » Photos
         » track all users’ movements based on their photos’ metadata
         » track all their devices
         » use facial recognition to find out who the user hangs out with
       ³ Felix Krause, https://krausefx.com/privacy

  38. What might go wrong?
       » MitM attack to swap the third-party framework
       » Fake iCloud password alerts
       » Inject anything into web views (if the app doesn’t use SFSafariViewController)
       » Screenshot the user typing a password in the app’s secured fields
