Data transfer security
for mobile apps
what the fish doesn’t notice in the ocean? 🐟
#mddaylviv2015 @vixentael
There ain’t
enough talks
about security
Apple Security Guide
Every program is a potential target.
Your customers’ property and your reputation
are at stake.
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
data transfer security for mobile apps #mddaylviv2015 @vixentael
3 kinds of data to protect
Data in storage
Data in memory
Data in motion
Data in motion:
what could
possibly go wrong
Communication with server. Usually.
Imagine little fish...
...in the ocean of threats
active
eavesdropping
data leakage
evil twin
replay attack
* SSL experimenting with Android Top100 apps
http://bit.ly/1NqpheM
* Intercepting the App Store's Traffic on iOS
http://bit.ly/1H3xMrs
One proxy to rule ‘em all!
Attack reasons
Many apps use HTTP*
Some apps use HTTPS
Few apps encrypt user’s data
*iOS9 ATS will decrease this number
Why is this
happening?
1. Security is hard.
STACKOVERFLOW!
Let’s StackOverflow!
http://stackoverflow.com/a/21826729
Weird padding
http://stackoverflow.com/a/21826729
2. Software is buggy
Remove padding!
http://stackoverflow.com/a/26147479
Omg WTF is going on
http://stackoverflow.com/a/26147479
3. Illusion of safety is still an illusion
#define kUserPassword @"1111111"
Armoring
your fish
Realize security risks
Amateurs Produce Amateur Cryptography
Anyone can invent a security system
that he himself cannot break
— Schneier's Law
https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
Do not re-implement existing things
Security is a
system, not a
pluggable library
Build stout architecture
cryptolib
key management
Use great tools
Themis https://github.com/cossacklabs/themis
RNCryptor https://github.com/RNCryptor/RNCryptor
MIHCrypto https://github.com/hohl/MIHCrypto
OTRKit https://github.com/ChatSecure/OTRKit
libsodium/NaCL https://github.com/mochtu/libsodium-ios
scientific background
trust big guys
good track record
Data transfer security for mobile apps
Use SSL? Do it right!
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
SSL has a lot of problems
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
To survive you need to:
✤ use long keys
✤ remove backward compatibility
✤ use good ciphers (EC vs RSA)
✤ SSL pinning
✤ use cheat sheet
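The rules on this slide applied to a client-side TLS configuration, as an added example that is not from the talk (the talk's code is Objective-C and Swift; this uses Python's standard `ssl` module so the checks run anywhere). It shows a hardened client context next to the permissive one many apps ship with, plus an audit function that flags the difference. Function names and the cipher string are this example's own choices.

```python
import ssl

# Added example, not from the talk: a hardened client-side TLS context
# beside a permissive one, and an audit that tells them apart.


def hardened_client_context():
    """Client context following the slide: TLS 1.2 or newer only, forward-secret
    AEAD suites with EC key exchange, and strict certificate + hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # "remove backward compatibility"
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # "use good ciphers"
    ctx.load_default_certs()                        # trust the platform CA store
    return ctx


def legacy_client_context():
    """The 'it works in the simulator, ship it' context: validation switched off,
    so any proxy in the path can terminate the connection unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (CERT_NONE/CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version is not pinned to 1.2 or newer")
    # TLS 1.2 suites without (EC)DHE have no forward secrecy; TLS 1.3 suites ("TLS_*") always do.
    weak = [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith(("ECDHE-", "DHE-", "TLS_"))]
    if weak:
        findings.append("non-forward-secret cipher suites enabled: " + ", ".join(weak[:3]))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("legacy:  ", audit_context(legacy_client_context()))
```

`audit_context` is the check to run in a unit test against whatever context the app's networking layer actually builds; pinning is a separate step on top of this and is covered by the pinning slides.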
TLS/SSL in short
Where can it break?
SSL pinning
SSL pinning on iOS
https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/
https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    id<NSURLAuthenticationChallengeSender> sender = challenge.sender;
    // Only server-trust challenges carry a certificate chain; let the system handle the rest.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    // Guard against an empty chain: SecCertificateCopyData(NULL) would crash instead of failing closed.
    if (serverTrust == NULL || SecTrustGetCertificateCount(serverTrust) == 0) {
        [sender cancelAuthenticationChallenge:challenge];
        return;
    }
    // Pin the leaf certificate (index 0) by exact DER byte comparison with the copy in the bundle.
    SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
    NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
    NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
    // Byte-exact pinning fails closed when the server certificate is renewed: ship the new .cer before it rotates.
    if (localCertData != nil && [remoteCertificateData isEqualToData:localCertData]) {
        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
        [sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        [sender cancelAuthenticationChallenge:challenge];
    }
}
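The delegate above pins the leaf certificate byte for byte, which is the simplest form and also the one that breaks on every certificate renewal. The PayPal link on the slide describes pinning the public key (SubjectPublicKeyInfo) instead, which survives renewals as long as the key is kept. The following added example (not from the talk, and not tied to any iOS API) walks a DER certificate with a minimal parser, computes the `sha256/...` SPKI pin used by HPKP and OkHttp, and contrasts it with leaf-byte matching on constructed certificates. The certificates, key bytes and hostnames are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Added example, not from the talk: SPKI pinning with a minimal DER walker,
# exercised offline on constructed (unsigned, placeholder-key) certificates.

SEQ, SET, INT, BITSTR, OID, UTF8, UTCTIME, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x06, 0x0C, 0x17, 0xA0
OID_EC_PUBKEY = bytes.fromhex("2A8648CE3D0201")       # 1.2.840.10045.2.1 id-ecPublicKey
OID_P256 = bytes.fromhex("2A8648CE3D030107")          # 1.2.840.10045.3.1.7 prime256v1
OID_ECDSA_SHA256 = bytes.fromhex("2A8648CE3D040302")  # 1.2.840.10045.4.3.2
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def der_tlv(tag, body):
    """Encode one DER element: tag, definite length (short or long form), body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, off):
    """Decode the element at buf[off]; return (tag, body, offset just after it)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start = off + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert, _ = der_read(cert_der, 0)
    if tag != SEQ:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = der_read(cert, 0)
    if tag != SEQ:
        raise ValueError("bad tbsCertificate")
    tag, _, off = der_read(tbs, 0)
    if tag == CTX0:                 # explicit version present: skip it, then the serial
        _, _, off = der_read(tbs, off)
    for _ in range(4):              # signature, issuer, validity, subject
        _, _, off = der_read(tbs, off)
    tag, _, end = der_read(tbs, off)
    if tag != SEQ:
        raise ValueError("bad subjectPublicKeyInfo")
    return tbs[off:end]


def spki_pin(cert_der):
    """Pin in HPKP/OkHttp form: base64 of SHA-256 over the SPKI DER bytes."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der, pinned):
    """Run this AFTER normal chain and hostname validation, never instead of it."""
    return spki_pin(cert_der) in pinned


def leaf_bytes_match(cert_der, pinned_leaf_der):
    """The slide's approach: byte equality with a bundled .cer file."""
    return hashlib.sha256(cert_der).digest() == hashlib.sha256(pinned_leaf_der).digest()


# --- constructed sample certificates: keys and signatures are filler bytes, not real ---
def make_spki(point):
    alg = der_tlv(SEQ, der_tlv(OID, OID_EC_PUBKEY) + der_tlv(OID, OID_P256))
    return der_tlv(SEQ, alg + der_tlv(BITSTR, b"\x00" + point))


def make_cert(serial, cn, not_before, not_after, spki):
    name = der_tlv(SEQ, der_tlv(SET, der_tlv(SEQ, der_tlv(OID, OID_CN) + der_tlv(UTF8, cn.encode()))))
    sig_alg = der_tlv(SEQ, der_tlv(OID, OID_ECDSA_SHA256))
    validity = der_tlv(SEQ, der_tlv(UTCTIME, not_before) + der_tlv(UTCTIME, not_after))
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, serial)
                  + sig_alg + name + validity + name + spki)
    return der_tlv(SEQ, tbs + sig_alg + der_tlv(BITSTR, b"\x00" + b"\xAB" * 64))


KEY_A = b"\x04" + bytes(range(64))        # placeholder "uncompressed point"
KEY_C = b"\x04" + bytes(range(64, 128))   # a different placeholder key
CERT_A = make_cert(b"\x01", "api.example.test", b"150101000000Z", b"160101000000Z", make_spki(KEY_A))
CERT_B = make_cert(b"\x02", "api.example.test", b"160101000000Z", b"170101000000Z", make_spki(KEY_A))  # renewed, same key
CERT_C = make_cert(b"\x03", "api.example.test", b"160101000000Z", b"170101000000Z", make_spki(KEY_C))  # new key
PINS = {spki_pin(CERT_A)}

if __name__ == "__main__":
    print("pin:", spki_pin(CERT_A))
    print("renewed cert, same key: spki", pin_matches(CERT_B, PINS), "/ leaf bytes", leaf_bytes_match(CERT_B, CERT_A))
    print("cert with a new key:    spki", pin_matches(CERT_C, PINS))
```

Pinning the key rather than the leaf bytes means a planned certificate renewal does not lock users out; rotating the key still needs a new app build, so keep a backup pin for the next key in the set.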
SSL pinning made easier :)
Swift lib for HTTPS with SSL pinning
https://github.com/johnlui/Pitaya/wiki
let certData = NSData(contentsOfFile: NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
...
.addSSLPinning(LocalCertData: certData) { () -> Void in
    print("Under Man-in-the-middle attack!")
}
How to achieve the solution
Let’s imagine a chat app
simple API
authentication
meaningful communication
confidentiality thread
Securing app step by step
1. HTTPS everywhere
----> SSL/TLS has lots of bugs and bad crypto
2. SSL pinning
----> is not a panacea
3. Encrypt messages by persistent keys
----> can be easily cracked
Data transfer security for mobile apps
Securing in a more proper way
perfect forward secrecy
use good ciphers
Using ephemeral key
How to achieve it easily
https://github.com/cossacklabs/themis
1. establish session
2. encrypt message with SecureSession before sending
3. decrypt message after receive
4. encrypt history with SecureCell
How to achieve it easily
https://github.com/cossacklabs/mobile-websocket-example
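The four steps above, and the "Using ephemeral key" slide before them, worked through as an added example that is not from the talk and does not use Themis: both sides of a session agree on a key with ephemeral Diffie-Hellman (the 2048-bit MODP group of RFC 3526, transcribed here), authenticate the handshake with a pre-shared long-term key, seal a message before sending and open it after receiving. The "persistent key" scheme from the step-by-step slide sits beside it so the difference under a later key compromise can be checked. The encrypt-then-MAC construction is a stand-in for a real AEAD; names, message layout and the sample key are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example, not from the talk and not Themis code: an ephemeral-key session
# next to the persistent-key scheme, runnable offline with the standard library.

# 2048-bit MODP group, RFC 3526 group 14 (transcribed; verify against the RFC before reuse).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869) extract-and-expand with a zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += mac(key, b"stream", nonce, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC over an HMAC keystream: a stand-in for a real AEAD
    (an app should use AES-GCM or ChaCha20-Poly1305 from a vetted library)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + mac(key, b"tag", nonce, ct)


def open_(key, nonce, sealed):
    """Verify the tag first; return None instead of plaintext on any mismatch."""
    ct, tag = sealed[:-32], sealed[-32:]
    if len(sealed) < 32 or not hmac.compare_digest(tag, mac(key, b"tag", nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Party:
    """One endpoint. The long-term key only authenticates the handshake; the
    session key comes from a fresh exponent that is discarded afterwards."""

    def __init__(self, name, long_term_key):
        self.name, self.ltk, self._x = name, long_term_key, None

    def hello(self):                                   # step 1a: send an ephemeral public value
        self._x = secrets.randbits(256)
        pub = pow(G, self._x, P).to_bytes(256, "big")
        return pub, mac(self.ltk, b"auth", self.name.encode(), pub)

    def finish(self, peer_name, peer_pub, peer_tag):   # step 1b: check the peer, derive the key
        if not hmac.compare_digest(peer_tag, mac(self.ltk, b"auth", peer_name.encode(), peer_pub)):
            raise ValueError("handshake authentication failed")
        y = int.from_bytes(peer_pub, "big")
        if not 1 < y < P - 1:                          # reject degenerate public values
            raise ValueError("invalid DH public value")
        shared = pow(y, self._x, P).to_bytes(256, "big")
        self._x = None                                 # forget the ephemeral secret
        return hkdf_sha256(shared, b"chat session v1")


def run_session(long_term_key, message):
    """Steps 1-3: establish, seal before sending, open after receiving.
    Returns (client key, server key, what an eavesdropper would record)."""
    client, server = Party("client", long_term_key), Party("server", long_term_key)
    c_pub, c_tag = client.hello()
    s_pub, s_tag = server.hello()
    k_client = client.finish("server", s_pub, s_tag)
    k_server = server.finish("client", c_pub, c_tag)
    nonce = secrets.token_bytes(12)
    recording = {"c_pub": c_pub, "s_pub": s_pub, "nonce": nonce, "sealed": seal(k_client, nonce, message)}
    return k_client, k_server, recording


def persistent_key_recording(long_term_key, message):
    """The step-by-step slide's option 3: the message sealed directly under the persistent key."""
    nonce = secrets.token_bytes(12)
    return {"nonce": nonce, "sealed": seal(long_term_key, nonce, message)}


def later_key_compromise(long_term_key, recording):
    """What someone who recorded the traffic and later obtains the persistent key
    can read: the plaintext, or None when the recording does not yield to that key."""
    return open_(long_term_key, recording["nonce"], recording["sealed"])


if __name__ == "__main__":
    ltk = hashlib.sha256(b"constructed long-term key").digest()   # sample value, not a real secret
    _, k_server, rec = run_session(ltk, b"hello fish")
    print("server reads:", open_(k_server, rec["nonce"], rec["sealed"]))
    print("persistent key leaked later, ephemeral session:", later_key_compromise(ltk, rec))
    print("persistent key leaked later, persistent scheme:", later_key_compromise(ltk, persistent_key_recording(ltk, b"hello fish")))
```

The recording of the ephemeral session holds only public values and ciphertext, so a leaked long-term key opens nothing; the same leak decrypts every message ever sealed under the persistent-key scheme. Step 4 (history at rest, SecureCell on the slide) is a separate storage key and is not part of this exchange.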
Security is hard, but
if you’re smart,
security is not so
hard :)
The last slide
@vixentael
iOS developer
at stanfy.com
[creating awesome mobile
and IoT apps]
To read
★ CryptoCat iOS app security audit
https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf
★ Why you should avoid SSL for your next application
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
★ OAuth1, OAuth2, OAuth...?
http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html
To watch (YouTube)
★ All tasks of Moxie Marlinspike
https://www.youtube.com/watch?v=ibF36Yyeehw
https://www.youtube.com/watch?v=8N4sb-SEpcg
https://www.youtube.com/watch?v=tOMiAeRwpPA
To read more slides
★ Securing iOS apps
https://speakerdeck.com/mbazaliy/securing-ios-applications
★ Users' data security in iOS applications
https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
★ Reversing 101
https://speakerdeck.com/0xc010d/reversing-101