Post on 11-Jun-2015
iOS Security Essentials Krutin Karia
Developer/Ethical Hacker
Mobile Threats
iOS hacked?
iOS Sandboxing
iOS Top Risks
! Local Data Storage
! Data Leakage
! Authorization & Authentication
! Crypto (Broken)
! Injections (SQL, XSS)
! Transport Layer Protection
Insecure Data Storage
! /tmp, /var/tmp, /Library/Caches
! NSUserDefaults, Plist
! CoreData, Plain text files, xml, json
! SQLite
USE Keychain for sensitive data & use standard Crypto
Data Leakage
! Backgrounding (screen snapshots taken when the app is suspended)
! /Users/Applications/{UDID}/Library/Caches/Snapshots/
! URL Schemes
! Application Cache
! Browser Cache
! Application Logs
! App Strings
try this: otool -arch armv7 -v -s __TEXT __cstring myapp
Data Leakage
! use applicationDidEnterBackground to obscure snapshots
! Careful with use of URLSchemes, NSFile, writeToFile, NSLog
! Do not store sensitive information in code, do not hardcode access tokens (Like AWS secret keys, API auth tokens)
Authorization & Authentication
! Check api manual for best use cases
! Avoid local authentication
! Do not cache credentials
! If you absolutely must cache them, encrypt them with standard Crypto
! No authorization decisions based on openURL: / handleOpenURL:
Crypto
! Never ever write your own Crypto
! Base64, MD5, and even SHA1 belong to dinosaur family
! Use Apple provided Standard Libraries
Injections (SQL, XSS)
! sanitize, scrutinize, encode, validate inputs
! Not just on App, on the server side as well
! Use prepared SQL statements
Transport Layer protection
! Never call setAllowsAnyHTTPSCertificate:forHost: (private API that disables certificate validation)
! Review every use of NSURL, writeToURL:, NSURLConnection, CFStream, NSStream
! Do not redirect to http from connection:didFailWithError:
Fail safe on SSL error: implement the connection:didFailWithError: delegate method and abort the request
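The transport-layer points above, as an added Objective-C example that is not part of the original slides: an NSURLConnection delegate that keeps the system's certificate validation, rejects any server trust that fails SecTrustEvaluate, and fails closed in connection:didFailWithError: instead of retrying over plain http. The class name SecureFetcher and the lastError property are assumptions.

```objective-c
// Added example (not from the slides). Assumed class name: SecureFetcher.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface SecureFetcher : NSObject <NSURLConnectionDelegate, NSURLConnectionDataDelegate>
@property (nonatomic, strong) NSMutableData *body;   // response bytes, nil after a failure
@property (nonatomic, strong) NSError *lastError;    // kept instead of NSLog to avoid log leakage
@end

@implementation SecureFetcher

- (void)fetch:(NSURL *)url {
    // No setAllowsAnyHTTPSCertificate:forHost: anywhere: the system performs
    // full chain validation against the device trust store.
    self.body = [NSMutableData data];
    self.lastError = nil;
    NSURLRequest *req = [NSURLRequest requestWithURL:url];
    [[NSURLConnection alloc] initWithRequest:req delegate:self startImmediately:YES];
}

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Evaluate the presented chain; only Unspecified/Proceed count as trusted.
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(space.serverTrust, &result);
        BOOL trusted = (status == errSecSuccess) &&
            (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
        if (trusted) {
            NSURLCredential *cred = [NSURLCredential credentialForTrust:space.serverTrust];
            [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
        } else {
            // Reject: never hand an unevaluated trust back as a credential.
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}

- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    // Fail safe: discard partial data and record the error for the caller.
    // Do NOT build a new request with an http:// URL here.
    self.body = nil;
    self.lastError = error;
}

- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
    [self.body appendData:data];
}
@end
```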
Xcode and Static Analysis
Custom Static Analysis
! Clang Static Analyzer
! https://github.com/facebook/facebook-clang-plugins
! http://clang-analyzer.llvm.org/xcode.html
! I am writing a few plugins and will share them on GitHub soon
Bible
! https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html
Questions?
Krutin Karia
Intuit
krutin@gmail.com
References:
iOS hackers handbook, OWASP Mobile Top 10, Apple Docs