iOS security essentials

Post on 11-Jun-2015


iOS developers need a kickstart on best practices for secure coding. Not many tools are available for static analysis; this might be a good start. I presented this as part of the iOS developer meetup at Bangalore in Sep 2014.

Transcript of iOS security essentials

iOS Security Essentials Krutin Karia

Developer/Ethical Hacker

Mobile Threats

iOS hacked?

iOS Sandboxing

iOS Top Risks

!   Local Data Storage

!   Data Leakage

!   Authorization & Authentication

!   Crypto (Broken)

!   Injections (SQL, XSS)

!   Transport Layer Protection

Insecure Data Storage

!   /tmp, /var/tmp, /Library/Caches

! NSUserDefaults, Plist

! CoreData, Plain text files, xml, json

!   SQLite

USE Keychain for sensitive data & use standard Crypto
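The slide contrasts NSUserDefaults/plist storage with the Keychain. The following Objective-C is an added example (not code from the deck): it shows the insecure NSUserDefaults write beside a Keychain generic-password item that is only readable while the device is unlocked and is not migrated through backups. The service name and account are placeholders.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder service identifier; use your own bundle-scoped name.
static NSString * const kTokenService = @"com.example.myapp.session";

// INSECURE: NSUserDefaults is a plain plist under Library/Preferences,
// readable from an unencrypted backup or a jailbroken device.
void storeTokenInsecurely(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"sessionToken"];
}

// The attributes that identify our item in the Keychain.
static NSMutableDictionary *tokenQuery(NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kTokenService,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// SECURE: the OS encrypts the item; it is available only while the device is
// unlocked and is bound to this device (not restored onto another one).
BOOL storeToken(NSString *token, NSString *account) {
    NSMutableDictionary *query = tokenQuery(account);
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any earlier value
    query[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    query[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)query, NULL) == errSecSuccess;
}

NSString *loadToken(NSString *account) {
    NSMutableDictionary *query = tokenQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the item on logout so the credential does not outlive the session.
BOOL deleteToken(NSString *account) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)tokenQuery(account));
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

The accessibility class is the important choice: `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` keeps the item out of backups that could be restored elsewhere, while the default `kSecAttrAccessibleWhenUnlocked` would travel with an encrypted backup.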

Data Leakage

!   Backgrounding

!   /Users/Applications/{UDID}/Library/Caches/Snapshots/

!   URL Schemes

!   Application Cache

!   Browser Cache

!   Application Logs

!   App Strings

try this: otool -arch armv7 -v -s __TEXT __cstring myapp

Data Leakage

!   use applicationDidEnterBackground to obscure snapshots

!   Careful with use of URLSchemes, NSFile, writeToFile, NSLog

!   Do not store sensitive information in code, do not hardcode access tokens (Like AWS secret keys, API auth tokens)
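The two mitigations on this slide, covering the window before the system takes its task-switcher snapshot and keeping NSLog out of release builds, are shown together in the following Objective-C. This is an added example, not code from the deck; the `privacyCover` property and `SecureLog` macro are names chosen here.

```objc
#import <UIKit/UIKit.h>

// NSLog output ends up in the device console and in crash reports, so it is
// compiled out of release builds entirely instead of being filtered at runtime.
#ifdef DEBUG
#define SecureLog(fmt, ...) NSLog((@"%s " fmt), __PRETTY_FUNCTION__, ##__VA_ARGS__)
#else
#define SecureLog(...) do {} while (0)
#endif

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *privacyCover;   // assumed property name
@end

@implementation AppDelegate

// The system captures the snapshot used by the task switcher after this method
// returns, so whatever is on screen now is what gets written to Library/Caches/Snapshots.
// Covering the window means the cached image contains no app content.
- (void)applicationDidEnterBackground:(UIApplication *)application {
    if (self.privacyCover) return;
    UIView *cover = [[UIView alloc] initWithFrame:self.window.bounds];
    cover.backgroundColor = [UIColor whiteColor];
    cover.autoresizingMask = UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight;
    [self.window addSubview:cover];
    self.privacyCover = cover;
    SecureLog(@"privacy cover installed");   // debug builds only
}

// Remove the cover as soon as the app is coming back to the foreground.
- (void)applicationWillEnterForeground:(UIApplication *)application {
    [self.privacyCover removeFromSuperview];
    self.privacyCover = nil;
}

@end
```

For a text field that holds a secret, the same idea applies with less work: clearing or hiding the field in `applicationDidEnterBackground:` is enough, since only the visible content matters for the snapshot.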

Authorization & Authentication

!   Check api manual for best use cases

!   Avoid local authentication

!   Do not cache credentials

!   If you absolutely must store credentials locally, encrypt them with standard crypto

!   No Authorization using openUrl, handleOpenURL

Crypto

!   Never ever write your own Crypto

!   Base64, MD5, and even SHA1 belong to dinosaur family

!   Use Apple provided Standard Libraries
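The slide's advice is to use the platform libraries rather than rolling your own. The following Objective-C is an added example (not code from the deck) of what that looks like with CommonCrypto: PBKDF2-HMAC-SHA256 to derive keys from a passphrase, AES-256-CBC with a random IV, and HMAC-SHA256 over the result (encrypt-then-MAC), with a constant-time tag comparison on the way back. The output layout and the iteration count are choices made here, not anything the deck specifies.

```objc
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/SecRandom.h>

static const uint32_t kPBKDF2Rounds = 100000;   // assumed; tune to ~100 ms on target devices
static const NSUInteger kSaltLen = 16;

// Derive 64 bytes: the first 32 are the AES-256 key, the last 32 the HMAC key.
static NSData *deriveKey(NSString *passphrase, NSData *salt) {
    NSMutableData *key = [NSMutableData dataWithLength:kCCKeySizeAES256 + CC_SHA256_DIGEST_LENGTH];
    NSData *pw = [passphrase dataUsingEncoding:NSUTF8StringEncoding];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, pw.bytes, pw.length, salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256, kPBKDF2Rounds, key.mutableBytes, key.length);
    return rc == kCCSuccess ? key : nil;
}

// Cryptographically secure random bytes (never arc4random_uniform or rand for keys/IVs).
static NSData *randomBytes(NSUInteger count) {
    NSMutableData *d = [NSMutableData dataWithLength:count];
    return SecRandomCopyBytes(kSecRandomDefault, count, d.mutableBytes) == 0 ? d : nil;
}

// Output layout: salt(16) || iv(16) || ciphertext || hmac(32)
NSData *sealData(NSData *plaintext, NSString *passphrase) {
    NSData *salt = randomBytes(kSaltLen), *iv = randomBytes(kCCBlockSizeAES128);
    NSData *key = (salt && iv) ? deriveKey(passphrase, salt) : nil;
    if (!key) return nil;
    NSMutableData *ct = [NSMutableData dataWithLength:plaintext.length + kCCBlockSizeAES128];
    size_t outLen = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 key.bytes, kCCKeySizeAES256, iv.bytes,
                                 plaintext.bytes, plaintext.length,
                                 ct.mutableBytes, ct.length, &outLen);
    if (st != kCCSuccess) return nil;
    ct.length = outLen;
    NSMutableData *out = [NSMutableData dataWithData:salt];
    [out appendData:iv];
    [out appendData:ct];
    unsigned char mac[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, (const uint8_t *)key.bytes + kCCKeySizeAES256,
           CC_SHA256_DIGEST_LENGTH, out.bytes, out.length, mac);
    [out appendBytes:mac length:sizeof mac];
    return out;
}

NSData *openData(NSData *sealed, NSString *passphrase) {
    const NSUInteger hdr = kSaltLen + kCCBlockSizeAES128, macLen = CC_SHA256_DIGEST_LENGTH;
    if (sealed.length < hdr + macLen) return nil;
    NSData *salt = [sealed subdataWithRange:NSMakeRange(0, kSaltLen)];
    NSData *iv = [sealed subdataWithRange:NSMakeRange(kSaltLen, kCCBlockSizeAES128)];
    NSData *key = deriveKey(passphrase, salt);
    if (!key) return nil;
    NSUInteger bodyLen = sealed.length - macLen;
    unsigned char mac[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, (const uint8_t *)key.bytes + kCCKeySizeAES256, macLen,
           sealed.bytes, bodyLen, mac);
    // Constant-time comparison: do not leak how many tag bytes matched.
    const unsigned char *given = (const unsigned char *)sealed.bytes + bodyLen;
    unsigned char diff = 0;
    for (NSUInteger i = 0; i < macLen; i++) diff |= mac[i] ^ given[i];
    if (diff != 0) return nil;   // tampered or wrong passphrase: refuse before decrypting
    NSUInteger ctLen = bodyLen - hdr;
    NSMutableData *pt = [NSMutableData dataWithLength:ctLen + kCCBlockSizeAES128];
    size_t outLen = 0;
    CCCryptorStatus st = CCCrypt(kCCDecrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 key.bytes, kCCKeySizeAES256, iv.bytes,
                                 (const uint8_t *)sealed.bytes + hdr, ctLen,
                                 pt.mutableBytes, pt.length, &outLen);
    if (st != kCCSuccess) return nil;
    pt.length = outLen;
    return pt;
}
```

Verifying the MAC before touching the ciphertext is what keeps CBC with PKCS7 padding from acting as a padding oracle; that ordering is the point of encrypt-then-MAC and is why the decrypt path returns nil before calling CCCrypt.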

Injections (SQL, XSS)

!   sanitize, scrutinize, encode, validate inputs

!   Not just on App, on the server side as well

!   Use prepared SQL statements
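The prepared-statement point, as an added Objective-C example against the sqlite3 C API (not code from the deck). The in-memory table and its two rows are constructed here for the demonstration; the vulnerable `rolesForNameInsecure` and the bound `rolesForName` run the same query text through the same helper, so the only difference is whether the user-supplied value is pasted into the SQL or bound to a placeholder.

```objc
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// Runs a single-column SELECT and returns the rows; binds `param` to the first
// placeholder when one is supplied.
static NSArray *runQuery(sqlite3 *db, NSString *sql, NSString *param) {
    NSMutableArray *rows = [NSMutableArray array];
    sqlite3_stmt *stmt = NULL;
    if (sqlite3_prepare_v2(db, sql.UTF8String, -1, &stmt, NULL) != SQLITE_OK) return nil;
    if (param) sqlite3_bind_text(stmt, 1, param.UTF8String, -1, SQLITE_TRANSIENT);
    while (sqlite3_step(stmt) == SQLITE_ROW) {
        const unsigned char *text = sqlite3_column_text(stmt, 0);
        [rows addObject:text ? @((const char *)text) : [NSNull null]];
    }
    sqlite3_finalize(stmt);
    return rows;
}

// Constructed in-memory database for the example.
sqlite3 *openDemoDatabase(void) {
    sqlite3 *db = NULL;
    if (sqlite3_open(":memory:", &db) != SQLITE_OK) return NULL;
    const char *ddl = "CREATE TABLE users(name TEXT, role TEXT);"
                      "INSERT INTO users VALUES('alice','admin');"
                      "INSERT INTO users VALUES('bob','user');";
    if (sqlite3_exec(db, ddl, NULL, NULL, NULL) != SQLITE_OK) { sqlite3_close(db); return NULL; }
    return db;
}

// INSECURE: the untrusted value becomes part of the SQL text, so a quote
// character in `name` changes the structure of the statement.
NSArray *rolesForNameInsecure(sqlite3 *db, NSString *name) {
    NSString *sql = [NSString stringWithFormat:@"SELECT role FROM users WHERE name = '%@'", name];
    return runQuery(db, sql, nil);
}

// SECURE: the statement is compiled once with a placeholder and the value is
// bound as data; whatever it contains is compared as a string, never parsed.
NSArray *rolesForName(sqlite3 *db, NSString *name) {
    return runQuery(db, @"SELECT role FROM users WHERE name = ?", name);
}
```

The same rule holds for FMDB or Core Data predicates: pass values through the library's argument binding (`executeQuery:withArgumentsInArray:`, `predicateWithFormat:` arguments) rather than formatting them into the query string yourself.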

Transport Layer protection

!   Do not use setAllowsAnyHTTPSCertificate (it disables certificate validation)

!   Review every use of NSURL, writeToURL:, NSURLConnection, CFStream, NSStream

!   Do not fall back to plain http from connection:didFailWithError:

Fail safe on SSL error: implement the connection:didFailWithError: delegate method
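The following Objective-C is an added example (not code from the deck) of an NSURLConnection delegate that fails closed on TLS errors and additionally pins the server's leaf certificate to a copy shipped in the bundle. The class name and the `server.der` resource name are assumptions; the delegate only accepts the connection when both the system trust evaluation succeeds and the leaf certificate matches the pinned bytes.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate, NSURLConnectionDataDelegate>
@property (strong, nonatomic) NSData *pinnedCertificate;   // DER bytes of the expected leaf cert
@property (strong, nonatomic) NSMutableData *body;
@end

@implementation PinnedConnectionDelegate

- (instancetype)init {
    if ((self = [super init])) {
        // Assumed resource: server.der bundled with the app.
        NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
        _pinnedCertificate = [NSData dataWithContentsOfFile:path];
        _body = [NSMutableData data];
    }
    return self;
}

// Run the normal trust evaluation AND compare the leaf certificate to the pinned copy.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if (![method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL trusted = SecTrustEvaluate(trust, &result) == errSecSuccess &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    BOOL pinned = NO;
    if (trusted && self.pinnedCertificate && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafData = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        pinned = [leafData isEqualToData:self.pinnedCertificate];
    }
    if (trusted && pinned) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: no "allow any certificate", no retry over http.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
    [self.body appendData:data];
}

// The "fail safe" handler from the slide: a TLS failure ends the request.
// Surface a generic error to the user; do not retry the same URL over http.
- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    self.body = nil;
}

@end
```

Pinning the leaf certificate means every certificate rotation on the server needs an app update; pinning the public key or the issuing CA instead trades some of that rigidity for a wider trust set, and which one fits depends on who controls the server.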

Xcode and Static Analysis


Custom Static Analysis

!   Clang Static Analyzer

! https://github.com/facebook/facebook-clang-plugins

! http://clang-analyzer.llvm.org/xcode.html

!   I am writing a few plugins and will share them on GitHub soon

Bible

! https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html

Questions?

Krutin Karia

Intuit

krutin@gmail.com

References:

iOS hackers handbook, OWASP Mobile Top 10, Apple Docs