Creando aplicaciones más seguras para iPhone/iPad

Norberto Ortigoza

Tuesday, July 9, 13

iOS

Creating Secure Applications

Norberto OrtigozaiOS/OS X Instructor

Tuesday, July 9, 13

iOS

Creating Secure Applications

Norberto OrtigozaiOS/OS X Instructor

Tuesday, July 9, 13

Why are you here?

Avoid the consequences of security issues

Realize that security is complicated

Determine optimal ways to prevent security issues

Tuesday, July 9, 13

Content

• Hacking Tools

• iOS Security Technologies

• Myths about Security

• Common Mistakes

Tuesday, July 9, 13

Hacking Tools

Tuesday, July 9, 13

Hacking Tools

• ps, nice, lsof, tcpdump, ifcon!g, route, netstat and sysctl

Tuesday, July 9, 13

Hacking Tools

• ps, nice, lsof, tcpdump, ifcon!g, route, netstat and sysctl

• otool, nm, gdb/lldb, class-dump, apple developer tools, Cycript

Tuesday, July 9, 13

Hacking Tools

• ps, nice, lsof, tcpdump, ifcon!g, route, netstat and sysctl

• otool, nm, gdb/lldb, class-dump, apple developer tools, Cycript

• iphone-dataprotection

Tuesday, July 9, 13

iOS Security Technologies

Tuesday, July 9, 13

Sandboxing

Tuesday, July 9, 13

Keychain

Tuesday, July 9, 13

Data Protection

Tuesday, July 9, 13

CommonCrypto

3DES

Key derivation functions (KDFs) SHA

AES

Tuesday, July 9, 13

Myths

Tuesday, July 9, 13

Certi!cations mean a device is secure and can be trusted (FIPS 140-2)

Myth #1

Tuesday, July 9, 13

Depending on a central set of manufacturer’s security mechanisms improves the overall security

Myth #2

Tuesday, July 9, 13

The iOS File system encryption prevents data on the device from being stolen

Myth #3

Tuesday, July 9, 13

If an application implements encryption securely, data cannot be recovered from the device

Myth #4

Tuesday, July 9, 13

Remote wipe and data erasure features will protect your data in the event of a theft

Myth #5

Tuesday, July 9, 13

Applications can securely manage access control and enforce process rules

Myth #6

Tuesday, July 9, 13

Case Study

Tuesday, July 9, 13

Case Study

@interface DTPinLockController : XXUnknownSuperclass <UITextFieldDelegate> { int mode; NSArray *pins; UITextField *hiddenTextField; BOOL first; NSString *pin; unsigned numberOfDigits;}

@property(retain, nonatomic) NSString* pin;@property(retain, nonatomic) unsigned numberOfDigits;- (void)pinLockControllerDidFinishUnloking;

@end

Tuesday, July 9, 13

Common Mistakes

Tuesday, July 9, 13

Storing the key with the lock

Mistake #1

Tuesday, July 9, 13

Unencrypted Application Data

Mistake #2

Tuesday, July 9, 13

Failure to use one-way hashes for passwords

Mistake #3

Tuesday, July 9, 13

Relying on logic checks, instead of enforcing security with encryption

Mistake #4

Tuesday, July 9, 13

Relying on Application-level policy enforcement

Mistake #5

Tuesday, July 9, 13

Failing to marry data encryption keys to a user passphrase

Mistake #6

Tuesday, July 9, 13

Case Study

Tuesday, July 9, 13

Case Study@interface SharedConfiguration { NSMutableDictionary* applicationData; NSMutableDictionary* currentTransaction; NSMutableArray *transactionsList; NSString *merchant;}...

data = [SharedConfiguration sharedConfiguration];data.applicationData.AccountInformation;{ securityQuestion: “What is the name of the city you were born in?”, securityAnswer: “New York City”, rpnumber: “12345”, terminalID: “1234”, gpsLatitude: “40.XXXXXXXXX”, gpsLongitude: “80.XXXXXXXXX”, merchantID: “1234567890123”, merchantUserName: “username”, merchantPassword: “password”, applicationPassword: “49283”}

Tuesday, July 9, 13

Summary

• Password strength

• Use Master passwords

• Random password generators

• Hash functions

• Server validation

• Hacking tools

Tuesday, July 9, 13

Q&A

Tuesday, July 9, 13

Contact Information

Norberto Ortigozanorberto.ortigoza@gmail.comhttp://www.hiphoox.comTwitter: @hiphoox

CocoaHeads Grouphttp://www.cocoaheads.org/mx/MexicoCity/index.htmlTwitter: @cocoaheadsmx

Tuesday, July 9, 13

BooksHacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It

Mac OS X and iOS Internals: To the Apple's Core

Apple Coding Guidehttps://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html

iPhone-dataprotectionhttp://code.google.com/p/iphone-dataprotection

References

Tuesday, July 9, 13