Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the...
Transcript of Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the...
![Page 1: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/1.jpg)
Data transfer security for mobile apps
what the fish doesn’t notice in the ocean? 🐟
#mddaylviv2015 @vixentael
![Page 2: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/2.jpg)
There ain’t enough talks about security
![Page 3: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/3.jpg)
Apple Security Guide:
"Every program is a potential target. Your customers’ property and your reputation are at stake."
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
data transfer security for mobile apps #mddaylviv2015 @vixentael
![Page 4: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/4.jpg)
3 kinds of data to protect
Data in storage
Data in memory
Data in motion
![Page 5: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/5.jpg)
Data in motion: what could possibly go wrong
![Page 6: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/6.jpg)
Communication with server. Usually.
![Page 7: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/7.jpg)
Imagine little fish...
![Page 8: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/8.jpg)
...in the ocean of threats
![Page 9: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/9.jpg)
...in the ocean of threats:
* active eavesdropping
* data leakage
* evil twin
* replay attack
![Page 10: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/10.jpg)
One proxy to rule ‘em all!
* SSL experimenting with Android Top100 apps http://bit.ly/1NqpheM
* Intercepting the App Store's Traffic on iOS http://bit.ly/1H3xMrs
![Page 13: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/13.jpg)
Attack reasons
Many apps use HTTP*
Some apps use HTTPS
Few apps encrypt user’s data
* iOS 9 ATS will decrease this number
![Page 14: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/14.jpg)
Why is this happening?
![Page 15: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/15.jpg)
1. Security is hard.
STACKOVERFLOW!
![Page 16: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/16.jpg)
Let’s StackOverflow!
http://stackoverflow.com/a/21826729
![Page 17: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/17.jpg)
Weird padding
http://stackoverflow.com/a/21826729
![Page 18: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/18.jpg)
2. Software is buggy
![Page 19: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/19.jpg)
Remove padding!
http://stackoverflow.com/a/26147479
![Page 20: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/20.jpg)
Omg WTF is going on
http://stackoverflow.com/a/26147479
![Page 21: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/21.jpg)
3. Illusion of safety is still an illusion

```objc
// Hard-coded credential shipped inside the binary: anyone with the app has it
#define kUserPassword @"1111111"
```
![Page 22: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/22.jpg)
Armoring your fish
![Page 23: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/23.jpg)
Realize security risks
![Page 24: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/24.jpg)
Amateurs Produce Amateur Cryptography
Anyone can invent a security system
that he himself cannot break
— Schneier's Law, https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
![Page 25: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/25.jpg)
Do not re-implement existing things
![Page 26: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/26.jpg)
Security is a system, not a pluggable library
![Page 28: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/28.jpg)
Build stout architecture:
* cryptolib
* key management
![Page 29: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/29.jpg)
Use great tools
Themis https://github.com/cossacklabs/themis
RNCryptor https://github.com/RNCryptor/RNCryptor
MIHCrypto https://github.com/hohl/MIHCrypto
OTRKit https://github.com/ChatSecure/OTRKit
libsodium/NaCL https://github.com/mochtu/libsodium-ios
What to look for: scientific background, trust big guys, good track record
![Page 30: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/30.jpg)
![Page 31: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/31.jpg)
Use SSL? Do it right!
SSL has a lot of problems: https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
To survive you need to:
✤ use long keys
✤ remove backward compatibility
✤ use good ciphers (EC vs RSA)
✤ SSL pinning
✤ use cheat sheet: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
![Page 32: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/32.jpg)
TLS/SSL in short
![Page 33: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/33.jpg)
Where can it break?
![Page 34: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/34.jpg)
SSL pinning
![Page 35: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/35.jpg)
SSL pinning on iOS
https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/
https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/

```objc
// Certificate pinning in the NSURLConnection delegate: the server's leaf certificate
// is compared byte-for-byte with "MyLocalCertificate.cer" bundled in the app.
- (void)connection:(NSURLConnection *)connection
        willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    id<NSURLAuthenticationChallengeSender> sender = challenge.sender;
    // Index 0 is the leaf certificate the server presented
    SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
    NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
    NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
    if ([remoteCertificateData isEqualToData:localCertData]) {
        // Exact match with the pinned certificate: accept the server trust
        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
        [sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        // Mismatch: abort the connection rather than falling back to default trust
        [sender cancelAuthenticationChallenge:challenge];
    }
}
```
![Page 36: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/36.jpg)
SSL pinning made easier :)
Swift lib for HTTPS with SSL pinning: https://github.com/johnlui/Pitaya/wiki

```swift
// Load the pinned certificate bundled with the app (file name as shown on the slide)
let certData = NSData(contentsOfFile:
    NSBundle.mainBundle().pathForResource("lvwenhancom", ofType: "cer")!)!
...
// The closure runs when the server certificate does not match the pinned one
.addSSLPinning(LocalCertData: certData) { () -> Void in
    print("Under Man-in-the-middle attack!")
}
```
![Page 37: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/37.jpg)
How to achieve the solution
![Page 38: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/38.jpg)
Let’s imagine a chatting app:
* simple API
* authentication
* meaningful communication
* confidentiality
* thread
![Page 40: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/40.jpg)
Securing app step by step
1. HTTPS everywhere
----> SSL/TLS has lots of bugs and bad crypto
2. SSL pinning
----> is not a panacea
3. Encrypt messages by persistent keys
----> can be easily cracked
![Page 41: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/41.jpg)
![Page 42: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/42.jpg)
Securing in a more proper way
perfect forward secrecy
use good ciphers
![Page 43: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/43.jpg)
Using ephemeral key
![Page 44: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/44.jpg)
How to achieve it easily
https://github.com/cossacklabs/themis
1. establish session
2. encrypt message with SecureSession before sending
3. decrypt message after receive
4. encrypt history with SecureCell
![Page 45: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/45.jpg)
How to achieve it easily
https://github.com/cossacklabs/mobile-websocket-example
![Page 46: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/46.jpg)
Security is hard, but if you’re smart, security is not so hard :)
![Page 47: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/47.jpg)
The last slide
@vixentael, iOS developer at stanfy.com [creating awesome mobile and IoT apps]
![Page 48: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/48.jpg)
To read
★ CryptoCat iOS app security audit
https://nabla-c0d3.github.io/documents/iSEC_Cryptocat_iOS.pdf
★ Why you should avoid SSL for your next application
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
★ OAuth1, OAuth2, OAuth...?
http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html
![Page 49: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/49.jpg)
To watch (YouTube)
★ All talks of Moxie Marlinspike
https://www.youtube.com/watch?v=ibF36Yyeehw
https://www.youtube.com/watch?v=8N4sb-SEpcg
https://www.youtube.com/watch?v=tOMiAeRwpPA
![Page 50: Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: what the fish doesn’t notice in the ocean?"](https://reader031.fdocuments.us/reader031/viewer/2022030307/58ebf09b1a28abf24c8b45d1/html5/thumbnails/50.jpg)
To read more slides
★ Securing iOS apps
https://speakerdeck.com/mbazaliy/securing-ios-applications
★ Users' data security in iOS applications
https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
★ Reversing 101
https://speakerdeck.com/0xc010d/reversing-101