Creando aplicaciones más seguras para iPhone/iPad
Norberto Ortigoza
Tuesday, July 9, 13
iOS
Creating Secure Applications
Norberto OrtigozaiOS/OS X Instructor
Tuesday, July 9, 13
iOS
Creating Secure Applications
Norberto OrtigozaiOS/OS X Instructor
Tuesday, July 9, 13
Why are you here?
Avoid the consequences of security issues
Realize that security is complicated
Determine optimal ways to prevent security issues
Tuesday, July 9, 13
Content
• Hacking Tools
• iOS Security Technologies
• Myths about Security
• Common Mistakes
Tuesday, July 9, 13
Hacking Tools
Tuesday, July 9, 13
Hacking Tools
• ps, nice, lsof, tcpdump, ifcon!g, route, netstat and sysctl
Tuesday, July 9, 13
Hacking Tools
• ps, nice, lsof, tcpdump, ifcon!g, route, netstat and sysctl
• otool, nm, gdb/lldb, class-dump, apple developer tools, Cycript
Tuesday, July 9, 13
Hacking Tools
• ps, nice, lsof, tcpdump, ifcon!g, route, netstat and sysctl
• otool, nm, gdb/lldb, class-dump, apple developer tools, Cycript
• iphone-dataprotection
Tuesday, July 9, 13
iOS Security Technologies
Tuesday, July 9, 13
Sandboxing
Tuesday, July 9, 13
Keychain
Tuesday, July 9, 13
Data Protection
Tuesday, July 9, 13
CommonCrypto
3DES
Key derivation functions (KDFs) SHA
AES
Tuesday, July 9, 13
Myths
Tuesday, July 9, 13
Certi!cations mean a device is secure and can be trusted (FIPS 140-2)
Myth #1
Tuesday, July 9, 13
Depending on a central set of manufacturer’s security mechanisms improves the overall security
Myth #2
Tuesday, July 9, 13
The iOS File system encryption prevents data on the device from being stolen
Myth #3
Tuesday, July 9, 13
If an application implements encryption securely, data cannot be recovered from the device
Myth #4
Tuesday, July 9, 13
Remote wipe and data erasure features will protect your data in the event of a theft
Myth #5
Tuesday, July 9, 13
Applications can securely manage access control and enforce process rules
Myth #6
Tuesday, July 9, 13
Case Study
Tuesday, July 9, 13
Case Study
@interface DTPinLockController : XXUnknownSuperclass <UITextFieldDelegate> { int mode; NSArray *pins; UITextField *hiddenTextField; BOOL first; NSString *pin; unsigned numberOfDigits;}
@property(retain, nonatomic) NSString* pin;@property(retain, nonatomic) unsigned numberOfDigits;- (void)pinLockControllerDidFinishUnloking;
@end
Tuesday, July 9, 13
Common Mistakes
Tuesday, July 9, 13
Storing the key with the lock
Mistake #1
Tuesday, July 9, 13
Unencrypted Application Data
Mistake #2
Tuesday, July 9, 13
Failure to use one-way hashes for passwords
Mistake #3
Tuesday, July 9, 13
Relying on logic checks, instead of enforcing security with encryption
Mistake #4
Tuesday, July 9, 13
Relying on Application-level policy enforcement
Mistake #5
Tuesday, July 9, 13
Failing to marry data encryption keys to a user passphrase
Mistake #6
Tuesday, July 9, 13
Case Study
Tuesday, July 9, 13
Case Study@interface SharedConfiguration { NSMutableDictionary* applicationData; NSMutableDictionary* currentTransaction; NSMutableArray *transactionsList; NSString *merchant;}...
data = [SharedConfiguration sharedConfiguration];data.applicationData.AccountInformation;{ securityQuestion: “What is the name of the city you were born in?”, securityAnswer: “New York City”, rpnumber: “12345”, terminalID: “1234”, gpsLatitude: “40.XXXXXXXXX”, gpsLongitude: “80.XXXXXXXXX”, merchantID: “1234567890123”, merchantUserName: “username”, merchantPassword: “password”, applicationPassword: “49283”}
Tuesday, July 9, 13
Summary
• Password strength
• Use Master passwords
• Random password generators
• Hash functions
• Server validation
• Hacking tools
Tuesday, July 9, 13
Q&A
Tuesday, July 9, 13
Contact Information
Norberto [email protected]://www.hiphoox.comTwitter: @hiphoox
CocoaHeads Grouphttp://www.cocoaheads.org/mx/MexicoCity/index.htmlTwitter: @cocoaheadsmx
Tuesday, July 9, 13
BooksHacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It
Mac OS X and iOS Internals: To the Apple's Core
Apple Coding Guidehttps://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
iPhone-dataprotectionhttp://code.google.com/p/iphone-dataprotection
References
Tuesday, July 9, 13
