building user-centric security model in ios apps
TRANSCRIPT
Building user-centric security model
in iOS apps
#eatdog @vixentael
#eatdog @vixentael
Why we should think more about security?
Users trust Apple platform Users trust us
Why we should think more about security?
#eatdog @vixentael
Security talks focus on details,
instead of telling the base principles
#eatdog @vixentael
#eatdog @vixentael
abstract app in a vacuum
#eatdog @vixentael
security is set of ultimatum rules
security
abstract app in a vacuum
#eatdog @vixentael
security is set of ultimatum rules
abstract app in a vacuum
real apps,
real
ecosystems
#eatdog @vixentael
App FlowApp
FeaturesCode
User Problem
Risk Threat Model
Secure Methods
Secure Implemen-
tations
Libs/ Code
App FlowApp
FeaturesCode
User Problem
#eatdog @vixentael
It is secure
#eatdog @vixentael
It is secure against certain threat model and adversary
It is secure
#eatdog @vixentael
https://twitter.com/mubix/status/745403991475904513#eatdog @vixentael
Risk Model & Threat Model create demands
for security
#eatdog @vixentael
Real world risks
Data leak/ data tampering
Reputation risks
Legal responsibility
Financial damage
#eatdog @vixentael
Risk impactData is used/sold by someone
Data is tampered and you’re operating on adversary’s plan
Identity/auth is used elsewhere
DL DT
data leakage
data tampering
identity theft
Risk preventiondata leakage
data tampering
identity theft
confidentiality (secrecy)
integrity
authentication#eatdog @vixentael
- Encryption w/ secret or PKC - Limit access
- Signed encryption - Protected transport with trust
and integrity
- Authenticated encryption - Action authentication
Risk prevention (for us)confidentiality
(secrecy)
integrity
authentication#eatdog @vixentael
Encryption is letting only those who know the secret to access the data,
no matter how they alter the code or the system
(read Kerckhoffs's desideratum)
#eatdog @vixentael
Trust model is whose secrets you trust
in a security system
#eatdog @vixentael
Everything is broken
#eatdog @vixentael
Trust no one, but the user
Risks
Trust model
Threat model
Methods and instruments
#eatdog @vixentael
Now let’s apply this to the real app
#eatdog @vixentael
secret dataparanoia
pa55w0rd
#eatdog @vixentael
trust
What user has?
for saving your important docs during trips
Let’s make an app!
Take pictures of important documents
App functionality
Store them on serverLets user see them
#eatdog @vixentael
Architecture and flow
#eatdog @vixentael
user app network server storage
#eatdog @vixentael
T2 T3passive MitM active MitM
T1/T4 data loss/tampering
Threats we can handle
More complicated..
#eatdog @vixentael
T2 T3passive MitM active MitM
T1/T4 data loss/tampering
T5verbal key leak
T6phishing / social
engineering
T7rubber-hose
cryptanalysis
T8
satellite imaging
of sensitive input
T9 EM emissions
T10sandbox escaping
T11misconfiguration
T12random generator
abuseT13
random generator abuse
T14EM emissions and
physical side channel
T15
physical access
T16
malicious dependency
T17 misconfigured access
T18 unattended backups
T19 storing keys with data
T20 weak cipher
random generator abuse
T21
#eatdog @vixentael
Back to threats we can handle
T2 T3passive MitM active MitM
T1/T4 data loss/tampering
#eatdog @vixentael
Threats: T1/T4attacker steals stored data or tampers it
attacker steals stored data or tampers it
Threats: T1/T4
Secret Key Crypto
Protection
Symmetric crypto for storing data. If user has no secret, he can’t read or change
data.#eatdog @vixentael
#eatdog @vixentael
Threats: T2attacker captures network traffic (passive MitM)
Threats: T2attacker captures network traffic (passive MitM)
Public Key Cryptography, ephemeral keys
Protection
Asymmetric crypto for sending data. Ephemeral keys to avoid decrypting accumulated traffic if
keys are leaked/cracked.#eatdog @vixentael
#eatdog @vixentael
Threats: T3attacker redirects traffic and pretends to be remote
party (active MitM)
Threats: T3attacker redirects traffic and pretends to be remote
party (active MitM)
Public Key Cryptography, certificate pinning
Protection
Asymmetric crypto for sending data. Check server certificate to make sure it matches
with pinned one.#eatdog @vixentael
Protection methods
T2 T3passive MitM active MitM
T1/T4 data loss/tampering
Secret Key
Crypto
PKC + ephem.
keys
PKC + cert.
pinning
#eatdog @vixentael
Public Key Crypto
Perfect Forward Secrecy
Secret Key Crypto
Authenticated Encryption
Certificate Pinning
Trust model
Trust the user only#eatdog @vixentael
Relationship model
plain data
symmetric encryption
PKC + eph. keys
symmetric encryption
PKC + eph. keys
ZKP ZKP#eatdog @vixentael
…what if trapdoor function fails?…what if key exchange is flawed?…what if we suspect that server is fraudulent?
#eatdog @vixentael
add more paranoia!
…what if trapdoor function fails?…what if key exchange is flawed?
add more paranoia!
…what if we suspect that server is fraudulent?
Zero Knowledge Prooffor the rescue!
#eatdog @vixentael
ZKP is comparing shared secret without transmitting it
does not require the key exchange, does not leak password
https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
#eatdog @vixentael
So, data model:Secret key (SK) = KDF(user password)
#eatdog @vixentael
Secret key (SK) = KDF(user password)
Sensitive Data (SD) — passport photoMetadata (M1) — timestamp+CRC of photoMetadata (M2) — name of photo (user inputs)
#eatdog @vixentael
So, data model:
Secret key (SK) = KDF(user password)
Sensitive Data (SD) — passport photoMetadata (M1) — timestamp+CRC of photoMetadata (M2) — name of photo (user inputs)
Mobile Key Pair (MKP) — private+public keys gen. inside app.
Server Key Pair (SKP) — private+public keys gen. on server. App pins Server Public Key.
#eatdog @vixentael
So, data model:
Pwd
Key + Data model
#eatdog @vixentael
SDM1
M2 MKP SKP
SK
Pwd
MKP SKP
SK symmetric encryption
PKC + eph. keys
PKC + eph. keysRand
KDF()
Rand
User-centric trust
#eatdog @vixentael
App Flows
#eatdog @vixentael
Crypto primitives*Symmetric crypto SCell
Asymmetric crypto based on ephemeral keys
SSession
SComparator ZKP implementation
#eatdog @vixentael
*based on Themis crypto libhttps://github.com/cossacklabs/themis
2. Store EncData, M1, M2 in Local Store 3. Drop SD, SK from memory
prepare data
#eatdog @vixentael
1. Encrypt photo EncData = SCell_wrap(SD, SK, Context=M2)
Send photo to server
2. Store EncData, M1, M2 in Local Store 3. Drop SD, SK from memory
prepare data
transfer data
#eatdog @vixentael
4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP)) 5. Send EncData, M1, M2 via Session
1. Encrypt photo EncData = SCell_wrap(SD, SK, Context=M2)
Send photo to server
Send photo to server1. Encrypt photo EncData = SCell_wrap(SD, SK, Context=M2)
6. Receive OK 7. Terminate Session 8. Mark EncData in Local Store as Synced
2. Store EncData, M1, M2 in Local Store 3. Drop SD, SK from memory
4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP)) 5. Send EncData, M1, M2 via Session
prepare data
transfer data
terminate session
Send photo to server1. Encrypt photo EncData = SCell_wrap(SD, SK, Context=M2)
6. Receive OK 7. Terminate Session 8. Mark EncData in Local Store as Synced
2. Store EncData, M1, M2 in Local Store 3. Drop SD, SK from memory
4. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP)) 5. Send EncData, M1, M2 via Session
prepare data
transfer data
terminate session
1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))2. Request EncData proof via ZKP: 2.1 Send M1 2.2 Request Server to prove he has M2 by performing SComparator(M2)
initialize connection
#eatdog @vixentael
Read photo from server
1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
3. Receive EncData
2. Request EncData proof via ZKP: 2.1 Send M1 2.2 Request Server to prove he has M2 by performing SComparator(M2)
initialize connection
transfer data
#eatdog @vixentael
Read photo from server
Read photo from server1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
3. Receive EncData
2. Request EncData proof via ZKP: 2.1 Send M1 2.2 Request Server to prove he has M2 by performing SComparator(M2)
4. Request password from user 5. Decrypt data: SD = SCell_unwrap(EncData, SK, Context=M2)
initialize connection
transfer data
decrypt data
Read photo from server1. Connect to Server: Session = SSession(Priv(MKP), Pub(SKP))
3. Receive EncData
2. Request EncData proof via ZKP: 2.1 Send M1 2.2 Request Server to prove he has M2 by performing SComparator(M2)
4. Request password from user 5. Decrypt data: SD = SCell_unwrap(EncData, SK, Context=M2)
initialize connection
transfer data
decrypt data
Code samples
Generate keys
#eatdog @vixentael
// Generating EC keys guard let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC) else { print("Error occurred while initializing object keyGeneratorEC”) return }
let privateKeyEC: NSData = keyGeneratorEC.privateKey let publicKeyEC: NSData = keyGeneratorEC.publicKey
https://github.com/cossacklabs/themis/wiki/Swift-Howto
Symmetric encryption
#eatdog @vixentael
let masterKeyData: NSData = self.generateMasterKey() guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else { print("Error occurred while initializing object cellSeal", #function) return } let message: String = "All your base are belong to us!" let context: String = "For great justice"
var encryptedMessage: NSData = NSData() do { // context is optional parameter and may be ignored encryptedMessage = try cellSeal.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding), context: context.dataUsingEncoding(NSUTF8StringEncoding)) print("encryptedMessages = \(encryptedMessage)") } catch let error as NSError { print("Error occurred while encrypting \(error)", #function) return }
https://github.com/cossacklabs/themis/wiki/Swift-Howto
Symmetric decryption
#eatdog @vixentael
let masterKeyData: NSData = self.generateMasterKey() guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else { print("Error occurred while initializing object cellSeal", #function) return } let message: String = "All your base are belong to us!" let context: String = "For great justice"
do { let decryptedMessage: NSData = try cellSeal.unwrapData(encryptedMessage, context: context.dataUsingEncoding(NSUTF8StringEncoding)) let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding)! print("decryptedMessage = \(resultString)") } catch let error as NSError { print("Error occurred while decrypting \(error)", #function) return }
https://github.com/cossacklabs/themis/wiki/Swift-Howto
Initialize Session
#eatdog @vixentael
guard let clientIdData: NSData = kClientId.dataUsingEncoding(NSUTF8StringEncoding), let clientPrivateKey: NSData = NSData(base64EncodedString: kClientPrivateKey, options: .IgnoreUnknownCharacters) else { print("Error occurred during base64 encoding", #function) return }
self.transport = Transport() self.transport?.setupKeys(kServerId, serverPublicKey: kServerPublicKey) self.session = TSSession(userId: clientIdData, privateKey: clientPrivateKey, callbacks: self.transport)
https://github.com/cossacklabs/themis/wiki/Swift-Howto
Encrypt/Decrypt Session messages
#eatdog @vixentael
var encryptedMessage: NSData do { guard let wrappedMessage: NSData = try self.session?.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding)) else { print("Error occurred during wrapping message ", #function) return } encryptedMessage = wrappedMessage } catch let error as NSError { print("Error occurred while wrapping message \(error)", #function) completion(data: nil, error: error) return }
//... do { guard let decryptedMessage: NSData = try self.session?.unwrapData(data), let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding) else { throw NSError(domain: "com.example", code: -3, userInfo: nil) } completion(data: resultString, error: nil) } catch let error as NSError { print("Error occurred while decrypting message \(error)", #function) completion(data: nil, error: error) return } https://github.com/cossacklabs/themis/wiki/Swift-Howto
accumulate encrypted data
accumulate metadata DoS
Possible attacks
#eatdog @vixentael
Make it tough even more
one password per photo
Enforce app security
user inputs password every time on photo access
#eatdog @vixentael
#eatdog @vixentael
Repeated auth
D1
D2
Dn...
Received items
request ZKP(M1i)
select any Di, where Di = (EncData, M1, M2)
prove M2i
transfer Dn+1compare M2i, on success
Synced items
D1
D2
Dn...
#eatdog @vixentael
Repeated auth
Use ZKP to prove that Server has M2 from any previous
transfer
Best active MitM + hack server:
#eatdog @vixentael
The worst scenario attacks
Attacker seizes SKP from Server and pretends to be normal server by DNS spoofing or routing redirection.
Results:Accumulates useless M1, M2 and lousy EncData.
Active MitM without hacking the server:
#eatdog @vixentael
The worst scenario attacks
Attacker does not have SKP.
Results:SecureSession initialization fails. App doesn’t start transfer data to server at all.
Denial of Service:
#eatdog @vixentael
The worst scenario attacks
Attacker flood server with requests / tons of data.
Results:Server may be flooded. Monitor all the things!
Finalizing…
* hardware support (AES)
Crypto is very expensive!!11
https://www.cossacklabs.com/benchmarking-secure-comparator.html
* scripted language and questionable frameworks affect performance as much as running the expensive math, if not more
* endorse crypto everywhere to make it more cheap :)
#eatdog @vixentael
(it is not)
Apple enforces good security practices
iOS 10use HTTPS everywhere!
https://developer.apple.com/videos/play/wwdc2016/706/
http://useyourloaf.com/blog/privacy-settings-in-ios-10/
add purpose strings for accessing private data
https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
read more about Apple security care in Additional reading section
#eatdog @vixentael
drop TLS < 1.2
https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
Apple enforces good security practices
Security is a system, not a set of methods
You may need to re-read this slides when you will plan your next app
User-centric trust is simple to implement, yet almost impossible to hack
#eatdog @vixentael
Key points!
@vixentael
Lead Developer at stanfy.com
iOS contributor at Themis/
cossacklabs.com
The last slide
My other security talks
https://medium.com/@vixentael/upgrading-approaches-to-the-secure-mobile-architectures-7a8fcb10d28a#.ffbsjwqx6
Upgrading Approaches to the Secure Mobile Architectures
https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a
Data Protection For Mobile Client-Server Architectures
https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
Users' data security in iOS applications
#eatdog @vixentael
Additional reading by Apple
https://developer.apple.com/videos/play/wwdc2016/705/
How iOS Security Really Works
https://developer.apple.com/videos/play/wwdc2016/706/
What's New in Security
https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
Behind the Scenes with iOS Security
https://developer.apple.com/videos/play/wwdc2016/709/
Engineering Privacy for Your Users
#eatdog @vixentael
Additional reading by smarties
https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
Getting Ready for ATS Enforcement in 2017
http://useyourloaf.com/blog/privacy-settings-in-ios-10/
Privacy Settings in iOS 10
https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
Zero Knowledge Protocols Without Magic
#eatdog @vixentael
https://speakerdeck.com/mbazaliy/a-journey-through-exploit-mitigation-techniques-on-ios
A Journey Through Exploit Mitigation Techniques on iOS