Upgrading approaches to the secure

mobile architectures

#appbuilders16 @vixentael

OR

Everything will be

BROKEN!

#appbuilders16 @vixentael

Everything will be

BROKEN,so what should we do?

#appbuilders16 @vixentael

Intro: this is a picture

This is a picture: virgin sight

networkbackend logic

the appserver

environment

#appbuilders16 @vixentael

UI/UX

deliver fast!

GTD!

swift

boring crap, waste of life 😂

🍭 maaaagic!

magic..

MVP!

#appbuilders16 @vixentael

This is a picture: mobile focus

source of trust

risk we control

sandboxdragons

lots of risk even if app is good

easy to f*ck up

#appbuilders16 @vixentael

This is a picture: security vision

#appbuilders16 @vixentael

This is a picture: the reality

FBI

CIA

NSA

hackers

QA engineers

the brains!

#appbuilders16 @vixentael

This is a picture: our control

The problem

The problembad cryptography

insecure API’s

plaintext traffic

data leakage

denial of serviceremote jailbreak over bluetooth

stolen credentialsman-in-the-middle

OpennessSpeed

Ignorance

The problem

#appbuilders16 @vixentael

How bad is it? Like thisControlNissanLEAFviavulnerableAPIs

http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

#appbuilders16 @vixentael

http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

http://samy.pl/defcon2015/

hackingcarsusingOnStarapptolocate,unlockandremote

startvehicles

what could possibly go wrong? 🤔

iMessage

RecoveryofPlaintextiMessageDatausingJavascripthttp://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/

GraballyouriMessaHachmentsviakeyenumeraIonhttp://blog.cryptographyengineering.com/2016/03/attack-of-

week-apple-imessage.html

#appbuilders16 @vixentael

This is how bad it is!

#appbuilders16 @vixentael

iOS vulnerabilities by yearsrawdatafromcvedetails.com

0

100

200

300

400

2007 2008 2009 2010 2011 2012 2013 2014 2015

1 9 27 32 37

11290

120

384

This is how bad it is!

http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html

>1500vulnerableappsviaflawedAFNetworking

<10%popularappsuseSSLpinning

#appbuilders16 @vixentael

iOS vulnerabilities by yearsrawdatafromcvedetails.com

0

100

200

300

400

2007 2008 2009 2010 2011 2012 2013 2014 2015

1 9 27 32 37

11290

120

384

SO WHAT?

Why does this even happen?

Our mindset is wrong a bit

“It works” !=

“It’s secure”

Mobile’s limited abilities require specific server behaviorMobile is not

traditional client-server

Design-driven development is frequently a security

disaster

#appbuilders16 @vixentael

Mobile is an odd thin client

#appbuilders16 @vixentael

–CanserverreallyaddressyoubyIPaddress?–CanserverexpectRFCbehaviorofyourIPstack?–Canserverandclientsharecodeandcomponentswithpropertrust?–IsIPC/RPCbehaviorreciprocalbetweenclientandserver?–Isclientandserverequalintheircapacityfortechnicaldecisions?

Mobile considers itself in a proper client-server relationship, but:

Mobile is an odd thin client

#appbuilders16 @vixentael

–CanserverreallyaddressyoubyIPaddress?–CanserverexpectRFCbehaviorofyourIPstack?–Canserverandclientsharecodeandcomponentswithpropertrust?–IsIPC/RPCbehaviorreciprocalbetweenclientandserver?–Isclientandserverequalintheircapacityfortechnicaldecisions?

Mobile considers itself in a proper client-server relationship, but:

NOPE ;)

Mobile security is hard and yet undeveloped

#appbuilders16 @vixentael

Sophisticated problems security-wise

No well established techniques

Very blurred risk models

What exactly are we risking?

IdentityDataControl

What we risk?

#appbuilders16 @vixentael

Data

#appbuilders16 @vixentael

personal data

health data

conversations

certificates

passwords

contacts

users’ data

Identity

#appbuilders16 @vixentael

identification (credentials)

attacker

access allowed!

application

Control

#appbuilders16 @vixentael

Remember those cars, right?

What should we do?

Understand the strong sides

#appbuilders16 @vixentael

limitedecosystemlow collateral risk 📉

thingsuserhasandyoucantrust

authentication/trust 🔒

isquitegooddata safety 🛡

almostnetworkpassive

narrowed threat scope 🔍

💪 💪

Trust no one. But yourself

#appbuilders16 @vixentael

trust server less

explicit trust

involve users💔👫☁🌪

Echelonization

#appbuilders16 @vixentael

if the system has one perimeter,

it will fail!

Echelonization

#appbuilders16 @vixentael

authenticate manually verify credentials use many factors

..add more layers of defense!

Compartmentalization

#appbuilders16 @vixentael

limit the access to information to those who need to know it

in order to perform certain tasks

storesecuretransmit

display

SO WHAT?

Practice time!techniques for your

architectures

Do all classic things

#appbuilders16 @vixentael

https://speakerdeck.com/vixentael/avoiding-damage-shame-and-regrets-data-protection-for-mobile-client-server-architectures

Protect transport well, authenticate server, pin certificates

Authenticate everythingEncrypt everything in motion and at rest

Protect keys well

Then escalate with novel techniques

read my previous slides

End-to-end encryption 101

#appbuilders16 @vixentael

users own all keys server can’t see anything important transport keys are ephemeral app state does not rely on server state ☁🤓 👸🔒

🔒

End-to-end encryption 101+1

#appbuilders16 @vixentaelhttps://cossacklabs.com/choose-your-ios-crypto.htmllarge + text

Multi-factor authentication

#appbuilders16 @vixentael

things you have things you know things you arephonedevice

simcardIDdocs

private/publickey

passwordaddress

answertoquesIon

biometricsofallkinds

Multi-factor authentication

#appbuilders16 @vixentael

things you have things you know things you arephonedevice

simcardIDdocs

private/publickey

passwordaddress

answertoquesIon

biometricsofallkinds

2+ = MFA

&& &&

Zero-knowledge: problemno trust :(

#appbuilders16 @vixentael

Zero-knowledge: proof!trust :)

#appbuilders16 @vixentaelhttps://cossacklabs.com/introducing_secure_comparator.htmlwanna know more?

Is this it?

Combining things: secure app v.1

SSL

storage encryption

storage encryption

data leakageMiTM weak SSL

#appbuilders16 @vixentael

Combining things: secure app v.2end-to-end encryption

#appbuilders16 @vixentael

storage encryption

storage encryption

🗝🗝

🗝

🗝 🗝

weak authblind trust

ephemeral keys

protected transport

Combining things: secure app v.3

#appbuilders16 @vixentael

end-to-end encryptionstorage

encryptionstorage

encryption

ephemeral keys

protected transport

MFA

🗝🗝

🗝

ZKP

It is simple, isn’t it?

Key points

#appbuilders16 @vixentael

1. read these slides again, tapping on links 2. read ‘Additional reading’ 3. read my previous presentations 4. analyze your current system 5. implement the techniques 6. ??? 7. profit!

…feel free to contact me

Thank you for listening

@vixentael iOSdeveloperatstanfy.com

iOScontributoratThemis/cossacklabs.com

Additional reading

https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a

Data Protection For Mobile Client-Server Architectures

http://mashable.com/2016/04/16/apple-security-explained/How Apple Security works

https://www.cossacklabs.com/avoid-ssl-for-your-next-app.htmlWhy you should avoid ssl for your next application

https://cossacklabs.com/choose-your-ios-crypto.htmlCrypto in iOS: choose your destiny

https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_SheetOWASP: iOS application security testing cheat sheet