Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Secure Data Storage on iOS with SQLCipher
15.11.2012
Dr. Markus Maria Miedaner, Syracom Consulting AG
Dr. Yiannis Pavlosoglou, USB AG
Top 10 Mobile Risks, Release Candidate v1.0
Insecure Data Storage
Weak Server Side Controls
Insufficient Transport Layer Protection
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions Via Untrusted Inputs
Side Channel Data Leakage
Broken Cryptography
Sensitive Information Disclosure
Previous work on this topic
"Most apps are less secure than the security provided by the operating system." (http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf)
In 2012 Elcomsoft analyzed 14 iOS password-managing apps.
Only one employed an encrypted database.
Introduction to iOS Security
What does iOS offer to protect your data?
A sandbox for each app
Encrypted filesystem, two keys:
DeviceKey (derived from the UID key)
PasscodeKey (derived from the user passcode)
Policies and Mobile Device Management Systems
Code signing and ASLR
File protection on iOS
Protection classes:
NSFileProtectionNone
NSFileProtectionCompleteUnlessOpen
NSFileProtectionCompleteUntilFirstUserAuthentication
NSFileProtectionComplete
Code Example for storing data in a file
```objc
// Put the file under the "complete" Data Protection class: its contents are readable only while the device is unlocked.
NSDictionary *protectionComplete = [NSDictionary dictionaryWithObject:NSFileProtectionComplete forKey:NSFileProtectionKey];
NSError *error = nil;
BOOL ok = [[NSFileManager defaultManager] setAttributes:protectionComplete ofItemAtPath:filePath error:&error];
```
Keychain items – protection classes
kSecAttrAccessibleWhenUnlocked
kSecAttrAccessibleAfterFirstUnlock
kSecAttrAccessibleAlways
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
kSecAttrAccessibleAlwaysThisDeviceOnly
Example code for storing in the Keychain
```objc
#import <Security/Security.h>
// username and password are NSString here; kSecValueData must be NSData, so the password is UTF-8 encoded.
NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys:
    (id)kSecClassGenericPassword, (id)kSecClass,
    @"MyItem", (id)kSecAttrGeneric,
    username, (id)kSecAttrAccount,
    [password dataUsingEncoding:NSUTF8StringEncoding], (id)kSecValueData,
    [[NSBundle mainBundle] bundleIdentifier], (id)kSecAttrService,
    @"", (id)kSecAttrLabel,
    @"", (id)kSecAttrDescription,
    (id)kSecAttrAccessibleWhenUnlocked, (id)kSecAttrAccessible,   // item is readable only while the device is unlocked
    nil];
OSStatus result = SecItemAdd((__bridge CFDictionaryRef)query, NULL);  // errSecDuplicateItem if the item already exists
```
Brute force against passcodes on iPhone 4

| Length of passcode | Complexity | Time |
| --- | --- | --- |
| 4 | Numeric | 18 minutes |
| 4 | Alphanumeric | 19 days |
| 6 | Alphanumeric | 196 years |
| 8 | Alphanumeric | 755,000 years |
| 8 | Alphanumeric (complex) | 27 million years |

Source: iOS Hacker's Handbook, 2012, Charlie Miller et al.
How to get the file/data off the device
iTunes backup
iPhoneBackupExtractor
Jailbroken iPhone: untethered jailbreak, tethered jailbreak
Attacks against the app
SQLCipher – Database Security
What are we actually talking about?
SQLCipher – Architecture
Each DB has a 16-byte salt
Works on pages of 1024 bytes
Each page has its own IV
Each page has an HMAC-SHA1 signature
Pages are AES-256 encrypted
Transparent for the application layer
Diagram: Application → SQLCipher → DB file
SQLCipher – Code Example
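The code for this slide did not survive extraction. The following is an added example, not the slides' own code: it opens a SQLCipher database from Objective-C, keys it, verifies the key by reading the schema, and then layers the iOS file protection class from slide 7 on top. It assumes the app links SQLCipher (so `sqlite3.h` exports `sqlite3_key`), and `dbPath` and `passphrase` are hypothetical caller-supplied values.

```objc
#import <Foundation/Foundation.h>
#import <sqlite3.h>   // SQLCipher's header; the app must link SQLCipher, not the system libsqlite3

// Added example, not from the slides. dbPath and passphrase are hypothetical caller-supplied values.
// Opens (or creates) a SQLCipher database, applies the key, and proves the key is right
// before handing the handle back. Returns NULL on any failure.
static sqlite3 *OpenEncryptedDatabase(NSString *dbPath, NSString *passphrase)
{
    sqlite3 *db = NULL;
    if (sqlite3_open([dbPath fileSystemRepresentation], &db) != SQLITE_OK) {
        NSLog(@"open failed: %s", sqlite3_errmsg(db));
        sqlite3_close(db);
        return NULL;
    }

    // The key must be supplied before any statement touches the file; SQLCipher
    // derives the page key from it and the 16-byte salt stored in the file header.
    const char *key = [passphrase UTF8String];
    if (sqlite3_key(db, key, (int)strlen(key)) != SQLITE_OK) {
        NSLog(@"sqlite3_key failed: %s", sqlite3_errmsg(db));
        sqlite3_close(db);
        return NULL;
    }

    // sqlite3_key() does not validate the passphrase. The first read of page 1 does:
    // with a wrong key the page HMAC/decrypt fails and SQLCipher reports SQLITE_NOTADB
    // ("file is encrypted or is not a database"), so check here rather than deep in a query.
    char *errmsg = NULL;
    int rc = sqlite3_exec(db, "SELECT count(*) FROM sqlite_master;", NULL, NULL, &errmsg);
    if (rc != SQLITE_OK) {
        NSLog(@"key check failed (rc=%d): %s", rc, errmsg ? errmsg : "");
        sqlite3_free(errmsg);
        sqlite3_close(db);
        return NULL;
    }

    // Defence in depth (slide 7): also put the file under NSFileProtectionComplete so the
    // OS key hierarchy protects it while the device is locked. If the app must touch the
    // database in the background while locked, NSFileProtectionCompleteUnlessOpen fits better.
    NSDictionary *attrs = @{NSFileProtectionKey: NSFileProtectionComplete};
    NSError *error = nil;
    if (![[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:dbPath error:&error]) {
        NSLog(@"could not set protection class: %@", error);
    }
    return db;
}
```

SQLite also writes journal files next to the database, so apply the same protection class to those paths if the app creates them.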
Setting the scene – ready to attack
Attacking an encrypted database file
File generator based on sqlite -init init.txt
Decrypting the file directly and checking for the magic number: hard to do :)
Using sqlcipher-cli works – hurray!
DEMO
Brute forcing an encrypted DB
Hardware: MacBook, 2 GHz Intel, 2 GB RAM

| Length | Character set | Time |
| --- | --- | --- |
| 4 characters | Numeric (0-9) | 6.8 minutes |
| 4 characters | Alphabetic (a-zA-Z) | 128 hours |
| 4 characters | Alphanumeric (a-zA-Z0-9+*$%&/()[]-_.:,;) | 27 days |
| 8 characters | Numeric (0-9) | 73 days |
| 8 characters | Alphabetic (a-zA-Z) | 107,462 years |
| 8 characters | Alphanumeric (a-zA-Z0-9+*$%&/()[]-_.:,;) | 2,754,150 years |
Brute forcing an encrypted database (seconds)
Figure: time in seconds on a log scale (1E+00 to 1E+16) for numeric, alphabetic and alphanumeric passphrases of 4, 6 and 8 characters.
Summary
Mobile OS security is often harder
Don't rely solely on OS security features
Use strong cryptography whenever possible