upgrading approaches to the secure mobile architectures
TRANSCRIPT
Upgrading approaches to the secure
mobile architectures
#appbuilders16 @vixentael
OR
Everything will be
BROKEN!
Everything will be
BROKEN, so what should we do?
Intro: this is a picture
This is a picture: virgin sight
network
backend logic
the app
server environment
UI/UX
deliver fast!
GTD!
swift
boring crap, waste of life 😂
🍭 maaaagic!
magic..
MVP!
This is a picture: mobile focus
source of trust
risk we control
sandbox, dragons
lots of risk even if app is good
easy to f*ck up
This is a picture: security vision
This is a picture: the reality
FBI
CIA
NSA
hackers
QA engineers
the brains!
This is a picture: our control
The problem
bad cryptography
insecure APIs
plaintext traffic
data leakage
denial of service
remote jailbreak over bluetooth
stolen credentials
man-in-the-middle
Openness, Speed, Ignorance
How bad is it? Like this: control a Nissan LEAF via vulnerable APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/
http://samy.pl/defcon2015/
Hacking cars using the OnStar app to locate, unlock and remote-start vehicles
what could possibly go wrong? 🤔
iMessage
Recovery of plaintext iMessage data using JavaScript
http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
Grab all your iMessage attachments via key enumeration
http://blog.cryptographyengineering.com/2016/03/attack-of-week-apple-imessage.html
This is how bad it is!
[Chart: iOS vulnerabilities by year, raw data from cvedetails.com; x-axis: 2007 to 2015, y-axis: number of vulnerabilities, 0 to 400]
This is how bad it is!
http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html
>1500 vulnerable apps via flawed AFNetworking
<10% of popular apps use SSL pinning
SO WHAT?
Why does this even happen?
Our mindset is wrong a bit
“It works” !=
“It’s secure”
Mobile’s limited abilities require specific server behavior
Mobile is not traditional client-server
Design-driven development is frequently a security disaster
Mobile is an odd thin client
Mobile considers itself in a proper client-server relationship, but:
– Can the server really address you by IP address?
– Can the server expect RFC behavior of your IP stack?
– Can server and client share code and components with proper trust?
– Is IPC/RPC behavior reciprocal between client and server?
– Are client and server equal in their capacity for technical decisions?
NOPE ;)
Mobile security is hard and yet undeveloped
Sophisticated problems security-wise
No well established techniques
Very blurred risk models
What exactly are we risking?
Identity, Data, Control
What do we risk?
Data
personal data
health data
conversations
certificates
passwords
contacts
users’ data
Identity
identification (credentials)
attacker
access allowed!
application
Control
Remember those cars, right?
What should we do?
Understand the strong sides
limited ecosystem: low collateral risk 📉
things the user has and you can trust: authentication/trust 🔒
is quite good: data safety 🛡
almost network-passive: narrowed threat scope 🔍
💪 💪
Trust no one. But yourself
trust server less
explicit trust
involve users 💔👫☁🌪
Echelonization
if the system has one perimeter,
it will fail!
Echelonization
authenticate manually, verify credentials, use many factors
..add more layers of defense!
Compartmentalization
limit the access to information to those who need to know it in order to perform certain tasks
store, secure, transmit, display
SO WHAT?
Practice time! Techniques for your architectures
Do all classic things
https://speakerdeck.com/vixentael/avoiding-damage-shame-and-regrets-data-protection-for-mobile-client-server-architectures
Protect transport well, authenticate server, pin certificates
Authenticate everything
Encrypt everything in motion and at rest
Protect keys well
Then escalate with novel techniques
read my previous slides
End-to-end encryption 101
users own all keys
server can’t see anything important
transport keys are ephemeral
app state does not rely on server state ☁🤓 👸🔒
End-to-end encryption 101+1
https://cossacklabs.com/choose-your-ios-crypto.html
Multi-factor authentication
things you have: phone/device, SIM card, ID docs, private/public key
things you know: password, address, answer to question
things you are: biometrics of all kinds
2+ = MFA (things you have && things you know && things you are)
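An added example, not from the slides, of combining two of those factors: a "thing you know" (password, PBKDF2-hashed) and a "thing you have" (a TOTP code from a device-held seed, RFC 6238). The secrets and salt are constructed demo values; a real app stores them per user and keeps the seed in the device keychain.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values: a real app derives and stores these per user.
DEMO_PASSWORD_SALT = b"constructed-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_PASSWORD_SALT, 100_000)
DEMO_TOTP_SEED = b"12345678901234567890"  # RFC 6238 reference secret (ASCII)


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step, digits)


def check_password(candidate: str) -> bool:
    """'Something you know': PBKDF2 hash compared in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), DEMO_PASSWORD_SALT, 100_000)
    return hmac.compare_digest(derived, DEMO_PASSWORD_HASH)


def check_totp(code: str, now: int, seed: bytes = DEMO_TOTP_SEED, skew: int = 1) -> bool:
    """'Something you have': accept the current step plus/minus `skew` steps of clock drift."""
    candidates = [totp(seed, now + d * 30) for d in range(-skew, skew + 1)]
    return any(hmac.compare_digest(code, c) for c in candidates)


def authenticate(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass; both are evaluated so timing does not reveal which one failed."""
    now = int(time.time()) if now is None else now
    ok_know = check_password(password)
    ok_have = check_totp(code, now)
    return ok_know and ok_have
```

The TOTP values for the reference seed match the RFC 6238 test vectors, so the "have" factor can be checked against a known-good authenticator app.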
Zero-knowledge problem: no trust :(
Zero-knowledge proof: trust :)
wanna know more? https://cossacklabs.com/introducing_secure_comparator.html
Is this it?
Combining things: secure app v.1
SSL
storage encryption
storage encryption
data leakage, MiTM, weak SSL
Combining things: secure app v.2: end-to-end encryption
storage encryption
storage encryption
🗝🗝
🗝
🗝 🗝
weak auth, blind trust
ephemeral keys
protected transport
Combining things: secure app v.3
end-to-end encryption
storage encryption
storage encryption
ephemeral keys
protected transport
MFA
🗝🗝
🗝
ZKP
It is simple, isn’t it?
Key points
1. read these slides again, tapping on links
2. read ‘Additional reading’
3. read my previous presentations
4. analyze your current system
5. implement the techniques
6. ???
7. profit!
…feel free to contact me
Thank you for listening
@vixentael, iOS developer at stanfy.com
iOS contributor at Themis / cossacklabs.com
Additional reading
https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a
Data Protection For Mobile Client-Server Architectures
http://mashable.com/2016/04/16/apple-security-explained/
How Apple Security works
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
Why you should avoid SSL for your next application
https://cossacklabs.com/choose-your-ios-crypto.html
Crypto in iOS: choose your destiny
https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
OWASP: iOS application security testing cheat sheet