Page 1

App Security and Securing Apps

Andreas Schranzhofer, CTO Scalable Capital
@Schranzhofer

Page 2

Scalable Capital

● FinTech Start-Up (Robo Advisor)

○ risk managed individual ETF portfolios

○ automatic rebalancing according to risk measure

○ regulated financial institution in Germany (BaFin) and the UK (FCA)

○ Real Institutional Class Wealth Management

● Security is of highest priority

○ losing trust is easy, gaining it back
■ almost impossible

○ financial data is always sensitive

● Security is a function of

○ actual

○ perceived

○ all parts of the system (backend, frontend, apps, processes)

Page 3

Overview

● Secure? What does that mean?

● Secure Communication

● Data Safety

● Is my app secure?

● How to get there

Page 4

Secure Apps

security metrics?

sensitive data safety
unauthorized access
impersonation
doesn't crash
permissions vetting
encryption
communication

Is my app safe?

Page 5

Secure Apps contd.

● all of them …
○ and many more

● combination of vulnerabilities
○ each single vulnerability on its own considered uncritical

Security is not a feature one can add, it is a process, executed relentlessly

Page 6

Scope

● Secure Communication
○ Network Communication
○ Interprocess Communication (IPC)

● Data Safety
○ How to store data
○ How to not leak data

● Tools and Processes

Page 7

Scope

● Secure Communication
○ Network Communication
○ Interprocess Communication (IPC)

● Data Safety
○ How to store data
○ How to not leak data

● Tools and Processes

Page 8

Network Communication -- ATS

● ATS (Application Transport Security) enabled by default in iOS 9 and later
● TLS 1.2 enforced in iOS 9 and later
● by default the RightThing ™

And then you start editing (abusing) Info.plist

[diagram: HTTPS with ATS enabled]

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mydev.domain</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSRequiresCertificateTransparency</key>
                <false/>
                <key>NSThirdPartyExceptionAl…</key>
                <false/>
            </dict>
        </dict>
    </dict>
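The slide's point is that ATS exceptions creep into Info.plist during development and ship. A build step can catch that: the following is an added example (not code from the talk or from Scalable Capital) that parses an Info.plist with Python's standard plistlib and reports every ATS setting that weakens the iOS 9 defaults. The plist content, bundle id and domain are constructed sample data; the ATS keys checked (NSAllowsArbitraryLoads, NSExceptionAllowsInsecureHTTPLoads, NSIncludesSubdomains, NSExceptionMinimumTLSVersion, NSExceptionRequiresForwardSecrecy) are the documented Apple keys.

```python
import plistlib

# Constructed Info.plist carrying the kind of ATS exceptions the slide warns about.
# Sample data only: the bundle id and the domain are placeholders.
WEAKENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.placeholderapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>mydev.domain</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Same constructed app with ATS left at its defaults: no NSAppTransportSecurity dict at all.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.placeholderapp</string>
</dict>
</plist>
"""

# ATS enforces TLS 1.2 by default; these values lower that floor.
WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_bytes):
    """Return human-readable findings for every ATS setting that weakens the
    iOS 9 defaults (HTTPS only, TLS 1.2, forward secrecy). Empty list = clean."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads is true; ATS is off for every host")

    for domain, exc in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain + (" (and subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: plaintext HTTP permitted")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"{scope}: minimum TLS version lowered to {tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy no longer required")
    return findings


if __name__ == "__main__":
    for name, data in (("weakened", WEAKENED_PLIST), ("default", DEFAULT_PLIST)):
        result = audit_ats(data)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Pointing this at the real Info.plist (after the build, when any build-configuration substitutions have been applied) and failing the release job on a non-empty result is the check that stops a development exception from reaching the App Store.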

Page 9

Network Communication -- ATS

[diagram: HTTPS with ATS enabled, traffic tunneled from localhost:443 to yourdomain:443]

● avoid disabling security settings
○ it will make it to the App Store eventually (or be rejected)

● redirect secure traffic with tunneling
● reverse proxy setup to listen to traffic
● Tools: stunnel, BurpSuite, Charles Proxy

Page 10

Network Communication - SSL Pinning

● Specifically define which certificates to trust (to pin to)
○ in addition to just verifying their validity with a Certificate Authority (CA)

● Why?
○ vast number of CAs
○ security breaches in which signing keys were compromised
○ make sure reverse proxying won't be possible (company networks, attacks)
○ you have sensitive data

● How does it work:
○ specify a certificate / list of certificates to trust
○ using wrappers (iSEC Partners, AFNetworking)

[diagram: HTTPS with ATS enabled]

    HTTPClient.defaultSSLPinningMode = AFSSLPinningModePublicKey;

Page 11

Network Communication - SSL Pinning

1. Certificates to pin to need to be known
a. AFSSLPinningModeNone
b. AFSSLPinningModePublicKey
c. AFSSLPinningModeCertificate

2. Certificates expire
a. new app with new certificate (timely, review process, updates etc.)
b. handle certificate expiration in the app
c. pin to the public key (renew via a Certificate Signing Request, CSR, keeping the key pair)
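Why slides 10 and 11 prefer pinning the public key over pinning the certificate is easiest to see in code. The following is an added example, not the talk's or any library's code: it models the decision an AFSSLPinningModePublicKey-style check makes, using SHA-256 pins over the SubjectPublicKeyInfo and a backup pin for rotation. The SPKI byte strings and the certificate validity dates are constructed placeholders; in a real client the SPKI comes out of the X.509 certificate in the presented chain, after normal CA validation has already passed.

```python
import base64
import hashlib
from datetime import date

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (placeholders,
# not real keys). A real SPKI is the ASN.1 structure taken from the certificate.
SERVER_KEY_V1 = b"constructed-spki-bytes-for-server-key-1"
SERVER_KEY_V2 = b"constructed-spki-bytes-for-server-key-2"  # planned backup key
UNKNOWN_KEY = b"constructed-spki-bytes-for-a-key-we-never-issued"


def spki_pin(spki_der):
    """Pin value: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Pin set shipped inside the app. Pinning the key rather than the certificate means a
# renewed certificate that reuses the key pair still matches; the backup pin lets the
# server rotate to a new key without forcing an app update first.
PINNED_KEYS = frozenset({spki_pin(SERVER_KEY_V1), spki_pin(SERVER_KEY_V2)})


def chain_matches_pins(presented_chain_spkis, pins=PINNED_KEYS):
    """True if any SPKI in the presented chain is pinned. Pinning is an extra
    constraint on top of CA validation, never a replacement for it."""
    return any(spki_pin(spki) in pins for spki in presented_chain_spkis)


# Constructed certificates as (spki, not_after). cert_2017 was issued from a CSR for the
# same key pair as cert_2016, so its SPKI is identical; cert_rotated uses the backup key.
cert_2016 = (SERVER_KEY_V1, date(2016, 12, 31))
cert_2017 = (SERVER_KEY_V1, date(2017, 12, 31))
cert_rotated = (SERVER_KEY_V2, date(2018, 12, 31))
cert_proxy = (UNKNOWN_KEY, date(2018, 12, 31))  # e.g. an interposed corporate proxy


def connection_allowed(cert, today):
    """Expiry is checked first (as CA validation would); the pin check comes after."""
    spki, not_after = cert
    if today > not_after:
        return False
    return chain_matches_pins([spki])


if __name__ == "__main__":
    print("2016 cert in 2016:", connection_allowed(cert_2016, date(2016, 6, 1)))
    print("2016 cert in 2017:", connection_allowed(cert_2016, date(2017, 1, 15)))
    print("renewed, same key:", connection_allowed(cert_2017, date(2017, 1, 15)))
    print("rotated to backup key:", connection_allowed(cert_rotated, date(2018, 1, 1)))
    print("unknown key:", connection_allowed(cert_proxy, date(2018, 1, 1)))
```

With certificate pinning (AFSSLPinningModeCertificate) the renewed cert_2017 would fail even though the key is unchanged, which is exactly the expiry problem slide 11 lists; the public-key pin keeps working until the key itself is rotated, and the backup pin covers that day.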

Page 12

Network Communication - HTTP Basic Auth

● Where to store the credentials?
○ Certainly not: in source, in shared preferences
○ Keychain: yes

● NSURLCredentialStorage (NSURLSession & NSURLConnection)

● Automatically stored in the keychain and usable for challenges

    NSURLCredential *credential = [NSURLCredential credentialWithUser:username
                                                             password:password
                                                          persistence:NSURLCredentialPersistenceForSession];

    NSURLProtectionSpace *protectionSpace = [[NSURLProtectionSpace alloc] initWit…];
    [[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential …];

    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];

Page 13

Other Topics

● CFStream

● NSStream

● Multipeer Connectivity

● various Networking APIs (AFNetworking, etc.)

Page 14

Interprocess Communication - URL Scheme

● myapp://someview?param1=secret&param2=anothersecret
● Anyone can register for myapp://
● LIFO: last in, first out
○ Last app to register for myapp:// will be triggered
● URL Scheme Hijacking, XARA

Unauthorized Cross-App Resource Access on MAC OS X and iOS

1. Another app registers for the same URL scheme
2. Gets called for 'your' URL scheme, processes the data
3. Fakes an interface to ask for credentials etc.

Page 15

Interprocess Communication - Universal Links

● Introduced in iOS 9, to mitigate URL Scheme Hijacking
● App Entitlement 'Associated Domains'
● Webserver needs to serve the file:
○ apple-app-site-association
○ Signed (with the private key of the SSL certificate)
● application:continueUserActivity:restorationHandler:
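Universal Links only close the hijacking gap if the apple-app-site-association file on the web server is right, so it is worth checking at deploy time. The following added example (not from the talk, not Apple's tooling) validates the structure of such a file and resolves which paths it claims, using the pre-iOS 13 `applinks` / `details` / `appID` / `paths` layout with Apple's `*` and `?` wildcards and the `NOT ` exclusion prefix. The team id, bundle id, paths and URLs are constructed sample values.

```python
import json
import re
from urllib.parse import urlparse

# Constructed apple-app-site-association document. Team id and bundle id are placeholders.
# Order matters: the first pattern that matches a path decides.
AASA = json.dumps({
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "ABCDE12345.com.example.placeholderapp",
                "paths": ["NOT /account/reset/*", "/account/*", "/invite/?????"],
            }
        ],
    }
})

# appID is "<10-char team id>.<bundle id>".
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$")


def _pattern_to_regex(pattern):
    """Apple's path patterns: '*' matches any run of characters, '?' exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def validate_aasa(text):
    """Structural checks a deploy step can run before the file goes live.
    Returns a list of problems; an empty list means the file is well formed."""
    problems = []
    doc = json.loads(text)
    details = doc.get("applinks", {}).get("details")
    if not isinstance(details, list) or not details:
        return ["applinks.details missing or empty"]
    for i, entry in enumerate(details):
        app_id = entry.get("appID", "")
        if not APP_ID_RE.match(app_id):
            problems.append(f"details[{i}]: appID must be TEAMID.bundle.id, got {app_id!r}")
        if not entry.get("paths"):
            problems.append(f"details[{i}]: no paths; claim paths explicitly, e.g. ['*']")
        for pattern in entry.get("paths", []):
            body = pattern[4:] if pattern.startswith("NOT ") else pattern
            if not body.startswith("/") and body != "*":
                problems.append(f"details[{i}]: path pattern {pattern!r} must start with '/'")
    return problems


def path_is_claimed(aasa_text, url):
    """Does this AASA hand `url` to the app? First matching pattern wins;
    a 'NOT ' prefix hands the path to Safari instead."""
    path = urlparse(url).path
    for entry in json.loads(aasa_text)["applinks"]["details"]:
        for pattern in entry["paths"]:
            exclude = pattern.startswith("NOT ")
            body = pattern[4:] if exclude else pattern
            if _pattern_to_regex(body).match(path):
                return not exclude
    return False


if __name__ == "__main__":
    print("problems:", validate_aasa(AASA))
    for u in ("https://example.com/account/settings",
              "https://example.com/account/reset/abc",
              "https://example.com/invite/AB123",
              "https://example.com/invite/AB1234"):
        print(u, "->", "app" if path_is_claimed(AASA, u) else "browser")
```

Excluding the password-reset path from the app, as the sample does, is the kind of decision these files encode: a link that should open in the browser stays there even though the rest of /account/ is claimed.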

Page 16

Other Topics

● Shared Credentials

● UIActivity

● Extensions

● Webapps

● Pasteboards

Page 17

Scope

● Secure Communication
○ Network Communication
○ Interprocess Communication (IPC)

● Data Safety
○ How to store data
○ How to not leak data

● Tools and Processes

Page 18

Data Safety

● Keychain

○ Small snippets of data

● Data Protection API

○ Files

○ Passcode used for protection

● Database (CoreData, Realm.io, others)

Page 19

Keychain

● Encrypted using the HardwareKey
● Add/Update/CopyMatching and Delete
● Use Keychain wrappers
○ Lockbox
○ A0SimpleKeychain

kSecAttrAccessible constants:
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlock
    kSecAttrAccessibleAlways
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAlwaysThisDeviceOnly

Page 20

Encryption Key Hierarchy

● FileKey: generated per file and stored in the file's metadata
● ClassKey: key for a particular Data Protection Class
● FileSystemKey: global key to encrypt the whole file system
● HardwareKey: UID key, accessible only to the hardware AES engine; encrypts ClassKey and FileSystemKey
● PasscodeKey: used to encrypt ClassKey

Needs to be available (passcode set) for the protection classes to be specifiable

Page 21

Data Protection API

● to be able to protect files
● different classes:
○ protection is achieved by removing the related keys
● DataProtectionClass entitlement
● applies to NSFileManager, NSData, SQLite, CoreData
○ not to plists, caches etc.

NSFileProtectionComplete
    Safest, use it if you can

NSFileProtectionCompleteUnlessOpen
    Files that are already open can still be written after the device gets locked, and new files can be created. Files with this protection cannot be accessed while the device is locked unless they were open before.

NSFileProtectionCompleteUntilFirstUserAuthentication
    Like Complete, but after the first user authentication the file stays available. Default

NSFileProtectionNone
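Slides 20 and 21 describe the key hierarchy and the rule that "protection is achieved by removing related keys". The following added example (not the talk's code and not a description of Apple's implementation) models that hierarchy for the NSFileProtectionComplete class so the consequence is visible: a FileKey wrapped by a ClassKey, the ClassKey wrapped by a HardwareKey and a passcode-derived key, and locking simply discarding the ClassKey. The wrapping primitive is a stand-in for the hardware AES engine (an HMAC keystream XOR, not a real cipher) and the passcode derivation uses PBKDF2 from the standard library; the file names and contents are constructed.

```python
import hashlib
import hmac
import os


def _keystream_xor(key, data):
    """Stand-in for the hardware AES engine. An HMAC-SHA256 keystream XOR is NOT a
    real cipher; it only models that the right key is needed to unwrap the next key
    down, and that without it the stored bytes are useless."""
    out = b""
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


wrap = unwrap = _keystream_xor  # symmetric in this model


def _check_value(key):
    # Lets unlock() distinguish a correctly unwrapped ClassKey from garbage.
    return hmac.new(key, b"class-key-check", hashlib.sha256).digest()


class Device:
    """Model of the Data Protection hierarchy for one class (NSFileProtectionComplete):
    FileKey wrapped by ClassKey; ClassKey wrapped by HardwareKey and PasscodeKey.
    Locking removes the ClassKey from memory; unlocking re-derives it from the passcode."""

    def __init__(self, passcode):
        self.hardware_key = os.urandom(32)  # UID key: never leaves the AES engine
        self.salt = os.urandom(16)
        class_key = os.urandom(32)
        self.class_key_check = _check_value(class_key)
        # Wrapped twice: needs this device's hardware key AND the passcode to unwrap,
        # which is what makes the class both passcode-bound and device-bound.
        self.wrapped_class_key = wrap(self.hardware_key, wrap(self._passcode_key(passcode), class_key))
        self.class_key = class_key  # device is unlocked right after setup
        self.files = {}

    def _passcode_key(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 10_000)

    def write(self, name, plaintext):
        if self.class_key is None:
            raise PermissionError("NSFileProtectionComplete: cannot create files while locked")
        file_key = os.urandom(32)
        # The wrapped FileKey lives in the file's metadata next to the ciphertext.
        self.files[name] = (wrap(self.class_key, file_key), wrap(file_key, plaintext))

    def read(self, name):
        if self.class_key is None:
            raise PermissionError("NSFileProtectionComplete: ClassKey unavailable while locked")
        wrapped_file_key, ciphertext = self.files[name]
        return unwrap(unwrap(self.class_key, wrapped_file_key), ciphertext)

    def lock(self):
        # "Protection is achieved by removing related keys": drop the ClassKey.
        # The wrapped copy on disk is useless without hardware key + passcode.
        self.class_key = None

    def unlock(self, passcode):
        """Re-derive the ClassKey. Returns False (and stays locked) on a wrong passcode."""
        candidate = unwrap(self._passcode_key(passcode), unwrap(self.hardware_key, self.wrapped_class_key))
        if not hmac.compare_digest(_check_value(candidate), self.class_key_check):
            return False
        self.class_key = candidate
        return True


if __name__ == "__main__":
    device = Device("1234")
    device.write("portfolio.json", b'{"balance": 42}')  # constructed file content
    device.lock()
    try:
        device.read("portfolio.json")
    except PermissionError as err:
        print("locked:", err)
    print("wrong passcode unlocks:", device.unlock("0000"))
    print("right passcode unlocks:", device.unlock("1234"))
    print("after unlock:", device.read("portfolio.json"))
```

The model also shows the two limitations slide 22 lists: a class key that is only dropped on lock is exactly what makes files readable "at times" with a tool like iExplorer while the device is unlocked, and a file written with NSFileProtectionNone would skip the ClassKey wrapping entirely and never become unavailable.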

Page 22

Data Protection API + background tasks

● Foreground only: done. Works transparently
● Background:
○ two delegate methods to implement
● Limitations:
○ What is and what isn't protected
○ When is it protected
■ Using tools like iExplorer, files will be readable at times

    applicationProtectedDataWillBecomeUnavailable:
    applicationProtectedDataDidBecomeAvailable:

Page 23

Data Leakage

● Logging
○ Using NSLog results in logs being stored in a data store
○ Disable NSLog in release builds
○ Log with breakpoint actions instead

● HTTP Caches
○ Stored in <appID>/Library/Caches/mydomain.com/Cache.db
○ removeAllCachedResponses → only from memory, not disk
○ Going thermonuclear:

    NSString *cacheDir = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES) objectAtIndex:0];
    [[NSFileManager defaultManager] removeItemAtPath:cacheDir error:nil];

Page 24

Data Leakage contd.

● Snapshots
○ applicationWillEnterBackground
○ Screen sanitation:

    [self.splash setImage:[UIImage imageNamed:@"myimage.png"]];
    [[application keyWindow] addSubview:self.splash];

Page 25

Other Topics

● Pasteboards

● User Preferences

● Key logging / Auto Correction

● State Preservation

● Encrypted SQL Store (SQLCipher, Realm.io)

Page 26

Is my App secure?

● OWASP Mobile Top 10
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

● Internal / External Testing

M1 - Improper Platform Usage

M2 - Insecure Data Storage

M3 - Insecure Communication

M4 - Insecure Authentication

M5 - Insufficient Cryptography

M6 - Insecure Authorization

M7 - Client Code Quality

M8 - Code Tampering

M9 - Reverse Engineering

M10 - Extraneous Functionality

Against a sufficiently skilled, funded and motivated attacker, all apps are vulnerable

Page 27

Design a secure organization

1. Adhere to publicly available design guidelines
a. NIST Computer Security Resource Center
b. Open Web Application Security Project (OWASP)
c. Payment Card Industry Data Security Standard (PCI DSS)

2. Stay informed and inform others
a. Subscribe to security mailing lists, follow security researchers on Twitter
b. Establish guidelines for secure coding
c. Regularly train all employees on information security

3. Test your systems regularly
a. Hack yourself or pay someone else to hack you
b. unit testing security features is really worth it
c. Improve your own response by running drills

4. Software Development Process
a. Peer Reviews (pull requests)
b. Education / Training on new features, platforms, attacks

Page 28

Resources

● Tools
○ iExplorer, iOS Console
○ CharlesProxy, BurpSuite
○ sTunnel, oTool, FileJuicer

● Sources / further reading
○ Apple iOS Security Guide:
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
○ OWASP Mobile Apps Checklist
https://drive.google.com/open?id=0BxOPagp1jPHWYmg3Y3BfLVhMcmc
○ iSEC Partners Github Repo
https://github.com/iSECPartners
○ iOS Application Security -- David Thiel, No Starch Press
○ Internet-Security aus Software-Sicht -- Walter Kriha and Roland Schmitz, Springer

Page 29

Questions ?

Andreas Schranzhofer