After my offensive presentation "Testing iOS Apps without Jailbreak in 2018", it is time to focus on building, not just breaking. This talk covers the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern and secure iOS/macOS apps using the new security features presented at the latest Apple Worldwide Developers Conference. Hackers will be satisfied as well, since I'm also going to cover the pen tester's perspective. What's more, I will share with you details of multiple vulnerabilities (including previously undisclosed ones) that I found during security assessments and my research into Apple's applications.
www.securing.pl
AGENDA
1. iOS platform myths and reality
2. securityProblemsInMASVSCategories.forEach { problem in
2.1 Discuss problem
2.2 Show solution
2.3 Present new Apple WWDC feature
}
3. My new library – iOS Security Suite 🚀
4. Short- and long-term things to implement in your code
@_r3ggi wojciech.regula@securing.pl
MYTH – SWIFT AUTO-OBFUSCATES ITSELF
- It doesn't: every Swift method keeps a mangled symbol that spells out where it lives. Reading one left to right:
- _$s Swift symbol prefix (Swift 5; _$S in Swift 4.2)
- Length and module name
- Length and class name, followed by C (C marks the preceding name as a class; V and O mark a struct and an enum)
- Length and method name
- Parameter and return types
MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED
- They can, using Frida for example
- You just need to hook the symbol
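Both points above, the names a Swift symbol leaks and hooking that symbol with Frida, in one added example written for this page (it is not code from the talk or from the iOS Security Suite library). The module name SecureBank, the class LoginManager, the method isUserLoggedIn and the mangled symbol built from them are invented for the demo; the Frida calls (Process.getModuleByName, Module.enumerateSymbols, Interceptor.attach) exist only inside a Frida agent, so under plain node the hook function just returns false.

```javascript
// Added example, not code from the slides. Part 1 reads the names a Swift 5
// ($s) / Swift 4.2 ($S) mangled symbol leaks; part 2 is a Frida agent that
// hooks such a symbol and rewrites its return value. Module, class and
// method names are made up for the demo; take real ones from
// `nm -m App.app/App | grep '\$s'` on an unstripped binary.

const NOMINAL_KIND = { C: 'class', V: 'struct', O: 'enum' };   // suffix after a type name
const STD_TYPES = { Sb: 'Bool', Si: 'Int', Su: 'UInt', Sd: 'Double', Sf: 'Float', SS: 'String', y: '()' };

// Decode the leading identifier chain: <len>module (<len>type <kind>)* <len>member.
// Everything after the member (the function signature) is returned raw.
function readSwiftSymbol(symbol) {
  let s = symbol.replace(/^_/, '');                 // nm prefixes an underscore
  if (!/^\$[sS]/.test(s)) return null;              // not a Swift 4.2/5 mangled name
  s = s.slice(2);
  const chain = [];
  let i = 0;
  while (i < s.length && /[1-9]/.test(s[i])) {
    let j = i;
    while (j < s.length && /[0-9]/.test(s[j])) j++;
    const len = parseInt(s.slice(i, j), 10);
    const name = s.slice(j, j + len);
    i = j + len;
    const kind = NOMINAL_KIND[s[i]] || null;
    if (kind) i++;
    chain.push({ name, kind });
    if (!kind && chain.length > 1) break;           // first non-type after the module = member
  }
  if (chain.length < 2) return null;
  const types = chain.slice(1, -1);
  return {
    module: chain[0].name,
    type: types.map(t => t.name).join('.') || null,
    kind: types.length ? types[types.length - 1].kind : null,
    member: chain[chain.length - 1].name,
    signature: s.slice(i),
    description: describeSignature(s.slice(i)),
  };
}

// Only the no-parameter case "<result> y F" is decoded ("y" = empty tuple,
// "F" = function); anything else is left to `swift demangle`.
function describeSignature(sig) {
  const m = /^(Sb|Si|Su|Sd|Sf|SS|y)yF$/.exec(sig);
  return m ? '() -> ' + STD_TYPES[m[1]] : null;
}

// Part 2: Frida side. Run with: frida -U -f com.example.app -l hook.js
// Outside a Frida agent (plain node) Interceptor is undefined and this returns false.
function hookSwiftMethod(moduleName, mangled, forcedReturn) {
  if (typeof Interceptor === 'undefined') return false;
  const wanted = mangled.replace(/^_/, '');
  const info = readSwiftSymbol(mangled);
  const label = info ? [info.module, info.type, info.member].filter(Boolean).join('.') : mangled;
  // Symbol-table lookup works only if Swift symbols were not stripped; otherwise
  // take the address from disassembly and hand it to Interceptor.attach directly.
  const sym = Process.getModuleByName(moduleName).enumerateSymbols()
    .find(x => x.name.replace(/^_/, '') === wanted);
  if (!sym) { console.log('symbol not found: ' + mangled); return false; }
  Interceptor.attach(sym.address, {
    onEnter() { console.log('-> ' + label); },
    onLeave(retval) {
      console.log('<- ' + label + ' returned ' + retval);
      if (forcedReturn !== undefined) retval.replace(ptr(forcedReturn)); // e.g. 1 forces a Bool to true
    },
  });
  return true;
}

// Constructed symbol for `SecureBank.LoginManager.isUserLoggedIn() -> Bool`.
const DEMO_SYMBOL = '_$s10SecureBank12LoginManagerC14isUserLoggedInSbyF';
console.log(readSwiftSymbol(DEMO_SYMBOL));
hookSwiftMethod('SecureBank', DEMO_SYMBOL, 1);
```

The reader handles the simple symbol shapes the slide describes; generic or nested-generic names are better fed to swift demangle. Forcing the return value is exactly the "dynamically changed" point: no jailbreak-specific trick is involved, only the presence of a symbol to hook.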
AUTOMATED SMS CODES INPUT (WWDC 2018)
- Controversial feature, since another app may get access to the one-time password
- Low risk, but it opens a possibility for social engineering
ON-DEVICE DATA STORAGE
- The most common issue is storing sensitive data on the device that should not be there at all:
  • API keys
  • SSH keys
  • Cloud credentials
  • Test environment credentials
ON-DEVICE DATA STORAGE
- Sensitive data may be insecurely stored in:
  • Info.plist
  • User defaults
  • Regular files
  • Hardcoded in the binary
  • Even in the Keychain (such secrets shouldn't be stored client-side at all)
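The pen tester's side of the two storage slides, as an added example that is not from the talk: a small triage scanner over the places listed above (Info.plist, a UserDefaults plist and a strings dump of the binary) that flags values which should never be client-side. All inputs are constructed samples: the app name SecureBank, the bundle identifier, every key and value, the deploy URL and the private-key header are made up (the AKIA... value is the example access key ID from AWS's own documentation). The rules (secret-looking key names, private-key headers, credentials in URLs, the AKIA key-ID shape, high-entropy runs) are a starting point, not a complete list.

```javascript
// Added example, not code from the talk: quick triage of the storage
// locations the slides list. Every input below is a constructed sample.

const SECRET_KEY_NAMES = /(api[_-]?key|secret|token|passw(or)?d|credential|private[_-]?key)/i;
const AWS_ACCESS_KEY_ID = /\bAKIA[0-9A-Z]{16}\b/;                 // documented AWS key-id shape
const PRIVATE_KEY_HEADER = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;
const URL_WITH_USERINFO = /https?:\/\/[^\s\/:@]+:[^\s\/@]+@\S+/;  // scheme://user:pass@host
const TOKEN_LIKE = /[A-Za-z0-9+_-]{32,}/g;                        // long hex/base64url-ish runs

// Shannon entropy in bits per character: a random 32-symbol alphabet gives 5,
// English prose stays well below 3.5.
function entropy(str) {
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let sum = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    sum += p * Math.log2(p);
  }
  return 0 - sum;  // "0 -" so an all-same string yields +0, not -0
}

// <key>/<string> pairs of a flat XML plist (Info.plist or a UserDefaults plist).
// A regex is enough here; nested dicts and arrays are ignored.
function plistStrings(xml) {
  const pairs = [];
  const re = /<key>([^<]+)<\/key>\s*<string>([^<]*)<\/string>/g;
  let m;
  while ((m = re.exec(xml)) !== null) pairs.push({ key: m[1], value: m[2] });
  return pairs;
}

// First matching rule wins; null means nothing suspicious.
function classify(value, keyName) {
  if (PRIVATE_KEY_HEADER.test(value)) return 'private key material';
  if (URL_WITH_USERINFO.test(value)) return 'credentials embedded in URL';
  if (AWS_ACCESS_KEY_ID.test(value)) return 'AWS access key ID';
  if (keyName !== null && SECRET_KEY_NAMES.test(keyName)) return 'secret-looking key name';
  for (const tok of value.match(TOKEN_LIKE) || []) {
    if (entropy(tok) >= 3.5) return 'high-entropy string';
  }
  return null;
}

function scanPlist(source, xml) {
  return plistStrings(xml)
    .map(({ key, value }) => ({ source, key, value, reason: classify(value, key) }))
    .filter(f => f.reason !== null);
}

// One candidate per line, as produced by `strings -n 8 App.app/App`.
function scanStrings(source, dump) {
  return dump.split('\n').map(l => l.trim()).filter(l => l.length > 0)
    .map(value => ({ source, key: null, value, reason: classify(value, null) }))
    .filter(f => f.reason !== null);
}

// --- constructed samples (no real app, bundle or credentials) ---
const INFO_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.securebank</string>
  <key>NSCameraUsageDescription</key><string>Used to scan cheques for mobile deposit.</string>
  <key>BackendAPIKey</key><string>e1f2d3c4b5a69788e1f2d3c4b5a69788</string>
  <key>StagingPassword</key><string>Summer2019!</string>
</dict></plist>`;

const USER_DEFAULTS_PLIST = `<plist version="1.0"><dict>
  <key>lastLoginEmail</key><string>alice@example.com</string>
  <key>sessionToken</key><string>9f8e7d6c5b4a39281706f5e4d3c2b1a0</string>
</dict></plist>`;

// Last line before the ObjC type encoding: 32 distinct characters, entropy exactly 5.
const STRINGS_DUMP = `/System/Library/Frameworks/UIKit.framework/UIKit
-----BEGIN OPENSSH PRIVATE KEY-----
https://deploy:Pr0dDeploy2019@ci.example.internal/api
AKIAIOSFODNN7EXAMPLE
abcdefghijklmnopqrstuvwxyzABCDEF
T@"NSString",N,C,V_name`;

function runDemo() {
  return [
    ...scanPlist('Info.plist', INFO_PLIST),
    ...scanPlist('Library/Preferences/com.example.securebank.plist', USER_DEFAULTS_PLIST),
    ...scanStrings('strings -n 8 SecureBank', STRINGS_DUMP),
  ];
}

for (const f of runDemo()) console.log(`${f.source}: ${f.key || f.value} -> ${f.reason}`);
```

On a real assessment the same functions run over the files pulled from the app bundle and its data container; Keychain items are not files and need a dedicated dumper, which is why the slide's last bullet is the one a file scanner will never catch.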
IOS SECURITY SUITE V1.0 LIBRARY
- What it detects:
  • Jailbreaks, with new indicators
  • Attached debuggers
  • Tampering tools (e.g. Frida)
  • Whether your app is running in an emulator