Presentation: Modern iOS Application Security

Duration: 1:40pm - 2:30pm

Key Takeaways

  • Learn about the commonly missed threats and how you can mitigate them when developing for iOS.
  • Understand how jailbreaks work and the risk they pose to your application.
  • Gain a better understanding of the tools and techniques available to you to make more secure iOS applications.

Abstract

iOS applications have become increasingly popular targets for hackers, reverse engineers, and software pirates. In this presentation, we discuss the current state of iOS attacks, review available security APIs, and reveal why they are not enough to defend against known threats. For high-risk applications, novel protections that go beyond those offered by Apple are required. As a solution, we discuss the design of the Mobile Application Security Toolkit (MAST), which ties together jailbreak detection, anti-debugging, and anti-reversing in LLVM to address these risks.

Interview

Question: 
What is your role today?
Answer: 
I am the CEO and co-founder of Trail of Bits. Trail of Bits is a cybersecurity research and development firm located in New York City. I founded the company four years ago and we have 23 engineers. We focus on low-level security, things like mobile security, embedded systems, compilers, programming languages, software exploits and that sort of thing. It is all software security.
Question: 
What is the genesis of this talk?
Answer: 
The talk is about iOS mobile security. Apple provides a lot of reassurances that the platform is secure and that leads people to think that they don’t have to do anything else extra in order to protect their applications. The talk is about what kind of risks there actually are on mobile phones, specifically on iOS phones, and how those risks have manifested over the last couple years. Who has exploited them and what that looks like. We will talk about what you can do as a developer to avoid those risks.
The talk is actually in two parts. The first half is what you can do and the second half is what you cannot. For the what you cannot part, that is where we bust out some research from Trail of Bits where we have managed to isolate and mitigate some jailbreak risks. Most people do not speak about jailbreaks, and that is because it is just too hard to do anything about them as a normal person. But we walk through a couple things that you can do and a couple of the pitfalls of implementing that strategy on your own.
Question: 
Can you give me an example of one of the things that people commonly don’t think about when addressing mobile security?
Answer: 
Yes, for example, I think a lot of people don’t understand how much data they leave around the Apple file system and how that data can be picked up either by forensics tools or other applications. One of the chief risks for iOS mobile applications are privacy risks where you are storing sensitive data in an area that is not protected. I will talk about some of the APIs you can use to control that information and limit it so that maybe it is available to your development team while they are debugging the application, but when you compile for production, it’s no longer there.
Question: 
Is this talk about a certain security tool?
Answer: 
No. There is a brief mention of a product far into the presentation, but in general, everything that I talk about are techniques and development practices that people can use today without purchasing or spending a dime to make their app more secure.
Question: 
Is the advice you provide applicable to any mobile device or is it specific to iOS?
Answer: 
The beginning of the presentation does talk about general mobile security risks. However, we only talk about mitigating them in iOS and that’s because there is so much content there. I can’t go over both Android and iOS in a 40-minute time slot.
Question: 
What are the key takeaways?
Answer: 
We provide three specific recommendations that all developers should implement for every iOS app that they write. These are without respect to any code that they have written, without respect to any special business logic that they have got going. Every single app should use HTTPS exclusively. Every single app should use the data protection API to encrypt files. And every single app should control the data that they create on the file system. Those are minimum requirements. Regardless of what you do, all three of those things are a good idea.
Then we use that to bridge into level two: jailbreaks. Jailbreaks destroy all security guarantees of the platform. Users jailbreak their own phones; up to millions of phones per year. Jailbreaks are deployed maliciously. Jailbreaks are available from teams like Pangu and can be easily repurposed for attacks or used to reverse engineer your application and APIs.
Many people think that it’s sufficient to just implement a couple of checks for jailbreaks, but those fall over in practice. So we talk about the risks and pitfalls of going that route on your own. For the immediate takeaways, every single app should have those three things and then the fourth takeaway is you really should do something about jailbreak detection and jailbreak risks. And if you want to do something about it, then you can speak to us.
Question: 
When you say you can speak to us privately, this isn’t a sales pitch?
Answer: 
When we talk about jailbreak detection we go through the things that any kind of application hardening would have to have. It would have to have jailbreak detection. It would have to have static reverse engineering protection. It would have to have dynamic reverse engineering protection. And all of that would have to be applied uniformly across the entire code base. We talk about how you would build that with LLVM and Xcode a little bit, then we talk about other apps that use some of these strategies, such as Snapchat. There are really good, actionable takeaways that you will have if you do this on your own.

Speaker: Dan Guido

Co-Founder & CEO @TrailOfBits

Dan Guido is the CEO and co-founder of Trail of Bits, a cybersecurity research and development firm headquartered in NYC. At Trail of Bits, he has led the R&D team to make novel advances in automated vulnerability finding and exploitation and helps firms apply these techniques in practice on their products. Dan frequently shares his thoughts on threat intelligence, software security, and mobile security on the company blog (https://blog.trailofbits.com). In his free time, Dan runs the Empire Hacking meetup group and moderates Reddit Netsec, the largest security forum on the internet.
