SlideShare ist ein Scribd-Unternehmen logo

eXtend Security on Xcode

Rakuten Group, Inc.
Rakuten Group, Inc.

In order to assist developers to develop a secure iOS app in a rapid development process, we propose our own security features implemented on top of Xcode IDE. "The mobile industry is now booming. According to Apple, the number of iOS apps in App Store reached to 900,000 as of June 2013. In this highly competitive market, mobile app developers are required to develop a high-value, high-quality and high-performance app and with a short time-to-market. Implementing security into earlier phases of such rapid pace agile development life cycle can be considered as one of the key success factors for organizations. We believe that by adding an automated security measure into Xcode IDE itself is essential and can help facilitate secure agile development cycles for iOS developers. Therefore, we are implementing our own security features on top of Xcode. During coding phase, the developers will be able to automatically spot general security issues of iOS apps and thus prevent them from creating those issues. This can also help security testers to conduct white-box security testing in a shorter amount of time. We will also share difficulties and problems we faced and how we overcome them during our research. 迅速な開発プロセスにおいてセキュアなiOSアプリを開発するデベロッパーを支援するために、XcodeのIDE上にセキュリティ機能を実装することを提案する。モバイル業界は急成長している。Appleによると、2013年6月の時点でAppStoreにあるiOSアプリは90万を超えた。この急激な競争市場において、モバイル・アプリ開発者は短納期でありながら、価値があり、質が高く、ハイパフォーマンスなアプリの開発が求められている。企業の成功要因の一つとして、このような急ピッチなアジャイル開発ライフサイクルにおいてセキュリティ機能を開発初期に実装することは重要と考えられる。 Xcode自体に自動化されたセキュリティ対策機能は必要不可欠であり、機能追加することによって、iOS開発者は安全なアジャイル開発サイクルを促進できると考えている。そこで、Xcode上にセキュリティ機能を実装した。コーディング中には、開発者はiOSの一般的なセキュリティ問題に自然に気が付き、問題を避けたアプリ開発を可能にする。セキュリティテスターにとっては、短期間で行われるホワイトボックスのセキュリティテストを手助けしてくれる。これまで直面した問題と問題に対してどのようにして乗り越えかを本発表で共有する。 OWASP AppSec APAC 2014にて3/20に発表。 http://appsecapac.org/2014/ 発表者: Tokuji Akamine (赤嶺 徳治) Raymund Pedraita

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
eXtend Security on Xcode Vol.01 Mar/26/2014 Tokuji Akamine Raymund Pedraita DU, Rakuten, Inc. http://www.rakuten.co.jp/
About Us • Who we are – Tokuji Akamine @tokujia • Lead Security Engineer, Rakuten Inc. – Raymund Dante Pedraita (redwud) • Senior Security Engineer, Rakuten Inc.
Statistics : iOS Apps • More than 1 million apps on the AppStore • Users spent $ 10 billion for paid apps • 3 billion apps were downloaded • Almost half of all smartphone owners were concerned about privacy • 90% of iOS mobile apps show security vulnerabilities References: http://www.apple.com/pr/library/2014/01/07App-Store-Sales-Top-10-Billion-in-2013.html http://www.mobilesecurity.com/articles/656-smartphone-users-reveal-mobile-privacy-fears http://www.zdnet.com/hp-research-finds-vulnerabilities-in-9-of-10-mobile-apps- 7000023324/
Statistics : iOS Apps • According to the IOActive’s research, many banking apps have security issues – 40% of the audited apps did not validate the authenticity of SSL certificates presented. – Many of the apps (90%) contained several non-SSL links – 50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. Reference: http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
So, what can we use? • Security Awareness and Education – OWASP Top 10 Mobile Risks – iGoat, DVIA • Secure Development – OWASP Top 10 Mobile Controls – iOS Developer Cheat Sheet – iMAS • Security Testing – iOS Application Security Testing Cheat Sheet – Anything else? Reference: OWASP Mobile Security Project
Security Testing Tools for iOS Apps • Free Tools – Dynamic Analysis Tools, Pen-testing frameworks: iAuditor, iNalyzer, snoop-it, Introspy-iOS • Commercial Tools – Static Security Analysis Tools & Service: Veracode, Cxsuite, Fortify, AppScan Source and maybe more …
Motivations • No free security source code analysis tools • A lot of manual work for security testing • Can't fully depend on grep and scripts. • Security coding guideline doesn’t work well by itself • Introduce an early detection tool
Xcode Plug-in • We extend security on Xcode with our plug-in – Centralize developer-friendly security features on the IDE – Provide a solution to avoid making vulnerabilities – Detect vulnerabilities at earlier phases of development – Cut down the cost of manual security testing
Intro of Xcode plug-in development • Choose “Bundle” as a template and “Cocoa” as a Framework • Configure build settings (XCGCReady, XCPluginHasUI, XC4Compatible, Deployment Location, Wrapper Extension, etc.) • Create a Class • Build • Relaunch Xcode
Xcode plug-in development continues … • Internal Frameworks – IDEKit, IDEFoundation /Applications/Xcode.app/Contents/Frameworks/ – DVTKit, DVTFoundation /Applications/Xcode.app/Contents/SharedFrameworks/ – IDESourceEditor, IDEQuickHelp, Xcode3UI, etc. /Applications/Xcode.app/Contents/PlugIns/ – DevToolsCore, etc. /Applications/Xcode.app/Contents/OtherFrameworks/ – WebKit, etc. /Applications/Xcode.app/Developer/Platforms/MacOSX.platform/D eveloper/SDKs/MacOSX[ver].sdk/System/Library/Frameworks/
Xcode plug-in development continues … • Obtain internal class information with class- dump to look for useful Class, Methods, Properties @interface IDESourceCodeEditor : IDEEditor <NSTextViewDelegate, NSMenuDelegate, NSPopoverDelegate, …> … + (id)keyPathsForValuesAffectingIsWorkspaceBuilding; + (void)revertStateWithDictionary:(id)arg1 withSourceTextView:(id)arg2 withEditorDocument:(id)arg3; + (void)commitStateToDictionary:(id)arg1 withSourceTextView:(id)arg2; + (long long)version; + (void)configureStateSavingObjectPersistenceByName:(id)arg1; @property(retain) IDESingleFileProcessingToolbarController *singleFileProcessingToolbarController; // … @property(retain) IDEAnalyzerResultsExplorer *analyzerResultsExplorer; // … @property(retain, nonatomic) DVTSourceExpression *mouseOverExpression; // … @property(retain) IDESourceCodeEditorContainerView *containerView; // … @property(retain) DVTSourceTextView *textView; // … …
Available Xcode Plug-ins • XVim • Injection • BBUncrustifyPlugin • Xcode Fixins • XcodeColors • OMColorSense • KSImageNamed-Xcode • XcodeExplorer etc.
XSecurity • XSecurity – Quick Security Help with built-in Security Guidelines – Real-time Vulnerability Notifications – Static Analysis with Clang Static Analyzer
Feature 1: Quick Security Help • Quick Help – Display concise reference documentation without taking focus away from the file you’re editing.
Feature 1: Quick Security Help • Quick Security Help – Add security guidelines in reference documentation. – Added to both Quick Help Inspector and the Quick Help Window – Can automatically display and hide the inspector area.
Feature 1: Quick Security Help Quick Help Window Quick Help Inspector
Feature 2: Real-time Vulnerability Notifications • Real-time Vulnerability Notifications – Show the vulnerability as it is being created. – Instant bug know-how to developers. – Early prevention.
Feature 2: Real-time Vulnerability Notifications • Detection Triggers – When the source is modified. – When switching between source files. • Methodology – Research parts of Xcode, how it works. – Categorize vulnerabilities according to characteristics. – Heavy use of RegEx
Feature 2: Real-time Vulnerability Notifications
Feature 3: Clang Static Security Analyzer • Clang – A compiler front-end for C family languages – It uses LLVM as its back end – Creates an abstract syntax tree (AST) of the code – LLVM Community (Mainly professionals from Apple, Google, ARM, Intel, etc.)
Feature 3: Clang Static Security Analyzer • Clang Static Analyzer – A source code analysis tool that can find bugs in C, C++ and Objective-C programs. – Can run from CLI and within Xcode – 100% open source and part of Clang project • Alternative static code analysis tool: OCLint
Feature 3: Clang Static Security Analyzer • It boils down to checkers – Static analyzer engine can do path-sensitive exploration of the program. – Checkers implement the logic for bug detection – And, construct bug reports. – Well-documented http://clang-analyzer.llvm.org/checker_dev_manual.html
Feature 3: Clang Static Security Analyzer • Analyzer in action
Feature 3: Clang Static Security Analyzer • CI with Security Checkers
Detectable Vulnerabilities Category Vulnerability Real-time Checker Insecure Data Storage Insecure Keychain Storage ● ● Insecure NSUserDefaults Usage ● ● Unencrypted Data in plist File ● Insecure Permanent Credential Storage ● ● Insufficient Transport Layer Security Ignores Certificate Validation Errors ● ● Security Decisions Via Untrusted Inputs Abusing URL Schemes ● ● Side Channel Data Leakage Leaking Web Caches ● Leaking Logs ● ● Leaking Pasteboard ● Client Side Injection SQL Injection (SQLite) ●
XSecurity Project • XSecurity Project https://github.com/XSecurity/ @prj_xsecurity
Future Plans • We aim to… – Make configurations flexible or customizable guideline in Quick Security Help – Have an option to select rules – Improve reporting functionalities – Develop more rules for real-time vulnerability notifications and checkers
Next vulnerabilities Category Vulnerability Insufficient Transport Layer Security Data Transport Over Unencrypted Channel Query String for Sensitive Data Certificate Unpinning Sensitive Information Disclosure Hard Coded Sensitive Information Query String for Sensitive Data Broken Cryptography Use Vulnerable Encryption Algorithms Poor Authorization & Authentication Invalid Usage of Persistent Identifier Insecure OAuth implementation Client Side Injection Cross Site Scripting
Questions?
Thank you
References • References – OWASP Mobile Security Project – Mac Developer Library – The LLVM project – OCLint – Clang Scan-Build Jenkins Plugin

Empfohlen

See the Future, See the Stars Rakuten Institute of Technology
See the Future, See the Stars Rakuten Institute of TechnologySee the Future, See the Stars Rakuten Institute of Technology
See the Future, See the Stars Rakuten Institute of TechnologyRakuten Group, Inc.
 
[RakutenTechConf2013] [C4-1] Text detection in product images
[RakutenTechConf2013] [C4-1] Text detection in product images[RakutenTechConf2013] [C4-1] Text detection in product images
[RakutenTechConf2013] [C4-1] Text detection in product imagesRakuten Group, Inc.
 
Text Detection From Image
Text Detection From ImageText Detection From Image
Text Detection From ImageArun Patel
 
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話Rakuten Group, Inc.
 
楽天における安全な秘匿情報管理への道のり
楽天における安全な秘匿情報管理への道のり楽天における安全な秘匿情報管理への道のり
楽天における安全な秘匿情報管理への道のりRakuten Group, Inc.
 
What Makes Software Green?
What Makes Software Green?What Makes Software Green?
What Makes Software Green?Rakuten Group, Inc.
 
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...Rakuten Group, Inc.
 
DataSkillCultureを浸透させる楽天の取り組み
DataSkillCultureを浸透させる楽天の取り組みDataSkillCultureを浸透させる楽天の取り組み
DataSkillCultureを浸透させる楽天の取り組みRakuten Group, Inc.
 

Empfohlen

See the Future, See the Stars Rakuten Institute of Technology
See the Future, See the Stars Rakuten Institute of TechnologySee the Future, See the Stars Rakuten Institute of Technology
See the Future, See the Stars Rakuten Institute of TechnologyRakuten Group, Inc.
 
[RakutenTechConf2013] [C4-1] Text detection in product images
[RakutenTechConf2013] [C4-1] Text detection in product images[RakutenTechConf2013] [C4-1] Text detection in product images
[RakutenTechConf2013] [C4-1] Text detection in product imagesRakuten Group, Inc.
 
Text Detection From Image
Text Detection From ImageText Detection From Image
Text Detection From ImageArun Patel
 
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話Rakuten Group, Inc.
 
楽天における安全な秘匿情報管理への道のり
楽天における安全な秘匿情報管理への道のり楽天における安全な秘匿情報管理への道のり
楽天における安全な秘匿情報管理への道のりRakuten Group, Inc.
 
What Makes Software Green?
What Makes Software Green?What Makes Software Green?
What Makes Software Green?Rakuten Group, Inc.
 
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...Rakuten Group, Inc.
 
DataSkillCultureを浸透させる楽天の取り組み
DataSkillCultureを浸透させる楽天の取り組みDataSkillCultureを浸透させる楽天の取り組み
DataSkillCultureを浸透させる楽天の取り組みRakuten Group, Inc.
 
大規模なリアルタイム監視の導入と展開
大規模なリアルタイム監視の導入と展開大規模なリアルタイム監視の導入と展開
大規模なリアルタイム監視の導入と展開Rakuten Group, Inc.
 
楽天における大規模データベースの運用
楽天における大規模データベースの運用楽天における大規模データベースの運用
楽天における大規模データベースの運用Rakuten Group, Inc.
 
楽天サービスを支えるネットワークインフラストラクチャー
楽天サービスを支えるネットワークインフラストラクチャー楽天サービスを支えるネットワークインフラストラクチャー
楽天サービスを支えるネットワークインフラストラクチャーRakuten Group, Inc.
 
楽天の規模とクラウドプラットフォーム統括部の役割
楽天の規模とクラウドプラットフォーム統括部の役割楽天の規模とクラウドプラットフォーム統括部の役割
楽天の規模とクラウドプラットフォーム統括部の役割Rakuten Group, Inc.
 
Rakuten Services and Infrastructure Team.pdf
Rakuten Services and Infrastructure Team.pdfRakuten Services and Infrastructure Team.pdf
Rakuten Services and Infrastructure Team.pdfRakuten Group, Inc.
 
The Data Platform Administration Handling the 100 PB.pdf
The Data Platform Administration Handling the 100 PB.pdfThe Data Platform Administration Handling the 100 PB.pdf
The Data Platform Administration Handling the 100 PB.pdfRakuten Group, Inc.
 
Supporting Internal Customers as Technical Account Managers.pdf
Supporting Internal Customers as Technical Account Managers.pdfSupporting Internal Customers as Technical Account Managers.pdf
Supporting Internal Customers as Technical Account Managers.pdfRakuten Group, Inc.
 
Making Cloud Native CI_CD Services.pdf
Making Cloud Native CI_CD Services.pdfMaking Cloud Native CI_CD Services.pdf
Making Cloud Native CI_CD Services.pdfRakuten Group, Inc.
 
How We Defined Our Own Cloud.pdf
How We Defined Our Own Cloud.pdfHow We Defined Our Own Cloud.pdf
How We Defined Our Own Cloud.pdfRakuten Group, Inc.
 
Travel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoTravel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoRakuten Group, Inc.
 
Travel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoTravel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoRakuten Group, Inc.
 
OWASPTop10_Introduction
OWASPTop10_IntroductionOWASPTop10_Introduction
OWASPTop10_IntroductionRakuten Group, Inc.
 
Introduction of GORA API Group technology
Introduction of GORA API Group technologyIntroduction of GORA API Group technology
Introduction of GORA API Group technologyRakuten Group, Inc.
 
100PBを越えるデータプラットフォームの実情
100PBを越えるデータプラットフォームの実情100PBを越えるデータプラットフォームの実情
100PBを越えるデータプラットフォームの実情Rakuten Group, Inc.
 
社内エンジニアを支えるテクニカルアカウントマネージャー
社内エンジニアを支えるテクニカルアカウントマネージャー社内エンジニアを支えるテクニカルアカウントマネージャー
社内エンジニアを支えるテクニカルアカウントマネージャーRakuten Group, Inc.
 
モニタリングプラットフォーム開発の裏側
モニタリングプラットフォーム開発の裏側モニタリングプラットフォーム開発の裏側
モニタリングプラットフォーム開発の裏側Rakuten Group, Inc.
 
楽天のインフラ事情 2022
楽天のインフラ事情 2022楽天のインフラ事情 2022
楽天のインフラ事情 2022Rakuten Group, Inc.
 
楽天サービスとインフラ部隊
楽天サービスとインフラ部隊楽天サービスとインフラ部隊
楽天サービスとインフラ部隊Rakuten Group, Inc.
 
Rakuten Platform
Rakuten PlatformRakuten Platform
Rakuten PlatformRakuten Group, Inc.
 
Kafka & Hadoop in Rakuten
Kafka & Hadoop in RakutenKafka & Hadoop in Rakuten
Kafka & Hadoop in RakutenRakuten Group, Inc.
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 

Weitere ähnliche Inhalte

Mehr von Rakuten Group, Inc.

大規模なリアルタイム監視の導入と展開
大規模なリアルタイム監視の導入と展開大規模なリアルタイム監視の導入と展開
大規模なリアルタイム監視の導入と展開Rakuten Group, Inc.
 
楽天における大規模データベースの運用
楽天における大規模データベースの運用楽天における大規模データベースの運用
楽天における大規模データベースの運用Rakuten Group, Inc.
 
楽天サービスを支えるネットワークインフラストラクチャー
楽天サービスを支えるネットワークインフラストラクチャー楽天サービスを支えるネットワークインフラストラクチャー
楽天サービスを支えるネットワークインフラストラクチャーRakuten Group, Inc.
 
楽天の規模とクラウドプラットフォーム統括部の役割
楽天の規模とクラウドプラットフォーム統括部の役割楽天の規模とクラウドプラットフォーム統括部の役割
楽天の規模とクラウドプラットフォーム統括部の役割Rakuten Group, Inc.
 
Rakuten Services and Infrastructure Team.pdf
Rakuten Services and Infrastructure Team.pdfRakuten Services and Infrastructure Team.pdf
Rakuten Services and Infrastructure Team.pdfRakuten Group, Inc.
 
The Data Platform Administration Handling the 100 PB.pdf
The Data Platform Administration Handling the 100 PB.pdfThe Data Platform Administration Handling the 100 PB.pdf
The Data Platform Administration Handling the 100 PB.pdfRakuten Group, Inc.
 
Supporting Internal Customers as Technical Account Managers.pdf
Supporting Internal Customers as Technical Account Managers.pdfSupporting Internal Customers as Technical Account Managers.pdf
Supporting Internal Customers as Technical Account Managers.pdfRakuten Group, Inc.
 
Making Cloud Native CI_CD Services.pdf
Making Cloud Native CI_CD Services.pdfMaking Cloud Native CI_CD Services.pdf
Making Cloud Native CI_CD Services.pdfRakuten Group, Inc.
 
How We Defined Our Own Cloud.pdf
How We Defined Our Own Cloud.pdfHow We Defined Our Own Cloud.pdf
How We Defined Our Own Cloud.pdfRakuten Group, Inc.
 
Travel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoTravel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoRakuten Group, Inc.
 
Travel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoTravel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoRakuten Group, Inc.
 
Introduction of GORA API Group technology
Introduction of GORA API Group technologyIntroduction of GORA API Group technology
Introduction of GORA API Group technologyRakuten Group, Inc.
 
100PBを越えるデータプラットフォームの実情
100PBを越えるデータプラットフォームの実情100PBを越えるデータプラットフォームの実情
100PBを越えるデータプラットフォームの実情Rakuten Group, Inc.
 
社内エンジニアを支えるテクニカルアカウントマネージャー
社内エンジニアを支えるテクニカルアカウントマネージャー社内エンジニアを支えるテクニカルアカウントマネージャー
社内エンジニアを支えるテクニカルアカウントマネージャーRakuten Group, Inc.
 
モニタリングプラットフォーム開発の裏側
モニタリングプラットフォーム開発の裏側モニタリングプラットフォーム開発の裏側
モニタリングプラットフォーム開発の裏側Rakuten Group, Inc.
 
楽天のインフラ事情 2022
楽天のインフラ事情 2022楽天のインフラ事情 2022
楽天のインフラ事情 2022Rakuten Group, Inc.
 
楽天サービスとインフラ部隊
楽天サービスとインフラ部隊楽天サービスとインフラ部隊
楽天サービスとインフラ部隊Rakuten Group, Inc.
 

Mehr von Rakuten Group, Inc. (20)

大規模なリアルタイム監視の導入と展開
大規模なリアルタイム監視の導入と展開大規模なリアルタイム監視の導入と展開
大規模なリアルタイム監視の導入と展開
 
楽天における大規模データベースの運用
楽天における大規模データベースの運用楽天における大規模データベースの運用
楽天における大規模データベースの運用
 
楽天サービスを支えるネットワークインフラストラクチャー
楽天サービスを支えるネットワークインフラストラクチャー楽天サービスを支えるネットワークインフラストラクチャー
楽天サービスを支えるネットワークインフラストラクチャー
 
楽天の規模とクラウドプラットフォーム統括部の役割
楽天の規模とクラウドプラットフォーム統括部の役割楽天の規模とクラウドプラットフォーム統括部の役割
楽天の規模とクラウドプラットフォーム統括部の役割
 
Rakuten Services and Infrastructure Team.pdf
Rakuten Services and Infrastructure Team.pdfRakuten Services and Infrastructure Team.pdf
Rakuten Services and Infrastructure Team.pdf
 
The Data Platform Administration Handling the 100 PB.pdf
The Data Platform Administration Handling the 100 PB.pdfThe Data Platform Administration Handling the 100 PB.pdf
The Data Platform Administration Handling the 100 PB.pdf
 
Supporting Internal Customers as Technical Account Managers.pdf
Supporting Internal Customers as Technical Account Managers.pdfSupporting Internal Customers as Technical Account Managers.pdf
Supporting Internal Customers as Technical Account Managers.pdf
 
Making Cloud Native CI_CD Services.pdf
Making Cloud Native CI_CD Services.pdfMaking Cloud Native CI_CD Services.pdf
Making Cloud Native CI_CD Services.pdf
 
How We Defined Our Own Cloud.pdf
How We Defined Our Own Cloud.pdfHow We Defined Our Own Cloud.pdf
How We Defined Our Own Cloud.pdf
 
Travel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoTravel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech info
 
Travel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech infoTravel & Leisure Platform Department's tech info
Travel & Leisure Platform Department's tech info
 
OWASPTop10_Introduction
OWASPTop10_IntroductionOWASPTop10_Introduction
OWASPTop10_Introduction
 
Introduction of GORA API Group technology
Introduction of GORA API Group technologyIntroduction of GORA API Group technology
Introduction of GORA API Group technology
 
100PBを越えるデータプラットフォームの実情
100PBを越えるデータプラットフォームの実情100PBを越えるデータプラットフォームの実情
100PBを越えるデータプラットフォームの実情
 
社内エンジニアを支えるテクニカルアカウントマネージャー
社内エンジニアを支えるテクニカルアカウントマネージャー社内エンジニアを支えるテクニカルアカウントマネージャー
社内エンジニアを支えるテクニカルアカウントマネージャー
 
モニタリングプラットフォーム開発の裏側
モニタリングプラットフォーム開発の裏側モニタリングプラットフォーム開発の裏側
モニタリングプラットフォーム開発の裏側
 
楽天のインフラ事情 2022
楽天のインフラ事情 2022楽天のインフラ事情 2022
楽天のインフラ事情 2022
 
楽天サービスとインフラ部隊
楽天サービスとインフラ部隊楽天サービスとインフラ部隊
楽天サービスとインフラ部隊
 
Rakuten Platform
Rakuten PlatformRakuten Platform
Rakuten Platform
 
Kafka & Hadoop in Rakuten
Kafka & Hadoop in RakutenKafka & Hadoop in Rakuten
Kafka & Hadoop in Rakuten
 

Kürzlich hochgeladen

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Kürzlich hochgeladen (20)

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 

eXtend Security on Xcode

  • 1. eXtend Security on Xcode Vol.01 Mar/26/2014 Tokuji Akamine Raymund Pedraita DU, Rakuten, Inc. http://www.rakuten.co.jp/
  • 2. About Us • Who we are – Tokuji Akamine @tokujia • Lead Security Engineer, Rakuten Inc. – Raymund Dante Pedraita (redwud) • Senior Security Engineer, Rakuten Inc.
  • 3. Statistics : iOS Apps • More than 1 million apps on the AppStore • Users spent $ 10 billion for paid apps • 3 billion apps were downloaded • Almost half of all smartphone owners were concerned about privacy • 90% of iOS mobile apps show security vulnerabilities References: http://www.apple.com/pr/library/2014/01/07App-Store-Sales-Top-10-Billion-in-2013.html http://www.mobilesecurity.com/articles/656-smartphone-users-reveal-mobile-privacy-fears http://www.zdnet.com/hp-research-finds-vulnerabilities-in-9-of-10-mobile-apps- 7000023324/
  • 4. Statistics : iOS Apps • According to the IOActive’s research, many banking apps have security issues – 40% of the audited apps did not validate the authenticity of SSL certificates presented. – Many of the apps (90%) contained several non-SSL links – 50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. Reference: http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
  • 5. So, what can we use? • Security Awareness and Education – OWASP Top 10 Mobile Risks – iGoat, DVIA • Secure Development – OWASP Top 10 Mobile Controls – iOS Developer Cheat Sheet – iMAS • Security Testing – iOS Application Security Testing Cheat Sheet – Anything else? Reference: OWASP Mobile Security Project
  • 6. Security Testing Tools for iOS Apps • Free Tools – Dynamic Analysis Tools, Pen-testing frameworks: iAuditor, iNalyzer, snoop-it, Introspy-iOS • Commercial Tools – Static Security Analysis Tools & Service: Veracode, Cxsuite, Fortify, AppScan Source and maybe more …
  • 7. Motivations • No free security source code analysis tools • A lot of manual work for security testing • Can't fully depend on grep and scripts. • Security coding guideline doesn’t work well by itself • Introduce an early detection tool
  • 8. Xcode Plug-in • We extend security on Xcode with our plug-in – Centralize developer-friendly security features on the IDE – Provide a solution to avoid making vulnerabilities – Detect vulnerabilities at earlier phases of development – Cut down the cost of manual security testing
  • 9. Intro of Xcode plug-in development • Choose “Bundle” as a template and “Cocoa” as a Framework • Configure build settings (XCGCReady, XCPluginHasUI, XC4Compatible, Deployment Location, Wrapper Extension, etc.) • Create a Class • Build • Relaunch Xcode
  • 10. Xcode plug-in development continues … • Internal Frameworks – IDEKit, IDEFoundation /Applications/Xcode.app/Contents/Frameworks/ – DVTKit, DVTFoundation /Applications/Xcode.app/Contents/SharedFrameworks/ – IDESourceEditor, IDEQuickHelp, Xcode3UI, etc. /Applications/Xcode.app/Contents/PlugIns/ – DevToolsCore, etc. /Applications/Xcode.app/Contents/OtherFrameworks/ – WebKit, etc. /Applications/Xcode.app/Developer/Platforms/MacOSX.platform/D eveloper/SDKs/MacOSX[ver].sdk/System/Library/Frameworks/
  • 11. Xcode plug-in development continues … • Obtain internal class information with class- dump to look for useful Class, Methods, Properties @interface IDESourceCodeEditor : IDEEditor <NSTextViewDelegate, NSMenuDelegate, NSPopoverDelegate, …> … + (id)keyPathsForValuesAffectingIsWorkspaceBuilding; + (void)revertStateWithDictionary:(id)arg1 withSourceTextView:(id)arg2 withEditorDocument:(id)arg3; + (void)commitStateToDictionary:(id)arg1 withSourceTextView:(id)arg2; + (long long)version; + (void)configureStateSavingObjectPersistenceByName:(id)arg1; @property(retain) IDESingleFileProcessingToolbarController *singleFileProcessingToolbarController; // … @property(retain) IDEAnalyzerResultsExplorer *analyzerResultsExplorer; // … @property(retain, nonatomic) DVTSourceExpression *mouseOverExpression; // … @property(retain) IDESourceCodeEditorContainerView *containerView; // … @property(retain) DVTSourceTextView *textView; // … …
  • 12. Available Xcode Plug-ins • XVim • Injection • BBUncrustifyPlugin • Xcode Fixins • XcodeColors • OMColorSense • KSImageNamed-Xcode • XcodeExplorer etc.
  • 13. XSecurity • XSecurity – Quick Security Help with built-in Security Guidelines – Real-time Vulnerability Notifications – Static Analysis with Clang Static Analyzer
  • 14. Feature 1: Quick Security Help • Quick Help – Display concise reference documentation without taking focus away from the file you’re editing.
  • 15. Feature 1: Quick Security Help • Quick Security Help – Add security guidelines in reference documentation. – Added to both Quick Help Inspector and the Quick Help Window – Can automatically display and hide the inspector area.
  • 16. Feature 1: Quick Security Help Quick Help Window Quick Help Inspector
  • 17. Feature 2: Real-time Vulnerability Notifications • Real-time Vulnerability Notifications – Show the vulnerability as it is being created. – Instant bug know-how to developers. – Early prevention.
  • 18. Feature 2: Real-time Vulnerability Notifications • Detection Triggers – When the source is modified. – When switching between source files. • Methodology – Research parts of Xcode, how it works. – Categorize vulnerabilities according to characteristics. – Heavy use of RegEx
  • 20. Feature 3: Clang Static Security Analyzer • Clang – A compiler front-end for C family languages – It uses LLVM as its back end – Creates an abstract syntax tree (AST) of the code – LLVM Community (Mainly professionals from Apple, Google, ARM, Intel, etc.)
  • 21. Feature 3: Clang Static Security Analyzer • Clang Static Analyzer – A source code analysis tool that can find bugs in C, C++ and Objective-C programs. – Can run from CLI and within Xcode – 100% open source and part of Clang project • Alternative static code analysis tool: OCLint
  • 22. Feature 3: Clang Static Security Analyzer • It boils down to checkers – Static analyzer engine can do path-sensitive exploration of the program. – Checkers implement the logic for bug detection – And, construct bug reports. – Well-documented http://clang-analyzer.llvm.org/checker_dev_manual.html
  • 23. Feature 3: Clang Static Security Analyzer • Analyzer in action
  • 24. Feature 3: Clang Static Security Analyzer • CI with Security Checkers
  • 25. Detectable Vulnerabilities Category Vulnerability Real-time Checker Insecure Data Storage Insecure Keychain Storage ● ● Insecure NSUserDefaults Usage ● ● Unencrypted Data in plist File ● Insecure Permanent Credential Storage ● ● Insufficient Transport Layer Security Ignores Certificate Validation Errors ● ● Security Decisions Via Untrusted Inputs Abusing URL Schemes ● ● Side Channel Data Leakage Leaking Web Caches ● Leaking Logs ● ● Leaking Pasteboard ● Client Side Injection SQL Injection (SQLite) ●
  • 26. XSecurity Project • XSecurity Project https://github.com/XSecurity/ @prj_xsecurity
  • 27. Future Plans • We aim to… – Make configurations flexible or customizable guideline in Quick Security Help – Have an option to select rules – Improve reporting functionalities – Develop more rules for real-time vulnerability notifications and checkers
  • 28. Next vulnerabilities Category Vulnerability Insufficient Transport Layer Security Data Transport Over Unencrypted Channel Query String for Sensitive Data Certificate Unpinning Sensitive Information Disclosure Hard Coded Sensitive Information Query String for Sensitive Data Broken Cryptography Use Vulnerable Encryption Algorithms Poor Authorization & Authentication Invalid Usage of Persistent Identifier Insecure OAuth implementation Client Side Injection Cross Site Scripting
  • 31. References • References – OWASP Mobile Security Project – Mac Developer Library – The LLVM project – OCLint – Clang Scan-Build Jenkins Plugin