Copyright © 2015, Cigital
A Touch(ID) of iOS Security
Jamie Bowser, Cigital (deck uploaded to SlideShare by centralohioissa)
About me…
• Cigital (3 years)
  • Technical Strategist, Mobile (iOS)
  • Sr. Consultant (iOS tooling)
  • Consultant (MDM implementation and iOS security guidelines)
• KeyBank (12+ years)
  • Application Security Program owner (web, mobile, mainframe)
  • Java web developer (external and internal sites)
• Other (x+y/z years)
  • NASA UNIX administrator / web administrator
  • Developer
  • iOS developer (Touch Unlock by Reconditorium Limited)
Presentation Scope
• In scope
  • Use of Touch ID in third-party applications
  • How to spot Local Authentication
  • Bypass-ability
• Out of scope
  • Apple Pay usage
  • Apple's own use of Touch ID inside iOS
TOUCHID OVERVIEW
What Touch ID really is
• Touch ID is Apple's biometric fingerprint authentication technology.
• It reads the fingerprint and stores a "mathematical representation" of it, not the image, in the Secure Enclave.
• The Secure Enclave is a "walled off" part of the hardware, isolated from the rest of the device; the application processor never sees the representation.
• It can store multiple fingerprint representations.
• Client-side authentication: the match happens on the device, not on your server.
• Biometric ("something you are").
• A possible form of second-factor authentication.
TouchID Architecture
• Has changed with each major iOS release since it was introduced
• Getting better?
• Currently three options to discuss
  • Option 1: iOS 7 release (initial Touch ID release)
  • Option 2: iOS 8 release
  • Option 3: iOS 9 release
TouchID Architecture – Release 1
• The architecture is not visible to third-party iOS applications; only Apple's own applications can use it
[Diagram: Touch ID sensor -> hardware-protected connection -> Secure Enclave (holds the fingerprint representation) -> Local Authentication API -> Apple applications. Third-party applications: no path in.]
Implementations – Release 1
• No third-party implementation possible
• No "public" API
• Only public API usage is allowed in the Apple App Store, so third-party apps could not touch Touch ID at all
TouchID Architecture – Release 2
• The architecture becomes visible to third-party iOS applications, in addition to Apple's own
[Diagram: Touch ID sensor -> hardware-protected connection -> Secure Enclave (holds the fingerprint representation) -> Local Authentication API -> Apple applications and third-party applications.]
Implementations – Release 2
• Typical implementation (flow chart)
  First run:  Start -> Authenticate -> Place token in Keychain **
  Later runs: Start -> Check Local Auth API -> Authenticate -> Get token from Keychain -> Use token
** The Keychain entry gets an attribute that only ties it to the device having a passcode set
(kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly). Nothing about the entry is associated with
Touch ID; the fingerprint check and the token are two unrelated things held together by app logic.
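As an added example (not code from the slides), here is the Release 2 pattern just described written out in Objective-C. The service name com.example.bank.session, the function names and the token bytes are assumptions for illustration; the point it shows is that the Keychain item itself carries no Touch ID binding, so the app's own `if (success)` is the whole control:

```objc
// Added example of the iOS 8-era ("Release 2") pattern; not code from the slides.
// Assumptions: service name and function names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

static NSString * const kSessionService = @"com.example.bank.session"; // hypothetical

// Store the session token. The only protection is the accessibility class: this app can
// read it whenever the device has a passcode set and is unlocked. Nothing ties the item
// to Touch ID, which is the point the slide's footnote makes.
static OSStatus storeTokenRelease2(NSData *token) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSessionService,
    };
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any earlier copy
    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData]      = token;
    attrs[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read it back. No user interaction: the keychain has no reason to ask for a finger.
static NSData *readTokenRelease2(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSessionService,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// The "Authenticate" box in the flow chart. The decision arrives as a BOOL in a block
// running inside the app: whoever controls the process (a swizzled LAContext, a patched
// reply block) controls the decision, and readTokenRelease2 hands over the token anyway.
static void unlockRelease2(void (^completion)(NSData *token, NSError *error)) {
    LAContext *context = [[LAContext alloc] init];
    NSError *err = nil;
    if (![context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&err]) {
        completion(nil, err);            // no Touch ID hardware or no enrolled finger
        return;
    }
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:@"Unlock your session"
                      reply:^(BOOL success, NSError *authError) {
        if (!success) { completion(nil, authError); return; }
        completion(readTokenRelease2(), nil);   // the gate is app-side logic only
    }];
}
```

During a code review this is the shape to flag: an evaluatePolicy call whose success branch reads a Keychain item that has no kSecAttrAccessControl. The fingerprint prompt is real, but nothing downstream depends on it.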
Implementations – Release 2
• Many third-party application teams jumped in and implemented something
• ...and have not updated it since
TouchID Architecture – Release 3
• The architecture is visible to third-party iOS applications, in addition to Apple's own (requires iOS 9.x)
[Diagram: Touch ID sensor -> hardware-protected connection -> Secure Enclave (holds the fingerprint representation) -> Local Authentication API and Security framework (Keychain access control) -> Apple applications and third-party applications.]
Implementations – Release 3
• Typical implementation (flow chart)
  First run:  Start -> Authenticate -> Place token in Keychain *
  Later runs: Start -> Check Local Auth API ** -> Attempt to get token from Keychain (triggers system checks) -> Use token
* The Keychain entry gets an access-control attribute that ties it to Touch ID
(SecAccessControl with kSecAccessControlTouchIDAny or kSecAccessControlTouchIDCurrentSet)
** Optional
Implementations – Release 3
• Requires restricting users to a minimum iOS release
• Not everybody updates
• The app can detect the iOS version and fall back to the weaker pattern, but then the control is only as strong as the weakest path it accepts
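Added example, not code from the slides: the Release 3 pattern with both the store side and the read side, plus the version check the slides call for. The service name com.example.bank.session, the function names and the fallback status code are assumptions for illustration; it uses kSecAccessControlTouchIDCurrentSet rather than TouchIDAny, and it goes one step beyond the slide by showing the dispatch needed because SecItemCopyMatching blocks while the prompt is up:

```objc
// Added example of the iOS 9 ("Release 3") pattern: store with a Touch ID access control,
// read back through the keychain, with the version check the slides call for.
// Not code from the slides; service and function names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

static NSString * const kSessionService = @"com.example.bank.session"; // hypothetical

// "Not everybody updates": the TouchID* access-control flags and kSecUseAuthenticationUI
// only exist from iOS 9. With an iOS 8 deployment target they are weak-linked, so they must
// not be touched at run time on an older release. isOperatingSystemAtLeastVersion: is iOS 8+,
// hence the respondsToSelector guard for iOS 7 devices.
static BOOL canUseRelease3(void) {
    NSProcessInfo *pi = [NSProcessInfo processInfo];
    if (![pi respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)]) return NO;
    return [pi isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){9, 0, 0}];
}

// Store the token behind the fingerprints enrolled right now. CurrentSet (rather than
// TouchIDAny) means that enrolling an extra finger on an unlocked phone invalidates the
// item instead of granting the new finger access.
static OSStatus storeTokenRelease3(NSData *token, NSError **error) {
    CFErrorRef cfErr = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlTouchIDCurrentSet,
        &cfErr);
    if (acl == NULL) {
        if (error) *error = (__bridge_transfer NSError *)cfErr;
        return errSecParam;
    }
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSessionService,
    };
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any earlier copy
    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData]         = token;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)acl;
    // Adding needs no finger; fail rather than show UI if the keychain ever thinks otherwise.
    attrs[(__bridge id)kSecUseAuthenticationUI] = (__bridge id)kSecUseAuthenticationUIFail;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read it back. The Touch ID sheet is raised by the keychain service, not by this process,
// and the Secure Enclave releases the item only after a matching finger. A hooked LAContext
// in the app has nothing to flip here: a wrong finger, a cancel, or a changed fingerprint
// set comes back as an error status, never as the token.
static NSData *readTokenRelease3(NSString *reason, OSStatus *statusOut) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        kSessionService,
        (__bridge id)kSecReturnData:         @YES,
        (__bridge id)kSecMatchLimit:         (__bridge id)kSecMatchLimitOne,
        (__bridge id)kSecUseOperationPrompt: reason,   // text shown on the system sheet
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (statusOut) *statusOut = status;
    return (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// Entry point. On iOS 9+ the keychain read IS the authentication; there is no separate
// evaluatePolicy step to hook (the slides mark that step optional). Below iOS 9 the caller
// runs its older path and should rate that path as passcode-strength in its threat model.
static void unlockSession(void (^completion)(NSData *token, OSStatus status)) {
    if (!canUseRelease3()) {
        completion(nil, errSecUnimplemented);   // hypothetical signal: use the pre-iOS 9 path
        return;
    }
    // SecItemCopyMatching blocks until the user answers the prompt: keep it off the main thread.
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        OSStatus status = errSecSuccess;
        NSData *token = readTokenRelease3(@"Unlock your session", &status);
        dispatch_async(dispatch_get_main_queue(), ^{ completion(token, status); });
    });
}
```

The design choice worth noting is that the version check decides which path runs, but it does not make the weak path any stronger. If the product must support iOS 8, the risk assessment has to assume the iOS 8 path is the one an attacker will use.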
HOW TO SPOT LOCAL AUTHENTICATION
Doing source code review?
Spotting Local Authentication
Grep for LAContext, evaluatePolicy: and LAPolicyDeviceOwnerAuthenticationWithBiometrics:

#import <LocalAuthentication/LocalAuthentication.h>

LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Show the system authentication UI with our reason string.
// Note the shape of the result: a BOOL delivered to app code in a block.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"Unlock access to locked feature"
                  reply:^(BOOL success, NSError *authenticationError) {
    if (success) {
        message = @"evaluatePolicy: success";
    } else {
        message = [NSString stringWithFormat:@"evaluatePolicy: %@",
                   authenticationError.localizedDescription];
    }
    [self printMessage:message inTextView:self.textView];
}];
Spotting Local Authentication
Grep for SecAccessControlCreateWithFlags, kSecAccessControlTouchID* and kSecAttrAccessControl:

#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

CFErrorRef error = NULL;
// iOS 9: bind the item to Touch ID (any enrolled finger) and to an application password.
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDAny | kSecAccessControlApplicationPassword, &error);

// kSecAccessControlApplicationPassword requires the password to be supplied on the context
// ("APP_PASSWORD" is a placeholder).
LAContext *context = [[LAContext alloc] init];
[context setCredential:[@"APP_PASSWORD" dataUsingEncoding:NSUTF8StringEncoding]
                  type:LACredentialTypeApplicationPassword];

NSData *secretPasswordTextData = [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding];
NSDictionary *attributes = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService: @"SampleService",
    (__bridge id)kSecValueData: secretPasswordTextData,
    // iOS 8 spelling; iOS 9 deprecates it in favour of kSecUseAuthenticationUI = kSecUseAuthenticationUIFail
    (__bridge id)kSecUseNoAuthenticationUI: @YES,
    (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
    (__bridge id)kSecUseAuthenticationContext: context
};
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, nil);

* kSecAccessControlTouchIDCurrentSet is the alternative to kSecAccessControlTouchIDAny: the item is bound to the fingerprints enrolled at the time it is stored, and adding or removing a finger makes it unreadable instead of letting the new finger in.
TOUCHID BYPASSING
TouchID Bypassing
• When determining risk, consider the following:
• Jailbroken device
  • Both the API and the Keychain protection are bypassable
    • Swizzle the Local Authentication API
    • Hook the Keychain API and strip the access-control attribute (the slide calls it the access group) when the item is inserted; an item already stored with a Touch ID access control still needs the fingerprint, so the hook has to be in place when the token is first stored
  • SuccessID
    • Does not implement the access-control removal
    • https://hexplo.it/successid-touchid-override-simulation/
• Non-jailbroken device
  • Bypassable through the API
    • Swizzle the API: the evaluatePolicy result is a BOOL delivered to app code, so anything running in the process can deliver a YES; a Keychain item bound to Touch ID is the gate that survives this
Questions
email: jbowser@cigital.com
Ed McCabe - Putting the Intelligence back in Threat IntelligenceEd McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat Intelligence
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
 

Kürzlich hochgeladen

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - AvrilIvanti
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 

Kürzlich hochgeladen (20)

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - Avril
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 

Jamie Bowser - A Touch(ID) of iOS Security

8. Implementations – Release 1
• No third-party implementation available
• No “public” API
• Only public API usage is permitted for applications in the Apple AppStore
9. TouchID Architecture – Release 2
• Architecture becomes visible to iOS Applications – in addition to Apple’s Applications
[Diagram: TouchID Sensor – hardware protected connection – Secure Enclave (Fingerprint Representation) – Local Authentication API – Apple Applications / Third-Party Applications]
10. Implementations – Release 2
• Typical Implementation
[Flowchart: Start; Check Local Auth API; Get Token in Keychain; Authenticate; Place token in Keychain **; Start; Use Token **]
** Add attribute to Keychain entry that ties it to having a passcode on the device – not really associated to TouchID
11. Implementations – Release 2
• Many third-party application teams jumped in and implemented something
• And have not updated it since…
12. TouchID Architecture – Release 3
• Architecture is visible to iOS Applications – in addition to Apple’s Applications (requires iOS 9.x)
[Diagram: TouchID Sensor – hardware protected connection – Secure Enclave (Fingerprint Representation) – Local Authentication API – Security Framework – Apple Applications / Third-Party Applications]
13. Implementations – Release 3
• Typical Implementation
[Flowchart: Start; Check Local Auth API **; Attempt to get token from Keychain; Authenticate; Place token in Keychain *; Start; Use Token *]
* Add attribute to Keychain entry that ties it to having TouchID requirements – triggers system checks
** Optional
14. Implementations – Release 3
• Does require restricting users to a minimum iOS release
• Not everybody updates
• The app can detect the iOS version and fall back to a weaker implementation, but the result is only as strong as the weakest link
15. HOW TO SPOT LOCAL AUTHENTICATION
Doing Source Code Review?
16. Spotting Local Authentication

    #import <LocalAuthentication/LocalAuthentication.h>

    LAContext *context = [[LAContext alloc] init];
    __block NSString *message;

    // Show the authentication UI with our reason string.
    // The outcome arrives as a client-side BOOL in the reply block.
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:@"Unlock access to locked feature"
                      reply:^(BOOL success, NSError *authenticationError) {
        if (success) {
            message = @"evaluatePolicy: success";
        } else {
            message = [NSString stringWithFormat:@"evaluatePolicy: %@",
                       authenticationError.localizedDescription];
        }
        // printMessage:inTextView: is the sample app's own helper.
        [self printMessage:message inTextView:self.textView];
    }];
17. Spotting Local Authentication

    #import <LocalAuthentication/LocalAuthentication.h>
    #import <Security/Security.h>

    CFErrorRef error = NULL;
    LAContext *context = [[LAContext alloc] init];

    // Access control: the item is usable only while a passcode is set on this
    // device, and is released only after Touch ID (any enrolled finger) plus
    // an application password.
    SecAccessControlRef sacObject =
        SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                        kSecAccessControlTouchIDAny | kSecAccessControlApplicationPassword,
                                        &error);
    if (sacObject == NULL) {
        // handle error
    }

    // With kSecAccessControlApplicationPassword the context must be given the
    // application password via -setCredential:type: before the item is used.
    NSData *secretPasswordTextData = [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *attributes = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"SampleService",
        (__bridge id)kSecValueData: secretPasswordTextData,
        (__bridge id)kSecUseNoAuthenticationUI: @YES,
        (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
        (__bridge id)kSecUseAuthenticationContext: context
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);

* Alternative flag: kSecAccessControlTouchIDCurrentSet (the item becomes unusable once the set of enrolled fingerprints changes)
18. TOUCHID BY-PASSING
19. TouchID By-passing
• When determining risk, consider the following:
  • Jailbroken Device
    • By-passable both API and Keychain Access Groups
      • Swizzle the API
      • Hook the Keychain API and remove Access Group when inserting
    • SuccessID
      • Does not implement the Access Group removal
      • https://hexplo.it/successid-touchid-override-simulation/
  • Non-Jailbroken Device
    • By-passable using API
      • Swizzle the API
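The identifiers the two code slides tell a reviewer to look for, together with the jailbroken/non-jailbroken risk split on the by-passing slide, can be turned into a small source scanner. This is an added example written for this page; it is not code from the talk, from Cigital or from Apple. The two Objective-C snippets it scans are constructed inputs modelled on slides 16 and 17, the pattern names `api-gate` and `keychain-acl` are labels chosen here, and the risk notes restate the slides' own points.

```python
"""Spot Local Authentication / Touch ID usage in iOS source during code review.

Added example for this page (not Cigital's, the speaker's or Apple's code). It
looks for the identifiers shown on the code slides, classifies the pattern, and
attaches the risk note the by-passing slide gives for that pattern. The two
sample snippets scanned at the bottom are constructed inputs.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Real LocalAuthentication / Security framework identifiers, as used on the slides.
LOCAL_AUTH_MARKERS = ["LAContext", "evaluatePolicy",
                      "LAPolicyDeviceOwnerAuthenticationWithBiometrics"]
ACL_MARKER = "SecAccessControlCreateWithFlags"
TOUCHID_ACL_FLAGS = ["kSecAccessControlTouchIDAny", "kSecAccessControlTouchIDCurrentSet"]
PASSCODE_ONLY_ATTR = "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly"

RISK_NOTES = {
    "none": "No Local Authentication or Touch ID keychain access control found.",
    "api-gate": ("Release 2 pattern: evaluatePolicy: answers yes/no on the client and the "
                 "keychain item is tied only to a passcode being set; the API result can "
                 "be swizzled on jailbroken and non-jailbroken devices alike."),
    "keychain-acl": ("Release 3 pattern: the keychain item carries a Touch ID access "
                     "control, so the system releases the secret only after a match; "
                     "removing the access group requires a jailbroken device."),
}


@dataclass
class Finding:
    level: str                      # "none", "api-gate" or "keychain-acl"
    hits: Dict[str, List[int]] = field(default_factory=dict)  # marker -> 1-based lines
    note: str = ""
    warnings: List[str] = field(default_factory=list)


def _locate(source: str, marker: str) -> List[int]:
    """1-based line numbers on which `marker` occurs as a whole token."""
    pattern = re.compile(r"\b" + re.escape(marker) + r"\b")
    return [n for n, line in enumerate(source.splitlines(), 1) if pattern.search(line)]


def classify(source: str) -> Finding:
    """Classify one Objective-C source file by the Touch ID pattern it uses."""
    hits = {}
    for marker in LOCAL_AUTH_MARKERS + [ACL_MARKER] + TOUCHID_ACL_FLAGS + [PASSCODE_ONLY_ATTR]:
        lines = _locate(source, marker)
        if lines:
            hits[marker] = lines
    if any(flag in hits for flag in TOUCHID_ACL_FLAGS):
        level = "keychain-acl"
    elif any(marker in hits for marker in LOCAL_AUTH_MARKERS):
        level = "api-gate"
    else:
        level = "none"
    finding = Finding(level=level, hits=hits, note=RISK_NOTES[level])
    if level == "api-gate":
        if PASSCODE_ONLY_ATTR in hits:
            finding.warnings.append("Keychain item depends on a passcode being set, not on Touch ID.")
        if re.search(r"\bif\s*\(\s*success\s*\)", source):
            finding.warnings.append("Authentication outcome is a client-side BOOL in the reply block.")
    elif level == "keychain-acl" and "kSecAccessControlTouchIDCurrentSet" not in hits:
        finding.warnings.append("TouchIDAny stays valid after new fingerprints are enrolled; "
                                "TouchIDCurrentSet invalidates the item when the enrolled set changes.")
    return finding


# Constructed sample in the style of slide 16: the API answer gates a feature.
SAMPLE_API_GATE = """LAContext *context = [[LAContext alloc] init];
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"Unlock"
                  reply:^(BOOL success, NSError *err) {
    if (success) { [self unlockFeature]; }
}];
NSDictionary *q = @{ (__bridge id)kSecAttrAccessible:
                     (__bridge id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly };
"""

# Constructed sample in the style of slide 17: the keychain access control does the check.
SAMPLE_KEYCHAIN_ACL = """SecAccessControlRef sac = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDAny, &error);
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
"""

if __name__ == "__main__":
    for name, sample in (("slide-16 style", SAMPLE_API_GATE), ("slide-17 style", SAMPLE_KEYCHAIN_ACL)):
        f = classify(sample)
        print(f"{name}: {f.level}\n  {f.note}\n  hits: {f.hits}\n  warnings: {f.warnings}\n")
```

Running the file classifies both constructed samples; in a real review, feed each `.m` file to `classify` and sort by `level`, since the `api-gate` pattern is the one the slide above marks as by-passable without a jailbreak.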
20. Questions
email: jbowser@cigital.com