This document summarizes a presentation on iPhone and iPad security. It discusses how to configure passcode policy and other restrictions on devices through configuration profiles. It also covers securing data through encryption, securing network communications through VPNs and SSL, and developing secure applications that properly handle authentication, authorization, data storage and cryptography. The presentation warns of risks from jailbreaking devices and accessing unsecured configuration profiles and provides recommendations for addressing these risks.
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Â
iPhone Security WebCast
1. Mobility WebCastiPhone and iPad Security Simon Guest Director, Mobility Solutions Neudesic, LLC simon.guest@neudesic.com
2. Common Questions I donât want my employees doing [x]. How do I configure policy? What happens if I leave my device on the [bus|train|plane]? How do I secure communication from the device? Iâm writing an application. How do I make my application secure? What other bad stuff should I be thinking about?
3. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda
4. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda I donât want my employees doing [x] on their device. How do I configure policy?
52. Policy for GPRS access point, username, and password. Policy for Proxy Server (but this is for GPRS access point only)
53.
54. Policy Mobile Device Management (MDM) Remote Configuration Pushing of configuration profiles to the device Remote Query Device, network, security, and application information Remote Management Remote wipe, remote lock, clear passcode, OTA application delivery
55. Policy Mobile Device Management (MDM) API Level MDMS APIs announced with iOS 4.2 Very little public information, only available to MDM providers via separate agreement from Apple Products/Vendors AirWatch, Sybase Afaria, MobileIron Microsoft announced MDM support in SCCM 2012 http://www.zdnet.com/blog/microsoft/microsoft-readies-tool-for-managing-ipads-iphones-and-android-devices/8987 Beta 2 - http://www.microsoft.com/systemcenter/en/us/configuration-manager/cm-vnext-beta.aspx
56. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda What happens if I leave my device on the [bus|train|plane]?
57. Data Hardware Based Encryption Anything written to (flash) storage encrypted with a 256-bit AES key Cannot be disabled by users Primarily designed for remote wipe (delete the key, and data is inaccessible) Savvy hacker can very easily get access to the data, even if pin-code protected Boot the device in recovery mode, SSH and various shell scripts to extract the data
58. Data Data Protection (post iOS 4.2) Anything written to (flash) storage encrypted with a 256-bit AES key, derived from the userâs passcode Strength of data protection dependent on passcode strength Brute force with 4 digit simple PIN. A little more challenging when alphanumeric, including non-alpha characters Mitigated by PBKDF2 iterations (50ms derivation = ~20 passwords per second) However, only applies to applications that use Data Protection API
59. Data Data Protection API When writing NSData object to file, include the NSDataWritingFileProtectionComplete attribute However, your application now needs to handle failure If application is running in background when the device is locked, you will not be able to access file
60. Data Keychain The keychain is an encrypted container that holds passwords for multiple applications and secure services. (Apple Keychain services programming guide) Franhofer Institute Paper and Video âLost Phone? Lost Passwords!â http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf http://www.youtube.com/watch?v=uVGiNAs-QbY Accessed the keychain using techniques described in last section âJailbrokeâ the device, booted into tethered Jailbreak mode, copied script to dump contents of Keychain Some passwords, not all, were revealed
61. Data Keychain The Keychain supports several methods of encryption: kSecAttrAccessibleAlways â always accessible kSecAttrAccessibleWhenUnlocked - only accessible when device is unlocked kSecAttrAccessibleAfterFirstUnlock - accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again kSecAttrAccessibleWhenUnlockedThisDeviceOnly - only accessible when device is unlocked â device specific kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly - accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again â device specific kSecAttrAccessibleAlwaysThisDeviceOnly â always accessibleâ device specific Resources http://labs.neohapsis.com/2011/02/28/researchers-steal-iphone-passwords-in-6-minutes-true-but-not-the-whole-story/
62. Data Try to avoid â no protection Keychain The Keychain supports several methods of encryption: kSecAttrAccessibleAlways â always accessible kSecAttrAccessibleWhenUnlocked - only accessible when device is unlocked kSecAttrAccessibleAfterFirstUnlock - accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again kSecAttrAccessibleWhenUnlockedThisDeviceOnly - only accessible when device is unlocked â device specific kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly - accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again â device specific kSecAttrAccessibleAlwaysThisDeviceOnly â always accessibleâ device specific Resources http://labs.neohapsis.com/2011/02/28/researchers-steal-iphone-passwords-in-6-minutes-true-but-not-the-whole-story/ Recommended for most apps Recommended for apps with background needs
63. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda How do I secure communication from the device?
64. Network SSL/TLS SSL v3 / TLS v1 support for Web based applications Wireless Security Supported schemes WEP/WPA/WPA2 Enterprise Recommended: WPA2 Enterprise (128bit AES) 802.1x authentication protocols EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAP v0, v1, LEAP
65. Network VPN (Virtual Private Network) Support Supported Schemes Cisco IPSec, L2TP/IPSec, PPTP, SSL VPN Additional AppStore clients from Juniper, Cisco, and F5 Deployable via configuration profile VPN Proxy also configurable Support for Split IP Tunneling VPN on Demand (for cert-based authentication) Authentication Username/Password X.509 Certificate (Cisco IPSec only) Two Factor Authentication (RSA SecurID and CRYPTOCard) Resources http://developer.apple.com/library/ios/#featuredarticles/FA_VPN_Server_Configuration_for_iPhone_OS/Introduction/Introduction.html
66. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda Iâm writing an application. How do I make my application secure?
67. Application Authentication and Authorization Authentication No concept of users, accounts, passwords on the device Unlike Mac OS X, user is assumed to be authenticated (via pincode) No way of re-prompting user for pincode programmatically, nor locking the device Authentication for your own application will have to be custom (against back end services) Authorization No concept of roles, permissions on the device Unlike Mac OS X, user is assumed to be authorized (within the sandbox of the signed application) Resources http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/SecuritySvcs.html
68. Application Accessing Secure Server-Side Resources Authentication NSURLConnection does not support NTLM auth Need to use CFNetwork or 3rd party, such as ASIHTTPRequest SSL support NSURLConnection supports SSL (prefix âhttpsâ on NSURL) Support for bypassing invalid certificates using continueWithoutCredentialForAuthenticationChallenge Support for client side certificate requests using didReceiveAuthenticationChallenge callback Resources http://stackoverflow.com/questions/933331/how-to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert http://markmail.org/message/tnh2g6u5h42ive53 http://jameswilliams.me/developer/blog/2008/08/http-post-via-the-cfnetwork-stack/
69. Application Password Storage Donât store them in NSUserDefaults UI Abstracts the password, but can be easily accessed from the FileSystem/a simple backup/iPhone Explorer Use the Keychain instead (albeit referring to the previous section on Keychain) Resources http://software-security.sans.org/blog/2011/01/05/using-keychain-to-store-passwords-ios-iphone-ipad/
70. Application Cryptography Support Asymmetric support through Certificate, Key, and Trust Services Manage certificates, public and private keys, trust policies Create, request certificate objects (CERs) Import certificates, keys, and identities Create public/private key pairs Represent trust policies SecKeyGeneratePair Example OSStatusSecKeyGeneratePair( CFDictionaryRefparameters, SecKeyRef*publicKey, SecKeyRef*privateKey ); Resources http://developer.apple.com/library/ios/#documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/doc/uid/TP30000157
72. Application Cryptography Support Cryptographically secure random numbers SecRandomCopyBytes API returns cryptographically secure random number from accelerometer, compass, radio baseband Resources http://developer.apple.com/library/ios/#documentation/Security/Reference/RandomizationReference/Reference/reference.html
73. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda What other bad stuff should I be thinking about?
74. Bad Stuff Jailbreaking What is Jailbreaking? Process of unlocking a device to gain full access (a.k.a. root access) to a device Allowing more control on the device by bypassing previous restrictions e.g. custom ringtones, wallpapers, software to capture network packets, VNC server for the device, etc. Constant battle between jailbreakers (iPhone Dev Team) and Apple releasing new software updates Is it Legal? In the US, under exemption to DMCA 2010, although it will void Appleâs device warranty. In other countries, best to check local laws. Is it the same as SIM unlocking? No. SIM unlocking is about using different SIMs from different operators.
75. Bad Stuff Jailbreaking in the Enterprise Tethered vs. Untethered Jailbreaking Untethered = does not required USB cable and s/w to reboot device Most jailbreaks post 4.2.1 require tether Security Risks Frequent speculation on security for jailbroken devices Most originate to SSH/default password exploit iKee worm (changes wallpaper to Rick Astley background) Netherlands-based botnet-like worm uploading /etc/master.passwd file to a server in Lithuania
76. Bad Stuff Plaintext in Configuration Profile Scenario Attacker grabs .mobileconfig from Email or public URL Investigates XML file for plaintext details (e.g. WLAN SSID and password) Mitigation Encrypting .mobileconfig files for device-specific deployments Placing .mobileconfig files behind authenticated pages (avoid Google filetype:mobileconfig Password)
77. Bad Stuff Evil Configuration Profile Scenario Attacker generates evil .mobileconfig Signs using signature-only cert from one of the 224 root certs in the iPhone keystore SMS the .mobileconfig to a victim, fake them into installing it Mitigation Create a locked default profile to prevent this User education Appleâs removal of certain policy configuration options (e.g. proxy) Resources http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3892776_1/Three-Steps-to-a-Cracked-iPhone.htm
78. Bad Stuff Bypassing PIN code/Forensic Recovery of Disk Scenario Attacker has physical access to your device Even though locked with a PIN code, the device can still be placed in recovery code to override the PIN protection Mitigation Physical security of device Use of Data Protection API by applications installed on device (mail stores by default) Correct use of Key Chain algorithms to ensure passwords are not stored in clear Resources http://www.youtube.com/watch?v=5wS3AMbXRLs
79. 2 3 4 5 1 Policy Data Network Application Bad Stuff Agenda
81. Conclusion A lot to consider for iPhone and iPad Security Divide the problem in four ways Policy, data, network, and application âŠbut also understand about the bad stuff! Your device is as secure as the weakest link Donât rely on one mechanism (e.g. password policy) in lieu of the rest Think like a hacker What tools would they have? What would they try? Whatâs the worst that could happen if they got hold of your device?
82. How Neudesic Can Help Application/Device Security Review Simulate losing one of your locked devices We run it through the tools that the hackers have You get a full report of our findings Mobile Strategy Review CxO Level Mobility Review Construct mobile landscape of your organization together with the applications, integration points, and security considerations that make sense You get a framework and roadmap for mobile adoption in your organization