After my successful presentation "Testing iOS Apps without Jailbreak in 2018" it's time to change sides. This talk covers the most important milestones on the way to secure iOS/macOS apps. I'm going to show you how to develop modern and secure iOS/macOS apps using the new security features presented at WWDC 2018. H4ckers will be satisfied as well, since I'm going to discuss these steps from a pentester's perspective. What's more, this presentation includes vulnerabilities that I found during my professional work, and vulnerabilities I found in real Apple apps (that I haven't disclosed yet!).
4. www.securing.pl
AGENDA
1. iOS platform myths and reality
2. securityProblemsInMASVSCategories.forEach { problem in
2.1 Discuss problem
2.2 Show solution
2.3 Present new Apple WWDC feature
}
3. My new library – iOS Security Suite 🚀
4. Short and long term things to implement in your code
@_r3ggi wojciech.regula@securing.pl
MYTH – SWIFT AUTO-OBFUSCATES ITSELF
A Swift mangled symbol is built from:
- _$ Swift symbol prefix
- Length and module name
- Length and class name
- C (class marker), followed by the class's function (method)
- Length and method name
- Parameters and return type
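An added example, not from the talk, that turns the components listed above into a small parser: it reads the length-prefixed module, class and method names out of Swift mangled symbols and lists what an `nm` dump of a release binary exposes, which is a quick check a developer can run before shipping. The symbols, the `BankingApp`/`AuthStore` names and the `nm` lines are constructed for this example.

```python
import re

# Mangling prefixes: Swift 5 ($s), Swift 4.2 ($S), Swift 4.0 (_T0); Darwin adds a leading "_".
PREFIXES = ("_$s", "$s", "_$S", "$S", "_T0")
# Markers that follow a nominal type's identifier and state its kind.
KIND_MARKERS = {"C": "class", "V": "struct", "O": "enum", "P": "protocol"}

def demangle_simple(sym):
    """Return (identifiers, kinds, signature_tail) for a Swift mangled symbol.
    Covers the plain Module.Type.member path; generics and punycode stay in the tail."""
    prefix = next((p for p in PREFIXES if sym.startswith(p)), None)
    if prefix is None:
        raise ValueError("not a Swift mangled symbol")
    pos, idents, kinds = len(prefix), [], {}
    while pos < len(sym):
        if "0" <= sym[pos] <= "9":                  # length-prefixed identifier
            m = re.match(r"\d+", sym[pos:])
            length, start = int(m.group()), pos + m.end()
            name = sym[start:start + length]
            if len(name) != length:
                raise ValueError(f"truncated identifier at offset {pos}")
            idents.append(name)
            pos = start + length
        elif sym[pos] in KIND_MARKERS and idents:   # kind of the type just read
            kinds[idents[-1]] = KIND_MARKERS[sym[pos]]
            pos += 1
        else:
            break                                   # rest is the type signature
    if not idents:
        raise ValueError("no identifiers in symbol")
    return idents, kinds, sym[pos:]

def qualified_name(sym):
    """Dotted Swift name (Module.Class.method) for a mangled symbol."""
    return ".".join(demangle_simple(sym)[0])

# Constructed sample in `nm` output shape; the symbols are made up for this example.
SAMPLE_NM = """0000000100004f20 T _$s10BankingApp9AuthStoreC12storePINCodeyySSF
0000000100005010 T _$s10BankingApp9AuthStoreC12isJailbrokenSbyF
0000000100006000 T _main"""

def leaked_names(nm_output):
    """Swift names readable straight from the binary's symbol table."""
    names = []
    for line in nm_output.splitlines():
        try:
            names.append(qualified_name(line.split()[-1]))
        except ValueError:
            continue                                # C symbols and non-Swift entries
    return names
```

Run `leaked_names` over the real `nm` output of your own build to see which module, class and method names survive into the shipped binary.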
www.securing.plwww.securing.pl
MYTH – SWIFT
AUTOOBFUSCATES
ITSELF
- _$ Swift Symbol
- Length and module name
- Length and class name
- C function of class (method)
- Length and method name
- Parameters and return type
@_r3ggi wojciech.regula@securing.pl
16. www.securing.plwww.securing.pl
MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED
- They can, using for example Frida
- You just need to hook the symbol
AUTOMATED SMS CODES INPUT (WWDC 2018)
- Controversial feature, since another app may get access to the one-time password
- Low risk, but it opens a possibility for social engineering
ON-DEVICE DATA STORAGE
- The most common issue is storing sensitive data on the device that should not be there at all:
• API keys
• SSH keys
• Cloud credentials
• Test environment credentials
ON-DEVICE DATA STORAGE
- Sensitive data may be insecurely stored in:
• Info.plist
• User defaults
• Regular files
• Hardcoded into the binary
• Even in the Keychain (such secrets shouldn't be stored client-side at all)
IOS SECURITY SUITE V1.0 LIBRARY
- What it detects:
• Jailbreaks, using new indicators
• Attached debuggers
• Tampering tools (e.g. Frida)
• Whether your app is running in an emulator