Outsmarting Hackers before your App gets Hacked
Subho Halder, Co-Founder & CTO, Appknox
iOS Conf Edition
Securing iOS Mobile Apps
Mobile Security Talk

Agenda:
- Introduction
- Android vs iOS
- Securing Your Mobile Apps
- Secured Pasteboard
- Application Snapshots
- iOS Dataprotection API
- Juice Jacking - Slurrp
- Top 10 Mobile Security List
- 4 Myths About Mobile Security
- Questions? Contact Me :)
About Me

Co-Founder and CTO at Appknox, a mobile security company that helps developers and companies build secure mobile applications. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec and RSA Conference.

Subho Halder / Co-Founder & CTO

Securing iOS Mobile Applications - Subho Halder, iOS Conf SG Edition
Introduction

The Great Mobile Security Debate
01 Fragmented Applications
Multiple applications for multiple platforms and multiple architectures make it difficult for app developers to keep up with security concerns.

02 Fragmented Platforms
With multiple platforms and multiple versions of the mobile operating system, the OEM faces challenges in keeping security up to date.

03 Personal & Social Information
Mobile devices hold your personal and social information, and applications have access to this information.

04 Businesses & Enterprise Data
With mobile getting adopted at workplaces, sensitive information is now accessible to applications.
Android vs iOS

With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users.

[Chart: two bar charts comparing Vulnerable Apps, Malwares, Device Vulnerabilities and Fragmentation for the iOS device and the Android device]

The iOS Device
Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times.

The Android Device
Google's Android platform has become a larger target for mobile malware writers than Apple iOS. This could be a result of Android's popularity: with more than 1 million activations per day, Android smartphones command a 59% market share worldwide.

Securing Your Mobile Apps

The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.

Secured Pasteboard

Do you think Pasteboard can be used to steal information?
Secured Pasteboard Vulnerabilities

Universal Clipboard changes for iOS 10 and macOS Sierra

With the changes to the UIPasteboard API in iOS 10 that introduce Universal Clipboard, a slight security vulnerability also opens up: an end user could copy a sensitive piece of data and inadvertently make it available across all their devices.

Understanding the Clipboard Contents

As a developer, you can:
1. Flag a piece of data as "local only", in which case it will not appear in the Universal Clipboard across devices, and
2. Set an expiration date on a piece of data such that it isn't available after that date.
Secured Pasteboard Vulnerabilities

Flag a piece of data as "local only", so that it will not appear in the Universal Clipboard across devices: in one line, you set the item in the UIPasteboard with the option localOnly set to true.

Set an expiration date on a piece of data such that it isn't available after that date: again, in one line you pass an expiration date for when the UIPasteboard item should expire. You can also use these two options together.
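Both options in one UIPasteboard.setItems(_:options:) call, as an added Swift example that is not the code shown on the slides (the slide code is an image). The one-time code, the 30-second lifetime and the plain-text UTI string are constructed values for the example; the two option keys are the real iOS 10 keys named above.

```swift
import UIKit

/// Copies `secret` to the general pasteboard so that it stays on this device only
/// and disappears after `ttl` seconds. Both behaviours are opt-in options of
/// UIPasteboard.setItems(_:options:) added in iOS 10; a plain `string =` assignment
/// lets the value travel via Universal Clipboard and persist until the next copy.
func copySensitiveValue(_ secret: String, ttl: TimeInterval) {
    // "public.utf8-plain-text" is the UTI for plain text (kUTTypeUTF8PlainText).
    let item: [String: Any] = ["public.utf8-plain-text": secret]
    let options: [UIPasteboard.OptionsKey: Any] = [
        .localOnly: true,                                 // not synced to the user's other devices
        .expirationDate: Date(timeIntervalSinceNow: ttl)  // removed by the system after ttl seconds
    ]
    UIPasteboard.general.setItems([item], options: options)
}

// Usage (runs as-is in a playground): a one-time code the app copies for the user.
// Constructed value; it should neither appear on the user's Mac nor sit in the
// clipboard for the rest of the day.
copySensitiveValue("482913", ttl: 30)
```

The expiration is enforced by the system, so it also covers the case where the user never copies anything else afterwards; `localOnly` alone would leave the code in the clipboard indefinitely.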
 If an application goes into background, can the data be hacked ?
Application Snapshot Vulnerability
Application Snapshots

These screenshots can be accessed without jailbreaking

iOS caches a screenshot of the last screen of the application, and when you click on it the application resumes. This caching technique gives the user the impression that their application has resumed immediately. This "feature" on its own is not a vulnerability, and does exactly what it is supposed to do.

So when does a feature become a vulnerability?

These screenshots can be accessed without jailbreaking, using any free tool like 'ifunbox'.

As a developer, you can blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.
Application Snapshots

Blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.

The code goes in the application life cycle methods: here we put an imageView over the screen while the app animates to the background, and remove the imageView again when the application comes back to the foreground.
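The two life-cycle hooks together, as an added Swift example that is not the code shown on the slides: an opaque image view covers the key window before iOS takes the snapshot and is removed when the app becomes active again. `SnapshotGuard` and the `cover-logo` asset name are this example's own; `applicationWillResignActive` is used rather than `applicationDidEnterBackground` because it fires earlier and also when the app switcher or Control Center is opened, which is before the snapshot is captured.

```swift
import UIKit

/// Places an opaque cover over the window while the app is inactive so that the
/// snapshot iOS stores on backgrounding shows the cover instead of the last screen.
final class SnapshotGuard {
    private weak var window: UIWindow?
    private var cover: UIImageView?

    init(window: UIWindow?) { self.window = window }

    /// Show the cover. Idempotent: repeated resign-active events add one view only.
    func show() {
        guard cover == nil, let window = window else { return }
        let view = UIImageView(frame: window.bounds)
        view.backgroundColor = .white                  // opaque: nothing underneath may show through
        view.image = UIImage(named: "cover-logo")      // assumed asset; a plain colour is enough
        view.contentMode = .center
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(view)
        cover = view
    }

    /// Remove the cover once the app is interactive again.
    func hide() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

@UIApplicationMain
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private lazy var snapshotGuard = SnapshotGuard(window: window)

    // Fires on app switcher, Control Center, incoming call and backgrounding,
    // i.e. before applicationDidEnterBackground and before the snapshot is taken.
    func applicationWillResignActive(_ application: UIApplication) {
        snapshotGuard.show()
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        snapshotGuard.hide()
    }
}
```

For a scene-based app (iOS 13 and later) the same two calls belong in `sceneWillResignActive(_:)` and `sceneDidBecomeActive(_:)` of the scene delegate. Verify the result by backgrounding the app on a device and checking that the app switcher card shows the cover, not the previous screen.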
 Have you ever used this to secure your data ?
iOS Dataprotection API: NSDataWritingFileProtection
iOS Dataprotection API: NSFileProtection

iOS provides hardware-level encryption of files. Files marked for protection are encrypted using a per-device key, which is encrypted using the user's password or PIN. Ten seconds after the device is locked, the unencrypted per-device key is removed from memory. When the user unlocks the device, the password or personal identification number (PIN) is used to decrypt the per-device key again, which is then used to decrypt the files.

NSFileProtectionNone / NSDataWritingFileProtectionNone
The file is not protected and can be read or written at any time. This is the default value.

NSFileProtectionComplete / NSDataWritingFileProtectionComplete
Any file with this setting is protected ten seconds after the device is locked. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected.
NSFileProtectionCompleteUnlessOpen / NSDataWritingFileProtectionCompleteUnlessOpen
Files with this setting are protected ten seconds after the device is locked unless they're currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked.

NSFileProtectionCompleteUntilFirstUserAuthentication / NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication
Files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background.
iOS Dataprotection API: NSFileProtection

Sample usages with NSData and with NSFileManager

File protection is very easy, simple and hardware-optimised; you should use it in every project of yours, unless you have a good reason not to.
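Both sample usages, setting the class when a file is written with NSData and changing it afterwards with NSFileManager, as an added Swift example that is not the slide's own code. The file name, its contents and the `protectionClass` read-back helper are constructed for the example; the option and attribute names are the real Foundation ones for the four classes described above.

```swift
import Foundation

/// Writes `data` with a Data Protection class in the same call that creates the file.
/// `.completeFileProtection` is NSDataWritingFileProtectionComplete: unreadable ten
/// seconds after the device locks, so background work that still needs the file must
/// pick `.completeFileProtectionUnlessOpen` or
/// `.completeFileProtectionUntilFirstUserAuthentication` instead.
func writeProtected(_ data: Data, to url: URL,
                    protection: Data.WritingOptions = .completeFileProtection) throws {
    try data.write(to: url, options: [.atomic, protection])
}

/// Changes the class of an existing file via NSFileManager, e.g. a file created by a
/// third-party library that never set a class and therefore got the default.
func setProtection(_ type: FileProtectionType, atPath path: String) throws {
    try FileManager.default.setAttributes([.protectionKey: type], ofItemAtPath: path)
}

/// Reads back the class actually applied, so a debug build or a test can assert that
/// no sensitive file is left at NSFileProtectionNone. Returns nil where the file system
/// does not carry the attribute (for example in the Simulator).
func protectionClass(atPath path: String) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: path)
    return (attrs[.protectionKey] as? String).map(FileProtectionType.init(rawValue:))
}

func demo() throws {
    // Constructed sample: a session token the app caches on disk.
    let url = FileManager.default.temporaryDirectory.appendingPathComponent("session-token.bin")
    try writeProtected(Data("example-session-token".utf8), to: url)

    // A background-refresh job must keep reading the token after lock: relax only this file.
    try setProtection(.completeUnlessOpen, atPath: url.path)

    let applied = try protectionClass(atPath: url.path)?.rawValue ?? "not reported on this file system"
    print("protection class now: \(applied)")   // NSFileProtectionCompleteUnlessOpen on a device
}
```

The read-back step is the one worth keeping in a debug build: it catches files that other code paths (caches, third-party SDKs, Core Data stores) create without any class, which is exactly the situation the NSFileManager variant exists to repair.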
 Juice jacking is a term used to describe a cyber attack where wherein a smart phone,
tablet or other computer device is connected to a charging port that doubles as a data connection, typically over USB.

Juice Jacking - Slurrp

A smartphone, tablet or other computer device using a charging port that doubles as a data connection, typically over USB.

Sample charging kiosks in public places: would you trust this public USB kiosk to charge your iPhone?

Top 10 Mobile Security List

The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
Items 01-05 as shown on the slide:

Poor Authorization and Authentication
Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or the backend server used by the mobile app.

Unintended Data Leakage
Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Insufficient Transport Layer Protection
If the application is coded poorly, threat agents can use techniques to view this sensitive data. Unfortunately, mobile applications frequently do not protect network traffic.

Insecure Data Storage
Many developers assume that storing data on the client side will restrict other users from having access to this data.

Weak Server Side Controls
Most security experts might argue that server-side security falls outside of the area of mobile application security threats. Till last year, it was the second most important mobile security threat.

[Chart: percentage figures shown beside the items on the slide: 80%, 43%, 64%, 72%, 19%]
Source: https://blog.appknox.com/category/owasp-top-10-mobile/
Items 06-10 as shown on the slide:

Client Side Injection
Client side injection results in the execution of malicious code on the client side, which is the mobile device, via the mobile app.

Improper Session Handling
As the name suggests, this issue arises because session tokens are not handled in the best way.

Broken Cryptography
Broken cryptography, or insecure usage of cryptography, is most common in mobile apps that leverage encryption.

Security Decisions Via Untrusted Inputs
Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users.

Lack of Binary Protections
A lack of binary protections within a mobile app exposes the application and its owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property.
4 Myths About Mobile Security

"Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." – Gartner

1. Public app stores are safe because they have security filters
2. Data encryption is not required for mobile devices
3. PCs are more secure than mobile phones
4. Two-factor authentication can be neglected for mobile security

Questions?
@sunnyrockzzs
sunny@appknox.com
https://www.appknox.com
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016

  • 1. Outsmarting Hackers before your App gets Hacked. Subho Halder, CoFounder & CTO, Appknox. iOS Conf SG Edition.
  • 2. Securing iOS Mobile Apps (Mobile Security Talk). Agenda: Introduction; Android vs iOS; Securing Your Mobile Apps; Secured Pasteboard; Application Snapshots; iOS Data Protection API; Juice Jacking - Slurrp; Top 10 Mobile Security List; 4 Myths About Mobile Security; Questions? Contact Me :). About Me: Co-Founder and CTO at Appknox, a mobile security company that helps developers and companies build secure mobile applications. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec, RSA Conference. Subho Halder / CoFounder & CTO.
  • 3. Securing iOS Mobile Applications - Subho Halder, iOS Conf SG Edition. Introduction: The Great Mobile Security Debate.
    - 01 Fragmented Applications: multiple applications for multiple platforms and multiple architectures make it difficult for app developers to keep up with security concerns.
    - 02 Fragmented Platforms: with multiple platforms and multiple versions of mobile operating systems, the OEM faces challenges in keeping security up to date.
    - 03 Personal & Social Information: mobile devices hold your personal and social information, and applications have access to this information.
    - 04 Businesses & Enterprise Data: with mobile getting adopted at workplaces, sensitive information is now accessible to applications.
  • 4. Android vs iOS. With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users. [Charts: "The iOS Device" and "The Android Device", each scored on Vulnerable Apps, Malwares, Device Vulnerabilities and Fragmentation.] The iOS Device: despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times. The Android Device: Google's Android platform has become a larger target for mobile malware writers than Apple iOS. This could be a result of Android's popularity: with more than 1 million activations per day, Android smartphones command a 59% market share worldwide.
  • 5. Securing Your Mobile Apps. The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
  • 6. Secured Pasteboard. Do you think the Pasteboard can be used to steal information?
  • 7. Secured Pasteboard Vulnerabilities: Universal Clipboard changes for iOS 10 and macOS Sierra. With the changes to the UIPasteboard API in iOS 10 that introduce Universal Clipboard, a slight security vulnerability opens up: an end user could copy a sensitive piece of data and inadvertently make it available across all their devices. Understanding the Clipboard Contents: as a developer, you can either (1) flag a piece of data as "local only", in which case it will not appear in the Universal Clipboard across devices, and/or (2) set an expiration date on a piece of data such that it isn't available after that date.
  • 8. Secured Pasteboard Vulnerabilities: flag a piece of data as "local only" so that it will not appear in the Universal Clipboard across devices. In one line, you set the item in the UIPasteboard with the option localOnly set to true.
  • 9. Secured Pasteboard Vulnerabilities: set an expiration date on a piece of data such that it isn't available after that date. Again, in one line you pass an expiration date for when the UIPasteboard item should expire. You can also use these two options together.
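The two UIPasteboard options from slides 8 and 9, written out as an added example (this is not the code shown on the slides). The function names `copyUnprotected`, `copyToPasteboard` and `clearPasteboard` are hypothetical; the `UIPasteboard` calls and the `.localOnly` / `.expirationDate` option keys are the real iOS 10+ API. The first function shows the weak form beside the hardened one, which keeps the item on this device and purges it after a short lifetime:

```swift
import UIKit

// Added example, not code from the slides. Helper names are hypothetical;
// the UIPasteboard API calls are real (iOS 10 and later).

/// Weak form: `UIPasteboard.general.string` writes a persistent, device-wide
/// item that Universal Clipboard also syncs to the user's other devices.
func copyUnprotected(_ text: String) {
    UIPasteboard.general.string = text
}

/// Hardened form: the item stays on this device (`.localOnly`) and is removed
/// automatically once `lifetime` seconds have passed (`.expirationDate`).
/// Both options can be combined, as the slides note.
func copyToPasteboard(_ text: String, lifetime: TimeInterval = 60) {
    // "public.utf8-plain-text" is the UTI for plain text; setItems(_:options:)
    // takes one dictionary per item, mapping representation type -> value.
    let item: [String: Any] = ["public.utf8-plain-text": text]
    let options: [UIPasteboard.OptionsKey: Any] = [
        .localOnly: true,                                     // not shared via Universal Clipboard
        .expirationDate: Date().addingTimeInterval(lifetime), // purged after `lifetime` seconds
    ]
    UIPasteboard.general.setItems([item], options: options)
}

/// Clear whatever the app placed on the general pasteboard, for example when
/// the user leaves a screen that displayed a one-time code.
func clearPasteboard() {
    UIPasteboard.general.items = []
}

// Usage: a one-time code that should not outlive the screen showing it.
// copyToPasteboard("123456", lifetime: 30)
```

The expiration date is a backstop, not a substitute for clearing: any other app in the foreground can still read the general pasteboard during the lifetime window, so for secrets such as session tokens the safer design is to never place them on the pasteboard at all.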
  • 10. Application Snapshot Vulnerability. If an application goes into the background, can its data be hacked?
  • 11. Application Snapshots: these screenshots can be accessed without jailbreaking. iOS caches a screenshot of the last screen of the application, and when you tap on it the application resumes. This caching technique gives the user the impression that their application has resumed immediately. This "feature" on its own is not a vulnerability, and does exactly what it is supposed to do. So when does a feature become a vulnerability? These screenshots can be accessed without jailbreaking, using any free tool like 'ifunbox'. As a developer, you can blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in the screenshot.
  • 12. Application Snapshots: blank out or blur the screen before it is minimized, which prevents sensitive data from being captured in the screenshot. The code goes in the application life-cycle methods; here we put up an imageView while the app animates to the background.
  • 13. Application Snapshots: blank out or blur the screen before it is minimized, which prevents sensitive data from being captured in the screenshot. Here is the code to remove the imageView when the application comes back to the foreground.
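The life-cycle hooks from slides 12 and 13, as an added example rather than the slides' own code. `SnapshotProtector` and its tag value are hypothetical names; `applicationWillResignActive(_:)` and `applicationDidBecomeActive(_:)` are the real `UIApplicationDelegate` callbacks. The cover is installed before iOS takes the snapshot and removed when the app resumes:

```swift
import UIKit

// Added example, not the slides' own code. `SnapshotProtector` is a
// hypothetical helper; the UIApplicationDelegate methods are real.

/// Covers the key window with an opaque view so that the snapshot iOS takes
/// when the app leaves the foreground contains no screen content.
final class SnapshotProtector {
    private var cover: UIView?

    func install(on window: UIWindow?) {
        guard let window = window, cover == nil else { return }
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .white       // or a UIImageView with a splash image
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(view)
        cover = view
    }

    func remove() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

@main
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private let protector = SnapshotProtector()

    // Runs before the snapshot is taken: app switcher, Home button, incoming
    // call, notification center pull-down. Cover the content here.
    func applicationWillResignActive(_ application: UIApplication) {
        protector.install(on: window)
    }

    // Runs when the app is back in the foreground: uncover the content.
    func applicationDidBecomeActive(_ application: UIApplication) {
        protector.remove()
    }
}
```

Using `applicationWillResignActive(_:)` rather than `applicationDidEnterBackground(_:)` matters: the former also fires for transient interruptions (the app switcher, a system alert) in which a snapshot can be captured, while the latter fires only on a full transition to the background. Apps using a scene-based life cycle get the same pair of hooks as `sceneWillResignActive(_:)` and `sceneDidBecomeActive(_:)` on the `UIWindowSceneDelegate`.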
  • 14. iOS Data Protection API: NSDataWritingFileProtection. Have you ever used this to secure your data?
  • 15. iOS Data Protection API: NSFileProtection. iOS provides hardware-level encryption of files. Files marked for protection are encrypted using a per-device key, which is encrypted using the user's password or PIN. Ten seconds after the device is locked, the unencrypted per-device key is removed from memory. When the user unlocks the device, the password or personal identification number (PIN) is used to decrypt the per-device key again, which is then used to decrypt the files.
    - NSFileProtectionNone / NSDataWritingFileProtectionNone: the file is not protected and can be read or written at any time. This is the default value.
    - NSFileProtectionComplete / NSDataWritingFileProtectionComplete: any file with this setting is protected ten seconds after the device is locked. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected.
  • 16. iOS Data Protection API: NSFileProtection (continued).
    - NSFileProtectionCompleteUnlessOpen / NSDataWritingFileProtectionCompleteUnlessOpen: files with this setting are protected ten seconds after the device is locked unless they are currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked.
    - NSFileProtectionCompleteUntilFirstUserAuthentication / NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication: files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background.
  • 17. iOS Data Protection API: NSFileProtection. Sample usages with NSData and sample usages with NSFileManager.
  • 18. File protection is very easy, simple and hardware-optimised; you should use it in every project of yours, unless you have a good reason not to.
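The NSData and NSFileManager usages that slide 17 refers to, written out as an added example (not the slides' own code) covering the protection classes from slides 15 and 16. The function names are hypothetical; `Data.write(to:options:)`, `FileManager.setAttributes(_:ofItemAtPath:)`, `FileAttributeKey.protectionKey` and `FileProtectionType` are the real Foundation API, and the Swift option names map onto the NSDataWritingFileProtection constants on the slides:

```swift
import Foundation

// Added example, not the slides' own code. Function names are hypothetical;
// the Foundation calls and constants are real.

/// NSData route. `.completeFileProtection` is NSDataWritingFileProtectionComplete:
/// the file becomes unreadable ten seconds after the device locks.
func writeComplete(_ payload: Data, to url: URL) throws {
    try payload.write(to: url, options: [.atomic, .completeFileProtection])
}

/// For a file the app keeps appending to in the background (a log, a download
/// in progress): NSDataWritingFileProtectionCompleteUnlessOpen.
func writeCompleteUnlessOpen(_ payload: Data, to url: URL) throws {
    try payload.write(to: url, options: [.atomic, .completeFileProtectionUnlessOpen])
}

/// NSFileManager route: raise the protection class of a file that already exists,
/// e.g. one created by a third-party library with the default NSFileProtectionNone.
func setProtection(_ type: FileProtectionType, at url: URL) throws {
    try FileManager.default.setAttributes([.protectionKey: type],
                                          ofItemAtPath: url.path)
}

/// Read the protection class back so a unit test or an audit script can check it.
/// The simulator does not implement Data Protection, so this yields nil there;
/// verify on a passcode-protected device.
func protectionClass(at url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    switch attrs[.protectionKey] {
    case let type as FileProtectionType: return type
    case let raw as String:              return FileProtectionType(rawValue: raw)
    default:                             return nil
    }
}

/// Example flow: persist a session token with Complete protection, then confirm
/// the class actually took effect before trusting the file.
func storeToken(_ token: String, in directory: URL) throws -> Bool {
    let url = directory.appendingPathComponent("session.token")   // constructed file name
    try writeComplete(Data(token.utf8), to: url)
    return try protectionClass(at: url) == .complete
}
```

Choosing the class is a trade-off between secrecy and availability: Complete for data the app only needs while the user is present, CompleteUnlessOpen for files written in the background, and CompleteUntilFirstUserAuthentication for anything a background refresh must read after a reboot. Whatever the choice, checking the attribute back (as `storeToken` does) catches the common regression where a file is later rewritten by code that does not pass the option.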
  • 19.  Juice jacking is a term used to describe a cyber attack where wherein a smart phone, tablet or other computer device using a charging port that doubles as a data connection, typically over USB. Juice Jacking - Slurrp
  • 20. Securing iOS Mobile Applications - Subho HalderiOS Conf SG Edition 20 Juice Jacking - Slurrp  A smart phone, tablet or other computer device using a charging port that doubles as a data connection, typically over USB. Sample charging Kiosks in Public Places Would you trust this Public USB Kiosk to charge your iPhone?
  • 21.  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. Top 10 Mobile Security List
  • 22. Securing iOS Mobile Applications - Subho HalderiOS Conf SG Edition 22 Top 10 Mobile Security List  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. Poor Authorization and Authentication Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app. ç Unintended Data Leakage Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device. ‚ Insufficient Transport Layer Protection If the application is coded poorly, threat agents can use techniques to view this sensitive data. Unfortunately, mobile applications frequently do not protect network traffic 0 Insecure Data Storage Many developers assume that storing data on client-side will restrict other users from having access to this data. : Weak Server Side Controls Most security experts might argue that server-side security falls outside of the area of mobile application security threats. Till last year, it was the second most important mobile security threat. Z 05 04 03 02 80% 43% 01 64% 72% 19% Source: https://blog.appknox.com/category/owasp-top-10-mobile/
  • 23. Securing iOS Mobile Applications - Subho HalderiOS Conf SG Edition 23 Top 10 Mobile Security List  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. 06 07  08 09  10  Client side injection results in the execution of malicious code on the client side which is the mobile device, via the mobile app. Client Side Injection As the name suggests, this issue is because session tokens are not handled in the best way. Improper Session Handling Broken Cryptography or insecure usage of cryptography is mostly common in mobile apps that leverage encryption. Broken Cryptography Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. Security Decisions Via Untrusted Inputs A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. Lack of Binary Protections
  • 24. Securing iOS Mobile Applications - Subho HalderiOS Conf SG Edition 24 4 Myths About Mobile Security  “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” – Gartner ĉ Ą 7 Ĉ Public app stores are safe because they have security filters Data encryption is not required for mobile devices PCs are more secure than mobile phones Two-factor authentication can be neglected for mobile security