#21 iOS Security 101
Recently, I have been watching first season of Mr. Robot and I started paying even more attention to security and privacy. I’ve always used multiple passwords, privacy filter on my Mac when traveling and a strong passcode on my iPhone. But from time to time everyone does some silly mistakes. In Mr. Robot for example, a guy from AllSafe (i.e. company that deals with cyber security) inserts to his computer a CD disk from an unknown source which installs spyware. I was wondering how one can be that stupid? But only after you do something wrong do you realize that you made a huge mistake. I feel very secure with my passcode and Touch ID. A few days ago I caught myself going around with iOS beta 10 on my personal phone. I hope that beta is at least as secure as iOS 9 and doesn’t have any crucial vulnerabilities. But how secure iOS is, by the way?
Our apps can be under attack…
And unfortunately that’s true. Especially when we deal with three kinds of data:
- PII - Personal Identifiable Information (e.g. name, surname, adress, date of birth, personal identification number)
- PCI - Personal Card Information (e.g. credit cards)
- PHI - Personal Health Information (e.g. vitals, medical conditions)
Or we provide an app for banking or any other that deals with money, which is a tidbit for attackers.
Who might be an attacker?
There are a few types of people who might want to infringe our privacy and get access to our data:
- Criminals - to steal our money or identity
- Business competitors - e.g. individuals that perform corporate espionage 😉
- Governments - can get network calls from our Internet Service Provider (ISP)
- Romantic partners, family, friends - jealously can be a strong factor to make them break into our private life ;)
When can they attack?
The easiest and probably the only way to attack is when one has a direct access to the device, i.e. by stealing an iPhone or by being somebody’s co-worker, flatmate, or family member. Attack is even simpler if we have a jailbroken device or we don’t have a passcode set on an iPhone. That can happen especially for zero-day mobile device, i.e. devices that we have just bought and haven’t configured yet. From time to time on the AppStore one can also find some malware distributions, that try to access data in our apps, event if we have a non-jailbroken devices.
How Secure iOS is?
Ok, but how secure iOS actually is? This year, on WWDC there was a nice session that explained iOS Security mechanisms and gave me a few insights on security pillars, which consists of:
- platform security (i.e. iOS)
- users upgrading their software
- developers building secure apps
The iOS platform is secure especially because of security and encryption build in the silicon. If a user has a passcode set, data on the device is encrypted by using their password and encryption key “from the silicon”. Ok, but how many users have a passcode set?
In the aforementioned WWDC session, the presenter says that an average users unlocks their device about 80 per day. Can you imagine typing in a password about 80 times per day? In the old days, only 49% of people used passcode in the past. With the introduction of Touch ID the number of users securing their devices increased to 89%! That’s good enough I suppose :)!
What’s great about securing your phone with a passcode is that your data can be wiped out after 10 unsuccessful passcode attempts.
Probably you are aware about Android version distribution problem. At the time of writing, only 15.2% of users are running the latest version of Android. According to Apple statistics 86% of users are running the latest version of iOS. Hurray, because newer software = improved security! 🎉
Building Secure Apps
We, as developers, have to ensure creating secure apps that build up trust and don’t infringe user’s privacy. In order to do that, we can tap into best practices in a few areas:
- Data Protection
- Inter-Process Communication (IPC)
- Jailbreak detection
To ensure security of data transported over network layer we have to use an encrypted connection to an endpoint (i.e. use HTTPS instead of HTTP protocol). App Transport Security (ATS) is a mechanism introduced in iOS 9. It enforces using a secure connection (HTTPS) when connecting to network endpoint with NSURLSession and NSURLConnection APIs. WWDC session What’s New in Security announces that ATS will be enforced for all apps by the end of 2016, with a possibility for some exceptions for apps with a reasonable justification (e.g. communication with a backend one doesn’t own).
📖TL;DR: Use HTTPS
Anyone with access to an iPhone can read data from it, e.g. by using iExplorer app for macOS. The app can list all applications installed on your device and copy data from its sandbox, unless files in your sandbox are marked with NSFileProtectionComplete flag. The flag causes files to be encrypted when device is locked with passcode. Other flags for files can be found here.
Another important aspect of protecting data is storing user’s credentials in Keychain and securing it with an appropriate attribute, e.g. kSecAttrAccessibleWhenUnlocked if you wish an item to be accessible only when device is unlocked. Other flags for Keychain items can be found here.
UIPasteboard is a class that enables an app to share its data with another app. It can be done for example by selecting a text within your app and using copy & paste option from the edit menu. You can use UIPasteboard specific for your app, your app group or system pasteboard. Use it wisely in order not to leak sensitive data from your app. Use appropriate UIPasteboard or clear its contents when application goes background. You can grab more about copy, cut, and paste operations on iOS here.
Starting from iOS 7 the system takes and caches a screenshot of user interface at the time your application goes background. The interface snapshot image can contain sensitive data. To avoid its leakage we can cover it with an arbitrarily added image view when app goes background. Use
applicationDidBecomeActive: to manage additional image view.
iOS 8 introduced possibility to write extension apps. One of extension type is a keyboard extension that replaces the standard keyboard with a custom keyboard. Such an extension is still a third party app that can investigate text you input with it. You can disable a custom keyboard extension usage in your app by returning
false in UIApplicationDelegate’s method
📖 TL;DR: Use NSFileProtectionComplete for files, store credentials in Keychain, clear UIPasteboard and replace Snapshot when going background, disable custom keyboards.
Inter-Process Communication (IPC)
iOS allows opening app via URL Schemes. It means that your app can be opened with a custom URL with params. Do not use
application:handleOpenURL: which is deprecated in iOS 9. Implement
application:openURL:options: instead and validate incoming source application Bundle ID and incoming URL with its params.
📖 TL;DR: Use
application:openURL:options: and validate URL
Jailbreaking is an action of disabling security features of the system and gaining root privilege. Thanks to it one can attach a debugger to release version of your app, hook different method implementations and inject code in the run time or exploit your application data.
How can you detect if your app is run on a jailbroken phone?
- you can search for the existence of Cydia app (AppStore equivalent for jailbroken environment)
- test system calls outside the app sandbox
- check for hooks and code injection
- check debuggers and device anomalies
- check open non-standard ports (open ssh)
What actions should you take when you detect a jailbreak on a phone?
- slow down an attacker (e.g. extend time of backend responses)
- wipe out sensitive data
- mark account as potential fraud on backend side
Bad news is that almost all detection mechanisms can be overcome by an experienced attacker with a well configured jailbroken environment. Good news is that, for newest version of iOS, jailbreak is currently possible on non passcode-locked devices.
📖 TL;DR: Slow down an attacker upon detection; Almost all methods can be overcome; Pray for your customers to use a passcode ;)
Other Security methods
There are other security methods you can tap into:
- Use inline functions for critical parts of your code (check here and here for more)
- Use system calls instead of functions, which can be hooked
- Obfuscate code
- Use certificate pinning technique to validate communication with server
You can find more about aforementioned techniques on Max Bazily’s Vixantel’s slides from multiple presentations.
There is no panacea for running your app on a jailbroken device, however it’s our responsibility, as developers, to follow best practices. Hope this post will give you some insights and materials to dig deeper into the topic.
- WWDC 2016 How iOS Security Really Works
- WWDC 2016 What’s New in Security
- Apple’s Security
- Apple’s iOS Security Guide
- Apple’s Security Overview
- Apple’s Secure Coding Guide
- Apple’s Cryptographic Services Guide
- Max Bazily’s slides
- Vixantel’s slides
- The Mobile Application Hacker’s Handbook
- OWASP Mobile Security Project
- iOS App Security Assessment Tool
- Jailbreak concealment
- Pixel Privacy - 10 Tips To Make Your iPhone & iPad Safer