As mobile applications continue to gain in popularity and more and more transactions are carried out via mobile devices, security is a topic of growing importance. In his talk "Modern iOS Application Security" at QCon New York 2016, Dan Guido takes a closer look at iOS security.
Guido starts by explaining the security mechanisms in place for iOS applications. The security model consists of various levels, from securing communication channels down to hardware-based, device-specific encryption:
- Transport Layer Security: iOS provides support for securing network connections.
- Data Protection: iOS offers strong encryption for nearly all files used by applications.
- Code Signing: Since Apple requires every piece of code to be signed, memory contents can be traced back to an individual developer at a granularity of 4kB pages.
- Runtime Process Security: iOS isolates processes via strong sandboxing. Processes are not able to access the memory of other processes.
- Secure Enclave: Newer iOS devices with a fingerprint sensor feature hardware-based encryption keys that are uniquely generated for every device at manufacturing time and reside outside the operating system.
While these mechanisms provide very secure environments for apps, Guido continues by showing the threats that still have to be kept in mind.
Transport Layer Security is not mandatory for all network connections, but without proper data encryption and certificate checking, information is vulnerable to man-in-the-middle attacks. All necessary mechanisms can be activated while configuring network connections or, even easier, by embedding libraries like TrustKit that will handle security in the background.
Data Protection is a very powerful mechanism, which also led to the recent dispute between Apple and the FBI. If data is encrypted using the internal hardware key, it cannot be decrypted outside the device. Thus, sensitive data should always be encrypted with passcode and device ID. Developers still have to avoid data leakage, though. There are apps and tools that try to find data in places where it is not highly secure, like the pasteboard, preferences and cookies. Furthermore, sensitive data should be minimized: developers should avoid backing up or syncing that data, background screenshots and logging should exclude sensitive data, and keyboard caches need to be deactivated.
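The leakage guidelines above, shown as an added Swift example that is not code from the talk or from this article. The type and method names (`SensitiveStore`, `hardenForSensitiveInput`, `PrivacyScreen`) and the choice of the Application Support directory are assumptions made for illustration; the Foundation and UIKit calls are Apple's.

```swift
import UIKit

// Hypothetical helper: stores a file under the strongest Data Protection class
// and keeps it out of device backups and sync.
enum SensitiveStore {
    static func write(_ data: Data, named name: String) throws -> URL {
        let dir = try FileManager.default.url(for: .applicationSupportDirectory,
                                              in: .userDomainMask,
                                              appropriateFor: nil,
                                              create: true)
        var url = dir.appendingPathComponent(name)
        // "Complete" protection: the file key is only available while the
        // device is unlocked, because it depends on passcode and device key.
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        var values = URLResourceValues()
        values.isExcludedFromBackup = true   // do not back up or sync this file
        try url.setResourceValues(values)
        return url
    }
}

extension UITextField {
    // Hypothetical helper: keeps typed text out of the keyboard's learning cache.
    func hardenForSensitiveInput(masked: Bool = false) {
        autocorrectionType = .no
        spellCheckingType = .no
        isSecureTextEntry = masked           // set true for passwords and PINs
    }
}

// Hypothetical helper: covers the UI before iOS captures the app-switcher
// snapshot, so the background screenshot shows no sensitive data.
final class PrivacyScreen {
    private var tokens: [NSObjectProtocol] = []

    init(window: UIWindow) {
        let cover = UIView(frame: window.bounds)
        cover.backgroundColor = .white
        let center = NotificationCenter.default
        tokens.append(center.addObserver(forName: UIApplication.willResignActiveNotification,
                                         object: nil, queue: .main) { [weak window] _ in
            window?.addSubview(cover)
        })
        tokens.append(center.addObserver(forName: UIApplication.didBecomeActiveNotification,
                                         object: nil, queue: .main) { _ in
            cover.removeFromSuperview()
        })
    }

    deinit { tokens.forEach(NotificationCenter.default.removeObserver) }
}
```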
According to Guido, following those guidelines provides a high level of application security, but there is one more thing that developers need to take care of: jailbreaks. As soon as a device is jailbroken, all of the above security mechanisms may be rendered useless, no matter if the jailbreak was installed voluntarily or maliciously. If a developer needs to provide high security, she or he has to ensure that no jailbreak is active:
- Jailbreak detection - developers can check for certain traces that are left behind when jailbreaks are installed. This includes specific files and processes.
- Anti-debug protection - developers need to make sure that their application won't run in debug mode because any jailbreak detection would be visible there.
- Anti-reversing - developers need to make sure that their code can't be reverse-engineered in a useful way. Usually this is done by artificially making the code larger and more complex.
Guido concludes by hinting at the fact that LLVM only produces bitcode instead of machine code. Apple uses this to actually change or optimize the code for different platforms, and developers can use the same concept to add automatic security hardening already in the IDE. There are also toolkits like MAST that can be used in this context.
Please note that most QCon presentations will be made available for free on InfoQ in the weeks after the conference and slides are available for download on the conference web site.