iOS Development - Tips & Tricks

Software Development Lead - iOS: Galin Kardzhilov
Software Development Manager - iOS: Stefan Tsvyatkov

Agenda

Why iOS

Some challenges

iOS Security

About Me

Started with

Why iOS?

// Builds the list of reasons by appending each one to a single string.
- (NSString *)generateReasonsWhyiOS {
    NSMutableString *reasons = [[NSMutableString alloc] init];
    [reasons appendString:@"It's new"];
    [reasons appendString:@"It's challenging"];
    [reasons appendString:@"It compiles to native"];
    [reasons appendString:@"You have to deal with hardware limitations"];
    [reasons appendString:@"You have to provide responsiveness"];
    [reasons appendString:@"You have to provide usability"];
    [reasons appendString:@"You have to provide security"];
    [reasons appendString:@"Often craftsmanship"];
    [reasons appendString:@"Your code runs into people's pockets"];
    return reasons;
}

Table view

Background image

Custom drawn cells

… flipped

Galin Kardzhilov
Watch video @ http://youtu.be/Um971SFzOfQ

Galin Kardzhilov
Watch video @ http://youtu.be/HrK6PevFYkI

Scroll View

Custom View

Security in iOS

Local Storage

Communication with the server

Binary analysis and manipulation

Local Storage Security

NSUserDefaults
- Convenient
- Not encrypted by default
- Keeps the data in a plist file

CoreData
- Not encrypted by default
- Keeps the data in sqlite db

Not secure

Local Storage Security

Keychain Access
- Encrypted by default
- A bit more complex to use
- Insecure on jailbroken devices

Data encryption
- Crypto API
- Obfuscate the encryption key
- Use unique device information

String constant

[[UIDevice currentDevice] identifierForVendor]

Custom algorithm

Secure encryption
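
Added example (not from the original slides): keeping a secret in the Keychain instead of NSUserDefaults or CoreData, which the Local Storage Security slides list as unencrypted by default. The service name and the ExampleKeychainSave/ExampleKeychainLoad helpers are hypothetical, and the code assumes ARC.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name for this example; use your own app-scoped identifier.
static NSString *const kExampleService = @"com.example.app.session";

// Stores the secret for `account`, overwriting any existing item. Returns YES on success.
static BOOL ExampleKeychainSave(NSString *account, NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
    };
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = secret;
    // Readable only while the device is unlocked; not restored onto a different device.
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (status == errSecDuplicateItem) {
        // The item already exists: replace its data and its protection class.
        NSDictionary *changes = @{
            (__bridge id)kSecValueData:      secret,
            (__bridge id)kSecAttrAccessible: item[(__bridge id)kSecAttrAccessible],
        };
        status = SecItemUpdate((__bridge CFDictionaryRef)query,
                               (__bridge CFDictionaryRef)changes);
    }
    return status == errSecSuccess;
}

// Returns the stored secret, or nil if it is absent or cannot be read right now.
static NSData *ExampleKeychainLoad(NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        return nil;  // errSecItemNotFound, device locked, or another keychain error
    }
    return (__bridge_transfer NSData *)result;
}
```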

Server Communication Security

Use SSL

Don’t accept self-signed certificates

Client and server side data validation

Runtime Manipulation

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#import "ptrace.h"  // header declaring ptrace() and PT_DENY_ATTACH

int main(int argc, char * argv[]) {
#ifndef DEBUG
    // Release builds only: deny debugger attachment before the app starts.
    ptrace(PT_DENY_ATTACH, 0, 0, 0);
#endif
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

ptrace
- Denies a debugger from attaching
- Can be patched out of the binary
- Put it in multiple places

Runtime Manipulation

#ifndef DEBUG
SEC_IS_BEING_DEBUGGED_RETURN_NIL();
#endif

SEC_IS_BEING_DEBUGGED_RETURN_NIL()
- Checks if a debugger is attached
- Hard to patch out of the binary
- Make the check regularly and in critical parts
- Doesn’t work against Cycript

Conclusion

Keychain Access for storing

SSL for transporting

Check for debuggers

100% security does not exist

Thank you!

Galin Kardzhilov @gravera
Stefan Tsvyatkov @stsvyatkov