Workbook for "Security data management for app devs" workshop during try! Swift world. By Anastasiia @vixentael.

Table of contents

1. Defining data model, risks, threats, security controls
   1. Example
   2. Exercises
2. Software security controls
3. Security tools
4. Regulations
5. Security design guidelines
6. Risk management guides
7. Security verification and testing
8. Resources

Defining data model, risks, threats, security controls.

Example

Imagine Note-taking app or Todo app. Users want to put very secret notes there and be sure that notes are protected from app developers and Apple. Developers implemented notes encryption, that leads to the following data model. App uses iCloud backend and doesn't handle user login/authorisation, as it goes through iCloudKit.

Example 1.1. Data model of Note-taking app.

Different risks can have different impact on organization/users. Higher risk means more harm.

Example 1.2. Risks to data of Note-taking app.

Levels: critical, high, moderate, low.

Risks are theoretical until attackers find the way to how exploit them. Attack vectors are such ways.

Example 1.3. High priority attack vectors.

High-priority attack vectors (how attackers can implement risks):

• data transmission between app and application backend (broken transport encryption or broken NT encryption).
• vulnerabilities in 3rd party libraries (f.e. vulnerability in analytics SDK which leads to sharing NT with 3rd party).
• unidentified (so far) iCloud vulnerabilities.
• iOS jailbreak attacks (including remote JB) that leads to stealing NT or PW.
• iCloud Keychain vulnerabilites (leads to stealing PW)

Example 1.4. Security controls against high risks and high priority attack vectors.

From threats and risks became obvious, that app shouldn't use PW in plaintext, as PW is critical resource and can be stolen due to iOS-specific vulnerabilties.

Example 1.5. Read more.

Real-world public example of risk managing for Note-taking app is Bear app. I've described building end-to-end encryption for Bear app in this blogpost.

Exercises.

Imagine app that allows users to see their sensitive documents and share them to each other (aka "SecureDropbox"). App has own backend. Based on information about app's data suggests risks model, attack vectors and security controls.

Exercise 1.1. Review data model of Document app.

Exercise 1.2. Fill in empty spaces in risks to data of Document app.

Exercise 1.3. Define high-priority attack vectors for Documents app.

High-priority attack vectors:

• data transmission between app and application backend (broken transport encryption).
• privileges escalation of user role (access to documents/projects that user shouldn’t have).
• .... (continue the list)
• ....

Exercise 1.4. Define security controls against high risks and high priority attack vectors for Documents app.

Based on what you learnt about risks and attack vectors, suggest protection measures:

Software security controls for mobile apps

There're many security controls that you can use to improve mobile app security — some of them are software-based for your app, some make sense on your app backend, some are organization-based (security awareness trainings, password reset policies, etc), some rely on 3rd party service providers (security engineering, security design, pen testing, security code audits, etc).

Noone knows the full list of security controls (but NIST SP 800-53 has good ideas), this is a short list tailored for mobile devs. Also, OWASP MASVS checklist is a good start.

Transport/network:

• proper TLS settings
• certificate pinning (client certificate pinning)
• additional encryption layer, application level payload encryption (like, end-to-end encryption of data of the same user, or encryption of data from userA to userB)
• app doesn't rely on a single insecure communication channel for critical operations

Storage:

• data encryption
• keys encryption
• keys management
• no storing data outside of app container/system secret storage
• storing in Keychain/SecureEnclave
• storing in Keychain with biometrics-protection
• wiping data when it became not needed
• "secure wipe out" of data with "zeroing" (fill variable with zeroes before nulling)
• backup of important user data (suggest to backup)

Access control:

• device pin protection
• biometrics authentication
• user session authentication (OAuth2, JWT, cookies, etc)
• user session expiration/termination
• authenticating user before performing critical operation (removing project, changing password)
• roles managing (ABAC/RBAC)

Anti-reverse engineering and JB-protection:

• app checks if device is jailbroken, especially on performing critical actions, and alerts users
• app detects when run on simulator
• app detects when run using debugging tools
• anti-bruteforce timers/counters to limit amount of attempts
• code obfuscation
• integrity checks of loaded libraries (when library is added by package manager, when app calls library in runtime)

Platform

• app is signed with valid credentials, noone has access to account's provisioning profiles and private keys
• debugging symbols are removed in release app
• app only depends on up-to-date connectivity and security libraries
• app does not export sensitive functionality via custom URL schemes

Monitoring:

• security testing/monitoring of 3rd party dependencies
• honeypots (fake user credentials, API requests, pieces of code)
• tracking "risky" user behaviour (unsuccessful login attempts, opening app on JB device, decryption errors)
• security events monitoring systems (SIEMs)

List of (defensive) appsec tools for mobile apps

Noone know full list of useful security tools for mobile apps. Check services like tools.tldr.run.

Multi-platform high-level encryption libraries:

• Themis
• SwiftSodium
• RNCryptor

Apple-first encryption libraries:

• CryptoKit (high level)
• CommonCrypto (low level)

Secrets management:

• awslasb/git-secrets — prevents from committing secrets
• cocoapods-keys by @orta — keep secrets away from github
• gitleaks — scans repo for missing secrets
• ios-datasec-basics — repo that describes methods how to encrypt API keys before storing in the app

Dependency checks (SCA, software composition analysis):

• WhiteSourceSoftware plugin for iOS, known to check Carthage
• BlackDuckSoftware pluging for iOS, known to check CocoaPods
• Snyk checks for React Native and Cordova
• npm audit, github notification, python, OWASP Dependency-Check — for backend code

Obfuscation, code hardening, threat protection :

• dexprotector, tutorial for iOS
• GuardSquare
• Swift Shield
• blogpost with other tools

Anti-JB protection (see above, plus):

• disable debug
• detect debugging
• jailbreak detection blogpost

SAST/DAST

• checkmarx
• sonarqube
• veracode
• appknox
• app-ray
• blogpost with other tools

Beware: automated tools typically require ongoing attention due to large number of false positives / false negatives.

Data protection regulations

Regulations differ for country/region, industry, business activity.

The list is not limited to:

General data security compliance: ISO/IEC 27002:2013, CCPA, NIST 800-171, FIPS 140-2, GDPR, DPA, Brazilian General Data Protection Act, etc

Finance: PCI DSS, PCI HSM, SWIFT Customer Security Controls, PSD2, FINMA, GLBA, etc

Healthcare: HIPAA, HITECH, ISO 27799:2016, etc

Education: FERPA, etc

Apple Export regulations on cryptography

Cheatsheet on major regulations, what data they require to protect.

Mobile application security design (standards and guidelines)

Apple platform security guides — 157p pdf, describes Apple's hardware security, system security, encryption and data protection, app security, network security and dev kits. Useful to understand environment app's running in, platform restrictions and security controls that Apple use themselves.

iOS security guidelines — iOS-specific guidelines that were updated till iOS 12.3, then merged with Apple security guides (see above).

Privacy chapter from App Store review guidelines — describes App Store guidelines on privacy policy, data collection, storage, use, and sharing.

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations — describes numerous technology-independent security controls, classifies them by "family", usage, functionality, capabilities, etc.

Risk management guides

Mobile world doesn't have separate risk management guidelines, just another types of risks. Check software risk management frameworks and apply to mobile dev according to mobile app risks.

OWASP mobile risks top10 — short list of most popular risks for mobile apps made by OWASP, dated 2016. Useful for quick understanding of typical risks and their mitigations.

FAIR risk assessment — rather short (comparing to others) framework on risk calculation and triage.

NIST SP 800-37 "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy" — describes risk management of application development inside organization, provides clear guidance for large organizations. Use it if you work in large organization and need to establish risk management process across deparments, or read to feel how simple mobile app development is in comparison.

Mobile application security verification and testing

OWASP Mobile application security verification standard (MASVS) — checklist of mobile app security requirements, different depending on app/data risks, business requirements and regulations. Use it to measure "security scores" for your app — how good it is — and to track progress by repeating MASVS checks every 6-12 months.

OWASP Mobile security testing guide (MSTG) — describes how to perform security verifications from MASVS, gives ideas and pieces of code. Use it as "tutorial" to MASVS.

NIST SP 800-163, Vetting the Security of Mobile Applications — mobile app vetting is a process to ensure that mobile app conforms to an organization’s security requirements and is "reasonably free" from vulnerabilities. Describes vetting process (including budgeting and staff) and typical iOS/Android app vulnerabilities.

OWASP Software assurance maturity model (SAMM) — "checklist" for the whole organization that produces software, covers not only software properties, but organization dev process (understanding threats, selecting security providers, taking care about software security architecture). Use it to measure how good software security is in your organization.

More links

iOS-specific security things, tips how to start with your app security

• "Popular note-taking apps share these security flaws: security tips for developers"
• X Things you Need to Know before Implementing Cryptography by @vixentael
• By-passing biometrics protection slides by @julepka
• End-to-end encryption for Wire by @GerasimenkoMiha
• Building end-to-end encryption for Bear app by @vixentael

Books

• NoStarch iOS security book
• Password authentication for web and mobile apps book by Dmitry Chestnykh
• API security

Online courses / workshops

• online course on reverse engineering iOS apps by @ivRodriguezCA
• other talks and workshops on iOS app security by @vixentael

Stay tuned

We do data security for living. At Cossack Labs we help companies who process sensitive data and want to protect it against external attackers, insiders, mis-configurations and to be compliant with regulations. We build and license our own proprietary or open source software, or build custom solutions tailored for specific use cases.

Ping @vixentael or @cossacklabs, if you need security engineering assistance :)