This document summarizes a presentation on iPhone and iPad security. It discusses how to configure passcode policy and other restrictions on devices through configuration profiles. It also covers securing data through encryption, securing network communications through VPNs and SSL, and developing secure applications that properly handle authentication, authorization, data storage and cryptography. The presentation warns of risks from jailbreaking devices and accessing unsecured configuration profiles and provides recommendations for addressing these risks.
iPhone and iPad Security
1. Mobility WebCast: iPhone and iPad Security
Simon Guest, Director, Mobility Solutions, Neudesic, LLC
simon.guest@neudesic.com
2. Common Questions
- I don’t want my employees doing [x]. How do I configure policy?
- What happens if I leave my device on the [bus|train|plane]?
- How do I secure communication from the device?
- I’m writing an application. How do I make my application secure?
- What other bad stuff should I be thinking about?
39. Policy
- Restrictions on Device Features: Installing Apps, Camera, Facetime, Screen Capture, Sync while Roaming, Voice Dialing, In App Purchases, Multi-player Gaming, Game Center Friends
- Restrictions on Applications: Access to YouTube, iTunes, and Safari (various settings)
- Content Rating Restrictions: Regional setting, with maximum content ratings across Movies, TV Shows, and Apps
Policy: Additional Settings for Configuration
- WiFi access point
51. iPhone Configuration Profile enables configuration for SCEP server URL. Also used for OTA configuration.
Policy: Additional Settings for Security
- Advanced
52. Policy for GPRS access point, username, and password. Policy for Proxy Server (but this is for the GPRS access point only).
53. Not possible to set Proxy Server for Wifi/3G networks (potential compromise with “evil profiles”)
Policy: Distributing Profiles to Users
- iPhone Configuration Utility
  - USB cable directly to the device
- Export from Configuration Utility and Email
  - .mobileconfig (none, signed, encrypted for device)
  - Users do have the ability to get details on what the mobile config is doing
- Web Download
  - “Configure iPhone Now” link
  - Similar to above, but via URL
54. Policy: Mobile Device Management (MDM)
- Remote Configuration
  - Pushing of configuration profiles to the device
- Remote Query
  - Device, network, security, and application information
- Remote Management
  - Remote wipe, remote lock, clear passcode, OTA application delivery
55. Policy: Mobile Device Management (MDM)
- API Level
  - MDMS APIs announced with iOS 4.2
  - Very little public information, only available to MDM providers via separate agreement from Apple
- Products/Vendors
  - AirWatch, Sybase Afaria, MobileIron
  - Microsoft announced MDM support in SCCM 2012
    - http://www.zdnet.com/blog/microsoft/microsoft-readies-tool-for-managing-ipads-iphones-and-android-devices/8987
    - Beta 2 - http://www.microsoft.com/systemcenter/en/us/configuration-manager/cm-vnext-beta.aspx
57. Data: Hardware Based Encryption
- Anything written to (flash) storage encrypted with a 256-bit AES key
- Cannot be disabled by users
- Primarily designed for remote wipe (delete the key, and data is inaccessible)
- Savvy hacker can very easily get access to the data, even if pin-code protected
  - Boot the device in recovery mode, SSH and various shell scripts to extract the data
58. Data: Data Protection (post iOS 4.2)
- Anything written to (flash) storage encrypted with a 256-bit AES key, derived from the user’s passcode
- Strength of data protection dependent on passcode strength
  - Brute force with 4 digit simple PIN. A little more challenging when alphanumeric, including non-alpha characters
  - Mitigated by PBKDF2 iterations (50ms derivation = ~20 passwords per second)
- However, only applies to applications that use Data Protection API
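
The slide's figure of roughly 20 passcode guesses per second can be turned into a passcode-policy check. The following is an added example, not part of the presentation; the policy names and alphabet sizes are assumptions chosen for illustration.

```python
# Added illustration; the 20 guesses/second rate is the slide's figure
# (50 ms per PBKDF2 derivation). Alphabet sizes and policies are assumptions.
GUESSES_PER_SECOND = 20

POLICIES = {  # name -> (alphabet size, passcode length)
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6-char lowercase+digits": (36, 6),
    "8-char mixed case+digits": (62, 8),
}

def worst_case_seconds(alphabet, length, rate=GUESSES_PER_SECOND):
    """Time to try every passcode of this shape at the given guess rate."""
    return alphabet ** length / rate

def min_length(alphabet, target_seconds, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least target_seconds."""
    length = 1
    while worst_case_seconds(alphabet, length, rate) < target_seconds:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    for name, (alphabet, length) in POLICIES.items():
        print(f"{name:26} {human(worst_case_seconds(alphabet, length))}")
    year = 365 * 86400
    print("digits needed for a 1-year worst case:", min_length(10, year))
    print("alphanumerics needed for a 1-year worst case:", min_length(62, year))
```
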
59. Data: Data Protection API
- When writing an NSData object to file, include the NSDataWritingFileProtectionComplete attribute
- However, your application now needs to handle failure
  - If the application is running in the background when the device is locked, you will not be able to access the file
60. Data: Keychain
- The keychain is an encrypted container that holds passwords for multiple applications and secure services. (Apple Keychain services programming guide)
- Fraunhofer Institute Paper and Video “Lost Phone? Lost Passwords!”
  - http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
  - http://www.youtube.com/watch?v=uVGiNAs-QbY
- Accessed the keychain using techniques described in last section
  - “Jailbroke” the device, booted into tethered Jailbreak mode, copied script to dump contents of Keychain
  - Some passwords, not all, were revealed
61. Data: Keychain
The Keychain supports several methods of encryption:
- kSecAttrAccessibleAlways – always accessible
- kSecAttrAccessibleWhenUnlocked – only accessible when device is unlocked
- kSecAttrAccessibleAfterFirstUnlock – accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly – only accessible when device is unlocked – device specific
- kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again – device specific
- kSecAttrAccessibleAlwaysThisDeviceOnly – always accessible – device specific
Resources
- http://labs.neohapsis.com/2011/02/28/researchers-steal-iphone-passwords-in-6-minutes-true-but-not-the-whole-story/
62. Data: Keychain
Slide callouts: Try to avoid – no protection; Recommended for most apps; Recommended for apps with background needs
The Keychain supports several methods of encryption:
- kSecAttrAccessibleAlways – always accessible
- kSecAttrAccessibleWhenUnlocked – only accessible when device is unlocked
- kSecAttrAccessibleAfterFirstUnlock – accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly – only accessible when device is unlocked – device specific
- kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again – device specific
- kSecAttrAccessibleAlwaysThisDeviceOnly – always accessible – device specific
Resources
- http://labs.neohapsis.com/2011/02/28/researchers-steal-iphone-passwords-in-6-minutes-true-but-not-the-whole-story/
67. Application: Authentication and Authorization
- Authentication
  - No concept of users, accounts, passwords on the device
  - Unlike Mac OS X, user is assumed to be authenticated (via pincode)
  - No way of re-prompting user for pincode programmatically, nor locking the device
  - Authentication for your own application will have to be custom (against back end services)
- Authorization
  - No concept of roles, permissions on the device
  - Unlike Mac OS X, user is assumed to be authorized (within the sandbox of the signed application)
Resources
- http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/SecuritySvcs.html
68. Application: Accessing Secure Server-Side Resources
- Authentication
  - NSURLConnection does not support NTLM auth
  - Need to use CFNetwork or 3rd party, such as ASIHTTPRequest
- SSL support
  - NSURLConnection supports SSL (prefix “https” on NSURL)
  - Support for bypassing invalid certificates using continueWithoutCredentialForAuthenticationChallenge
  - Support for client side certificate requests using didReceiveAuthenticationChallenge callback
Resources
- http://stackoverflow.com/questions/933331/how-to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert
- http://markmail.org/message/tnh2g6u5h42ive53
- http://jameswilliams.me/developer/blog/2008/08/http-post-via-the-cfnetwork-stack/
69. Application: Password Storage
- Don’t store them in NSUserDefaults
  - UI abstracts the password, but it can be easily accessed from the FileSystem/a simple backup/iPhone Explorer
- Use the Keychain instead (albeit referring to the previous section on Keychain)
Resources
- http://software-security.sans.org/blog/2011/01/05/using-keychain-to-store-passwords-ios-iphone-ipad/
70. Application: Cryptography Support
- Asymmetric support through Certificate, Key, and Trust Services
  - Manage certificates, public and private keys, trust policies
  - Create, request certificate objects (CERs)
  - Import certificates, keys, and identities
  - Create public/private key pairs
  - Represent trust policies
- SecKeyGeneratePair Example
    OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey);
Resources
- http://developer.apple.com/library/ios/#documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/doc/uid/TP30000157
72. Application: Cryptography Support
- Cryptographically secure random numbers
  - SecRandomCopyBytes API returns cryptographically secure random number from accelerometer, compass, radio baseband
Resources
- http://developer.apple.com/library/ios/#documentation/Security/Reference/RandomizationReference/Reference/reference.html
74. Bad Stuff: Jailbreaking
- What is Jailbreaking?
  - Process of unlocking a device to gain full access (a.k.a. root access) to a device
  - Allowing more control on the device by bypassing previous restrictions
  - e.g. custom ringtones, wallpapers, software to capture network packets, VNC server for the device, etc.
  - Constant battle between jailbreakers (iPhone Dev Team) and Apple releasing new software updates
- Is it Legal?
  - In the US, under exemption to DMCA 2010, although it will void Apple’s device warranty. In other countries, best to check local laws.
- Is it the same as SIM unlocking?
  - No. SIM unlocking is about using different SIMs from different operators.
75. Bad Stuff: Jailbreaking in the Enterprise
- Tethered vs. Untethered Jailbreaking
  - Untethered = does not require USB cable and s/w to reboot device
  - Most jailbreaks post 4.2.1 require tether
- Security Risks
  - Frequent speculation on security for jailbroken devices
  - Most originate from SSH/default password exploit
  - iKee worm (changes wallpaper to Rick Astley background)
  - Netherlands-based botnet-like worm uploading /etc/master.passwd file to a server in Lithuania
76. Bad Stuff: Plaintext in Configuration Profile
- Scenario
  - Attacker grabs .mobileconfig from Email or public URL
  - Investigates XML file for plaintext details (e.g. WLAN SSID and password)
- Mitigation
  - Encrypting .mobileconfig files for device-specific deployments
  - Placing .mobileconfig files behind authenticated pages (avoid Google filetype:mobileconfig Password)
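
A pre-distribution check for the plaintext-profile risk described on this slide, as an added example that is not part of the presentation. The sample profile is constructed, and matching key names on "password"/"secret" is a heuristic assumed here, not Apple's schema.

```python
import plistlib

# Heuristic (assumption): any string-valued key whose name contains one of
# these substrings is treated as a credential stored in the clear.
HINTS = ("password", "secret")

def find_plaintext_secrets(node, path="profile"):
    """Walk a parsed profile and return the paths of credential-like strings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(value, str) and value and any(h in key.lower() for h in HINTS):
                findings.append(here)
            else:
                findings.extend(find_plaintext_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings

def audit_mobileconfig(raw):
    """Classify a .mobileconfig file and list any readable credentials."""
    try:
        profile = plistlib.loads(raw)
    except Exception:
        # Not a bare plist: a signed profile is wrapped in a binary envelope.
        return {"container": "opaque", "findings": []}
    if "EncryptedPayloadContent" in profile:
        # Device-specific encrypted profiles carry this key instead of PayloadContent.
        return {"container": "encrypted", "findings": []}
    return {"container": "plaintext", "findings": find_plaintext_secrets(profile)}

# Constructed sample: an unencrypted Wi-Fi profile with an inline passphrase.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Corp Wi-Fi",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "ExampleCorp",
        "EncryptionType": "WPA",
        "Password": "constructed-sample-passphrase",
    }],
})

if __name__ == "__main__":
    report = audit_mobileconfig(SAMPLE)
    print(report["container"], report["findings"])
```

A result of "opaque" only means the file is not a bare plist; a signed but unencrypted profile still contains the same XML inside its envelope, so signing alone does not address this slide's scenario.
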
77. Bad Stuff: Evil Configuration Profile
- Scenario
  - Attacker generates evil .mobileconfig
  - Signs using signature-only cert from one of the 224 root certs in the iPhone keystore
  - SMS the .mobileconfig to a victim, fake them into installing it
- Mitigation
  - Create a locked default profile to prevent this
  - User education
  - Apple’s removal of certain policy configuration options (e.g. proxy)
Resources
- http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3892776_1/Three-Steps-to-a-Cracked-iPhone.htm
78. Bad Stuff: Bypassing PIN code/Forensic Recovery of Disk
- Scenario
  - Attacker has physical access to your device
  - Even though locked with a PIN code, the device can still be placed in recovery mode to override the PIN protection
- Mitigation
  - Physical security of device
  - Use of Data Protection API by applications installed on device (mail stores by default)
  - Correct use of Key Chain algorithms to ensure passwords are not stored in clear
Resources
- http://www.youtube.com/watch?v=5wS3AMbXRLs
81. Conclusion
- A lot to consider for iPhone and iPad Security
- Divide the problem in four ways
  - Policy, data, network, and application
  - …but also understand about the bad stuff!
- Your device is as secure as the weakest link
  - Don’t rely on one mechanism (e.g. password policy) in lieu of the rest
- Think like a hacker
  - What tools would they have? What would they try?
  - What’s the worst that could happen if they got hold of your device?
82. How Neudesic Can Help
- Application/Device Security Review
  - Simulate losing one of your locked devices
  - We run it through the tools that the hackers have
  - You get a full report of our findings
- Mobile Strategy Review
  - CxO Level Mobility Review
  - Construct mobile landscape of your organization together with the applications, integration points, and security considerations that make sense
  - You get a framework and roadmap for mobile adoption in your organization