OWASP Cheat Sheet * Apple iOS Developer

advertisement
OWASP Cheat
Sheet Series
OWASP Cheat Sheet – Apple iOS
Developer
Kenneth R. van Wyk
This document is part of OWASP’s Cheat Sheet series. It is intended to help the iOS app
developer to produce secure apps, by providing a quick point of reference to the major
security pitfalls and their remediations.
OWASP
http://www.owasp.org
OWASP Cheat Sheet
Apple iOS Developer
Version 0.9
Table of Contents
INTRODUCTION
2
BASICS
2
REMEDIATIONS TO OWASP MOBILE TOP 10 RISKS
3
INSECURE DATA STORAGE (M1)
REMEDIATIONS
WEAK SERVER SIDE CONTROLS (M2)
REMEDIATIONS
INSUFFICIENT TRANSPORT LAYER PROTECTION (M3)
REMEDIATIONS
CLIENT SIDE INJECTION (M4)
REMEDIATIONS
POOR AUTHORIZATION AND AUTHENTICATION (M5)
REMEDIATIONS
IMPROPER SESSION HANDLING (M6)
REMEDIATIONS
SECURITY DECISIONS VIA UNTRUSTED INPUTS (M7)
REMEDIATIONS
SIDE CHANNEL DATA LEAKAGE (M8)
REMEDIATIONS
BROKEN CRYPTOGRAPHY (M9)
REMEDIATIONS
SENSITIVE INFORMATION DISCLOSURE (M10)
REMEDIATIONS
3
3
3
3
4
4
4
4
4
5
5
5
5
5
6
6
6
6
7
7
REFERENCES AND FURTHER READING
7
Introduction
This document is written for iOS app developers and is intended to provide a set of
basic pointers to vital aspects of developing secure apps for Apple’s iOS operating
system. It follows the [DRAFT] OWASP Mobile Top 10 Risks list.
Basics
From a user perspective, two of the best things one can do to protect her iOS device
are: enable strong passwords, and refrain from jailbreaking the device. For
developers, both of these issues are problematic, as they are not verifiable within an
app’s sandbox environment. (Apple previously had an API for testing devices to see
if they are jailbroken, but that API was deprecated in 2010.) For enterprises, strong
passwords, along with dozens of other security configuration attributes can be
managed and enforced via a Mobile Device Management (MDM) product. Small
businesses and individuals with multiple devices can use Apple’s iPhone
OWASP Cheat Sheet
Apple iOS Developer
Version 0.9
Configuration Utility (http://www.apple.com/support/iphone/enterprise/) and
Apple Configurator (available in the Mac App Store) to build secure configuration
profiles and deploy them on multiple devices.
Remediations to OWASP Mobile Top 10 Risks
Insecure Data Storage (M1)
Without a doubt, the biggest risk faced by mobile device consumers comes from a
lost or stolen device. The information stored on the device is thus exposed to anyone
who finds or steals another person’s device. It is largely up to the apps on the device
to provide adequate protection of any data they store. Apple’s iOS provides several
mechanisms for protecting data. These built in protections are quite adequate for
most consumer-grade information. For more stringent security requirements (e.g.,
financial data), additional protections beyond those provided by Apple can be built
into an application.
Remediations
In general, an app should store locally only the data that is required to perform its
functional tasks. This includes side channel data such as system logging (see M8
below).
For any form of sensitive data, storing plaintext data storage in an app’s sandbox
(e.g., ~/Documents/* ) should always be avoided.
Consumer-grade sensitive data should be stored in secure containers using Appleprovided APIs.
 Small amounts of data, such as user authentication credentials, session
tokens, etc., can be securely stored in the device’s Keychain (see Keychain
Services Reference in Apple’s iOS Developer Library).
 For larger, or more general types of data, Apple’s File Protection mechanism
can safely be used (see NSData Class Reference for protection options).
To more securely protect static data, consider using a third party encryption API
that is not encumbered by the inherent weaknesses in Apple’s encryption (e.g.,
keying tied to user’s device passcode, which is often a 4-digit PIN). Freely available
examples include SQLcipher (see http://sqlcipher.net).
Weak Server Side Controls (M2)
Although most server side controls are in fact necessary to handle on the server side
(duh)—and as such we refer the reader to [OWASP DOC REFERENCE FOR SERVER
SIDE CONTROLS]—there are several things that can be done on the mobile that aid
in the work to be done on the server.
Remediations
Design and implement the mobile client and the server to support a common set of
security requirements. For example, information deemed sensitive on the server
should be handled with equivalent due caution on the client side.
OWASP Cheat Sheet
Apple iOS Developer
Version 0.9
Perform positive input validation and canonicalization on all client-side input data.
Use regular expressions and other mechanisms to ensure that only allowable data
may enter the application at the client end.
Perform output encoding on untrusted data where feasible.
Insufficient Transport Layer Protection (M3)
Exposing sensitive data to eavesdropping attacks is a common issue with all
networked applications, and iOS mobile apps are no exception.
Remediations
Design and implement all apps under the assumption that they will be used on the
most wide-open Wi-Fi networks on the planet.
Make an inventory of all app data that must be protected while in transit.
(Protections should include confidentiality as well as integrity.) The inventory
should include authentication tokens, session tokens, as well as application data
directly.
Ensure SSL/TLS encryption is used when transmitting or receiving all inventoried
data. (See CFNetwork Programming Guide.)
Ensure your app only accepts properly validated SSL certificates. (CA chain
validation is routinely disabled in testing environments; ensure your app has
removed any such code prior to public release.)
Verify through dynamic testing that all inventoried data is adequately protected
throughout the operation of the app.
Verify through dynamic testing that forged, self-signed, etc., certificates cannot be
accepted by the app under any circumstances.
Client Side Injection (M4)
Data injection attacks are as real in mobile apps as they are in web apps, although
the attack scenarios tend to differ (e.g., exploiting URL schemes to send premium
text messages or toll phone calls).
Remediations
In general, follow the same rules as a web app for input validation and output
escaping.
Canonicalize and positively validate all data input.
Use parameterized queries, even for local SQLite/SQLcipher calls.
When using URL schemes, take extra care in validating and accepting input, as any
app on the device is able to call a URL scheme.
When building a hybrid web/mobile app, keep the native/local capabilities of the
app to a bare minimum required. That is, maintain control of all UIWebView content
and pages, and prevent the user from accessing arbitrary, untrusted web content.
Poor Authorization and Authentication (M5)
Although largely a server side control, some mobile features (e.g., unique device
identifiers) and common uses can exacerbate the problems surrounding securely
authenticating and authorizing users and other entities.
OWASP Cheat Sheet
Apple iOS Developer
Version 0.9
Remediations
In general follow the same rules as a web app for authentication and authorization.
Never use a device identifier (e.g., UDID1, IP number, MAC address, IMEI) to identify
a user or session.
Avoid when possible “out-of-band” authentication tokens sent to the same device as
the user is using to log in (e.g., SMS to the same iPhone).
Implement strong server side authentication, authorization, and session
management (control # 4.1-4.6).
Authenticate all API calls to paid resources (control 8.4).
Improper Session Handling (M6)
Similarly, session handling is in general, principally a server task, but mobile devices
tend to amplify traditional problems in unforeseen ways. For example, on mobile
devices, “sessions” often last far longer than on traditional web applications.
Remediations
For the most part, follow sound session management practices as you would for a
web application, with a few twists that are specific to mobile devices.
Never use a device identifier (e.g., UDID, IP number, MAC address, IMEI) to identify a
session. (Control 1.13)
Use only tokens that can be quickly revoked in the event of a lost/stolen device, or
compromised session.
Protect the confidentiality and integrity of session tokens at all times (e.g., always
use SSL/TLS when transmitting).
Use only trustworthy sources for generating sessions.
Security Decisions via Untrusted Inputs (M7)
While iOS does not give apps many channels for communicating among themselves,
some exist—and can be abused by an attacker via data injection attacks, malicious
apps, etc.
Remediations
The combination of input validation, output escaping, and authorization controls
can be used against these weaknesses.
Canonicalize and positively validate all input data, particularly at boundaries
between apps.
When using URL schemes, take extra care in validating and accepting input, as any
app on the device is able to call a URL scheme.
Contextually escape all untrusted data output, so that it cannot change the intent of
the output itself.
Verify the caller is permitted to access any requested resources. If appropriate,
prompt the user to allow/disallow access to the requested resource.
Apple is deprecating the API for accessing a device’s UDID, so this mechanism will
soon be unavailable to developers.
1
OWASP Cheat Sheet
Apple iOS Developer
Version 0.9
Side Channel Data Leakage (M8)
Side channels refer here to data I/O generally used for administrative or nonfunctional (directly) purposes, such as web caches (used to optimize browser
speed), keystroke logs (used for spell checking), and similar. Apple’s iOS presents
several opportunities for side channel data to inadvertently leak from an app, and
that data is often available to anyone who has found or stolen a victim’s device. Most
of these can be controlled programmatically in an app.
Remediations
Design and implement all apps under the assumption that the user’s device will be
lost or stolen.
Start by identifying all potential side channel data present on a device. These
sources should include, at a bare minimum: web caches, keystroke logs, screen
shots, system logs, and cut-and-paste buffers. Be sure to include any third party
libraries used.
Never include sensitive data (e.g., credentials, tokens, PII) in system logs.
Control iOS’s screenshot behavior to prevent sensitive app data from being captured
when an app is minimized.
Disable keystroke logging for the most sensitive data, to prevent it from being
stored in plaintext on the device.
Disable cut-and-paste buffer for the most sensitive data, to prevent it from being
leaked outside of the app.
Dynamically test the app, including its data stores and communications channels, to
verify that no sensitive data is being inappropriately transmitted or stored.
Broken Cryptography (M9)
Although the vast majority of cryptographic weaknesses in software result from
poor key management, all aspects of a crypto system should be carefully designed
and implemented. Mobile apps are no different in that regard.
Remediations
Never “hard code” or store cryptographic keys where an attacker can trivially
recover them. This includes plaintext data files, properties files, and compiled
binaries.
Use secure containers for storing crypto keys; alternately, build a secure key
exchange system where the key is controlled by a secure server, and never stored
locally on the mobile device.
Use only strong crypto algorithms and implementations, including key generation
tools, hashes, etc.
Use platform crypto APIs when feasible; use trusted third party code when not.
Consumer-grade sensitive data should be stored in secure containers using Appleprovided APIs.
 Small amounts of data, such as user authentication credentials, session
tokens, etc., can be securely stored in the device’s Keychain (see Keychain
Services Reference in Apple’s iOS Developer Library).
OWASP Cheat Sheet
Apple iOS Developer
Version 0.9

For larger, or more general types of data, Apple’s File Protection mechanism
can safely be used (see NSData Class Reference for protection options).
To more securely protect static data, consider using a third party encryption API
that is not encumbered by the inherent weaknesses in Apple’s encryption (e.g.,
keying tied to user’s device passcode, which is often a 4-digit PIN). Freely available
examples include SQLcipher (see http://sqlcipher.net).
Sensitive Information Disclosure (M10)
All sorts of sensitive data can leak out of iOS apps. Among other things to remember
at all times, each app’s compiled binary code is available on the device, and can be
reverse engineered by a determined adversary.
Remediations
Anything that must truly remain private should not reside on the mobile device;
keep private information (e.g., algorithms, proprietary information) on the server.
If private information must be present on a mobile device, ensure it remains in
process memory and is never unprotected if it is stored on the device.
Never hard code or otherwise trivially store passwords, session tokens, etc.
Strip binaries prior to shipping, and be aware that compiled executable files can still
be reverse engineered.
References and Further Reading
OWASP Top 10 Mobile Risks presentation, Appsec USA, Minneapolis, MN, 23 Sept
2011. Jack Mannino, Mike Zusman, and Zach Lanier.
“iOS Security”, Apple, May 2012,
http://images.apple.com/iphone/business/docs/iOS_Security_May12.pdf
“Deploying iPhone and iPad: Apple Configurator”, Apple, March 2012,
http://images.apple.com/iphone/business/docs/iOS_Apple_Configurator_Mar12.pd
f
“iPhone OS: Enterprise Deployment Guide”, Apple, 2010,
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
“iPhone in Business”, Apple resources,
http://www.apple.com/iphone/business/resources/
Apple iOS Developer website.
Download