So I see you've got a lot of languages here in Singapore. I hope I didn't make any mistakes when translating those. If I did, I apologize. Maybe I'll translate it to my language. In my language it is called Maybe that sounds funny to you, but this is how it is in Polish. And speaking about languages, I've also been learning Mandarin for one month, because I find it very challenging, and I like challenges. So let me introduce myself in Mandarin. I hope I won't make any mistake here. Ni hao. What's yao ma che? Waszu tron boland. I will be having a few questions during the talk. The first of those will be: how many of you know where Poland actually is located? I'm impressed. That's super cool. So Poland is this country in Europe. I come from Poland. This is on the west of Poland. And actually my trip here was quite a long one, but it wasn't a direct flight, so I had to go by train to Warsaw, which is the capital city of Poland. Then I had to take a flight to Zurich, and then I came here. And I've been enjoying my stay here. Singapore is super cool. And I also run a blog with my colleagues. It's called Swifting.io. You may want to check it. There will be some interesting articles probably for you. On a daily basis, I'm an iOS programmer. I have worked for a pharmaceutical company for five years. And security and data privacy are a high priority at my company. To be honest, when I'm traveling, I have on my computer always a privacy filter, so no one sees what I'm doing at my computer. Do you know what a privacy filter is? It's a piece of glass, basically, that protects anyone from unwanted... Basically, it won't display things to others. You will be the only one who can see through this protective glass. I have different passwords to portals. I have often a mobile passcode on my phone. I use VPN. I have my hard drive encrypted. And why am I doing all that stuff? Maybe because I've watched Mr. Robot too much. Do you know what Mr. Robot is? This is a TV series.
And this TV series... The main character is a hacker. And he and his colleagues work in Allsafe. This is a company that deals with the services security for corporate corporations. And in this TV series, I think it was the second episode of the first season, the colleague of the main character, the hacker, was walking down the street with his girlfriend. And there was this guy who was giving away his CDs with music. He was saying that he wants to promote his dad. So there was this... He met both of the couple, the guy who works for the security company and his girlfriend. They took the CD from him. And in the evening, the guy actually put the CD into their computer. He tried opening it, but the music didn't play. But this CD had malware on it. So some malware software was installed on the computer. And then that whole action goes. Okay, but then I wondered... The guy works for a security company, puts a CD into his own computer. How can he be that foolish and do something like that? Okay, but this is just a TV series example. So does it happen in the real world? So let me give you another example. In Poland, we have a website called Niebezpiecznik.pl. This is a Polish website, and it contains articles about security, network security, mobile security. And they did a report. They made a report about security of Polish banking apps. And actually there was one banking application that included a list of passwords, credentials, to their system. In the back set, there were only test accounts, but some have checked those accounts, and actually they work on production environment. So this is something closer to our area, because this was in... Yeah, this was about a mobile application. But even I did something similar last year. After WWDC 2016, there was iOS 10 beta released, and I installed it right away on my phone. But on this very phone, I also had my personal data. I wondered after a month, is that beta secure? And actually how secure iOS is.
So basically iOS security consists of three pillars. First of them is creating secure operating system by Apple. Then there are users upgrading operating systems on their phones. And there are also developers who should be able to secure applications. And iOS is secure because of a few reasons. First of them is Passcode. So Passcode is what Steve Jobs... You might have heard of him. Passcode is what Steve Jobs didn't use, actually. This is one of security mechanisms. This is a pin code you can set on your iPhone, and based on that, data on your device is encrypted. After five unsuccessful attempts, someone trying to enter a Passcode will be slowed down. And after ten unsuccessful attempts, data can be erased from your phone. There is also something called Touch ID. This is a fingerprint sensor scanner. And after a few Touch ID failures, there is also a demand to enter a Passcode. So it's quite secure, I guess. Let me share some more metrics with you. Did you know that a user unlocks their phone approximately 80 times per day? It's quite a lot. And only 49 people used Passcode in the past, before introduction of Touch ID. After that, that number rose up to 89%. Thanks to Touch ID. There are security users upgrading their software. And according to data collected by Google till January 9th this year, only 0.7 people used the newest Android version. There is a huge diversification, diversity on Android market. We have different phones. Not all support the newest version. And I think it's not that far in the past that the newest system was introduced, but Marshmallow, the previous version, was adopted only by almost 30% of users. So it's not much. According to Apple 76% of people use iOS 10, so the newest version. This data comes from Apple from January 4th. iOS 10 adoption is quite good, but it's not excellent. In the past almost 89% of users had the newest version of system installed. You may know why is that, why this number dropped.
It's because iPhone 4s or older and iPod 3 or older do not support the newest version of the system. Enter 80% of iOS 9 devices still in the market because of old hardware, basically. And Security Foundation is also based on developers who build secure applications. This foundation is based on establishing secure connection with our back-ends, protecting data that users provide within our application, rejecting unwanted content from different apps, inter-process communication, and acting upon a jailbreak. I will be briefly speaking about those topics in a moment. So why should we bother with all of these? It is because our applications can be under attack. You probably still remember the Polish banking app? It was attacked. Somebody had to extract accounts from the binary file of the application. And our apps can be attacked when they contain, for example, information that can identify a user. For example, some IDs, photos of credit cards, identity cards, because they can contain names or names of our friends. So you can extract from those relations between people which might be useful in some kinds of attacks. As I said, our application can also contain credit card data. They can also contain health information. And by the way, health information security is regulated by the HIP, sort of H-A-P. It's hard to pronounce. H-I-P-A-A. Yeah, thanks. And also an attacker might want to perform some financial operations in banking apps. Can I have a question? Yes. What's the monetary value of having mindful information? Having which information? What's the monetary value of having mindful information? How are you going to decide to do that? Or are you just a celebrity? Yeah. If you're, for example, a CEO of a company and you have a counselor or something like that and someone knows about it, this is data information that can somehow compromise you. Okay. Hackers or attackers can use data for its benefit or, yes, to compromise a person or the whole company.
For example, we're building this application, developing application for a blog post to show some different architectures of apps. And this is an application for loyalty cards. It's called MyCards, which is enhancing. But a user can store any data in it. Let me show you. And it will work somehow if I find my screen. Right here, you can see the screen of my phone. So the application displays loyalty cards or the data that the user entered. So, for example, this is an artificial Swifting.io loyalty card. And, yeah, you can see the front of this. Yeah, this is the front of the card and the back of the card. It contains some bar code that can be scanned by, for example, a cashier or someone at the shop to give you a discount. But actually, we could also take a photo of a credit card in the application. This would be data that should be secured. More or less. Yeah. Yeah, let's enter some name for the card with custom keyboard I use. It's called Swype, I guess. And the card appears. So you have data that should be secured in this application. Yeah, and we can get back to presentation. Yeah, it's switching screens during the presentation. Okay. Who might be an attacker? I think all the people who want, for example, tap out money from our credit cards, criminals, some business competitors, people that deal with corporate espionage, people who want to know what are we going to do next in our business. They can also be internet service providers, sniffing our network traffic for the government, for example, and maybe people we love. You know, control is the best form of trust, or trust but verify, like in this Russian proverb, because of that. Okay. And then they can attack in a few cases. The easiest, the easy one is when they steal your phone, they have direct access to the device. It's even easier if we don't have any passcode. But as we've seen on the previous slides, almost 89% of people use passcodes today.
If device is jailbroken, that's end for our security, probably. There is also some malware on App Store. They have pretty good filters to reject such applications from the App Store. But there's also an article from MakeUseOf website that tells something about malware or application that did something bad on your phone and passed through the filter on the App Store. It is linked at the end of the presentation. And they can also attack if we have a pretty new phone. So a zero-day mobile device means that the device is not configured. We just received it from, or we just bought it. And somebody can install some malware on it or jailbreak the device and do whatever they want with it. As we know what the threats are, so we can speak right now about securing our applications. The first part, as I said, is network. This is a very important aspect. We want to use secure connections to avoid eavesdropping, namely use HTTPS, always, when communicating with backend. Use it for NSURLSession and NSURLConnection APIs. And by the way, there is App Transport Security mechanism from Apple, ATS, that requires you to use SSL, HTTPS calls. And they said that it will be mandatory for applications by the end of 2016, but recently they said it will be enforced later this year. I don't know when exactly. So there's also another mechanism you can use to even enhance your network security of your network calls. There is a technique called certificate pinning. Basically, you embed within your application public key of your server. Once you make an HTTPS call, you get the public key of certificate from your server and you have to compare them. If they're not equal, you should reject such a connection. And there's also a new mechanism introduced at WWDC 2016 called certificate transparency. The video is linked also at the end of the presentation. You can see it. Yeah, it's quite an interesting topic as well. Data within our application should also be protected.
Files within our application are represented by NSFile object. And by default, those objects have a protection key set to complete until first user authentication. It means that all data on our device from our application will be encrypted as long as that user unlocks the device for the first time. This is the default. But we may want to set this flag to complete or complete unless open, which means that we want the data on our device to be secured all the time. So if I had my phone locked and this flag set to complete, it would mean that data in my application is encrypted as long as I use Touch ID or unlock phone with a password. There's also a flag protection type called complete unless open that allows us to open the file once our application is in foreground and we may want to do some background network calls and write something to our database, for example. And if we set the flag to complete unless open, it would allow us to process data and write it to database in the background. If we use a flag protection type complete or our output crash, I'm going to write it to database in the background. Yeah, there's also something called keychain. This is Apple's security vault. You may want to store credentials of your user over there. Or, you know, let's snapshot this. There is, you know, we have this multi-tasking manager here. So snapshot is, are those screenshots of our app when it goes background? When application goes background, it may display some foundational data, username, name and surname, credit card number. And those snapshots are accessible even when application is, sorry, if our phone is locked and we don't want to export the data. There is also a UIPasteboard object that we should clear from time to time. This is an object to which you can copy some data and you can paste it, for example, in another application. And there are custom keyboard extensions. You probably have seen the one I've used.
This is custom keyboard that you can swipe on once I was writing the name of my card. Those can intercept user's input. They can also send it somewhere else. So maybe it's a good idea also to disable those extensions for our application. Okay, so let's speak a bit about URL schemes. Interprocess communication is basically URL schemes. They allow other applications to open our app with some data. We should validate the source application. So the one that tries to open our app and we should validate params that it passes in. It was introduced, I guess, in iOS 8 or 9. There was this method application and the open URL, it's now deprecated. Don't use it because it doesn't give you a way to validate a bundle ID of source application. There's another one, application open URL options. Use that one and validate your input to your application. Okay, so let's check how we can secure the MyCards app. And still I'll have some problems probably with screen. Maybe not? Yeah, so let's start with custom snapshot. It's quite easy. Basically, when our application goes background, this is app delegate of our application. When our application enters background, we will set a frame of visual effect view. Visual effect view is the one that gives this blur effect to everything that's beneath this view. So we'll set the frame of this view to the size of the screen. We'll add it to the window. So all application views will be in the window. On top of that, there will be this visual effect view. And that's it. It will be secured. If you don't believe me, well, maybe I will show it that it works. Come on, you've got to be kidding. Not now. Let's just see it later. Unfortunately, I don't have any data on this later. But this is what you would see as a screenshot if we didn't have this visual effect view. I want to set this to background. And we show multitasking manager. You know, it's blurred. All the data will be blurred. So it worked. Okay, so let me switch to another example.
This one will be about disabling custom keyboard. And I don't know, you will maybe know them on the simulator because I don't have any keyboard extension on the simulator. However, it's also pretty simple. App delegate has a method called application should allow extension point identifier. And we can check whether it's keyboard and if we return false from that statement, it would disable custom keyboards for application. So we'll only use native keyboards. Maybe I could show you that on the phone. I'll see. No, sorry. I won't show you this. We can also protect our files in the application. I will show you how to protect the database on your phone. I have this file called Core Data Service and there is NSPersistentContainer object. This was introduced in iOS 10. Basically, we create a persistent container with some name and we load persistent stores. So the database itself. And when it completes, we get store description object and we can set on it the file protection type we want to set. Complete or complete unless open for some key. And that's it. The database won't be exposed when locked. And last part will be a demo regarding URL validation. So imagine we would allow to open application with some data. This is immediate. I was talking about application open URL options and it takes a dictionary with some options. We can extract from this dictionary the bundle ID of the caller. We can validate that. I've written some fancy methods. And we can check whether it's optional here because dictionary can return an optional if there is no value for a certain key. So we check whether it's of type string and we can check whether it contains, for example, the model name of our team. If it doesn't contain it, we return false. So it would mean that we don't want to open content from the caller. We can also validate the URL itself under fancy methods. We can extract URL components from a URL and we can check query items.
So query items are those key-value pairs that are after a question mark. We can check whether query items, for example, key is destroyed as they're not and this is set to true. If that statement is true, we of course don't want to open anything from the caller. So I think that was it regarding the demo. There's also a theoretical part about jailbreak. I don't have much experience with jailbreak. But this is a mechanism of disabling all security features of the operating system. In order to detect jailbreak, you can search for Cydia app on your phone. This is a sort of app store for jailbroken application, I guess. You can also check system calls outside the sandbox. So for example, you can create other processes in your application. You can fork processes. You can also write some files or read files from the space that was given to your application. So the app sandbox. You can also check for the code that was injected into your application or replaced for release builds of your applications. The debug induction is disabled on a jailbroken device. You can detect attached debugger because it's possible to debug the application and attack it somehow. There are also some non-standard ports opened. For example, OpenSSH. So what can we do if we detected jailbreak? So like in the unsuccessful iOS passcode attempt, we can slow down somehow an attacker. We can make requests to back-end a bit longer. We can erase silently all the data that is considered crucial for us. We can also inform back-end that user that uses this application. This particular account is a fraud and the application was misused. So what secure your application is. I've shown you some very simple security mechanism. Of course, there are more of them. You can protect user's data while traveling network with using HTTPS. You can protect data on the device with file protection types. You can also replace snapshots, disable custom keyboards.
You can validate the input that is given to your application in IPC. You may write secure code and build top-notch security mechanism. However, still the most vulnerable part of your application is human. We're just humans. We make mistakes all the time, either as programmers or users of applications. Recall this banking app with a list of passwords and credentials and Mr. Robot stories. And if there was one thing I wanted you to take from this presentation, it would be educate your users about privacy and security because their data security and privacy is in their hands. It all depends on them at the end. So, thank you very much. Who wants to ask the first question? Yeah. The guy over there is my friend. Yeah, yeah. So, did you switch the file encryption option with the practical performance of your application with a lot of devices that you're interested in? Maybe a bit. I don't want to... Oh, or maybe not. It's a hard topic. There is iOS security programming guide. It's also linked at the end of the presentation. It's hard to explain it really fast, but not all the data is actually encrypted. I mean, the key to understand the data, the encryption key gets, master key gets encrypted. And based on that, after user unlocks the phone, it encrypts the master key and then does the decryption part of the job. And on the iPhone, there is also this Secure Enclave chipset which does the whole job of dealing with encryption and decryption. Yeah? Is there any reason why not a lot of apps use the engine of the default snapshot? I don't know. It's so easy. I don't know why they don't use it. Maybe it's also... If user switches applications in Task Manager, so cool. Maybe it's good to display some data. You may want to update data in the background and update your snapshot. And once user selects or navigates through this Task Manager, the newest data can be displayed on the snapshot as well. The one that was fetched in the background. Yeah?
Is there any complete protection in keeping the data? Is there any complete, streamlined database and then global data? I'm afraid I didn't understand. Do we have any microphone? I don't know. Maybe I'll go through it. Yeah? Is there any complete protection? Yeah. You may have it in the background. So, depending on your local, isolated database, keeping the data in the background. So, the flash is on this pre-encrypted database. That's on... Yeah. I don't know what part of it exactly gets encrypted. I know there's this master encryption key that gets encrypted. There's some magic that goes to an insecure endpoint that's also encrypted and decrypted. I can answer that. It's Core Data, right? Yeah. So, Core Data is actually powered by SQLite. SQLite is out on this. So, if you set that option, that power is encrypted. So, I'll give you a slide. So, the parts of the data... The data? The data. So, the values? Yeah, I think so. So, the values are encrypted and how the description changes the power? The description changes the set of values. Yeah, so, the description follows both ways, right? So, when it's open, then the power changes. So, how... Do you know what is SQLite? Yes, I can. I can explain that. I used SQLite before. I think the SQLite works like it creates... it gives the whole database five percent. You know, it gives you the data, so, as a five, it gives you the data. So, given that four data came out, the data is not as secure but as a fine product. I've got some stickers for laptop.