The most innovative “thing” I’ve done (so far)

The context

I’m a software engineer and really enjoy using technology, but what I love is using technology to solve problems and make people’s lives better. For the last six years of my professional career I’ve been focused on mobile development, mainly iOS Apps, but two years ago I started a new adventure in the technology field: Software Security. Software security can be divided into many subcategories like Network Security, Application Security, Cloud Security, Cryptography, etc., and these subcategories can be divided further still. For example, Application Security can be divided into Web Application Security, Mobile Application Security, etc. This meant that I had many options to choose from, but not enough time to pursue or learn all of them.

Since I was already a mobile software developer, I started learning about mobile application security, more specifically how to develop more secure iOS Apps. I knew the iOS platform, the internal structure and lifecycle of iOS apps, the language (Objective-C) and, more importantly, “how an iOS Engineer thinks” while developing iOS Apps.

When downloaded from the App Store, all iOS Apps are encrypted using Apple’s FairPlay DRM technology, which means that in order to analyze an iOS App it needs to be decrypted first. The first thing I needed to learn was: how could an attacker decrypt iOS Apps? It turns out to be very simple: the OS needs to decrypt the app in order to run it, so an attacker can simply dump the memory region where the app is loaded and voilà, the attacker has a decrypted version of the iOS App. After obtaining the decrypted app the attacker can start a static analysis of it, which reveals almost all (sometimes all) of the functionality the app provides: class names, methods, string constants, execution flow, etc. After this I also learned that there are tools to manipulate iOS Apps at runtime, and this was huge! With all the knowledge an attacker gains from static analysis it is very easy to attack iOS Apps at runtime by changing their behaviour using function hooking techniques. There is also a tool called cycript that can be installed on a jailbroken iPhone and attached to a running process to manipulate its behaviour.

After learning and practicing all these techniques and tools a lot, I gave a presentation called “Reverse Engineering iOS Apps” where I reverse engineered an iOS App and exposed its methods and classes as well as its “debug” code (which made it to production), and finally created a fake loyalty card with 1M (1,000,000) points.

These attacks are very dangerous, but an attacker has more attack vectors. iOS Apps are usually not standalone; they often communicate with a backend server. This allows companies to use a client-server architecture where most of the logic is on the server side and the client is mainly the “front face” of the system, collecting the user input that the server needs for its business logic. This means that on top of attacking and controlling an iOS App, an attacker will probably want to attack its backend system as well. The most common attack on the communication between an iOS App and a server is a Man-in-the-Middle (MitM) attack, where an attacker can see the plaintext data sent from the iOS App to the server even if the connection is over HTTPS (SSL/TLS). This could help an attacker understand the public/private APIs that the server provides.

After a few months of practicing I was able to “hack” iOS Apps and their communication with a server. There are people who have been doing this for years! This showed me that we needed to stop looking at mobile software security as a “feature that we will implement later”.

The learning process

The way I learned how to reverse engineer iOS Apps was by reading a lot of blog posts and subreddits, watching YouTube videos and searching through jailbreak forums, basically a mix of posts from iOS security experts and amateur developers. This was “easy” because I was trying to break into apps and nothing “bad” would happen if I didn’t succeed. But if I needed to put into practice a plan to secure production-ready iOS Apps, I needed to learn best practices, concepts and industry standards from sources other than blog posts and subreddits.

This is how I started a new phase in my life, signing up for MOOCs. I signed up for courses like Cryptography I (Coursera), Applied Cryptography (Udacity) and Intro to Machine Learning (Udacity), and even a Stanford certificate: the Stanford Advanced Computer Security Certificate. Even though they were online courses, and in some you choose your own pace, it is very difficult to find time for them. I failed in my first attempts to finish some of these courses. I had to find at least one hour a day to watch the videos in order to succeed; this is when I realized that I could do it over lunch, so I started watching the course videos while eating lunch (and I still do). This approach let me learn a lot faster, since before I was only dedicating a couple of hours a month.

The passion

One of the topics that captured my passion was cryptography; after watching a few videos of Dan Boneh explaining stream ciphers and block ciphers I was hooked! Cryptography could help me solve some of the security problems that I had with iOS Apps and, more importantly, the solution could be applied to literally any iOS Application out there. Being passionate about cryptography meant that I was going to immerse myself in its world; I’d try to absorb all the concepts, all the real-world use cases and all the best practices related to cryptography. I signed up for all the cryptography courses I could find, watched as many YouTube videos about crypto as I could and also bought a few cryptography books. This doesn’t mean that I’m a cryptographer or even close to being one, but I was very excited to have found a field in security that I was (and still am) very passionate about.

The sharing

Now, back to securing iOS Apps. Understanding what an attacker could do with vulnerable iOS Apps gave me a good perspective on how to start building better and more secure iOS Applications. And the online courses were teaching me core concepts, best practices and common solutions to known software attacks. Best of all, these courses were teaching me how to properly protect data using cryptography and how to avoid common mistakes while building cryptographic systems. (Again, this didn’t mean that I was a cryptography expert who could design any cryptosystem.)

The phrase “with great power comes great responsibility” came to mind. Not only did I need to start building better and more secure apps, but I wanted to share my findings and everything new I was learning as well. So I decided to start giving tech talks about software security in my employer’s office; some of the titles: “Office Information Security (phishing, malware, ransomware)”, “Hashing Passwords: Why and How”, “Let’s talk about Encryption and how to use it in our apps”. I wanted (and still want) to spread software security awareness and get all of my peers involved, or at least as many as possible. The more people involved, the more eyes and brains we would have to look at and think about software security from different perspectives.

On top of my talks I wanted to give something back to the community, not only by reaching the people in my office but also other iOS Engineers who were probably trying to solve the same problems I was. They could be working in a consulting company, in a product company or both, and if I was already learning all these “new” techniques, why not share them with a broader audience? First I thought of creating videos explaining security topics and best practices, maybe even showing a few implementations, and uploading them to YouTube or Vimeo. But the problem with this idea was that if it was difficult for me to allocate time to watch my courses’ videos, it would also be difficult for other engineers.

The “thing”

What I decided to do instead was to create an iOS Crypto Library. This library was aimed at providing basic cryptographic functions like symmetric and asymmetric encryption and decryption, as well as more advanced techniques like Authenticated Encryption with Associated Data (AEAD). Since this library is targeted at iOS developers, I also wanted to add a simple interface for adding TouchID and user password protection to items saved in the Keychain (this is a very important feature, since an attacker with a jailbroken iPhone can access the items within the Keychain by dumping its contents).

I basically created an iOS Crypto Library that could (hopefully) help developers integrate cryptography into their Apps in a safe and consistent manner. One key aspect of my vision was (and still is) that this library had to be open source. By open-sourcing the library I was ensuring that other engineers could look at the source code and report bugs, point out vulnerabilities and add more features, but also that anyone would be able to use it!

So this is it: this is my greatest contribution to date to the community and the most innovative “thing” I’ve done (so far). It will hopefully help developers solve real-world problems. If this library helps at least one developer, all my effort, all my time and all my energy will have been worth it.


(Please read the disclaimer: I’m not a cryptographer)


Saving your Github SSH Keys in a USB Drive

Github provides two main options for connecting to repositories (cloning, fetching, pulling, pushing): HTTPS and SSH.
  • HTTPS: This is the easiest way to clone a repo from Github. It needs no setup, port 443 (HTTPS) is usually open on all networks, and when we clone, fetch, pull or push we’ll be asked for our username and password, and that’s it! On Mac OS X we can even save our username/password in the Keychain and only do this once. This is all good, but if our username and password are compromised then an attacker could clone, fetch, pull or push on any of the repositories we have access to.
  • SSH: This option requires users to generate a cryptographic key pair, usually an RSA key. The user needs to upload the public key (pk) to Github before performing any of these operations (clone, fetch, pull or push). The SSH port (22) also needs to be open on the user’s network (home, office, Starbucks, …). On Mac OS X we can generate a key pair using the command ssh-keygen; if we don’t provide a location, by default the key pair (id_rsa and its public half) is stored in ~/.ssh. After uploading the contents of the public key file to Github we can start cloning, fetching, pulling or pushing on any of our repositories. Now, again, if our computer (where the private key lives) is compromised, the attacker has the ability to clone, fetch, pull or push on any of the repositories we have access to.
Now, like we said before, if an attacker compromises our computer with our private key on it, they could have access to our Github repositories. But what if we could save our keys somewhere else (let’s say a USB stick), load them into the machine for a specific amount of time, and have them removed from the computer’s memory/cache after that, so that if the computer is compromised the keys won’t be there?
This sounds awesome! And yes, it is totally possible; here is how to do it on Mac OS X:
1. Open Disk Utility.
2. Choose the external drive -> Erase.
3. Choose Format -> Mac OS Extended (Case-sensitive, Journaled, Encrypted).
4. Give it a name (preferably something short, as you need to reference it on the command line).
5. Disk Utility will ask for a password (this is asked every time we plug in the drive).
6. Erase the USB drive -> go play some Angry Birds.
7. Open a terminal and type:
ssh-keygen -f /Volumes/<Thumbdrive name after wipe>/id_rsa -C "<Enter Name>"
8. Create a load script to make loading your keys easier:
vi /Volumes/<Thumbdrive name>/load
Script contents:
#!/usr/bin/env bash
DIR=/Volumes/<Thumbdrive name>
KEY=$DIR/id_rsa                        # the private key generated in step 7
if [ -z "$HOURS" ]; then               # HOURS can be overridden from the environment
  HOURS=<number of hours>
fi
/usr/bin/ssh-add -D                    # remove any identities already loaded in the agent
/usr/bin/ssh-add -t ${HOURS}H "$KEY"   # load the key; the agent forgets it after HOURS hours
/usr/sbin/diskutil umount force "$DIR" # eject the drive, so the key lives only in agent memory
9. Next give the load script run permission:
chmod +x /Volumes/<Thumbdrive name>/load
10. Now copy your public key to the clipboard:
pbcopy < /Volumes/<Thumbdrive name>/
11. Now add your public key to Github: <>
12. We can run the load script at the beginning of each day so that we can push to and pull from Github:
/Volumes/<Thumbdrive name>/load
Note: The script will automatically eject the drive after running.
Based on: Tammer Saleh’s post
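As an added example (not from the original post or from Tammer Saleh’s script), the checks below can sit at the top of the load script: they confirm the drive is mounted and holds the key, that HOURS is a sane number, that the private key is readable by its owner only, and that no copy of it has crept into the laptop’s own ~/.ssh, which is the whole point of keeping it on the drive. The volume name “Keys” and the 24-hour cap are assumptions; everything else follows the steps above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: preflight checks for the load
# script described above. They run before the key is handed to ssh-agent and
# skip the load if the setup would weaken the scheme. The volume name "Keys"
# and the 24-hour cap are assumptions made here, not values from the post.

# HOURS must be a positive whole number of hours (at most one day, since the
# post runs the script once each morning); ssh-add -t rejects anything else.
validate_hours() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
  esac
  [ "$1" -gt 0 ] && [ "$1" -le 24 ]
}

# The private key on the drive must be readable by its owner only (0600/0400).
# GNU stat is tried first, then BSD/macOS stat.
key_perms_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# The whole point is that no copy of the key lives on the laptop, so a stray
# id_rsa in the local .ssh directory means the scheme is already defeated.
no_local_key_copy() {
  [ ! -e "$1/id_rsa" ]
}

# preflight DRIVE_DIR HOURS LOCAL_SSH_DIR: returns 0 only if every check passes.
preflight() {
  dir=$1 hours=$2 ssh_dir=$3
  [ -d "$dir" ]                || { echo "drive not mounted: $dir" >&2; return 1; }
  [ -f "$dir/id_rsa" ]         || { echo "no id_rsa on $dir" >&2; return 1; }
  validate_hours "$hours"      || { echo "HOURS must be 1..24, got '$hours'" >&2; return 1; }
  key_perms_ok "$dir/id_rsa"   || { echo "$dir/id_rsa is readable by others" >&2; return 1; }
  no_local_key_copy "$ssh_dir" || { echo "stray id_rsa in $ssh_dir" >&2; return 1; }
}

# Run the checks, then load the key into the agent only if all of them pass.
DIR=${DIR:-/Volumes/Keys}
HOURS=${HOURS:-8}
if preflight "$DIR" "$HOURS" "$HOME/.ssh"; then
  /usr/bin/ssh-add -D                           # drop identities already loaded
  /usr/bin/ssh-add -t "${HOURS}H" "$DIR/id_rsa" # key expires after HOURS hours
  /usr/sbin/diskutil umount force "$DIR"        # eject; key now lives only in agent memory
fi
```

Run it in place of the load script, or copy the functions into the load script and call preflight before the ssh-add lines.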

Google Photos

Millions of photos and videos are taken every day (especially selfies) to immortalize trips, birthdays, parties, company events, etc., and afterwards we just share the best ones on Facebook, Twitter or Instagram while the rest end up on an external hard drive that we use for backups; we don’t print them anymore, which is causing photography retailers to go out of business.

Every year new cameras are released and they all come with crazy specs: gigantic resolutions for our photos, 4K video, etc. They are also getting smaller and smaller, but there is one key thing they are not getting: storage! Yes, we have these amazing cameras that can take ridiculously huge photos and super hi-res videos, but where do we store all this information?

I recently went to a beach in Mexico and took a scuba diving lesson which lasted around 45 minutes; since it was my first time I obviously recorded the entire thing, and it was a 6GB+ video! And that is just one of the 47 videos I took on that trip. I love reliving my trips by watching the videos and photos I take, but I know that if I just save all of these on a hard drive I’ll never plug it into my computer just to play them; I’d rather have them on my phone and play them whenever I have some time. I imported the videos and photos from the trip from the GoPro to my Mac using the new Photos app, but after a few of them were imported I saw the “iCloud Storage is Full” message. Apple gives you 5GB for free on iCloud, but I was importing a lot of photos and videos and quickly filled up my quota.

Luckily I remembered that Google released a new Google Photos service that gives you unlimited media storage for free! Yes, for FREE! Obviously there are T&C; if you are concerned about those you can read them here. This solved my storage problem: I’ll be able to keep taking lengthy videos and countless photos, store them in a cloud service and access them whenever I want on my Mac, iPhone or iPad.

There you go, you can now go to the Google Photos website and sign up for free with your Gmail account. If you don’t have a Gmail account you can create one (yes it is also free).

Some of the Google Photos features:

  • Upload Hi-Res photos and Videos
  • Unlimited storage
  • Folders (they are called collections)
  • Sharing to Facebook, Twitter or get a URL link
  • You can search (i.e. “photos taken in Canada”, “photos taken in a car”)
  • Google has an amazing algorithm that will automatically create “Stories” and “Movies” using your photos and videos, even stylized photos.

You can also read this cool Wired article about these features and what the T&C mean for professional photographers.

This is an example of an automatically generated stylized photo:

Styled Photo