I’m a software engineer and really enjoy using technology, but I love using technology to solve problems and make people’s lives better. For the last six years of my professional career I’ve been focused on mobile development, mainly iOS Applications, but two years ago I started a new adventure in the technology field: Software Security. Software security can be divided into many subcategories like Network Security, Application Security, Cloud Security, Cryptography, etc., and these subcategories can also be divided into more subcategories. For example, Application Security can be divided into Web Application Security, Mobile Application Security, etc. This meant that I had many options to choose from, but not enough time to pursue or learn all of them.
Since I was already a Mobile Software Developer, I started learning about mobile application security, more specifically how to develop more secure iOS Apps. I knew the iOS platform, the internal structure and the lifecycle of iOS apps, the language (Objective-C) and, more importantly, “how an iOS Engineer thinks” while developing iOS Apps.
When downloaded from the App Store, all iOS Apps are encrypted using Apple’s FairPlay DRM technology. This means that in order to analyze an iOS App, it needs to be decrypted first. The first thing I needed to learn was: how could an attacker decrypt iOS Apps? It turns out that it is very simple: the OS needs to decrypt the app in order to run it, so an attacker can simply dump the memory space where the app is allocated and voilà, the attacker has a decrypted version of the iOS App. After obtaining the decrypted app, the attacker can start a static analysis of the iOS App. This would reveal almost all (sometimes all) of the functionality that the app provides: Class names, Methods, String Constants, Execution Flow, etc. After this I also learned that there are tools to manipulate iOS Apps at runtime. This was huge, because with all the knowledge an attacker has from a static analysis it is very easy to attack iOS Apps at runtime by changing their behaviour using function hooking techniques. There is also a tool called cycript that can be installed on a jailbroken iPhone and then attached to a running process to manipulate its behaviour.
After learning and practicing all these techniques and technologies (tools) a lot, I gave a presentation called “Reverse Engineering iOS Apps” where I reverse engineered an iOS App and exposed its methods and classes as well as its “debug” code (that made it to production) and finally created a fake loyalty card with 1M (1,000,000) points.
These attacks are very dangerous, but an attacker has more attack vectors. iOS Apps are usually not standalone; they often communicate with a backend server. This allows companies to use the client-server architecture, where most of the logic is on the server side and the client is mainly the “front face” of the system, including user input data that the server needs for its business logic. This means that on top of attacking and controlling an iOS App, an attacker will probably want to attack its backend system as well. The most common attack on the communication between an iOS App and a server is a Man-in-the-Middle (MitM) attack, where an attacker can see the plaintext data sent from the iOS App to the server even if this connection is over HTTPS (SSL/TLS). This could help an attacker understand the public/private APIs that the server provides.
I was able to “hack” iOS Apps and the communication between them and a server after a few months of practicing. There are people that have been doing this for years! This showed me that we needed to stop looking at mobile software security as a “feature that we will implement later”.
The learning process
The way I learned how to reverse engineer iOS Apps was by reading a lot of blog posts and subreddit lists, watching YouTube videos, and also searching through jailbreak forums: basically a mix of posts from iOS security experts and amateur developers. This was “easy” because I was trying to break into apps and nothing “bad” would happen if it didn’t succeed. But if I needed to put into practice a plan to secure production-ready iOS Apps, I needed to learn best practices, concepts and industry standards from sources other than blog posts and subreddit lists.
This is how I started a new phase in my life: signing up for MOOCs. I signed up for courses like Cryptography I (Coursera), Applied Cryptography (Udacity), Intro to Machine Learning (Udacity), and even a Stanford Certificate: Stanford Advanced Computer Security Certificate. Even though they were online courses and in some you choose your pace, it is very difficult to find time for them. I failed on my first attempts to finish some of these courses. I had to find at least 1 hour a day to watch the videos in order to succeed. This is when I realized that I could do it over lunch, so I started to watch the videos of the courses while eating lunch (and I still do it). This approach gave me the opportunity to learn a lot faster; before, I was just dedicating a couple of hours a month.
One of the topics that captured my passion was cryptography. After watching a few videos of Dan Boneh explaining stream ciphers and block ciphers I was hooked! Cryptography could help me solve some of the security problems that I had with iOS Apps and, more importantly, this solution could be applied to literally any iOS Application out there. Being passionate about cryptography meant that I was going to immerse myself in the world of cryptography; I’d try to absorb all the concepts, all the real world use cases and all the best practices related to cryptography. I signed up for all the cryptography courses that I could find, watched as many videos about crypto on YouTube as I could and also bought a few cryptography books. This doesn’t mean that I’m a cryptographer or that I’m even close to being one, but I was very excited to have found a field in security that I was (and still am) very passionate about.
Now, back to securing iOS Apps. Understanding what an attacker could do with vulnerable iOS Apps gave me a good perspective on how to start building better and more secure iOS Applications. And the online courses were teaching me core concepts, best practices and common solutions to known software attacks. But best of all was that these courses were teaching me how to properly protect data using cryptography and how to avoid common mistakes while creating cryptographic systems. (Again, this didn’t mean that I was a cryptography expert and could design any cryptosystem.)
The phrase “with great power comes great responsibility” came to mind. Not only did I need to start building better and more secure apps, but I wanted to share my findings and everything new I was learning as well. So I decided to start giving tech talks about software security in my employer’s office. Some of the titles were: “Office Information Security (phishing, malware, ransomware)”, “Hashing Passwords: Why and How”, “Let’s talk about Encryption and how to use it in our apps”. I wanted (and still want) to spread software security awareness and get all of my peers involved, or at least as many as possible. The more people we were, the more eyes and brains we could have to view and think about software security from different perspectives.
On top of my talks I wanted to give something back to the community, not only by reaching the people in my office but also other iOS Engineers that were probably trying to solve the same problems that I was. They could be working either in a consulting company or in a product company or both, and if I was already learning all these “new” techniques, why not share them with a broader audience? First I thought of creating videos explaining security topics and best practices, and maybe even showing a few implementations, then uploading them to YouTube or Vimeo. But the problem with this idea was that if it was difficult for me to allocate time for watching my courses’ videos, well, it would also be difficult for other engineers.
What I decided to do instead was to create an iOS Crypto Library. This library was aimed at providing basic cryptographic functions like symmetric and asymmetric encryption and decryption, as well as more advanced techniques like Authenticated Encryption with Associated Data (AEAD). Since this library is targeted at iOS developers, I also wanted to add a simple interface to add TouchID and User Password protection to items saved in the Keychain (this is a very important feature, since an attacker using a jailbroken iPhone can access the items within the Keychain by dumping its contents).
I basically created an iOS Crypto Library that could (hopefully) help developers integrate cryptography into their Apps in a safe and consistent manner. One key aspect of my vision was (and still is) that this library had to be open source. By open-sourcing the library I was ensuring that other engineers could look at the source code and report bugs, point out vulnerabilities and add more features, but also that anyone would be able to use it!
So this is it: this is my greatest contribution to the community to date and the most innovative “thing” I’ve done (so far). It will hopefully help developers solve real world problems. If this library helps at least one developer, all my effort, all my time and all my energy will have been worth it.
Please read the disclaimer: I’m not a cryptographer