From 2b8f370534873a65403e202fe26a2d6fd7a916b5 Mon Sep 17 00:00:00 2001 From: Carl J Nash Date: Thu, 8 Jun 2023 07:46:06 +0100 Subject: [PATCH] WIP --- .markdownlint.json.bak.json | 5 + .markdownlint.yaml | 7 + Gemfile | 2 + Gemfile.lock | 1 + _layouts/page_toc.html | 3 + _posts/2023-05-04-ios-app-security.md | 310 ++++++++++++++++++++++++++ _tabs/about.md | 71 +++++- _tabs/experience.md | 39 +++- 8 files changed, 428 insertions(+), 10 deletions(-) create mode 100644 .markdownlint.json.bak.json create mode 100644 .markdownlint.yaml create mode 100644 _layouts/page_toc.html create mode 100644 _posts/2023-05-04-ios-app-security.md diff --git a/.markdownlint.json.bak.json b/.markdownlint.json.bak.json new file mode 100644 index 0000000..6b1fef4 --- /dev/null +++ b/.markdownlint.json.bak.json @@ -0,0 +1,5 @@ +{ + "no-inline-html": { + "allowed_elements": [ "div", "details", "h1", "p" ] + } +} \ No newline at end of file diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 0000000..3114517 --- /dev/null +++ b/.markdownlint.yaml @@ -0,0 +1,7 @@ + +MD013: + line_length: 1000 + +MD033: + # Allowed elements + allowed_elements: ["div","details","summary"] \ No newline at end of file diff --git a/Gemfile b/Gemfile index ab50fd7..67d105f 100644 --- a/Gemfile +++ b/Gemfile @@ -6,6 +6,8 @@ gem "jekyll-theme-chirpy", "~> 5.6", ">= 5.6.1" gem 'jekyll-compose', group: [:jekyll_plugins] +gem 'jekyll-seo-tag', group: [:jekyll_plugins] + group :test do gem "html-proofer", "~> 3.18" end diff --git a/Gemfile.lock b/Gemfile.lock index 2a2b520..731506f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -109,6 +109,7 @@ DEPENDENCIES html-proofer (~> 3.18) http_parser.rb (~> 0.6.0) jekyll-compose + jekyll-seo-tag jekyll-theme-chirpy (~> 5.6, >= 5.6.1) tzinfo (>= 1, < 3) tzinfo-data diff --git a/_layouts/page_toc.html b/_layouts/page_toc.html new file mode 100644 index 0000000..125e836 --- /dev/null +++ b/_layouts/page_toc.html 
@@ -0,0 +1,3 @@ + + +{{ content }} \ No newline at end of file diff --git a/_posts/2023-05-04-ios-app-security.md b/_posts/2023-05-04-ios-app-security.md new file mode 100644 index 0000000..a462b23 --- /dev/null +++ b/_posts/2023-05-04-ios-app-security.md 
@@ -0,0 +1,310 @@ +--- +layout: post +title: iOS App Security +date: 2023-05-04 15:18 +0100 +--- + + +![headerImage](https://9to5mac.com/wp-content/uploads/sites/6/2022/10/apple-security.jpg) + +Apple provides many built-in security features for iOS apps. + +## App Distribution + +To provide a level of security and safety, Apple do not allow side-loading apps on iOS devices. That is, apps can only be distributed via the [App Store](#app-store) and the Apple Developer [Enterprise Program](#enterprise-program). + +There are ways around this, ie. [Jailbreaking](#jailbreaking) a device, but this is not something most general users will do. + +### App Store + +For an app to be made available on the App Store, it must be signed with a valid code signing identity (profile & certificate) by an authorised Apple Developer account. + +The app must also be reviewed and approved by Apple. + +### Enterprise Program + +The [Apple Developer Enterprise Program](https://developer.apple.com/programs/enterprise/) is a service allows organisations to distribute apps in-house to employees, avoiding the App Store. + +For a device to run an enterprise app, the user must first install and authorise the relevant enterprise profile. Enterprise apps must still be signed using a valid profile and certificate by an authorised Apple Developer Enterprise Account. + +## iOS Security + +Once an app is installed iOS provides further security measures. + +### Code signing + +iOS only allows executable code signed by a valid profile/certificate to run on the device. + +Code signing also ensures that the code hasn't changed since being installed/last updated. 
+ +Code signing requires: + +- Authorised Apple developer account +- Valid distribution certificate +- Valid distribution profile + +[support.apple.com/en-gb/guide/security/sec7c917bf14/1/web/1](https://support.apple.com/en-gb/guide/security/sec7c917bf14/1/web/1) + +### Runtime Processes + +> iOS and iPadOS help ensure runtime security by using a “sandbox”, declared entitlements and Address Space Layout Randomisation (ASLR). + +[support.apple.com/en-gb/guide/security/sec15bfe098e/web](https://support.apple.com/en-gb/guide/security/sec15bfe098e/web) + +#### Sandbox + +Apps are "sandboxed" to restrict access outside of their designated directory. + +[support.apple.com/en-gb/guide/security/sec15bfe098e/1/web/1](https://support.apple.com/en-gb/guide/security/sec15bfe098e/1/web/1) + +#### Entitlements + +Apple's "permission" system for which systems apps can access and actions they can perform on the system, eg.: + +- Background tasks +- Keychain +- Location +- Microphone +- Camera +- Photo library + +### ATS (App Transport Security) + +ATS ensures that all network connections are secure using HTTPS/TLS. + +This can be overridden if needed but a suitable reason must given when submitting the app to App Store review. + +> App Transport Security provides default connection requirements so that apps adhere to best practices for secure connections when using NSURLConnection, CFURL or NSURLSession APIs. + +[support.apple.com/en-gb/guide/security/sec100a75d12/1/web/1](https://support.apple.com/en-gb/guide/security/sec100a75d12/1/web/1) + +## Security Tools + +### Apple Security Tools + +Apple provide tools and features that the developer can use to further enhance security. + +Apple's [Security](https://developer.apple.com/documentation/security) framework provides tools such as: + +#### iOS Keychain + +> The infrastructure and a set of APIs used by Apple operating systems and third-party apps to store and retrieve passwords, keys and other sensitive credentials. 
+ +This is a specialised database for storing confidential data. + +If storing passwords in the Keychain, these should be salted and hashed rather than stored in plain-text. + +
+Code sample: Hash password: + +```swift +import CryptoKit +import CommonCrypto + +func hashPassword(password: String) -> String? { + guard let salt = generateSalt() else { + return nil + } + + let passwordData = Data(password.utf8) + let saltData = Data(salt.utf8) + var hashData = Data(count: Int(CC_SHA256_DIGEST_LENGTH)) + + guard CCKeyDerivationPBKDF( + CCPBKDFAlgorithm(kCCPBKDF2), + password, passwordData.count, + salt, saltData.count, + CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), + 10000, // iterations + &hashData, hashData.count) == kCCSuccess else { + return nil + } + + let saltString = saltData.base64EncodedString() + let hashString = hashData.base64EncodedString() + return "\(saltString):\(hashString)" +} + +private func generateSalt() -> String? { + let count = 32 + var bytes = [UInt8](repeating: 0, count: count) + + let result = SecRandomCopyBytes(kSecRandomDefault, count, &bytes) + guard result == errSecSuccess else { + return nil + } + + return Data(bytes).base64EncodedString() +} +``` + +
+ +
+Code sample: Save password to keychain + +```swift +import Foundation +import Security + +func savePasswordToKeychain(password: String) -> Bool { + let service = "com.example.app" + let account = "user123" + + guard let passwordData = password.data(using: .utf8) else { + return false + } + + let query: [String: Any] = [ + kSecClass as String: kSecClassGenericPassword, + kSecAttrService as String: service, + kSecAttrAccount as String: account, + kSecValueData as String: passwordData + ] + + let status = SecItemAdd(query as CFDictionary, nil) + return status == errSecSuccess +} +``` + +
+ +--- + +NOTE: The code for interacting with the Apple Keychain is written in C, so to make this a little easier for iOS developers to work with Apple have a [sample project](https://developer.apple.com/library/archive/samplecode/GenericKeychain/Introduction/Intro.html#//apple_ref/doc/uid/DTS40007797-Intro-DontLinkElementID_2) which uses a Swift wrapper. + +#### iOS Secure Enclave + +> The Secure Enclave is a system on chip (SoC) that is included on all recent iPhone, iPad, Apple Watch, Apple TV and HomePod devices, and on a Mac with Apple silicon as well as those with the Apple T2 Security Chip. The Secure Enclave itself follows the same principle of design as the SoC does, containing its own discrete Boot ROM and AES engine. The Secure Enclave also provides the foundation for the secure generation and storage of the keys necessary for encrypting data at rest, and it protects and evaluates the biometric data for Face ID and Touch ID. + + + +### Third Party Security Tools + +Aside from the Apple security tools, there are many third party tools and services that can be used to improve security in various areas, such as: + +#### Certificate pinning + +- [TrustKit](https://github.com/datatheorem/TrustKit) + +#### Obfuscation + +[Security Through Obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) + +#### Cryptography + + + +If your app minimum SDK is iOS 13 or newer then you can use Apple's [CryptoKit](https://developer.apple.com/documentation/cryptokit/). +> Use Apple CryptoKit to perform common cryptographic operations: +Compute and compare cryptographically secure digests. +Use public-key cryptography to create and evaluate digital signatures, and to perform key exchange. In addition to working with keys stored in memory, you can also use private keys stored in and managed by the Secure Enclave. +Generate symmetric keys, and use them in operations like message authentication and encryption. +Prefer CryptoKit over lower-level interfaces. 
CryptoKit frees your app from managing raw pointers, and automatically handles tasks that make your app more secure, like overwriting sensitive data during memory deallocation. + +If your app supports older than iOS 13 then you can use the open-source library [CryptoSwift](https://github.com/krzyzanowskim/CryptoSwift). + +## Data Security + +When it comes to app security that the developer should be concerned with, these can be grouped into [local data](#local-data) and [networking data](#network-data). + +### Local Data + +Local data is anything that is stored on the device, this could be in the compiled code, User Defaults, Keychain, on-disk, etc. + +#### Compiled Data + +Compiled data can include the app code, but it can also include any other files such as the `Info.plist` or other files that are included with the app archive. + +The app code is obfuscated when it is packaged into a `.ipa` file. This obfuscation can provide some level of protection, but it can be easily de-obfuscated. + + +##### Secrets + +Secrets can be any confidential values that the app uses for communication/encryption, etc. + +- [nshipster.com/secrets](https://nshipster.com/secrets/) +- [nshipster.com/swift-gyb](https://nshipster.com/swift-gyb/) + +###### API Key + +What are API keys? + +###### Access token + +Is an access token the same as an API key? + +#### Runtime Data + +- User data +- Refresh token + +The most secure way to store data is to not store data. + +If the app must store data, then the following options are available to store this data securely: + +- Data storage + - Keychain + - Secure enclave + - [Encryption](#encryption) + - Obfuscation + +### Network Data + +All network data to and from the app should be [authenticated](#authentication), [authorised](#authorisation) and [encrypted](#encryption). + +#### Authentication vs Authorisation + +##### Authentication + +Authentication is proving who you are. + +We can authenticate the user, and also the app. 
+ +##### Authorisation + +Authorisation defines what you are allowed to do. + +- [Certificate Pinning](#certificate-pinning) + - [OAuth 2.0](#oauth-20) + - [JWT](#jwt) + +#### Encryption + +SOMETHING ABOUT ENCRYPTION + +#### ATS + +App Transport Security. + +Only allows secure network connections via HTTPS protocol. + +#### Certificate Pinning + +Preventing MITM (man in the middle) attacks. + +#### OAuth 2.0 + +Authorisation rather than authentication. + +#### OWASP + +[owasp.org](https://owasp.org) + +#### JWT + +> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a way to securely transmit information. + +## Source Control + +- If you commit sensitive information to a source control repository then there's a possibility it could be leaked or accessed by unauthorised person(s). + +--- + +## Useful Links + +- [Apple's Platform Security Guide](https://help.apple.com/pdf/security/en_GB/apple-platform-security-guide-b.pdf) diff --git a/_tabs/about.md b/_tabs/about.md index 5e6f93b..23c6ad0 100644 --- a/_tabs/about.md +++ b/_tabs/about.md 
@@ -4,15 +4,76 @@ icon: fas fa-info-circle order: 4 --- -Hi, I'm Carl. +# Hi, I'm Carl I'm a plant-powered 🌱 dad, cyclist 🚴 and software (iOS) engineer 💻. +I've been a dish-washer, a vehicle mechanic and a software developer. + + + +## Vehicle Mechanic + + + +I started my apprenticeship in 1997, working as a mechanic on-and-off until 2007. + +I was mostly working on older vehicles, mainly because newer vehicles didn't need much work for a good few years, and people tended to keep cars for longer back then. + +The vehicles I worked on could be from the early '80s up to mid '90s. These were very different from the cars of today. + +![Ford Fiesta](https://www.admiral.com/sites/default/files/public/inline-images/Ford%20Fiesta_1.jpg) + +The garage that I served my time at (Forth Auto Electrics), was a small family run business in Fife, Scotland. + +There was the owner and his two sons, his brother, and his brother's son. + +The owner and his sons were all auto electricians. The owner's brother and his son were general mechanics. I joined the mechanical side of the business. + +## Software Development + +### Education + +My first coding experience was back in the mid '80s when I learned to change the screen colour on my Amstrad CPC-464 with keyboards commands. + +Throughout my teenage years I did a lot of playing around with computers, building them, reinstalling Windows (many, many time)s, and had a general interest in how they worked, but I didn't have a strong feeling that I would ever get into the software side of things. That seemed like a thing that smart people did who did well at school. + +In 2007 I started a one-year HNC (Higher National Certificate) in Computing at Edinburgh Telford College. This was a general computing course to help you find the area(s) that you were interested in to then go on to further study. + +I had no idea what I was going to do after this course, but I knew I needed a change from mechanics. 
+ +Towards the end of the course most of my classmates were applying for university. I had never considered university before and I wasn't sure if it was for me - I had dropped out of high school at the age of 16 with no qualifications, dismayed by education. + +I decided to apply for university as I didn't have any idea what else I would do. I didn't expect that a HNC in Computing would open up many opportunities for work. + +I was accepted for a place at Edinburgh Napier University on their BSc Computing course. This was a four-year course with options for different modules throughout the course. I chose to take modules related to mobile app development as this interested me more than the other options. + +These modules focussed more on Android more than iOS, presumably because of the costs involved with requiring Apple Mac's and Apple Developer accounts for iOS development. I gave Android development a go for a week or two before getting so frustrated with the maze of dependencies that I asked if I could pass the module doing iOS development instead - to which they agreed, and this began my iOS development journey. + + + +## Career + I've been a developing iOS apps professionally since 2013. -Pre-software dev I was a vehicle technician. +### NN4M + +I began my career with NN4M (No Need 4 Mirrors), a young Edinburgh based mobile app agency specialising in transactional retail apps. + +When I graduated uni I still didn't feel ready to get into the world of software development. I went back to working in my old garage for a while as I needed to earn some money, and they would always take me back as they were quite busy and struggled to find good mechanics that would fit with their workplace environment. + +I lived in Edinburgh at the time and I remember using my train journey home as thinking time, and at this time I was really contemplating what I was going to do. Would I end up staying as a mechanic full-time? would I start up my own garage? 
Then very serendipitously, I received a text message from my college friend, Pete - he said that his workplace (NN4M) was looking for iOS developers and that he could refer me. + +I was nervous about it, but I knew I had to give it a go. +I hadn't done much iOS dev lately, so was pretty rusty. +I went in for the interview, suited up to the max! +I felt like it went pretty well. Although I probably charmed them more with my suit and big smile, than with my software engineering knowledge. -My first memory of being fascinated with computers was back in the mid '80s when I learned to change the screen colour on my Amstrad CPC-464 using keyboards commands. -I also have strangely fond memories of playing a game about house mortgages on the computer. +I then got a take-home tech test to do, to make an app that would fetch a list of items and display them in a list. This was a feature that basically all of their apps had for displaying lists of products for sale that you can then tap on to see more detail. -Feel free to browse around and find out a bit more about me, or [get in touch](mailto: {{ site.social.email }} ). +I think I took at least a week, maybe more, to complete it. I managed to buy more time with some excuse I don't remember now. diff --git a/_tabs/experience.md b/_tabs/experience.md index 4d16209..55634a6 100644 --- a/_tabs/experience.md +++ b/_tabs/experience.md @@ -10,15 +10,34 @@ toc: true
-A senior iOS engineer with lead experience, developing mobile apps professionally since 2013. +As you may have read in my [about](./about.md) page, my previous career was as a vehicle mechanic. -Worked with clients ranging from small startups to multi-national corporations in various sectors including: retail, fintech, digital health and social networking. +### Beginning -Experience both as a solo developer and as part of large multi-platform teams, as well as leading small iOS development teams. +My dev career started in 2013 when I got my first break as a graduate iOS developer at [NN4M](#nn4m-no-need-4-mirrors--ios-engineer--apr-2013---oct-2017). -Working pragmatically, understands how to deliver what the client needs. Utilises tactical and strategic solutions to meet clients’ priorities and expectations. +Since then I've progressed from grad, to junior, to senior, and also dabbled with lead developer roles. + +### Sectors + +I've worked in a few different sectors; including retail, digital health, fintech and most recently social networking. + +I've worked as a solo developer, on small 1-3 dev teams, and in larger 30+ dev teams. + +### Strengths + +My strengths lie in being a good all-round software engineer and team member. I don't concern myself with being the "smartest" developer in the room that can write the cleverest algorithms in a one-liner, or abstract the heck out of a networking layer to make it work for every possible scenario at the cost of readability and maintainability. + +If I had to pick some words to describe myself as a software engineer, I'd say: -Possesses the technical and communication skills required to be a key member of a successful software development team. Experience of taking many successful apps from conception to App Store. +- Pragmatic + - Understanding when to use a tactical or a strategic approach to get the work done, depending on the needs of the client and the team at the time. 
+ - Strategic: If we need to implement an important new feature that is going to be a big part of a future release, then this probably requires a strategic approach to plan it out and ensure that users have the best experience when first using the feature and we won't need to be shipping regular updates and hot-fixes to resolve issues once it's out in the wild. + - Tactical: If users are experiencing an issue with the app or we're getting a lot of negative feedback about a feature and we need to resolve this quickly, then this probably requires a tactical approach to get a quick fix out that improves the situation quickly, while we work on a more refined long-term solution. +- Wholistic + - Look at the bigger picture \ + +### Clients Notable clients include: ___Virgin Money/Clydesdale Bank___, @@ -31,6 +50,16 @@ ___House of Fraser___, ___Debenhams___, and ___Saks Fifth Avenue___. + +
## SKILLS
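Review bot: `.markdownlint.json.bak.json` looks like an editor backup that should not be committed; it carries a second `no-inline-html` / `allowed_elements` list (`"div", "details", "h1", "p"`) that already disagrees with the `"div","details","summary"` list in the new `.markdownlint.yaml`, so the two will drift. Suggest dropping it from the commit (or adding `*.bak*` to `.gitignore`); if it is kept, add the missing newline at end of file.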
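Review bot: in `.markdownlint.yaml`, `MD013: line_length: 1000` effectively disables the line-length rule while looking like a limit; `MD013: false` states the intent. The file also starts with an empty line and ends without a newline, and `MD012` (no multiple blank lines) is left enabled although this same commit adds runs of consecutive blank lines to `_tabs/about.md` and `_tabs/experience.md`, so the linter will flag the content being added.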
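Review bot: `gem 'jekyll-seo-tag', group: [:jekyll_plugins]` is the only gem in the visible `Gemfile` lines without a version constraint (`"~> 5.6"`, `"~> 3.18"` elsewhere); pin it, e.g. `gem 'jekyll-seo-tag', '~> 2.8', group: [:jekyll_plugins]` (version is a suggestion, check the current release). The `Gemfile.lock` hunk only adds the name under `DEPENDENCIES` and no new `specs` entry, which implies the gem was already resolved transitively through the theme; confirm the lock was regenerated with `bundle install` rather than hand-edited.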
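Review bot: `_layouts/page_toc.html` consists of two empty lines and `{{ content }}` with no front matter, so it neither inherits a parent layout (for example `layout: page`) nor renders a table of contents as its name implies; any page using it would lose the site chrome. Either complete it or leave it out of this WIP commit, and add the newline at end of file.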
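Review bot: the PBKDF2 sample in `_posts/2023-05-04-ios-app-security.md` does not compile as written: `&hashData` on a `Data` value cannot be passed where `CCKeyDerivationPBKDF` expects `UnsafeMutablePointer<UInt8>`; wrap the call in `hashData.withUnsafeMutableBytes { $0.bindMemory(to: UInt8.self).baseAddress }` (and pass the salt via `saltData.withUnsafeBytes`), and drop the unused `import CryptoKit`. `generateSalt()` returns base64 text which is then re-encoded as UTF-8 and base64-encoded again for output, so the stored salt is base64 of base64; return the raw `Data` instead. The surrounding prose should also say why a password is hashed before going into the Keychain: the Keychain already encrypts the item, and a PBKDF2 digest is only useful for local verification, not for later submission to a server. In `savePasswordToKeychain`, `SecItemAdd` returns `errSecDuplicateItem` on the second call for the same service/account, so the function returns `false` after the first save; handle that with `SecItemUpdate` (or delete then add) and set a `kSecAttrAccessible` value such as `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`. Elsewhere in the post: "The app code is obfuscated when it is packaged into a `.ipa` file" is not accurate, compilation is not obfuscation and symbol names and string literals stay readable unless an obfuscator is used, which is what the next sentence about easy de-obfuscation is really describing; "is a service allows organisations" is missing "that"; "a suitable reason must given" is missing "be"; Certificate Pinning is listed as a sub-item of Authorisation although it is a transport-level control, not an authorisation mechanism; and the placeholders "SOMETHING ABOUT ENCRYPTION", "What are API keys?" and "Is an access token the same as an API key?" are unfinished, as is the hotlinked 9to5mac header image, which should be copied into the repo.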
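Review bot: in `_tabs/about.md`, the new text has typos: "(many, many time)s" should be "(many, many times)", "Apple Mac's" should be "Apple Macs", and the unchanged context line "I've been a developing iOS apps" should read "I've been developing iOS apps". The removed line `[get in touch](mailto: {{ site.social.email }} )` was the page's only contact link, so check that was intentional, and `# Hi, I'm Carl` adds an H1 to a tab whose title the theme already renders. The Ford Fiesta image is hotlinked from admiral.com; copy it into the repo to avoid a broken or disputed image.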
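Review bot: in the first `_tabs/experience.md` hunk, "Wholistic" should be "Holistic", and the item "Look at the bigger picture \" ends in a Markdown hard line break with nothing after it, so the bullet is unfinished. The link `[NN4M](#nn4m-no-need-4-mirrors--ios-engineer--apr-2013---oct-2017)` relies on the exact slug the theme generates for a heading lower on this page; verify it resolves after the rename, since the heading itself is not in this diff.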
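Review bot: the second `_tabs/experience.md` hunk (`@@ -31,6 +50,16 @@`) adds only blank lines before `## SKILLS`; consecutive blank lines trip markdownlint's `MD012`, which the new `.markdownlint.yaml` does not disable, so either collapse them to one or disable that rule deliberately.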