TL;DR

  • App Transport Security exceptions shouldn’t be set in production builds.
  • If you use third-party networking libraries, verify that they actually establish a secure connection.
  • For high risk applications, use certificate pinning.
  • Always follow good mobile application development practices -> see our Guidelines on mobile application security — iOS edition.
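The third bullet above recommends certificate pinning for high-risk apps. As an added example (not code from the original post or from the SecuRing guidelines), below is a `URLSessionDelegate` that first lets the system perform its normal chain validation and only then compares the SHA-256 digest of the server's leaf certificate against a pinned set. The `pinnedLeafHashes` values are placeholders, and the service/class names are assumptions chosen for this example; the `SecTrustCopyCertificateChain` call requires iOS 15 / macOS 12 or later.

```swift
import Foundation
import CryptoKit

/// Added example: a URLSessionDelegate that pins the server's leaf certificate
/// by the SHA-256 of its DER encoding. Pinning is layered on top of, never
/// instead of, the system's own trust evaluation.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {

    /// Hex-encoded SHA-256 digests of the DER-encoded certificates we accept.
    /// PLACEHOLDER values (assumption): replace with the digests of the
    /// certificates your backend actually serves, and ship a backup pin so a
    /// planned rotation does not lock every user out.
    private let pinnedLeafHashes: Set<String> = [
        "0000000000000000000000000000000000000000000000000000000000000000",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

        // Only handle server-trust challenges; everything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation (chain to a trusted root, expiry, hostname, ATS policy).
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: compare the leaf certificate against the pinned digests.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if pinnedLeafHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Either an interception proxy with a trusted-but-unexpected CA, or a
            // rotated certificate whose pin was never shipped. Fail closed.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request made through this session goes through the pin check.
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: PinningSessionDelegate(),
                               delegateQueue: nil)
```

Pinning the leaf is the strictest option and means every certificate rotation needs an app update; pinning the SubjectPublicKeyInfo or an intermediate CA is the usual trade-off for operability. Whatever you pin, check it with an interception proxy before release: if the app still talks to the backend with the proxy's CA installed on the device, the pin is not being enforced.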

Context


Nowadays, Macs cannot be treated as a niche platform in companies. We meet Macs in companies of all sizes, from startups to enterprises with thousands of employees. It is no surprise that attackers have noticed this too. During security assessments, the SecuRing team has observed that Mac environments are usually quite immature compared with the widely adopted Windows environments. This article gives you 5 tips that radically improve the security of your macOS infrastructure.

Tip #1: Enroll your Macs into MDM


TL;DR

  • Keychain is the right place to store your small app’s secrets.
  • Entries saved in the Keychain can be additionally protected by setting proper accessibility and authentication flags.
  • Watch out what you synchronize with iCloud.
  • Files stored in the application container can also be additionally protected.
  • Always follow good mobile application development practices -> see our Guidelines on mobile application security — iOS edition.
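The first three bullets above (Keychain as the place for small secrets, accessibility and authentication flags, and care with iCloud synchronisation) are demonstrated together in the following added example. It is not code from the original post; the service and account names are assumptions chosen for illustration. The item is created with `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` and a `.biometryCurrentSet` access-control list, and is explicitly excluded from iCloud Keychain.

```swift
import Foundation
import LocalAuthentication

/// Added example: store a small secret so that it never leaves this device
/// and can only be read after the user authenticates with the currently
/// enrolled biometrics.
enum SecretStore {
    // Hypothetical identifiers, chosen for this example only.
    private static let service = "com.example.app.tokens"
    private static let account = "refresh-token"

    enum StoreError: Error { case accessControl(String), osStatus(OSStatus) }

    /// Saves `secret`, replacing any previous value.
    static func save(_ secret: Data) throws {
        var acError: Unmanaged<CFError>?
        // WhenPasscodeSetThisDeviceOnly: not migrated to backups or new devices,
        // and removed if the user disables the passcode.
        // .biometryCurrentSet: the item becomes unreadable if biometrics are
        // re-enrolled, so an attacker who adds their own face/finger gets nothing.
        guard let access = SecAccessControlCreateWithFlags(
            nil,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &acError) else {
            throw StoreError.accessControl(String(describing: acError?.takeRetainedValue()))
        }

        let query: [CFString: Any] = [
            kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
            kSecAttrSynchronizable: false,   // keep the item out of iCloud Keychain
        ]
        // Remove any earlier copy so the new access control is applied cleanly.
        SecItemDelete(query as CFDictionary)

        var addQuery = query
        addQuery[kSecValueData] = secret
        // kSecAttrAccessControl already carries the protection class; do not
        // also set kSecAttrAccessible on the same item, the two are exclusive.
        addQuery[kSecAttrAccessControl] = access
        let status = SecItemAdd(addQuery as CFDictionary, nil)
        guard status == errSecSuccess else { throw StoreError.osStatus(status) }
    }

    /// Reads the secret; the system shows the biometric prompt with `reason`.
    static func load(reason: String) throws -> Data? {
        let context = LAContext()
        context.localizedReason = reason
        let query: [CFString: Any] = [
            kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
            kSecAttrSynchronizable: false,
            kSecReturnData: true,
            kSecMatchLimit: kSecMatchLimitOne,
            kSecUseAuthenticationContext: context,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess: return item as? Data
        case errSecItemNotFound: return nil
        default: throw StoreError.osStatus(status)   // includes user cancel / auth failure
        }
    }
}
```

The point of the access-control list is that the authentication is enforced when the Keychain releases the item, not by an `if authenticated { ... }` branch in the app, so it is not a client-side boolean that can simply be patched out. The file-based analogue for the last bullet is the Data Protection class (for example writing with `.completeFileProtection`), which encrypts container files with keys that are only available while the device is unlocked.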

Background


What is the Keychain?


LPE in macOS

MacOS infrastructure


Some time ago I got stuck in the USA because of COVID-19. After coming back to Poland on an “evacuation flight” I had to undergo a mandatory 14-day quarantine. Every day the Polish Police visited me to check that I was staying at home and not going outside. As we all expected, this was a big overhead for the Police, since they had to visit every quarantined person each day. My friends told me that I could install an official government app that reports my location every day. After the installation, the user has to complete an everyday task…


Using iOS biometric features like Touch ID and Face ID is a really convenient way to authenticate a user before performing sensitive actions. Which actions, of course, depends on the app’s features. Usually, we test apps that use Touch ID/Face ID to log in and to confirm financial actions (e.g. a wire transfer). But can these checks be treated as 100% secure?

The answer is, of course, no. Biometric checks are performed on your device and, like any other client-side check, they can be bypassed if the attacker controls the application or the device. In this blog post, I want to show you how easy that hack…


Security is a topic that should also be considered by iOS developers. Since the platform cannot be treated as 100% secure, developers and the security team need to create a separate threat model for mobile applications.

In all the years iOS has existed, many different types of application vulnerabilities have been discovered. They pose a real risk and should be covered first! Once that is done, in most cases the fire has been put out.

However, if you are responsible for developing a high-risk application you will probably be interested in reaching a higher level of app resiliency. Before attackers…


Topic overview

Before the “Web server drivers” era, exploiting drivers on a machine was usually a means of local privilege escalation. You needed…


Security awareness usually leads to hardening our machines and infrastructure, teaching others and generally improving our environment. Both as private persons and as employers, we buy software that we rely on. We trust WAFs, network security software and anti-malware apps, but do we actually test them? Would you fully validate the input coming from trusted anti-malware software hosted on your server? The case described here happened for real during a pentest that I performed with the SecuRing team.

What is Metadefender?

Cloud-based data sanitization (Content Disarm & Reconstruction), vulnerability detection and multi-scanning with options for free and commercial users

So, Metadefender allows you to…

Wojciech Reguła

Web apps / iOS / macOS security & blogger — https://wojciechregula.blog