Category Archives: Crypto
Security consultancy from the other side
I used to run an application security consultancy business, back before the kinds of businesses who knew they needed to consider application security had got past assessing creating mobile apps. Whoops! Something that occasionally, nay, often happened was that clients … Continue reading
Posted in Crypto, Encryption, Policy
Password checking with CommonCrypto
I previously described a system for storing and checking credentials on Mac OS and iOS based on using many rounds of a hashing function to generate a key from the password. Time has moved on, and Apple has extended the … Continue reading
Posted in Authentication, code-level, Crypto, password
1 Comment
TDD and crypto in one place
Well, I suppose if I’ve written two books, it’s about time I wrote a contorted blog post that references both of the worlds. I recently wrote an encryption module for an app, and thought it’d be useful to share something … Continue reading
Posted in code-level, Crypto, TDD
On the magic of key agreement
Imagine that you want to implement AirDrop, or something like it. Two computers that have (possibly) never communicated before are going to share a file. Now you know that you want to encrypt the file in transit so that only … Continue reading
Posted in Crypto
On privacy, hashing, and your customers
I’ve talked before about not being a dick when it comes to dealing with private data and personally-identifying information. It seems events have conspired to make it worth diving into some more detail. Only collect data you need to collect … Continue reading
Posted in Business, Crypto, Data Leakage, Privacy, Responsibility
On explaining stuff to people
An article that recently made the rounds, though it was written back in September, is called Apple’s Idioten Vektor. It’s a discussion of how the CCCrypt() function in Apple’s CommonCrypto library, when used in its default cipher block chaining mode, … Continue reading
Posted in books, Crypto, documentation, Encryption, iPad, iPhone, Mac, PCAS
On the top 5 iOS appsec issues
Nearly 13 months ago, the Intrepidus Group published their top 5 iPhone application development security issues. Two of them are valid issues, the other three they should perhaps have thought longer over. The good Sensitive data unprotected at rest Secure … Continue reading
Posted in buffer-overflow, code-level, Crypto, Data Leakage, Encryption, iPad, iPhone, ssl, Updates, user-error, Vulnerability
2 Comments
Storing and testing credentials: Cocoa Touch Edition
This article introduces the concept of key stretching, using code examples to explain the ideas. For code you can use in an app that more closely resembles current practice, see Password checking with CommonCrypto. There’s been quite the media circus … Continue reading
Posted in Authentication, code-level, Crypto, iPad, iPhone, Mac, password, PCAS
7 Comments
On cryptographic file storage
In Chapter 3 of Professional Cocoa Application Security, I talk about using CommonCrypto to encrypt files stored on either Mac or iOS file systems. In Chapter 4, I talk about using CommonCrypto to generate Hashed Message Authentication Codes (HMACs) to … Continue reading
Posted in code-level, Crypto
On the broken(?) Mac App Store
A day after the Mac App Store was launched, people are reporting that it has been cracked. There are two separate stories here, a vapourware circumvention of the FairPlay DRM used to generate the receipts and a report that certain … Continue reading
Posted in Business, Crypto, Encryption, Mac, Vulnerability
1 Comment