Securing Your iOS Apps in the Field

Jul 27, 2020

Securing Your iOS Apps in the Field

Suganya Baskaran

Services Security

ArcGIS

Local Data Security

App Security

Securing your app in the field

Concern: How can I protect my app?

Local Authentication

• Use device’s Touch ID - Two Models

1. Stand Alone Local Authentication
- Provides access to app
- Acts as a checkpoint
- Fall back – Custom authentication

2. Local Authentication Integration With Keychain
- Provides access to app + Authenticates Users
- Allows users to stay signed in
- Fall back – Device’s passcode

Demo – Local Authentication

Stand Alone Local Authentication

• Import Local Authentication framework
• Create an instance of LAContext
• Evaluate Policy for Biometrics
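
The three steps above as an added Swift example, not code from the presentation or the demo. `GateResult`, `evaluateBiometricGate` and the "Use app PIN" label are hypothetical names; the custom authentication screen the fallback leads to is assumed to exist elsewhere in the app.

```swift
import Foundation
import LocalAuthentication   // step 1: import the framework

/// Outcome of the stand-alone checkpoint (hypothetical type for this example).
enum GateResult {
    case unlocked            // biometric match succeeded
    case useCustomFallback   // hand over to the app's own authentication screen
    case denied              // cancelled or failed; keep the app locked
}

/// Runs the biometric checkpoint and reports the outcome on the main queue.
func evaluateBiometricGate(reason: String,
                           completion: @escaping (GateResult) -> Void) {
    let context = LAContext()                        // step 2: one context per attempt
    context.localizedFallbackTitle = "Use app PIN"   // label of the fallback button

    let policy = LAPolicy.deviceOwnerAuthenticationWithBiometrics
    var policyError: NSError?
    guard context.canEvaluatePolicy(policy, error: &policyError) else {
        // No sensor, nothing enrolled, or biometrics locked out:
        // go straight to the custom authentication fallback.
        DispatchQueue.main.async { completion(.useCustomFallback) }
        return
    }

    // step 3: evaluate the biometrics policy; the reply arrives on a private queue.
    context.evaluatePolicy(policy, localizedReason: reason) { success, error in
        let result: GateResult
        if success {
            result = .unlocked
        } else if let laError = error as? LAError {
            switch laError.code {
            case .userFallback, .biometryLockout,
                 .biometryNotAvailable, .biometryNotEnrolled:
                result = .useCustomFallback
            default:
                // .userCancel, .systemCancel, .authenticationFailed, ...
                result = .denied
            }
        } else {
            result = .denied
        }
        DispatchQueue.main.async { completion(result) }
    }
}
```

The stand-alone model only returns a success flag to the app, which is why it acts as a checkpoint; credentials that must stay protected belong to the Keychain-integrated model.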

Securing your services in the field

Concern: Do the right people have access to the services?

Authentication

• Set up at Server / Portal
• Types of Authentication Mechanisms
- Token based
  - External users, username/password
  - OAuth
- Windows based
  - Enterprise users, username/password
- PKI based
  - Enterprise users, Client certificate
• Save Credential to Keychain

SDK supports all Auth Mechanisms!

You handle Client Code and UI!

Concern: Do people have the right access to the services?

Authorization

• Set up at Server / Portal
• Configured for each service
• Two methods

1. Ownership Based Access Control
- Owner has update / delete privileges
- Can limit non-owner privileges

2. Capabilities
- Can limit privileges for all users

Capabilities: Create,Query,Update

Capabilities: Create,Query

Popup Editing
• SDK - handles everything
• You – do nothing!

Manual Editing
• You – do the checking

canDeleteFeature, canUpdateFeature
canCreate, canDelete, canUpdate
canUpdateGeometry

Demo – Authentication & Authorization

Concern: Am I connecting to the right server in a secure way?

SSL

• Secure Sockets Layer protocol
• Digital Certificate
- Verifies Identity of Server
- Creates encrypted link
• Types of Digital Certificate
- Certificate Authority signed certificate
- Domain certificate
- Self-signed certificate
• Set up at Server / Portal

You - use https

SDK
• redirects http to https
• warns user about self-signed certificate

Securing your local data in the field

Concern: How can I protect the data in my device?

Data Protection

• iOS provides Data Encryption
• Set up passcode to opt-in
• Data Protection Modes
- Complete
  - Available only when unlocked
- Protected Unless Open
  - Available when unlocked
  - Also available when file is open already
- Protected Until First User Authentication
  - Available after first unlock since reboot
  - Default
- No Protection
  - Always Available

Modifying Data Protection Mode

• App Level
- ‘Capabilities’ pane of settings
• File Level
- Use NSFileManager
- Set NSFileProtectionKey
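
File-level protection as an added Swift example, not code from the presentation: `FileManager` and `FileAttributeKey.protectionKey` are the Swift names of `NSFileManager` and `NSFileProtectionKey`. The function names are hypothetical, and the audit helper goes one step beyond the slide by listing files that are not in the Complete class.

```swift
import Foundation

// Slide mode                                 -> FileProtectionType
// Complete                                   -> .complete
// Protected Unless Open                      -> .completeUnlessOpen
// Protected Until First User Authentication  -> .completeUntilFirstUserAuthentication
// No Protection                              -> .none

/// Creates a file that is readable only while the device is unlocked.
func writeProtectedFile(_ contents: Data, to url: URL) throws {
    let attributes: [FileAttributeKey: Any] =
        [.protectionKey: FileProtectionType.complete]
    let created = FileManager.default.createFile(atPath: url.path,
                                                 contents: contents,
                                                 attributes: attributes)
    guard created else { throw CocoaError(.fileWriteUnknown) }
}

/// Changes the protection class of a file that already exists.
func setProtection(_ type: FileProtectionType, forFileAt url: URL) throws {
    try FileManager.default.setAttributes([.protectionKey: type],
                                          ofItemAtPath: url.path)
}

/// Audit helper: returns the regular files under `directory` whose
/// protection class is anything other than Complete (or is not reported).
func filesWeakerThanComplete(in directory: URL) throws -> [URL] {
    let fm = FileManager.default
    var flagged: [URL] = []
    guard let walker = fm.enumerator(at: directory,
                                     includingPropertiesForKeys: [.isRegularFileKey]) else {
        return flagged
    }
    for case let url as URL in walker {
        let values = try url.resourceValues(forKeys: [.isRegularFileKey])
        guard values.isRegularFile == true else { continue }
        let attrs = try fm.attributesOfItem(atPath: url.path)
        let current = attrs[.protectionKey] as? FileProtectionType
        if current != FileProtectionType.complete {
            flagged.append(url)
        }
    }
    return flagged
}
```

Running the audit helper over the app's Documents directory in a debug build shows which files were left in the default class.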

Summary

Services Security
• Authentication
• Authorization
- OBAC
- Capabilities
• SSL

Local Data Security
• Data Protection

App Security
• Touch ID

Rate the session www.esri.com/RateMyDevSummitSession