With the release of iOS 7, Apple has quietly introduced a nifty feature called Multipeer Connectivity. Using a surprisingly small and simple set of APIs, developers can create applications that have the ability to discover and directly communicate with nearby iOS devices over Bluetooth or WiFi, without the need for an Internet connection. While the Multipeer Connectivity Framework brings the promise of peer-to-peer and mesh networking apps significantly closer to reality, little is known regarding how it actually works behind the scenes and what the risks are for applications leveraging this functionality.
This talk will first present an analysis of what happens at the network level when two devices start communicating with each other over WiFi, including a description of the protocols and encryption algorithms used. From this analysis, we'll derive a security model for Multipeer Connectivity and describe the threats and underlying assumptions that developers should be aware of when building applications. The impact of the various pairing options, data transmission modes, and encryption settings exposed by the Framework will also be explained. Lastly, we'll study the implementation of a real-world app that uses the Framework and describe issues and potential weaknesses; at the end of the presentation, a tool that was used to find some of these issues will be released.
Alban Diquet is Head of iOS Research at Data Theorem, a cloud-enabled scanning service for mobile application security and data privacy. Alban's research focuses on security protocols, data privacy, and mobile security, particularly on iOS, Android, and Windows Phone devices. Alban has released several open-source security tools including SSLyze, iOS-SSL-Kill-Switch, and Introspy. Furthermore, Alban has presented at various security conferences including Black Hat USA and Ruxcon. Prior to joining Data Theorem, Alban was a Principal at iSEC Partners, Inc. Alban received an MS in Computer and Electrical Engineering from the "Institut Superieur d'Electronique de Paris" in Paris, France, and an MS in "Secure and Dependable Computer Systems" from Chalmers University, in Gothenburg, Sweden.