With the release of iOS 7, Apple has quietly introduced a nifty feature called Multipeer Connectivity. Using a surprisingly small and simple set of APIs, developers can create applications that have the ability to discover and directly communicate with nearby iOS devices over Bluetooth or WiFi, without the need for an Internet connection. While the Multipeer Connectivity Framework brings the promise of peer-to-peer and mesh networking apps significantly closer to reality, little is known regarding how it actually works behind the scenes and what the risks are for applications leveraging this functionality.
This talk will first present an analysis of what happens at the network level when two devices start communicating with each other over WiFi, including a description of the protocols and encryption algorithms used. From this analysis, we'll derive a security model for Multipeer Connectivity and describe the threats and underlying assumptions that developers should be aware of when building applications. The impact of the various pairing options, data transmission modes, and encryption settings exposed by the Framework will also be explained. Lastly, we'll study the implementation of a real-world app that uses the Framework and describe issues and potential weaknesses; at the end of the presentation, a tool that was used to find some of these issues will be released.