iOS App development : 10 Major Notes

Share on facebook
Share on google
Share on twitter
Share on linkedin

10 security threats that you need to watch out for while developing iOS apps:

App development might seem like a piece of cake for the passionate coders out there but it is not everytime you make sure that the application is brilliantly secure. Security is a prime concern for app development and every developer should be quite aware of what can and might jeopardize their app. Here are 10 security threats that you need to watch out for while developing apps.


1. SSL Pinning

SSL Pinning is mandatory for encrypted connection between the client and the server. It ensures that all data passed in the network is private and integral. This allows client connection to trusted sources that have the valid certificates. This will prevent Man-In-The-Middle (MITM) attacks.


2.Jailbreak detection

Checking whether an iPhone is jailbroken or not can have many benefits for your app. An attacker can run tools like Cycript, GDB, etc. to perform runtime analysis and steal sensitive data inside your application. If you want to add an extra layer of security for your app, your app should not be run on a jailbroken device.


3.Logs

Mostly, applications log the input data to simplify the debug process. Now, if an application is logging sensitive information, then its data will be captured on-device logs. An attacker can easily dump device logs and retrieve user’s sensitive information. So, it is crucial to check all the logs and eliminate unnecessary ones.


4.Application backgrounding

When you press the home key on your iPhone or iPad, the current screenshot of the app is taken. This is done to create an animation of the app that appears to “sink” on the screen. The image is stored for use as a thumbnail image for a running application. If sensitive information is displayed on the screen during a screenshot, serious security consequences may arise. Personal information may be stored without writing to the device. An attacker can easily steal an image cache.

How to fix 

There are two ways in which you can fix this issue : 

1. Overlay an image as the application enters the background state. The overlaid image will “mask” the current screen, thus covering any sensitive information which may be on screen. Below is sample code:

@property (UIImageView *)backgroundImage;
- (void)applicationDidEnterBackground:(UIApplication *)application {
  UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"];
  self.backgroundImage = myBanner;
  [self.window addSubview:myBanner];
}

2. Explicitly mark the fields hidden via the View Controller. Given below is the code to accomplish the same:

- (void)applicationDidEnterBackground:(UIApplication *)application {
 viewController.accountNumber.hidden = YES;
 viewController.username.hidden = YES;
 viewController.SSN.hidden = YES;
 viewController.password.hidden = YES;

5.Keyboard cache

In iOS, your application’s input text fields are logged unless the secure flag is not set or autocorrect is not disabled. It’s easy to retrieve all keystroke logs from a device. Therefore, the developers should be very careful with sensitive data input fields such as SSN, pin, and so on, so that it should not be captured.

* During the application development, to disable auto complete for a text field, either mark it as secure (ex: mytextField.secureTextEntry = YES) or disable the autocomplete (mytextField.autocorrectionType = UITextAutocorrectionTypeNo;).


6.Pasteboard

When we copy / cut text to iOS, it enters in a buffer known as a pasteboard. In iOS, pasteboard is the commonplace among all apps. If one app copies data to a pasteboard, other apps can access it by reading the pasteboard. Therefore, developers should be very careful while allowing sensitive data to be copied. If an application allows sensitive data, such as SSN, pin, and so forth, to be copied to the clipboard, other applications can access this sensitive information.


7.Code Obfustication

Anybody can reverse engineer and check for classes and methods in an iOS app, try to dynamically inject code for that method/notification observer with help of tools like Frida and Cycript. It is advised to obfusticate the code, so the logic of the application is not compromised at direct runs.


8.User data protection

Many developers assume that storing data on client-side will restrict other users from having access to this data.

Best coding habits for data storage:

  • Never store credentials on the phone file system. Force the user to authenticate using a standard web or API login scheme (over HTTPS) to the application.
  • Where storage or caching of information is necessary to consider using a standard iOS encryption library such as CommonCrypto.
  • If the data is small, using the provided apple keychain API is recommended.
  • Encrypting sensitive values in an SQLite database using SQLCipher.
  • For items stored in the keychain, leverage the most secure API designation, kSecAttrAccessibleWhenUnlocked.
  • For larger or more general types of consumer-grade data, Apple’s File Protection mechanism can safely be used (see NSData Class Reference for protection options).
  • Avoid using NSUserDefaults to store sensitive pieces of information as it stores data in plist files.
  • Be aware that all data/entities using NSManagedObjects will be stored in an unencrypted database file.
  • Avoid exclusively relying upon hardcoded encryption or decryption keys when storing sensitive information assets.

9.Network Traffic

  • Use CSRF tokens in all forms and use the new SameSite Cookie response header which fixes CSRF once and for all newer browsers.
  • Don’t use GET requests with sensitive data or tokens in the URL as these will be logged on servers and proxies.
  • Cookies must be httpOnly and secure and be scoped by path and domain.
  • Use X-Frame-Option, X-XSS-Protection headers in client responses.
  • Use HSTS responses to force TLS only access. Redirect all HTTP requests to HTTPS on the server as backup.

10.Hardcoding sensitive data

The Objective-C architecture makes segmentations in iOS rather simple. Tools like Clutch or class-dump make it easy for hackers to analyze any application. While reversing the hard coded passwords, session token, private keys, etc can be easily found. So never hardcode any secret.

Creating secure and robust iOS applications is not easy. However, you can improve security in your iOS apps without much effort by sticking to best practices.  User data protection should be a top priority and should not be ignored. And it is also definitely worth doing a security audit before launching an app.

admin

admin

Leave a Reply

Sign up for our Newsletter

Contact our Experts

Contact our Experts