How to secure your iPhone app in 8 simple steps

fluffyc3rb3rus
4 min read · Aug 1, 2022
How to Develop a secure iOS application

You are a developer and your client is pushing you to deliver the app on time. You keep coding all around the clock, you’re struggling and you feel shattered, but suddenly you remember something:

“Oh my gosh, what about security? Did I forget something?”

In my experience as a penetration tester, I constantly see developers get lost in the details of security. Before asking for a penetration test, be sure to get rid of this low-hanging fruit. You’ll spare your end users a bad experience, and your reputation will improve.

I’m going to give you a basic list of things to do or check, hoping that it will help you!

1. Jailbreak detection is your friend!

Tethered, Semi-tethered, Semi-untethered, untethered.

This is not a magic formula: we’re talking about the famous jailbreak. A jailbreak gives the user root access to the device. It’s usually done to customize the iPhone’s appearance, install apps from alternative stores and, if you’re a pentester, use security tools.

When you’re releasing your application to the world, you’re sending your little child to school on foot. Your little village may be safe, but you know that we all live in a potentially hostile environment.

You have more control over your iPhone when you jailbreak it… but so does malware. A jailbreak paves the way for malware and data theft. When the application is launched, be sure to warn the end user about running in a jailbroken environment. If your application is really critical (e.g. a banking application), consider stopping execution.

Yeah, it’s true, jailbreak detection can be bypassed, but it will be better than nothing.
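Here is a minimal sketch of the warn-or-stop policy described above. It is an added example, not code from the original post; the path list is illustrative rather than exhaustive, and the type and function names are hypothetical.

```swift
import Foundation

enum JailbreakSignal { case suspiciousFile, sandboxEscape }

struct JailbreakDetector {
    // Well-known artifacts of common jailbreaks (illustrative, not exhaustive).
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/bin/bash",
    ]

    static func signals() -> Set<JailbreakSignal> {
        #if targetEnvironment(simulator)
        return []  // the simulator sees the host filesystem, so the checks are meaningless
        #else
        var found = Set<JailbreakSignal>()
        if suspiciousPaths.contains(where: { FileManager.default.fileExists(atPath: $0) }) {
            found.insert(.suspiciousFile)
        }
        // A sandboxed app must not be able to write outside its container.
        let probe = "/private/jb_probe_\(UUID().uuidString)"
        do {
            try "probe".write(toFile: probe, atomically: true, encoding: .utf8)
            try? FileManager.default.removeItem(atPath: probe)
            found.insert(.sandboxEscape)
        } catch {
            // Expected on a stock device: the write is denied.
        }
        return found
        #endif
    }
}

enum LaunchDecision { case proceed, warnUser, block }

/// Policy from the text: warn the user, or stop if the app is critical.
func launchDecision(isCriticalApp: Bool,
                    signals: Set<JailbreakSignal> = JailbreakDetector.signals()) -> LaunchDecision {
    guard !signals.isEmpty else { return .proceed }
    return isCriticalApp ? .block : .warnUser
}
```

Call `launchDecision(isCriticalApp:)` early at launch and treat the result as one signal among several, since each individual check can be hooked or hidden.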

2. The App Transport Security (ATS)

App Transport Security is an iOS feature that improves the integrity and privacy of your network communication. For example, by default, ATS requires that all HTTP requests sent by your application use HTTPS. So, no cleartext traffic, baby.

Exceptions like NSAllowsArbitraryLoads allow cleartext traffic, which could be intercepted by a malicious user. Don’t do this!

Finally, be sure to implement a robust certificate pinning method. Your app shall trust only known hosts!

3. Pay attention to what you are logging!

We must not lie: 99.9% of people think logs are useful.

However, logging should only be done when you’re testing the app in a protected development environment. Leaving debug comments and spamming them into the logs of your release version is not a wise choice, since an end user could read them and learn how your app works and communicates with your server. Be sure to remove sensitive data from the client-side logs before you release the app.

4. The Keychain has a long memory

It’s a good idea to rely on the Keychain for storing session tokens and encryption keys. However, it could happen that a user deletes all the apps and sells his iPhone without performing a factory reset. When an application is uninstalled, the data stored inside the Keychain will remain. So, if the buyer of the iPhone installs the same apps, he could access the old data stored inside the Keychain!

Since you cannot perform a Keychain wipe when your app is uninstalled, what you can do, as a developer, is to wipe the Keychain data associated with your application on the very first launch after the installation. Do the same when the user logs out from the application.
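The first-launch wipe described above can be sketched as follows. This is an added example, not code from the original post; the `hasLaunchedBefore` key and the `KeychainHygiene` name are hypothetical. It relies on the fact that UserDefaults is deleted together with the app while Keychain items are not.

```swift
import Foundation
import Security

enum KeychainHygiene {
    // Hypothetical flag name. It lives in UserDefaults, which is removed on uninstall,
    // so its absence means "fresh install" even if old Keychain items survived.
    private static let launchedKey = "hasLaunchedBefore"

    /// Deletes every Keychain item this app can access, class by class.
    /// Caveat: this includes items in shared access groups the app belongs to.
    @discardableResult
    static func wipeKeychain() -> Bool {
        let classes = [kSecClassGenericPassword, kSecClassInternetPassword,
                       kSecClassCertificate, kSecClassKey, kSecClassIdentity]
        var ok = true
        for itemClass in classes {
            let query: [CFString: Any] = [kSecClass: itemClass]
            let status = SecItemDelete(query as CFDictionary)
            // "Not found" simply means there was nothing to delete for this class.
            if status != errSecSuccess && status != errSecItemNotFound {
                ok = false
            }
        }
        return ok
    }

    /// Call once, early in app launch. Returns true if a wipe was performed.
    @discardableResult
    static func wipeIfFirstLaunch(defaults: UserDefaults = .standard) -> Bool {
        guard !defaults.bool(forKey: launchedKey) else { return false }
        wipeKeychain()
        defaults.set(true, forKey: launchedKey)
        return true
    }
}
```

Call `KeychainHygiene.wipeIfFirstLaunch()` before any code reads tokens from the Keychain, and `KeychainHygiene.wipeKeychain()` from the logout path.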

5. Avoid storing sensitive data in plaintext

Don’t store sensitive data in plaintext. Whether you’re using SQLite databases, plists or other kinds of files, storing credentials and leaving them around on the filesystem is never a good idea. Be sure to encrypt critical information.

Moreover, you should know that HTTP requests and responses are cached by default inside the application’s Library/Caches folder.

Be sure to delete the cache or disable the caching system.
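Both options, disabling the cache and deleting it, are shown in this added example, which is not part of the original post. The path prefixes and function names are hypothetical.

```swift
import Foundation

/// Refuses to cache responses for sensitive endpoints while leaving
/// other responses (images, static content) cacheable.
final class NoStoreDelegate: NSObject, URLSessionDataDelegate {
    // Hypothetical path prefixes whose responses must never reach the disk cache.
    let sensitivePrefixes = ["/login", "/account", "/payments"]

    // Invoked for delegate-driven data tasks before a response is stored.
    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
                    willCacheResponse proposedResponse: CachedURLResponse,
                    completionHandler: @escaping (CachedURLResponse?) -> Void) {
        let path = proposedResponse.response.url?.path ?? ""
        let sensitive = sensitivePrefixes.contains { path.hasPrefix($0) }
        completionHandler(sensitive ? nil : proposedResponse)  // nil = do not cache
    }
}

/// A session that never writes HTTP responses to disk.
func makeNoCacheSession() -> URLSession {
    let config = URLSessionConfiguration.ephemeral  // no persistent cache, cookies or credentials
    config.urlCache = nil
    config.requestCachePolicy = .reloadIgnoringLocalCacheData
    return URLSession(configuration: config)
}

/// Deletes whatever the shared cache already stored, e.g. at logout.
func purgeHTTPCache() {
    URLCache.shared.removeAllCachedResponses()
}
```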

6. Pay attention to the clipboard

It’s very useful to copy and paste data. However, other applications can read the data stored in the clipboard.

Be sure to use the “SecureTextEntry” property for text fields containing sensitive information (e.g. credit card number) so that the copy/paste functionality will be disabled. Furthermore, the SecureTextEntry property helps avoid keyboard caching.

7. Screenshots are not your user’s best friend!

In order to show you an app view when you press the Home button, a screenshot is automatically generated and written to local storage. This feature poses a security risk, since a malicious application can read the content of the screenshot. Furthermore, someone can steal the device. If sensitive data is displayed in the screenshot, your user’s privacy is at risk.

Be sure to cover your application’s screen with an overlay image when it goes to background.
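A sketch of the overlay approach for an app that uses the scene-based lifecycle, added here as an example and not taken from the original post. The `PrivacyCover` asset name is hypothetical.

```swift
import UIKit

class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private var privacyCover: UIView?

    // Runs before the system takes the app-switcher snapshot.
    func sceneWillResignActive(_ scene: UIScene) {
        guard let window = window, privacyCover == nil else { return }

        // Dismiss the keyboard so it does not appear in the snapshot.
        window.endEditing(true)

        let cover = UIImageView(frame: window.bounds)
        cover.image = UIImage(named: "PrivacyCover")   // hypothetical asset name
        cover.contentMode = .scaleAspectFill
        cover.clipsToBounds = true
        // Opaque background so nothing shows through if the image is missing.
        cover.backgroundColor = .systemBackground
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]

        window.addSubview(cover)
        privacyCover = cover
    }

    // Remove the cover as soon as the user returns to the app.
    func sceneDidBecomeActive(_ scene: UIScene) {
        privacyCover?.removeFromSuperview()
        privacyCover = nil
    }
}
```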

8. Never trust user input!

This point is overlooked by most mobile developers. Since the app is mobile, the developers think there is no need to worry about the security of the endpoints on the server. It is important to know that requests sent by the mobile app can be intercepted and modified by a malicious user. If user input is not properly validated by the server, remote command execution, SQL injections and other plagues will be around the corner.

This is a golden rule:
NEVER TRUST USER INPUT.

Final Considerations

I hope this post will help someone. You could be interested in my article about

This list doesn’t claim to be exhaustive or complete. If you wish to go further, have a look at the Mobile Security Testing Guide by OWASP.
If you liked my posts, feel free to clap or subscribe to my profile, so that you will never be without a story to read!

Otherwise, jump and clap alone in happiness :)

Have a nice day!

fluffyc3rb3rus

Penetration Tester, traveller and food addicted, but still human. I love security, Linux, games :) | eMAPT| eWPT | OSCP | CTF Player