Understanding Key Aspects of iOS App Security

Jatin Mishra
3 min read · Jun 5, 2023


In this article we will discuss some key aspects of iOS app security.

Before starting, we should list some common misconceptions about it.

  1. The iOS platform is secure by default, so we as developers do not need to add extra measures.
    We assume that our apps will only run on non-rooted devices. But our apps can also run on jailbroken (rooted) devices, which bypass Apple's security layer and thereby compromise the security of the app and its data.
  2. Using HTTPS alone secures all the network requests made by the application.
    There is much more to securing network requests than just using HTTPS. Concepts like OAuth, SSL pinning, etc. are essential for a more secure network communication environment.
  3. "Data protection is enabled automatically when the user sets an active passcode for the device."
    This quote from the official documentation misleads many people until they read the complete documentation. The default protection class only keeps a file encrypted until the first unlock after boot; after that the file stays accessible until the device shuts down or reboots.
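The stronger class has to be requested explicitly, and it is worth verifying, because a later write without options can silently fall back to the default. The following Swift snippet is an added example, not code from the article: it writes a file with NSFileProtectionComplete (readable only while the device is unlocked), reads back the class that was actually applied, and upgrades an existing file. The file name is arbitrary.

```swift
import Foundation

// Added example (not from the article): write a file with the strongest
// Data Protection class and verify the class that was actually applied.
enum ProtectedFileStore {
    /// Writes `data` so it is only readable while the device is unlocked
    /// (NSFileProtectionComplete) instead of the default
    /// "complete until first user authentication".
    static func writeProtected(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// Returns the protection class recorded on the file, so a unit test can
    /// assert that nothing downgraded it (e.g. a later write without options).
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }

    /// Upgrades a file that was written earlier with the default class.
    static func upgradeToComplete(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: url.path)
    }
}

// Usage (on a device; the simulator does not enforce protection classes):
// let url = FileManager.default.temporaryDirectory.appendingPathComponent("session.bin")
// try ProtectedFileStore.writeProtected(Data("constructed sample".utf8), to: url)
// assert(try ProtectedFileStore.protectionClass(of: url) == .complete)
```

Note that NSFileProtectionComplete makes the file unreadable while the device is locked, so any background task that needs the data must use the "complete unless open" class instead and keep the handle open.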

Now we will look at some common, or "not so common", techniques we can adopt to improve our app's security.

NOT storing sensitive information in plain text.

We should never store sensitive information in plain text using mechanisms like UserDefaults, plists or plain text files.

We should also avoid "protecting" such data with hashing techniques like MD5, SHA1, etc. These only make the data pseudo-secure, as unsalted hashes of short values are easily reversed with precomputed tables or brute force.

We should only store sensitive information in the Keychain.

But an important thing to consider is that the Keychain only remains secure on non-jailbroken devices. The unauthorized modifications made on jailbroken devices bypass the platform's security features, exposing Keychain data to tools like keychain-dumper.

One approach to address this problem is to encrypt the data using a framework like CryptoKit and then store the computed ciphertext in the Keychain, so the data stays protected by a second layer even on a jailbroken device.
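The following Swift code is an added example, not the article's own, of that combination: a token is sealed with CryptoKit AES-GCM and the ciphertext is written to the Keychain under a "ThisDeviceOnly" accessibility class, which also keeps the item out of backups. The service name is a placeholder, and for brevity the AES key is held in a second Keychain item.

```swift
import Foundation
import CryptoKit
import Security

// Added example (not from the article): AES-GCM ciphertext in the Keychain.
enum SecretVault {
    enum VaultError: Error { case keychain(OSStatus), malformed }

    private static let service = "com.example.app.vault"   // placeholder identifier

    static func save(token: String, account: String) throws {
        let key = SymmetricKey(size: .bits256)
        let sealed = try AES.GCM.seal(Data(token.utf8), using: key)
        // `combined` = nonce || ciphertext || tag, so one blob round-trips.
        guard let blob = sealed.combined else { throw VaultError.malformed }
        try keychainSet(blob, account: account + ".ciphertext")
        try keychainSet(key.withUnsafeBytes { Data($0) }, account: account + ".key")
    }

    static func load(account: String) throws -> String {
        let blob = try keychainGet(account: account + ".ciphertext")
        let key = SymmetricKey(data: try keychainGet(account: account + ".key"))
        let box = try AES.GCM.SealedBox(combined: blob)
        let plain = try AES.GCM.open(box, using: key)   // throws if tag check fails
        guard let s = String(data: plain, encoding: .utf8) else { throw VaultError.malformed }
        return s
    }

    private static func keychainSet(_ data: Data, account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
        _ = SecItemDelete(query as CFDictionary)           // replace any older item
        var add = query
        add[kSecValueData as String] = data
        // Readable only while unlocked, never migrated to another device.
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw VaultError.keychain(status) }
    }

    private static func keychainGet(account: String) throws -> Data {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else {
            throw VaultError.keychain(status)
        }
        return data
    }
}

// Usage:
// try SecretVault.save(token: "constructed-sample-token", account: "api")
// let token = try SecretVault.load(account: "api")
```

The caveat a reviewer would raise: if the key sits in the same Keychain as the ciphertext, a tool that dumps the Keychain gets both, so the second layer only helps when the key is kept elsewhere, for example derived from a user-supplied secret or generated inside the Secure Enclave (CryptoKit's SecureEnclave.P256 types), where it can be used but never exported.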

Protecting your app with a passcode, Face ID or Touch ID

Adding an extra authentication step such as a passcode, Face ID or Touch ID adds another layer of security to day-to-day use of the application.
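As an added example, not from the article, here is the LocalAuthentication call that implements such an app lock: it prompts for Face ID or Touch ID and falls back to the device passcode, reporting separately when no authentication is available at all. The reason string and the Outcome type are this example's own.

```swift
import Foundation
import LocalAuthentication

// Added example (not from the article): gate a sensitive screen behind the
// device owner's biometrics, with the device passcode as fallback.
enum AppLock {
    enum Outcome { case authenticated, unavailable(String), denied(String) }

    static func unlock(reason: String = "Unlock your account details",
                       completion: @escaping (Outcome) -> Void) {
        let context = LAContext()
        context.localizedCancelTitle = "Cancel"
        // .deviceOwnerAuthentication = Face ID / Touch ID, falling back to the
        // passcode. Use .deviceOwnerAuthenticationWithBiometrics to refuse
        // the passcode fallback.
        let policy = LAPolicy.deviceOwnerAuthentication
        var error: NSError?
        guard context.canEvaluatePolicy(policy, error: &error) else {
            // Typically: no passcode set on the device.
            completion(.unavailable(error?.localizedDescription ?? "not available"))
            return
        }
        context.evaluatePolicy(policy, localizedReason: reason) { success, evalError in
            DispatchQueue.main.async {
                if success {
                    completion(.authenticated)
                } else {
                    completion(.denied(evalError?.localizedDescription ?? "cancelled"))
                }
            }
        }
    }
}

// Usage: AppLock.unlock { outcome in /* show or hide the protected screen */ }
```

Face ID requires an NSFaceIDUsageDescription entry in Info.plist. Keep in mind that the result above is a boolean decided inside the app process, so it is a UI lock rather than a cryptographic one; data that must truly require biometrics should instead be stored as a Keychain item created with a SecAccessControl that demands biometry, so the check is enforced by the Secure Enclave rather than by app code.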

Encrypting the mobile database

If you use Core Data to persist data on the device, you can add encryption to the persistent store as described in this article, or use a third-party library such as EncryptedCoreData.
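The first option maps onto the Data Protection classes discussed earlier: Core Data accepts a file-protection option on its persistent store description. The snippet below is an added example, not the article's code, and assumes a model named by the caller.

```swift
import CoreData

// Added example (not from the article): apply NSFileProtectionComplete to
// Core Data's SQLite store. This relies on the platform's file-level
// encryption (Data Protection), not on a third-party encrypted store.
func makeProtectedContainer(modelName: String) -> NSPersistentContainer {
    let container = NSPersistentContainer(name: modelName)
    guard let description = container.persistentStoreDescriptions.first else {
        fatalError("no persistent store description for \(modelName)")
    }
    // Must be set before loadPersistentStores; it covers the store file and
    // its -wal / -shm journal files.
    description.setOption(FileProtectionType.complete as NSObject,
                          forKey: NSPersistentStoreFileProtectionKey)
    container.loadPersistentStores { _, error in
        if let error = error {
            fatalError("failed to load store: \(error)")
        }
    }
    return container
}

// Usage: let container = makeProtectedContainer(modelName: "Model")
```

The same trade-off applies as for any "complete" file: the store cannot be opened while the device is locked, so background fetches that write to it need a weaker class.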

Making network requests secure

We can make network requests more secure through practices like OAuth, SSL pinning, etc.
SSL pinning is a very useful technique for preventing man-in-the-middle attacks against iOS apps. It ensures that the application only communicates with the designated server: if the certificate or public key presented by the connection does not match the pinned one, the app rejects the connection instead of sending any traffic.
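As an added example, not code from the article, the URLSession delegate below pins the server's public key: it first lets the system validate the certificate chain as usual and then compares a SHA-256 of the leaf public key against a pinned set. The hashes are placeholders; compute real ones by running leafKeyHash once against your own server, since this hashes the bytes returned by SecKeyCopyExternalRepresentation rather than a DER SubjectPublicKeyInfo.

```swift
import Foundation
import Security
import CryptoKit

// Added example (not from the article): public-key pinning in a URLSession delegate.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // SHA-256 of SecKeyCopyExternalRepresentation(leaf public key), base64.
    // PLACEHOLDER values. Pin the next key as well so rotation does not brick the app.
    static let pinnedKeyHashes: Set<String> = [
        "PLACEHOLDER_CURRENT_KEY_HASH_BASE64=",
        "PLACEHOLDER_BACKUP_KEY_HASH_BASE64="]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Normal chain validation first; pinning adds to it, never replaces it.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. The leaf's public key must be one we expect.
        guard let hash = Self.leafKeyHash(trust), Self.pinnedKeyHashes.contains(hash) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    /// Base64(SHA-256(external representation of the leaf public key)).
    static func leafKeyHash(_ trust: SecTrust) -> String? {
        guard let key = SecTrustCopyKey(trust),   // iOS 14+
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        return Data(SHA256.hash(data: keyData)).base64EncodedString()
    }
}

// Usage:
// let session = URLSession(configuration: .default,
//                          delegate: PinningDelegate(), delegateQueue: nil)
```

A declarative alternative on iOS 14 and later is the NSPinnedDomains dictionary in Info.plist, which pins SPKI hashes without delegate code. Whichever route is used, ship a backup pin and a plan for key rotation, because an expired or replaced certificate with no matching pin turns the app's network layer into an outage.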

Summary

Like any device or platform, iOS too is vulnerable to many security issues, and it is the developer's duty to ensure the app is secure not only in optimal scenarios but also in extreme ones such as jailbroken devices. Using the above techniques we can certainly improve the security of our apps, but we should always keep an eye on related news and updates, as new security threats are introduced regularly.


If you found the above information interesting, consider clapping for it.
Cheers!!

Written by Jatin Mishra

Senior iOS Engineer with 6+ years of experience, specializing in high-performance app development and architecture optimization. Join me for special insights.