Securing iOS Applications

We love developing iOS applications that delight users, and we spend a significant amount of time planning UI/UX and features and improving performance. But more often than not, security and privacy are overlooked.

Through this article, I would like to highlight a few points that would fix the most common vulnerabilities in your application.

Disclaimer: The points mentioned here are by no means exhaustive. There are many other methods of securing the application. Given enough time and resources, the points mentioned might be bypassed.

Saving Data:

Collect details of all the data that is being saved in the application. Reconsider the need for saving it. There may be cases where we only need to work on the data and store the results, not the actual information.

Key areas for review:

  1. Using Keychain: It is a secure container provided by Apple to save sensitive data. However, if the device is compromised (jailbroken), it is possible to dump the items in the keychain, rendering the stored data visible. Hence the data stored in the keychain must also be encrypted. Further, read on this.
  2. Data store: If SQLite or Core Data is being used in the application for storing data, consider encrypting it with solutions such as SQLCipher or Encrypted Core Data. The key needed to encrypt and decrypt has to be managed, e.g. it could be either saved in the keychain or obfuscated. Apps using robust cryptography have compliance obligations for distribution on the App Store.
  3. Confidential strings in code: Avoid using plain-text strings in your code base for confidential keys, e.g. API keys for web services, social platform tokens, etc. Use obfuscation to keep this text from being revealed by reverse engineering the application binary. Further, read on this.
  4. Files created in the application: Set the NSFileProtectionComplete attribute through the NSFileManager API. Enable the Data Protection capability in Xcode. Further, read on this.
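
For item 4, the following Swift sketch is an added example, not code from the original article. It writes a file with complete protection, upgrades an existing file, and lists files that are still in a weaker protection class; `ProtectedStore` and its method names are hypothetical.

```swift
import Foundation

// Added example: ProtectedStore and its method names are hypothetical.
enum ProtectedStore {
    /// Directory used for the app's private files (created on first use).
    static func directory() throws -> URL {
        try FileManager.default.url(for: .applicationSupportDirectory,
                                    in: .userDomainMask,
                                    appropriateFor: nil,
                                    create: true)
    }

    /// Writes `data` atomically with NSFileProtectionComplete, so the file
    /// cannot be read while the device is locked.
    static func write(_ data: Data, named name: String) throws -> URL {
        let url = try directory().appendingPathComponent(name)
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Upgrades an already existing file to NSFileProtectionComplete.
    static func protect(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: url.path)
    }

    /// Returns the regular files under `root` whose protection class is not
    /// "complete". Intended for a debug build or a test as a regression check.
    static func weaklyProtectedFiles(under root: URL) -> [URL] {
        let fm = FileManager.default
        guard let walker = fm.enumerator(at: root,
                                         includingPropertiesForKeys: [.isRegularFileKey]) else {
            return []
        }
        var findings: [URL] = []
        for case let url as URL in walker {
            let values = try? url.resourceValues(forKeys: [.isRegularFileKey])
            guard values?.isRegularFile == true else { continue }
            let attrs = try? fm.attributesOfItem(atPath: url.path)
            let level = attrs?[.protectionKey] as? FileProtectionType
            if level != .complete { findings.append(url) }
        }
        return findings
    }
}
```

Files in the complete class cannot be opened while the device is locked, so code that runs in the background needs to handle that failure or use a weaker class for the files it touches.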

Continue reading here.

