The Ultimate Security Checklist While Launching Your iOS App

As you build your app and work on your mobile strategy, it is essential to test your application across various parameters: performance, usability, functionality, compatibility, load, security, and so on. Because time to market is essential, most businesses neglect the security testing part. Ensuring the safety of your customers' information and your business is crucial.

Here's a list of different tests to take care of before you launch your iOS app, and even if you already have, it might be good to revisit:

Information Gathering

  • Observe the application behavior and data states and sensitivity

  • Identify access methods, the frameworks in use, the server-side APIs in use, the protocols in use, and other applications or services with which the application interacts

  • Locate the PIE (Position Independent Executable) flag - an app compiled without PIE (that is, without the "-fPIE -pie" flags) will load the executable at a fixed address. Check this using the command: otool -hv
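The PIE check above can also be scripted for a build pipeline. The following is an added example, not code from the original article: it reads the Mach-O header flags that otool -hv displays and, going slightly beyond the single-binary case in the text, reports the PIE bit for every architecture slice of a fat binary. The function names and the sample bytes are constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE, MH_PIE = 0x2, 0x200000            # values from <mach-o/loader.h>
CPU_NAMES = {12: "arm", 0x0100000C: "arm64"}  # only the two iOS device types


def slice_pie(data, offset=0):
    """Return (arch, has_pie) for the Mach-O image starting at offset."""
    for endian in "<>":                       # header may be either byte order
        (magic,) = struct.unpack_from(endian + "I", data, offset)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("no Mach-O header at offset %d" % offset)
    # mach_header: magic cputype cpusubtype filetype ncmds sizeofcmds flags
    _, cpu, _, filetype, _, _, flags = struct.unpack_from(
        endian + "IiiIIII", data, offset)
    if filetype != MH_EXECUTE:                # PIE only applies to executables
        raise ValueError("not a main executable")
    return CPU_NAMES.get(cpu, hex(cpu)), bool(flags & MH_PIE)


def pie_report(data):
    """Map every architecture slice in a thin or fat binary to its PIE bit."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return dict([slice_pie(data)])
    (count,) = struct.unpack_from(">I", data, 4)
    report = {}
    for i in range(count):
        # fat_arch (big-endian): cputype cpusubtype offset size align
        offset = struct.unpack_from(">iiIII", data, 8 + 20 * i)[2]
        arch, pie = slice_pie(data, offset)
        report[arch] = pie
    return report


def constructed_fat_sample():
    """Constructed input: armv7 slice without PIE plus arm64 slice with PIE."""
    armv7 = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, MH_EXECUTE, 0, 0, 0x85)
    arm64 = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, MH_EXECUTE,
                        0, 0, 0x85 | MH_PIE, 0)
    head = struct.pack(">II", FAT_MAGIC, 2)
    head += struct.pack(">iiIII", 12, 9, 48, len(armv7), 0)
    head += struct.pack(">iiIII", 0x0100000C, 0, 48 + len(armv7), len(arm64), 0)
    return head + armv7 + arm64


if __name__ == "__main__":
    for arch, pie in pie_report(constructed_fat_sample()).items():
        print(arch, "PIE" if pie else "NOT PIE: rebuild with PIE enabled")
```

To audit a real build, pass the bytes of the app's main executable to pie_report and fail the build if any slice reports False.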

Use of Privilege

  • Reduce privileges whenever possible

  • Use elevated privileges sparingly, and only in privileged helpers. If you must run code with elevated privileges, here are some rules:

      • Never run your main process as a different user. Instead, create a separate helper tool that runs with elevated privileges.

      • Your helper tool should do as little as possible.

      • Your helper tool should restrict what you can ask it to do as much as possible.

      • Your helper tool should either drop the elevated privileges or stop executing as soon as possible.

  • Minimize the amount of code that must be run with elevated privileges

  • Never run a GUI application with elevated privileges

Authentication between Client-Server

  • Do not store, validate, or modify passwords yourself. It is a terrible idea: OS X and iOS provide secure facilities for just that purpose and will ensure better security.

  • Never send passwords over a network connection in cleartext form. Never assume that an unencrypted network connection is secure.

  • Always perform server authentication even though it is optional in the SSL/TLS protocols. Otherwise, an attacker might spoof your server, injuring your users and damaging your reputation in the process.

  • Use password policies wherever possible, like password strength, password expiration, limitations on password length, password retrieval methods, etc.

  • Do not store unencrypted passwords and do not reissue passwords

Usage of Cryptographic Algorithms

  • Do not attempt to generate your own random numbers. Use trusted random number generators.

  • Use TLS/SSL instead of custom schemes.

  • Do not try to implement your own crypto algorithms. It is very difficult to implement a secure cryptographic algorithm, and good, secure cryptographic functions are readily available.

Installation and Loading

  • Don’t use custom install scripts.

  • Don’t install components in /Library/StartupItems or /System/Library/Extensions. Code installed into these directories runs with root permissions. Therefore, it is very important that such programs be carefully audited for security vulnerabilities.

  • Load plug-ins and libraries only from secure locations. If your application loads plug-ins from directories that are not restricted, then an attacker might be able to trick the user into downloading malicious code, which your application might then load and execute.

The above list is not exhaustive, but it is a good place to start and ensures you have some basic security checks in place for your applications. It might be a challenge to fix everything at once, but you should keep revisiting this list until you've checked each item off.

More articles by Prateek Panda