iOS App Security: Best Practices

Abd-elmeniem Mohamed
5 min read · Dec 7, 2022

In this post, I’ll discuss the basics of iOS app security. I’ll walk you through the best ways to store user data safely, secure data in transit, and use Apple’s new cryptographic APIs.

1- Apple’s App Sandbox:

All apps running on iOS run in a sandbox, which ensures that an app can only access data stored in its own unique home directory. If an app wants to access data outside of its home directory, it needs to use services provided by iOS, like the ones available for accessing iCloud data or the photo album. Therefore, no other app can read or modify data from your app.

2- Data Protection API:

All iOS versions since iOS 4 have a built-in security feature called Data Protection. It allows an app to encrypt and decrypt the files stored in their app directory. The encryption and decryption processes are automatic and hardware-accelerated. Data Protection is available for file and database APIs, including NSFileManager, CoreData, NSData, and SQLite.

The four available protection levels include:

  • No protection: The file is always accessible and not encrypted at all
  • Complete until first user authentication: This is enabled by default and decrypts the file after the user unlocks their device for the first time. Afterward, the file stays decrypted until the device gets rebooted. Locking the device doesn’t encrypt the data again.
  • Complete unless open: The file is encrypted until the app opens the file for the first time. The decryption stays alive even when the device gets locked by the user.
  • Complete: The file is only accessible when the device is unlocked.
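As an added example (not code from the original post), this is how a file can be written with the "Complete" level and how the level of an existing file can be checked and raised. The type name `ProtectedStore`, the file name and the payload are assumptions made for illustration.

```swift
import Foundation

// Added example: ProtectedStore, the file name and the payload are illustrative.
enum ProtectedStore {
    /// Writes `data` into the app's Documents directory with the
    /// "Complete" protection level, so it is readable only while unlocked.
    static func save(_ data: Data, as fileName: String) throws -> URL {
        let directory = try FileManager.default.url(
            for: .documentDirectory, in: .userDomainMask,
            appropriateFor: nil, create: true)
        let url = directory.appendingPathComponent(fileName)
        // .atomic writes to a temporary file first;
        // .completeFileProtection selects the protection level.
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Returns the protection level reported for a file,
    /// or nil when the attribute is not reported.
    static func protectionLevel(of url: URL) throws -> FileProtectionType? {
        let attributes = try FileManager.default.attributesOfItem(atPath: url.path)
        return attributes[.protectionKey] as? FileProtectionType
    }

    /// Raises an existing file to the "Complete" protection level.
    static func upgrade(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: url.path)
    }
}

/// Stores a constructed sample payload and verifies its protection level.
func storeSampleNotes() throws {
    let url = try ProtectedStore.save(Data("session-notes".utf8), as: "notes.bin")
    if try ProtectedStore.protectionLevel(of: url) != .complete {
        try ProtectedStore.upgrade(url)
    }
}
```

With the "Complete" level, reads and writes throw while the device is locked, so background work that touches such files has to handle that error.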

3- Keychain:

Keychain offers a secure alternative to saving sensitive data, such as user names and passwords, with NSUserDefaults, plist or similar methods.

As you might already know, NSUserDefaults is simple and effective for saving small, simple bits of data, like NSNumbers or NSStrings, to your device’s file system. But this data is in no way stored securely as hackers can access it pretty easily from the device.

Apple has provided the Keychain Services API to deal with this problem and help developers build apps that safely handle passwords and other sensitive information.

A keychain is defined in Apple’s documentation as:

“…an encrypted container that securely stores small chunks of data on behalf of apps and secure services.”

You can use the native Keychain Services API directly or the open-source framework SwiftKeychainWrapper: https://github.com/jrendel/SwiftKeychainWrapper

4- HTTPS:
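The native route, as an added example that is not from the original post or from SwiftKeychainWrapper: a small wrapper over Keychain Services for saving, reading and deleting a password. The names `PasswordStore` and `KeychainError` and the service identifier are assumptions.

```swift
import Foundation
import Security

// Added example: type names and the service identifier are illustrative.
struct KeychainError: Error { let status: OSStatus }
enum PasswordStore {
    static let service = "com.example.myapp.login"   // hypothetical identifier
    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Adds the password, or updates it if an item already exists.
    static func save(_ password: String, account: String) throws {
        let value = Data(password.utf8)
        var item = baseQuery(account: account)
        item[kSecValueData as String] = value
        // Readable only while unlocked, and never migrated to another device.
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        var status = SecItemAdd(item as CFDictionary, nil)
        if status == errSecDuplicateItem {
            status = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                                   [kSecValueData as String: value] as CFDictionary)
        }
        guard status == errSecSuccess else { throw KeychainError(status: status) }
    }

    /// Returns the stored password, or nil when no item exists.
    static func read(account: String) throws -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError(status: status)
        }
        return String(data: data, encoding: .utf8)
    }

    /// Removes the item, e.g. at logout; a missing item is not an error.
    static func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError(status: status)
        }
    }
}
```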

Most network communication is done over the HTTP protocol between a client and a server. By default, HTTP connections are not encrypted. It is easily possible for attackers to sniff data from your local network or to perform man-in-the-middle attacks.

Since iOS 9, there is a new feature called App Transport Security (ATS). It improves the security of network communication in your apps. ATS blocks insecure connections by default. It requires all HTTP connections to be performed using HTTPS secured with TLS.

ATS can be configured in many ways to loosen up these restrictions. You can, therefore, allow insecure HTTP connections for specific domains or change the minimum TLS version used for HTTPS.

Adding the following to your Info.plist will disable ATS:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>

5- SSL Pinning — Secure Sockets Layer (SSL):

SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today.

SSL is a cryptographic protocol designed to provide communications security over a computer network. Several versions of the protocol are widely used in applications such as email, instant messaging, and voice over IP, but its use as the security layer in HTTPS remains the most publicly visible.

6- Push Notifications:

To send push notifications to your users you need to use Apple’s APNS services.

You can use UNNotificationServiceExtension.

7- CloudKit

If your app doesn’t need a server, you can use Apple’s CloudKit. CloudKit allows you to store data in iCloud containers while using your Apple ID as the login mechanism for your app. This way, you don’t need to implement all of these services on your own.

You can reach millions of users without fearing costs for traffic, data storage or requests.

8- Printing logs:

Developers often call the print() function for debugging. The problem is that they can forget to remove these calls, which might contain some information that an attacker could use to breach your security.

9- Apple CryptoKit:

CryptoKit was presented at WWDC2019 as the new framework to perform cryptographic operations in iOS. It includes the most popular encryption and hashing algorithms. Let’s take a look at some of CryptoKit’s features.

CryptoKit features these three hash functions: SHA256, SHA384, and SHA512. Here’s how you use these functions:
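An added example (not the original post's code) of one-shot hashing with all three functions, plus incremental SHA256 hashing of a file for an integrity check. The function names and the 64 KB chunk size are assumptions; CryptoKit requires iOS 13 or later.

```swift
import CryptoKit
import Foundation

// Added example: function names and the chunk size are illustrative choices.

/// Lowercase hex string for any CryptoKit digest (SHA256, SHA384, SHA512).
func hexString<D: Digest>(_ digest: D) -> String {
    digest.map { String(format: "%02x", $0) }.joined()
}

/// One-shot hashing of in-memory data with each of the three functions.
func digests(of data: Data) -> (sha256: String, sha384: String, sha512: String) {
    (hexString(SHA256.hash(data: data)),
     hexString(SHA384.hash(data: data)),
     hexString(SHA512.hash(data: data)))
}

/// Incremental hashing: feeds a file to SHA256 in chunks so large files
/// are never loaded into memory at once.
func sha256(ofFileAt url: URL) throws -> SHA256.Digest {
    let handle = try FileHandle(forReadingFrom: url)
    defer { try? handle.close() }
    var hasher = SHA256()
    while let chunk = try handle.read(upToCount: 64 * 1024), !chunk.isEmpty {
        hasher.update(data: chunk)
    }
    return hasher.finalize()
}

/// Integrity check of a downloaded file against a published SHA-256 value.
func fileMatches(_ url: URL, expectedSHA256Hex: String) throws -> Bool {
    try hexString(sha256(ofFileAt: url)) == expectedSHA256Hex.lowercased()
}
```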

10- Secure Secrets in iOS app:

1- Hard-Code Secrets in Source Code

2- Xcode Configuration and Info.plist

How do I store secrets securely on the client?

Don’t (but if you must, obfuscation wouldn’t hurt)

11- iOS obfuscation

Apple encrypts the code of the applications submitted to the App Store and restricts access to the machine code of the apps after download to prevent easy static analysis of the application.

This means that if an app can be installed on a jailbroken device, Apple’s app encryption will not be enough to prevent reverse engineering or app analysis by a potential malicious actor.

Types of code obfuscation:

There are several techniques available today to obfuscate code. These include:

Name Obfuscation:

Definition: The replacement of readable names in the code by difficult to decipher alternatives

Control Flow Obfuscation:

Definition: The modification of the logical structure of the code to make it less predictable and traceable

Arithmetic Obfuscation:

Definition: The conversion of simple arithmetic and logical expressions into complex equivalents

Code virtualization:

Definition: The transformation of method implementation into instructions for randomly generated virtual machines

Code obfuscation strategies include:

1. Renaming classes, fields, methods, libraries etc.

2. Altering the structure of the code

3. Transforming arithmetic and logical expressions

4. Encryption of strings, classes etc.

5. Removing certain metadata

6. Hiding calls to sensitive APIs, and more

If you have any questions, please feel free to ask through the comments.

Thanks for reading! 🚀
