TL;DR Do not use UIWebView. Make sure your Info.plist doesn’t contain App Transport Security Exceptions. Follow the least privilege principle. Consider disabling JavaScript. Code JavaScript-ObjC/Swift bridges carefully. Follow good mobile application development practices -> see our Guidelines on mobile application security — iOS edition . Context Recently I had a chance to…

TL;DR Stop using HTTP, use HTTPS. App Transport Security exceptions shouldn’t be set on production environments. If you use third party networking libraries, verify the secure connection. For high risk applications, use certificate pinning. Always follow good mobile application development practices -> see our Guidelines on mobile application security — iOS…

Nowadays, Macs cannot be treated as a niche platform in companies. We meet Macs in all sized companies — from startups to big companies with thousands of employees. It’s not a big surprise that this fact was also noticed by attackers. During the security assessment, SecuRing team observed that usually…

TL;DR Whenever possible, avoid storing secrets on the device. Keychain is the right place to store your small app’s secrets. Entries saved in the Keychain can be additionally protected by setting proper accessibility and authentication flags. Watch out what you synchronize with iCloud. Files stored in the application container can also…

What is the Keychain? Keychain is essentially the safest place on your phone in terms of storing data. It is used by developers to store passwords, certificates, identities, or other keys in many forms. It is quickly adopted and many developers already understand how important it is to keep the most sensitive data in…

MacOS infrastructure Apple devices have been present in the companies for a long time. Wherever there is a need to deploy iOS applications, testers and programmers have to use Macs. UX/UI designers and movie editors use Macs for apps that have only Apple versions. It is also worth noting that Macs are…

Some time ago I got stuck in the USA because of the COVID-19. After coming back to Poland with the “evacuation flight” I had to undergo mandatory quarantine for 14 days. Every day the Polish Police was visiting me and checking if I’m sitting at home and don’t go outside…

Using iOS biometrics features like Touch ID and Face ID is a really convenient way to authenticate a user before performing sensitive actions. These actions, of course, depend on apps’ features. Usually, we test apps that use TouchID/FaceID to log in and to confirm financial actions (e.g. wire transfer). …

Security is a topic that should be considered also by iOS developers. Since the platform cannot be treated as 100% secure, devs and security division need to create a separate threat model for mobile applications. For all the years when iOS exists, many different types of application vulnerabilities have been…