How to build a secure iOS app and avoid breaches by reverse engineering

Pandurang Yachwad
Published in Apps Studio
Mar 31, 2017

In today’s world, customer trust is of the utmost importance for any app to be successful. To gain that trust, it is most important to build a secure app that takes care of data privacy and stores customer data securely. Customer data can be secured by using the built-in data protection and by not storing customers’ private data on the device without encryption. Here are a few steps that can provide data security for an iOS app.

  • Use Xcode’s built-in data protection capability to store sensitive data on the device, so that the data is kept in encrypted form
  • Use a secure login flow, with multi-factor authentication if required
  • Do not store sensitive data locally on the device unless it is encrypted
  • Use secure, authenticated connections (https) for accessing data over the network
  • Use trusted and well-established backend systems (AWS, Firebase, etc.) for storing data remotely
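One way to apply the first and third points above, as an added example that is not code from the original article: small secrets go into the Keychain with a device-only accessibility class, and larger files are written with complete file protection. The names `SecretStore`, `writeProtected` and the service identifier `com.example.myapp.auth` are hypothetical.

```swift
import Foundation
import Security

// Added example; SecretStore and the service identifier are hypothetical names.
enum SecretStore {
    static let service = "com.example.myapp.auth"

    private static func baseQuery(_ account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Small secrets (tokens, passwords) belong in the Keychain, not in UserDefaults or plist files.
    static func save(_ secret: Data, account: String) -> Bool {
        _ = SecItemDelete(baseQuery(account) as CFDictionary)   // replace any previous value
        var query = baseQuery(account)
        query[kSecValueData as String] = secret
        // Readable only while the device is unlocked; not restored onto a different device.
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(query as CFDictionary, nil) == errSecSuccess
    }

    static func load(account: String) -> Data? {
        var query = baseQuery(account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
        return item as? Data
    }

    // Removes the secret, e.g. on logout or when the app decides the device is untrusted.
    static func wipe(account: String) -> Bool {
        let status = SecItemDelete(baseQuery(account) as CFDictionary)
        return status == errSecSuccess || status == errSecItemNotFound
    }
}

// Larger sensitive files: Data Protection class "complete" keeps the file
// encrypted and unreadable while the device is locked.
func writeProtected(_ data: Data, named name: String) throws -> URL {
    let dir = try FileManager.default.url(for: .applicationSupportDirectory, in: .userDomainMask,
                                          appropriateFor: nil, create: true)
    let url = dir.appendingPathComponent(name)
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}
```

File protection only takes effect on a device that has a passcode set, so the Keychain remains the right place for credentials.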

Apart from customer data, it is also very important to protect apps from reverse engineering. Hackers, competitors or anyone else can learn a lot about an app by reverse engineering its public binary (the app on the App Store). With just a few steps and a little technical background, anyone can find out which frameworks the app uses and access its images and publicly stored files. As an app developer, there is no need to worry about this, as most of these details are already publicly available, be it on the App Store or in frameworks used by millions of other apps. The real concern is that reverse engineering the app shouldn’t lead to access to intellectual property (IP), the architecture of the app, design flows and source code. Apps running on jailbroken devices are at higher risk of hacking and reverse engineering than apps on non-jailbroken devices. Through code injection, traffic monitoring and IPA decoding, a hacker is able to access the code. Below are a few things that can prevent unintended access through reverse engineering of the app.

  • Check for jailbroken devices; if one is detected, wipe the sensitive data from the device and close the app.
  • Obfuscate strings.
  • There are third-party APIs that can be used to protect the app from reverse engineering, hacking and malpractice, such as EnsureIT from Arxan.

In conclusion, there is always a danger of the app being accessed by unintended users, so it is the architect’s/developer’s responsibility to build the app as securely as possible.

Originally published at leapforwards.wordpress.com on March 31, 2017.
