More Than 8-in-10 iOS Apps Have Poor Standards of Cryptography

--

For a profession that should treat cryptography as common knowledge, the standards actually applied are often poor, especially in software development. Feichtner et al [here][1] therefore set out to analyse Apple iOS applications for cryptographic mis-configurations:

For this they used a decompilation method to analyse the code of applications found on the Apple App Store, and then traced the data flows into the cryptographic calls.

Within iOS there are common crypto libraries which are used to implement ciphers, hashes, and key derivation functions. CommonCrypto is used for symmetric ciphers, hashes and key derivation functions, whereas Security is used for asymmetric functions and digital certificate operations. The calls detected are:

  • CCCryptorCreate/CCCrypt: This involves the initialisation of the cryptographic function, such as the cipher type, the pointer to the key, and the pointer to the IV.
  • CCKeyDerivationPBKDF: This involves the conversion from a pass phrase and salt to a derived key, using PBKDF2.
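To make the analysis concrete, here is an added example (not code from the paper or from this post) of the kind of rule check that runs once the decompiler has traced each argument of a CCCrypt or CCKeyDerivationPBKDF call back to its origin. The call-site records, the provenance labels (constant, random, derived, null) and the rule set are this example's own simplification; the CommonCrypto constant values are Apple's. The sample call sites are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# CommonCrypto constants from <CommonCrypto/CommonCryptor.h> and
# <CommonCrypto/CommonKeyDerivation.h>; the numeric values are Apple's.
kCCOptionPKCS7Padding = 0x0001
kCCOptionECBMode = 0x0002
kCCPBKDF2 = 2
kCCPRFHmacAlgSHA1 = 1

# Where an argument's value came from, as a data-flow analysis would label it
# after tracing the pointer to its definition. Labels are this example's own.
CONST = "constant"    # literal embedded in the binary
RANDOM = "random"     # output of a CSPRNG such as SecRandomCopyBytes
DERIVED = "derived"   # output of a KDF or a user-supplied secret
NULL = "null"         # NULL pointer passed

@dataclass
class Arg:
    source: str
    value: Optional[int] = None  # concrete value where the analysis resolved one

@dataclass
class CallSite:
    api: str        # e.g. "CCCrypt", "CCCryptorCreate", "CCKeyDerivationPBKDF"
    args: dict      # argument name -> Arg
    location: str   # where the call was found (constructed labels below)

def check_cccrypt(call):
    """Rules for CCCrypt/CCCryptorCreate: mode, key origin and IV origin."""
    findings = []
    opts = call.args["options"].value or 0
    ecb = bool(opts & kCCOptionECBMode)
    if ecb:
        findings.append("ECB mode")
    if call.args["key"].source == CONST:
        findings.append("hard-coded key")
    iv = call.args["iv"]
    if not ecb:  # CBC: an IV is expected, so its origin matters
        if iv.source == NULL:
            # CommonCrypto substitutes an all-zero IV when NULL is passed in CBC
            findings.append("NULL IV (all-zero IV used)")
        elif iv.source == CONST:
            findings.append("static IV")
    return findings

def check_pbkdf(call):
    """Rules for CCKeyDerivationPBKDF: salt origin and iteration count."""
    findings = []
    if call.args["salt"].source in (CONST, NULL):
        findings.append("static salt")
    rounds = call.args["rounds"].value
    if rounds is not None and rounds < 1000:  # 1000 is this example's threshold
        findings.append(f"low iteration count ({rounds})")
    return findings

CHECKS = {
    "CCCrypt": check_cccrypt,
    "CCCryptorCreate": check_cccrypt,
    "CCKeyDerivationPBKDF": check_pbkdf,
}

def analyse(calls):
    """Return {location: [findings]} for every call site that breaks a rule."""
    report = {}
    for call in calls:
        found = CHECKS.get(call.api, lambda _c: [])(call)
        if found:
            report[call.location] = found
    return report

# Constructed call sites standing in for what a decompiler would recover.
SAMPLE_CALLS = [
    CallSite("CCCrypt", {"options": Arg(CONST, kCCOptionECBMode | kCCOptionPKCS7Padding),
                         "key": Arg(CONST), "iv": Arg(NULL)}, "ViewController.m:42"),
    CallSite("CCCrypt", {"options": Arg(CONST, kCCOptionPKCS7Padding),
                         "key": Arg(DERIVED), "iv": Arg(RANDOM)}, "ViewController.m:58"),
    CallSite("CCKeyDerivationPBKDF", {"salt": Arg(CONST), "rounds": Arg(CONST, 100)},
             "Keychain.m:17"),
    CallSite("CCKeyDerivationPBKDF", {"salt": Arg(RANDOM), "rounds": Arg(CONST, 10000)},
             "Keychain.m:30"),
]

if __name__ == "__main__":
    for location, findings in analyse(SAMPLE_CALLS).items():
        print(location, "->", ", ".join(findings))
```

The two "good" call sites (CBC with a derived key and random IV; PBKDF2 with a random salt and 10000 rounds) produce no findings, while the ECB call with an embedded key and the PBKDF2 call with a fixed salt and 100 rounds are each reported with the specific rule they break.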

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.