iOS Application Security Checklist
Security is a crucial aspect of mobile apps development and iOS is considered to be one of the most secure mobile operating systems due to its closed system and restrictions.
Still, there are many techniques/tools/guidelines which can be directed in order to keep your user data and privacy intact.
In this article, we will run through some of the tips, tricks & security checklist that can help strengthen the security of your mobile application.
What are the security challenges in iOS?
- Data Leaks
Storing sensitive data such as access token, secrets, API credentials in an unsecured way can lead to interception or stealing of user data — which matters the most! Our sensitive application data should not be simply given away. - Unsecured communication
By making our application communicate with a server using a non-secure connection, such as HTTP, will be risky can lead to potential and easy attacks. - Man in the middle attack
By using known techniques of faking Certificate Authority (CA) on the device, the attacker could imitate the target, and decrypt traffic, i.e. a ‘Man-in-the-Middle attack’. This could lead to a leak of sensitive data which would expose other vulnerabilities. Hence, SSL is not enough to make your app secure all the time.
Checklist which can tighten your app security
1. Keychain For Sensitive Data Storage
Most of us do the mistake of storing sensitive data where they do not belong. If you are storing sensitive data in UserDefaults then you are risking your application's information.
UserDefaults are stored as simple plist file in the application without being encrypted. Hence, it's very easy to access these data using any third-party applications like iMazing etc, using you can easily view UserDefaults data for any app downloaded from the AppStore.
In Order to save our apps sensitive data, we should use Security services provided by Apple.
Keychain Services API helps you solve these problems by giving your app a way to store the small amount of user data in an encrypted database called the keychain.
In the keychain, you are free to save passwords, access tokens and other secrets that the user explicitly cares about, such as credit card information or even short sensitive notes.
You can also store items like the cryptographic keys, and certificates that you manage with Certificate, Key, and Trust Services.
The query dictionary part kSecClass:kSecClassGenericPassword indicates that the item is a password, from which keychain services understands that the data requires encryption.
I have created one sample Xcode project on KeyChain API usage, can be downloaded from here.
https://github.com/SumitKr88/KeyChainSample
https://github.com/jrendel/SwiftKeychainWrapper
2. Application Transport Security Layer
Apple introduced a security/network feature App Transport Security (ATS) post iOS9. App Transport Security (ATS) improves privacy and data integrity for all apps and app extensions.
When exchanging information, apple enforces to use ATS to provide a secure connection. ATS will make sure every connection application will make must uses HTTPS and TLS1.3, unless or until you loosened this to use HTTP layered communication, which is not advisable to do so.
The Transport Layer Security (TLS) protocol provides data encryption for socket-based communication, along with authentication of servers and (optionally) clients to prevent spoofing.
Apple guidelines:
Always look for ways to improve server security before adding ATS exceptions. Loosening ATS restrictions reduces the security of your app.
To set up, you can follow:
https://developer.apple.com/documentation/security/preventing_insecure_network_connections
https://stackoverflow.com/questions/31254725/transport-security-has-blocked-a-cleartext-http
3. SSL Pinning
SSL stands for Secure Socket Layer, which is a protocol for creating an encrypted connection between client and server. It ensures that all data passed in a network will be private and integral.
SSL pinning can help to prevent the Man In Middle Attack.
We use SSL pinning to ensure that the app communicates only with the designated server itself, and the app will not allow any requests to be sent out to any untrusted server.
When the communication starts, the client examines the server’s SSL certificate and checks if the received certificate is trusted by the Trusted Root CA store or other user-trusted certificates.
A potential drawback of this is you need to update the app as well if a server certificate expires, the server’s SSL key is changed or maybe for some other reason.
Since you hardcode the trusted certificates, the app needs to be updated too.Popular libraries of SSL Pinning :
Alamofire : Networking Library https://github.com/Alamofire/Alamofire
TrustKit : TrustKit, an open-source SSL pinning library for iOS and macOS is available at https://github.com/datatheorem/TrustKit. It provides an easy-to-use API for implementing pinning, and has been deployed in many apps.Refrences:
https://www.netguru.com/codestories/certificate-pinning-in-ios
https://github.com/antekarin/ssl-pinning-swift
4. Jailbroken Device Check
iOS jailbreaking is the process of bypassing security restrictions by Apple which permits root access to iOS. On a jailbroken device having a weak jailbroken will exposes your application to attacks and can put your application behavior and logic at risk.
The applications for which you cannot compromise on security, then it becomes necessary to restrict your app to run only on non-jailbroken devices.
Well, it's impossible to detect all jailbroken devices in all cases, but you can make hacking a bit more difficult by adding these checks.
5. Enabling Debug Logs
The device logs via application accidentally leak sensitive information, this is risky for release builds.
Now, if an application is logging sensitive information, then its data will be captured on-device logs. An attacker can easily dump device logs and retrieve the user’s sensitive information.
Many times, to ease out debug process debugging, etc, we log almost everything. Its highly recommended to cross-check this before making a release build.
Use #DEBUG macro to print in debug builds only.
NSLog to be strictly avoided.
Refrences:
https://github.com/SumitKr88/Apple-Unified-Logging-Wrapper
https://github.com/CocoaLumberjack/CocoaLumberjack
https://developer.apple.com/documentation/os/logging
6. Third-Party Library Usage Check
This should be on your list, as sometimes the third party libraries can inject harmful content in your code.
Hence it's advisable to cross-check its repository links, license and try running through some code review/vulnerability check tools.
Don’t ever disable ATS for them, even if any third party library request to do so.
7. Copy Paste Option on Sensitive TextFields
Any copy-paste operation on the text field gets copied to UIPasterboard. Pasteboard is the commonplace among all apps. If one app copies data to the pasteboard can be accessed by any other application on the system, even after the application terminates. This data can also be written to disk.
If the application does not need to support copy and paste at all, remove all use of and references to UIPasteboard objects.If there is a need for the application to copy and paste data within itself but not to other applications, use a unique, private, non-persistent pasteboard.
8. Screen Recording & Screen Capture
This is another check which should be on your list. Missing this can put your application under attack and risk of the data leak.
As some popular apps on your phone may be secretly taking screenshots of your activity and sending them to third parties.
Some banking, healthcare applications would like to restrict the users to capture the content and restrict sensitive information in order to avoid any data leak.
Risk:
— Attackers can record any paid video content being streamed
— Can record/capture any login/username/credit card info’s etc related sensitive information being added.
userDidTakeScreenshotNotification Posted when the user presses the Home and Lock buttons to take a screenshot.
NotificationCenter.default.addObserver(self, selector: #selector(didCapturedscreenshot), name: UIApplication.userDidTakeScreenshotNotification, object: nil)The contents of a screen can be recorded, mirrored, sent over AirPlay, or otherwise cloned to another destination. UIKit sends capturedDidChangeNotification notification when the capture status of the screen changes.
NotificationCenter.default.addObserver(self, selector: #selector(screenCaptureChanged), name: UIScreen.capturedDidChangeNotification, object: nil)References:
https://github.com/abhimuralidharan/ScreenCaptureDetector/tree/master/ScreenCaptureDetector/ScreenCaptureDetector
https://github.com/takashings/ScreenCapturedSample
ScreenShield — A external library. https://blog.getconfide.com/introducing-screenshield-ios-screenshot-prevention-for-confide-and-beyond-692bbae2c31d
9. Disable Auto-Correction & Enable Masking
For the user, sensitive input fields such as password, credit card info, etc, make sure to disable the auto-correction for the keyboard.
textField.autocorrectionType = .noAs keyboards used in iOS cache data used for auto-correction.
The system takes a screenshot of the screen when the app goes from foreground to background. Hence, implement proper masking if the screen has sensitive data and its visible on the screen.
10. Cryptography
As we usually do secure data communication via HTTPS secure connection etc hence, usage of cryptography looks redundant. However, there could be many situations when you need to use cryptography.
To store data using the keychain, which is good for small pieces of information such as keys, passwords, and certificates.
Say if you storing large amounts of custom data, your app may have applications featuring private photos, private chat messages archived, storing any financial/medical sensitive information, local DB, etc. then it’s better to encrypt using cryptography.
Implementing cryptography by yourself may be risky and won't be a good idea to do so. Listed down a few libraries/framework to refer
References:
CryptoSwift — https://github.com/krzyzanowskim/CryptoSwift
RNCryptor — https://github.com/RNCryptor/RNCryptorApple recently introduced a new framework named CryptoKit at WWDC19, which makes generating hashes, encrypting data and verifying/authenticating data even easier.
11. Code Obfuscation
Code Obfuscation is a technique to increase the complexity of backtracing code via a reverse engineering.
Reverse engineering apps can provide valuable insight into how your app works. Using obfuscation makes it difficult for attackers to see how the app operates, which can reduce the number of attack vectors.
Swift is a compiled language, and the Clang compiler is highly optimized. In release mode, it strips out symbols and does a lot of optimization that does a great deal of obfuscation all by itself. However, app store stripping symbols is not enough all the time, there could be a situation when you feel the need.
For example —
There is In-App-Purchases and you don’t want someone to hack your app and get around your main source of revenue stream or
You have created a significant app with a valuable intellectual property like copyright/patents etc.
References:
Sirius — https://github.com/Polidea/SiriusObfuscator
SwiftShield — https://github.com/rockbruno/swiftshield
Obfuscation.swift
Conclusion
iOS is considered one of the most secure mobile operating systems. This does not mean, that security checks can be neglected when developing an iOS application. Next time whenever you start your application development going through these checklists will surely make the app more secure.
Even after doing all these checks, it doesn’t mean that these solutions are sufficient in every case and your app is 100% invulnerable, but this will certainly make job lot tougher for attackers.
It’s a never-ending tug-of-war between developers and attackers.
Keep Learning, about new vulnerabilities and try to be up to date.
Thanks for reading the article, hope this helps!!!
— — — — — — Happy Coding !!! — — — — — — —
Any further queries/suggestions please leave a comment below or reach out to me on sumit16.kumar@gmail.com
