iOS Appsec for Developers – IV: Points to remember

This bit discusses the secure implementation of an iOS app's text fields. Some apps offer to save sensitive information such as passwords or credit card numbers so that, for example, when the user attempts to log in the next time, the data is retrieved from the cache and autofilled into the text field. This works because iOS caches the data a user enters into a text field (in the absence of the secure flag). The same situation arises when the autocorrection feature is switched on, since the keyboard's autocorrect dictionary learns what was typed. Hence it is advised to disable autocorrection and enable the secure flag as well. Clear the data stored in the pasteboard once the app is pushed into the background.
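The following Swift snippet is an added example and not code from the original post: it shows a login form whose fields carry the secure flag and have autocorrection and spell-check learning disabled, and which empties the general pasteboard (and the in-memory password) when the app enters the background. The observer is registered on the view controller rather than in the AppDelegate only so that the example is self-contained; the class and field names are assumptions.

```swift
import UIKit

// Added example (not the original post's code): a login form whose fields
// are configured so that the iOS keyboard cache never learns the password,
// and whose pasteboard is cleared when the app goes to the background.
final class LoginViewController: UIViewController {

    let usernameField = UITextField()
    let passwordField = UITextField()

    override func viewDidLoad() {
        super.viewDidLoad()
        configure(passwordField, secure: true)
        configure(usernameField, secure: false)

        // Assumption: the pasteboard is cleared from here via the
        // notification instead of applicationDidEnterBackground(_:) in the
        // AppDelegate, purely to keep the example in one file.
        NotificationCenter.default.addObserver(
            self,
            selector: #selector(clearSensitiveState),
            name: UIApplication.didEnterBackgroundNotification,
            object: nil)
    }

    /// Hardens one text field. `secure` masks the input and, as a side effect,
    /// stops the keyboard from caching what is typed into that field.
    private func configure(_ field: UITextField, secure: Bool) {
        field.isSecureTextEntry = secure       // masked input, no keyboard cache
        field.autocorrectionType = .no         // nothing added to the autocorrect dictionary
        field.spellCheckingType = .no          // no spell-check learning either
        field.smartQuotesType = .no            // keep typed characters as typed
        field.smartDashesType = .no
        field.smartInsertDeleteType = .no
        // Password AutoFill (Keychain-backed) is the sanctioned way to offer
        // saved credentials; it replaces any home-grown caching of the value.
        field.textContentType = secure ? .password : .username
    }

    @objc private func clearSensitiveState() {
        // Empty the general pasteboard so a copied password or card number
        // does not survive backgrounding for other apps to read.
        UIPasteboard.general.items = []
        // Drop the in-memory password too; it would otherwise be visible in
        // the app-switcher snapshot and any later memory dump.
        passwordField.text = nil
    }

    deinit {
        NotificationCenter.default.removeObserver(self)
    }
}
```

Setting `isSecureTextEntry` alone already disables the keyboard cache for that field, but the username field (and any other field that takes personal data) still needs `autocorrectionType` and `spellCheckingType` set to `.no` explicitly.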

This last bit touches upon UIWebViews. UIWebViews support JavaScript. If an attacker manages to compromise the content shown in a UIWebView, they can execute their own JavaScript inside it, extract data from the user, or redirect the user to a malicious website. As a developer, you can ensure that the content displayed in the WebView is trustworthy by:

  • Loading the content over HTTPS
  • Ensuring that the URL loaded into the UIWebView is not built from user input
  • Ensuring checks are in place before loading a URL into the WebView, for example by fetching it with `dataWithContentsOfURL:` (a class method of NSData) and validating the result before handing it to the view
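The Swift example below is added here and is not the post's own code. It applies the three rules above, but to WKWebView rather than UIWebView, since WKWebView is Apple's supported replacement and exposes the same checks: only `https`, only an allow-listed host, and JavaScript switched off for content that does not need it. Every navigation the page itself triggers (redirects, links, frames) passes through the same `isPermitted(_:)` check via the navigation delegate, so a redirect cannot escape the policy. The host `content.example.com`, the class name and the single `load(_:)` entry point are assumptions.

```swift
import UIKit
import WebKit

/// Added example, not from the original post: a web view that only shows
/// HTTPS content from an allow-listed host and keeps JavaScript disabled.
final class HardenedWebController: UIViewController, WKNavigationDelegate {

    // Assumption: the app only ever displays content from this host.
    private let allowedHosts: Set<String> = ["content.example.com"]
    private var webView: WKWebView!

    override func viewDidLoad() {
        super.viewDidLoad()
        let config = WKWebViewConfiguration()
        // JavaScript stays off for static content; a tampered page then
        // cannot run script inside the app's web view at all.
        if #available(iOS 14.0, *) {
            config.defaultWebpagePreferences.allowsContentJavaScript = false
        } else {
            config.preferences.javaScriptEnabled = false
        }
        webView = WKWebView(frame: view.bounds, configuration: config)
        webView.navigationDelegate = self
        view.addSubview(webView)
    }

    /// Returns true only for https URLs whose host is on the allow list.
    func isPermitted(_ url: URL) -> Bool {
        guard url.scheme?.lowercased() == "https",
              let host = url.host?.lowercased() else { return false }
        return allowedHosts.contains(host)
    }

    /// Single entry point for loading. The URL comes from app code, never
    /// from user input, and anything off-policy is refused before a request
    /// is issued.
    func load(_ url: URL) {
        guard isPermitted(url) else {
            assertionFailure("Refused to load \(url)")
            return
        }
        webView.load(URLRequest(url: url))
    }

    /// Re-checks every navigation the loaded page initiates, so that a
    /// redirect or link cannot take the view to an unlisted host or to http.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        if let url = navigationAction.request.url, isPermitted(url) {
            decisionHandler(.allow)
        } else {
            decisionHandler(.cancel)
        }
    }
}
```

If the content genuinely needs script, enable it per navigation in `decidePolicyFor` (iOS 13+ offers a `WKWebpagePreferences` overload for exactly that) rather than globally, so only the allow-listed origin ever gets JavaScript.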


Given below is the list of references that you can refer to:

  • Secure Coding Guide
  • SSL Pinning
  • Keychain for storing data
  • Keeping private info out of the repository
  • Security Development Checklist