iOS Appsec for Developers – IV: Points to remember

This part covers the secure handling of an iOS app's text fields. Some apps offer to save sensitive information such as passwords or card numbers so that, the next time the user logs in, the saved value is filled into the field for them. Separately from any such app feature, iOS itself caches the words typed into a text field (the keyboard cache that drives autocorrect and predictive text) unless the field is marked as secure text entry. The same happens when autocorrection is left enabled on the field. The advice is therefore to mark fields that take secrets as secure, to disable autocorrection on them as well, and to clear anything your app has placed on the pasteboard once the app is pushed into the background.
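As an added example (not code from the original post), the following Swift shows the weak UIKit defaults beside the hardened configuration for fields that take secrets, and clears the general pasteboard when the app starts leaving the foreground. The view controller and field names are assumptions for illustration.

```swift
import UIKit

// Added example, not code from the original post. The view controller and
// the field names are assumptions for illustration.

/// A text field that refuses copy/cut so its contents never reach the pasteboard.
/// Secure-entry fields already block copy; this covers visible fields such as
/// a card number, which cannot be masked while the user types it.
final class NoCopyTextField: UITextField {
    override func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {
        if action == #selector(UIResponderStandardEditActions.copy(_:)) ||
           action == #selector(UIResponderStandardEditActions.cut(_:)) {
            return false
        }
        return super.canPerformAction(action, withSender: sender)
    }
}

final class LoginViewController: UIViewController {
    private let passwordField = NoCopyTextField()
    private let cardNumberField = NoCopyTextField()
    private var observers: [NSObjectProtocol] = []

    override func viewDidLoad() {
        super.viewDidLoad()

        // Weak: a plain UITextField left at its defaults. isSecureTextEntry is
        // false and autocorrectionType is .default, so words typed into it are
        // added to the system keyboard cache used for autocorrect/predictive text.
        //   let weakField = UITextField()

        // Hardened: secure entry masks the input and keeps it out of the
        // keyboard cache; autocorrection and spell checking are also switched
        // off explicitly rather than relying on the secure flag alone.
        harden(passwordField, secure: true)

        // A card number must stay readable while it is typed, so it cannot use
        // secure entry; disabling autocorrection opts it out of the keyboard
        // cache, and the digit keypad has no QuickType suggestion bar.
        harden(cardNumberField, secure: false)
        cardNumberField.keyboardType = .numberPad

        // Clear the pasteboard as soon as the app begins losing the foreground.
        // willResignActive fires before the app is backgrounded, so nothing the
        // app copied is left for other apps to read.
        let center = NotificationCenter.default
        observers.append(center.addObserver(
            forName: UIApplication.willResignActiveNotification,
            object: nil,
            queue: .main
        ) { _ in
            LoginViewController.clearGeneralPasteboard()
        })
    }

    deinit {
        for observer in observers {
            NotificationCenter.default.removeObserver(observer)
        }
    }

    /// Applies the hardened input traits to one field.
    private func harden(_ field: UITextField, secure: Bool) {
        field.isSecureTextEntry = secure
        field.autocorrectionType = .no
        field.spellCheckingType = .no
    }

    /// Removes every item from the general pasteboard.
    static func clearGeneralPasteboard() {
        UIPasteboard.general.items = []
    }
}
```

Clearing the pasteboard is a blunt instrument: it also discards anything the user copied from another app. If the app only ever writes its own secrets to the pasteboard, an alternative is to never use `UIPasteboard.general` for them and instead disable copy on the field, as `NoCopyTextField` does.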

This last part touches upon UIWebView. UIWebView renders web content and supports JavaScript. If an attacker can control what the web view loads, they can run their own JavaScript inside it, harvest data the user enters, or redirect the user to a malicious site. (Apple has since deprecated UIWebView in favour of WKWebView, which renders page content in a separate process; the points below apply to both.) As a developer, you can make sure the content displayed through a web view is not insecure by:

  • Loading the content over HTTPS only
  • Never building the URL or HTML that the web view loads from untrusted user input
  • Putting a check in place on what the web view loads: validate the URL (scheme and host) before loading it, and if you fetch the content yourself with dataWithContentsOfURL: (a class method of NSData), validate the fetched data before handing it to the web view. Note that dataWithContentsOfURL: is synchronous, so it should not be called on the main thread.
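The three points above, applied with WKWebView (UIWebView's replacement), as an added example that is not code from the original post: HTTPS only, a start URL that is a constant rather than assembled from user input, and a check that runs on the initial load and on every later navigation. The allow-listed host and the page path are placeholders.

```swift
import UIKit
import WebKit

// Added example, not code from the original post. The allow-listed host and
// the start URL are placeholders for illustration.
final class HardenedWebViewController: UIViewController, WKNavigationDelegate {
    /// Hosts this screen is permitted to display (assumption for the example).
    static let allowedHosts: Set<String> = ["www.example.com"]

    private var webView: WKWebView!

    override func viewDidLoad() {
        super.viewDidLoad()

        let config = WKWebViewConfiguration()
        // Leave JavaScript off unless the content needs it: injected script can
        // only run if script execution is enabled in the first place.
        if #available(iOS 14.0, *) {
            config.defaultWebpagePreferences.allowsContentJavaScript = false
        } else {
            config.preferences.javaScriptEnabled = false
        }

        webView = WKWebView(frame: view.bounds, configuration: config)
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        webView.navigationDelegate = self
        view.addSubview(webView)

        // The initial URL is a constant, never built from user input, and it
        // still goes through the same check as every later navigation.
        let start = URL(string: "https://www.example.com/terms")!   // placeholder
        if HardenedWebViewController.isAllowed(start) {
            webView.load(URLRequest(url: start))
        }
    }

    /// The check: the scheme must be https and the parsed host must be in the
    /// allow list. Comparing the parsed host rather than a string prefix defeats
    /// URLs such as "https://www.example.com.evil.test/".
    static func isAllowed(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased(), scheme == "https",
              let host = url.host?.lowercased() else {
            return false
        }
        return allowedHosts.contains(host)
    }

    // Every navigation (link click, redirect, meta refresh, subframe load,
    // JavaScript location change) passes through here; anything that fails the
    // check is cancelled, so a compromised page cannot send the user elsewhere.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        if let url = navigationAction.request.url,
           HardenedWebViewController.isAllowed(url) {
            decisionHandler(.allow)
        } else {
            decisionHandler(.cancel)
        }
    }

    // Also refuse responses that are not a successful HTML document, so an
    // allowed host that starts serving something unexpected is not rendered.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationResponse: WKNavigationResponse,
                 decisionHandler: @escaping (WKNavigationResponsePolicy) -> Void) {
        guard let http = navigationResponse.response as? HTTPURLResponse,
              (200..<300).contains(http.statusCode),
              (http.mimeType ?? "").lowercased().hasPrefix("text/html") else {
            decisionHandler(.cancel)
            return
        }
        decisionHandler(.allow)
    }
}
```

Two caveats a practitioner should keep in mind. The navigation-action delegate only sees navigations; subresource loads inside the page (scripts, images, XHR/fetch) do not pass through it, so restricting those needs a WKContentRuleList in the app or a Content-Security-Policy header from the server. And App Transport Security already refuses plain-HTTP loads by default, but only until someone adds an exception to Info.plist, which is why the scheme check above is kept in code rather than relying on ATS alone.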


Given below is a list of references that you can refer to:

https://learn.techbeacon.com/units/how-get-started-mobile-penetration-testing-ios

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

Secure Coding Guide:

https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html

SSL Pinning:

https://infinum.co/the-capsized-eight/how-to-make-your-ios-apps-more-secure-with-ssl-pinning

https://developer.apple.com/library/content/technotes/tn2232/_index.html#//apple_ref/doc/uid/DTS40012884-CH1-SECSTRICTER

Keychain for storing data:

https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/

https://www.andyibanez.com/using-ios-keychain/

https://developer.apple.com/documentation/foundation/userdefaults

Keeping private info out of the repository:

http://www.jontolof.com/cocoa/using-xcconfig-files-for-you-xcode-project/

http://resources.infosecinstitute.com/ios-application-security-part-25-secure-coding-practices-ios-development/#gref

Security Development Checklist:

https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html#//apple_ref/doc/uid/TP40002415-CH1-SW1

https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/SecurityGuidelines.html#//apple_ref/doc/uid/TP40009511-SW1

https://developer.apple.com/documentation/security

https://medium.com/wolox-driving-innovation/how-to-increase-my-ios-application-security-17681f068d11

https://dzone.com/articles/3-ios-app-attack-vectors-and-how-to-strengthen-you
