5 min read
Developers working in iOS app development have to deal with a serious challenge that Android devs don’t have to face—jailbreak. As soon as an Apple device is jailbroken, hackers can use it to obtain details from your app if the code is not secure enough.
After one of its latest iOS updates, Apple had to quickly patch a zero-click malware vulnerability that could have let hackers take over iPhones. But if Apple can’t ensure 100% security of their code, how can you?
This article will describe five steps to ensuring data security during iOS development. To save time, we will skip the details of the hacking processes and concentrate on explaining solutions to potential issues instead. Whether you are a development agency or a business planning on launching an iOS app—read on to learn what measures to take to secure your customer’s data and safeguard your business from lawsuits.
Let’s start by acknowledging that jailbreaking is one of the primary ways iOS apps get hacked, as jailbroken devices provide unlimited capabilities to manage system settings and data. As it stands, there is no sure-fire way for a developer to check if the user’s device is jailbroken (any checks can be skipped due to the unlimited device management capabilities jailbreaking provides).
However, one can check for certain apps or files that are only found on jailbroken devices. For example, this tool from NERDZ LAB helps to check for all the main jailbreak presence triggers.
It’s also important to include additional validation of your URL schemes, as these are easily available. If your URL schemes allow for actions to be completed without validation, hackers can use them to scam your app owners. For example, If there’s no additional validation for purchases, hackers can emulate purchase confirmations and buy a ton of things through your app for free.
Remember that all the resources can be easily extracted from an application’s bundle, so managing them correctly is essential for your app security. You should always manually check the resources your app uses and ensure no sensitive private details are contained within them.
The same paradigm applies to xcconfig files. Quite often, they contain private keys from services used by your app, which can become a big issue if hackers gain access to them.
Based on the above, is it possible to keep sensitive details like private keys in a plaintext string inside the app code? Nope. Believe it or not, hackers can extract any string value from code in your apps.
The next logical step lies in securing your various types of private data storage. In the course of our iOS application development services, we differentiate between three primary variants of data storage, which are databases (Core Data, Realm, etc.), UserDefaults, and Keychain. Only the latter can be used to store private data like tokens, payment details, health data, and more. The former two locations can’t be encrypted, so hackers can easily extract the details.
But don’t start running to Keychain with all your sensitive data just yet. Due to the encryption, saving and retrieving information from Keychain is a time-consuming operation that can slow down your app and make it laggy. But, similarly to strings in your code, hackers can still get details from any jailbroken device.
The solution here is to additionally encrypt the data before adding it to the Keychain. This way, should they hack the Keychain the fraudsters will only get the encrypted data. Using a popular CryptoSwift library is the go-to approach here.
The direct hacking method as the man-in-the-middle attack is widely discussed because of its severe threats to security in iOS development. For example, this is a worthy long read on using SSL pinning to prevent man-in-the-middle, and we highly recommend making use of the information it discloses. TL;DR: before your app gets any data from the server, it commences a handshake operation to check the validity of the certificates.
Hackers might compromise a public Wi-Fi certificate, for example, and sniff your application’s traffic looking for weak spots. You can test out this scenario yourself using the ProxyMan tool (you will probably learn a lot of interesting details about your app when you check it out:))
The answer to this challenge is SSL pinning—which uses a manual certificate match validation against the certificate stored at the backend. Alamofire has built-in functionality for SSL pinning, but if you use any other solution for networking, TrustKit from Data Theorem may be a good choice. At NERDZ LAB we use this tool along with our networking solution NerdzNetworking.
The last security threat we need to discuss is social engineering. It happens when scammers don’t try to crack your app directly but instead try various tricks to get the data without using the usual hacking methods. This challenge can be solved through the following iOS app development best practices:
1. Use security fields in UI elements, so the system hides the content automatically and replaces it with an *. Using these fields also enables other security features—automatically hiding the data from the hierarchy of elements, content copying prohibition, etc.
2. If there are lots of sensitive details shown on screen frequently (like in a bank app that displays transaction details and card numbers), you MUST replace the screen contents before going to the background.
Because the system takes a snapshot of the screen before going to the background, this snapshot is used in the stack of your launched apps (which can be effortlessly opened to disclose sensitive information). Such screenshots are also easily obtained from jailbroken devices. So, ensure no sensitive data is left on the screen before going to the background. The simplest way to do this is to replace the data with the login page or app logo.
3. Use Keychain in a smart way. Decide what data can be obtained and what verification level it will require. The Keychain has several levels, and you must select the most appropriate one for each kind of information.
For example, you can specify that a user can obtain a token only on the device in use and only after unblocking it. This will elevate the security level without affecting your application’s performance and ensure hackers will not be able to obtain the token from other devices belonging to that user or from a phone backup. More details on possible approaches here are available in the Apple developer documentation on Keychain.
As you can see, you can take several measures and precautions to ensure your app is secured not only against hacking but also social engineering.
The best method of ensuring security in iOS app development is as follows—write the code correctly, without shortcuts, workarounds, or technical debt. Your app code is the main source of possible challenges and problems, as well as potential backdoors. Hackers are in the business of finding such security holes, so try NERDZ LAB’s mobile app development services for a solution you can trust.
Contact us for a more in-depth project consultation on how to ensure security in iOS development.