When thinking about iPhone/iPad application security, I notice that there are:

  • Widely available hacking tools that allow filesystem access
  • Network interception, man-in-the-middle attacks

==> Data theft threat

and also:

  • Availability of hacking tools that allow users to freely share a paid app with friends/community (seen in Cydia)
  • Availability of hacking tools that allow in-app purchases without paying (seen in Cydia; I've heard it doesn't work with every app)

==> Revenue loss threat

So I am wondering, #1, what are the best practices for better security in an iOS application? Also, #2, what are the best ways to reduce revenue loss and minimise hacking exposure?

For #1 I've seen some WWDC slides about security (1, 2, 3, 4) plus the Apple docs,

and I can say that among these best practices are:

  • Using APIs Offering Data Protection (like NSFileManager with NSFileProtectionKey attribute)
  • Using Keychain
  • Protecting sensitive data with SSL and using certificates

For #2 I think that a business model based on a free application, with in-app purchases backed by App Store receipt verification, can be the model with minimum revenue loss.

What are your best practices for security, and the best way to minimise the chances of app hacking?

AmineG

5 Answers

#1 what are best practices to get a better security in iOS application?

Appropriate data security is highly dependent on the nature of the information. Is it long-lived or short-lived? Is it a general credential that can be used to open other things, or a single piece of data? Is the potential loss privacy, financial, or safety? Determining the appropriate protections requires a specific case and has no general answer. But you ask for best practices and there are several. None of them are perfect or unbreakable. But they are best practice. Here are a few:

  • Store sensitive information in Keychain
  • Set Data Protection to NSFileProtectionComplete wherever possible.
  • Do not store sensitive data you don't actually need, or for longer than you need.
  • Store application-specific authentication tokens rather than passwords.
  • Use HTTPS to verify the server you are contacting. Never accept an invalid or untrusted certificate.
  • When connecting to your own server, validate that the service presents a certificate that you have signed, not just "a trusted certificate."

This is just a smattering of approaches, but they set the basic tone:

  • Use the built-in APIs to store things. As Apple improves security, you get the benefits for free.
  • Avoid storing sensitive information at all and minimize the sensitivity of what you do store.
  • Verify the services you communicate with.

#2 what are best ways to reduce revenue loss and minimise hacking exposure?

This has been discussed many times on SO. This answer includes links to several of the other discussions:

Secure https encryption for iPhone app to webpage

The short answer is: worry about your customers, not your non-customers. Many pirates will never, ever pay you money, so your time and money are better spent helping your actual customers want to pay you, and making it easy for them to do so. Focus on making more money rather than protecting yourself from money that you could never have. Never, ever, tick off a paying customer in your efforts to chastise a non-paying customer. Revenge is a sucker's game and a waste of resources.

There are two great ways to avoid piracy:

  • Don't publish.
  • Publish junk no one wants.

There are some basic things you can do that are worth it just, as they say, to keep honest people honest (some are discussed in the various linked discussions). But don't lie awake nights worrying about how to thwart pirates. Lie awake worrying about how to amaze your customers.

And always remember: Apple spends more money than most of us have ever seen in our lives trying to secure the iPhone. Still it's jailbroken. Think about what your budget is going to achieve.

Rob Napier

  • Thanks for this response. The problem with #2 is that sometimes we can be using a paid third-party service, so it is important to reduce hacking exposure because of the additional costs it will cause. – AmineG Feb 26 '12 at 11:10
  • You will never make this problem go away; your real goal is to make the lossage an acceptable percentage of net. Think of it as shoplifting and treat it accordingly. (If the Kwiki-Mart made absolutely certain no one could shoplift, then no one would want to shop there.) That said, to help address this, if possible, tie your revenue to people rather than devices. Then authenticate the person, not the software. Then monitor for inappropriate user behaviors and shut down the accounts. This is basically the WoW model. But never spend more on enforcement than the actual lossage. – Rob Napier Feb 27 '12 at 14:25
  • One more side note here: There is the danger of a financial DoS against you with these kinds of situations. Someone intentionally floods your system in order to get you to spend unbounded money. The first thing you should do is work with your third-party provider to mitigate this. At the very least, put some kind of cap on your damages in the case of malicious use. Talk with them about it; you're *their* customer. Beyond that, I recommend normal DoS protections. Look for floods from a single source and cut them off if they go over reasonable limits (and page someone), etc. – Rob Napier Feb 27 '12 at 14:37
  • Interesting, I've seen that, for example, the Google Places API offers the possibility of a quota per user. Thank you for these explanations. – AmineG Feb 27 '12 at 20:14
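The "validate that the service presents a certificate that you have signed, not just a trusted certificate" point above, as an added Objective-C example that is not from the answer or from Apple's samples. It assumes an NSURLSession-based app (iOS 7+), a DER copy of your own server certificate bundled as `server.cer`, and that plain chain validation is still required before the pin is checked; it also applies the later answer's "latest TLS version" advice through `TLSMinimumSupportedProtocol`.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Accepts the server only when its leaf certificate is byte-for-byte the DER
// certificate shipped in the app bundle (assumed resource name: "server.cer").
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, strong) NSData *pinnedCertificate;
@end
@implementation PinnedSessionDelegate
- (instancetype)init {
    if ((self = [super init])) {
        NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
        _pinnedCertificate = [NSData dataWithContentsOfFile:path];
    }
    return self;
}
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    // Step 1: ordinary chain validation (expiry, hostname, trusted root) must pass.
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = SecTrustEvaluate(trust, &result) == errSecSuccess &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    // Step 2: pin. "A trusted certificate" is not enough; it must be our certificate.
    BOOL pinOK = NO;
    if (chainOK && self.pinnedCertificate && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafData = CFBridgingRelease(SecCertificateCopyData(leaf));
        pinOK = [leafData isEqualToData:self.pinnedCertificate];
    }
    if (pinOK) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        // Never degrade to default handling: a wrong or untrusted certificate cancels the request.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
// Session that refuses anything below TLS 1.2 and routes trust decisions through the delegate above.
NSURLSession *MakePinnedSession(void) {
    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    config.TLSMinimumSupportedProtocol = kTLSProtocol12;
    return [NSURLSession sessionWithConfiguration:config
                                         delegate:[[PinnedSessionDelegate alloc] init]
                                    delegateQueue:nil];
}
```

Rotating the server certificate means shipping an app update with the new `server.cer`, so pin well ahead of expiry or pin a certificate you control the renewal of.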

When the attacker gains physical access to the device (e.g. theft), he can do almost anything. Note that it is very easy to read application files. A stolen device can be jailbroken easily, and the attacker gains access even to the protected files.

My advice for storing sensitive data to the device:

  1. Don't do it if the data can be stored on a secure server.
  2. Use your own encryption; decrypt when the user is logged in, and delete the decrypted file when the user logs out or after the app has been in the background for some time.
  3. Every password and encryption key must be stored in the keychain.

Sulthan

Rob Napier mentioned good points. But to make it more secure,

#1 what are best practices to get a better security in iOS application?

  1. Store sensitive information in encrypted format in the Keychain.
    • Upon physical access to the device, keychain data can be dumped easily.
  2. Set the appropriate Data Protection class (NSFileProtectionComplete is preferable).
  3. Always use custom encryption along with the built-in API to store data.
    • Even if hackers find loopholes in the built-in API, your app is secure.
  4. Overwrite temporarily stored data before deletion.
    • Forensic techniques can be used to recover the deleted data.
  5. Use HTTPS and certificate pinning. Never accept untrusted certificates.
  6. Store important plist, sqlite, etc. files in the Library/Caches folder.
    • Files stored in the Caches folder are not backed up with iTunes.
  7. Always build the app with the latest Xcode.
    • Adds support for the latest SSL ciphers.

#2 what are best ways to reduce revenue loss and minimise hacking exposure?

It may not be possible to stop the piracy but we can make it tough.

  1. Prevent the app from running on jailbroken devices (think twice; you may lose valid customers).
    • Add code that detects the existence of a jailbreak.
  2. Prevent the app from attaching to debuggers.
    • Apps downloaded from the App Store are encrypted. Debuggers are used to decrypt and analyze the app. Add code that detects debuggers.

satishb3
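Items 1, 2 and 4 of the answer above (Keychain storage, the Data Protection class, and overwriting temporary data before deletion) as an added Objective-C example; this is not code from the answer. The service name `com.example.app.session` is a hypothetical placeholder, and the zero-fill is best effort on flash storage.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Item 1: keep the session token in the Keychain, readable only while the device
// is unlocked and never migrated to another device through a backup.
static BOOL StoreToken(NSString *account, NSData *token) {
    NSDictionary *query = @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
                             (__bridge id)kSecAttrService: @"com.example.app.session", // hypothetical
                             (__bridge id)kSecAttrAccount: account };
    SecItemDelete((__bridge CFDictionaryRef)query);        // drop any stale copy first
    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = token;
    attrs[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL) == errSecSuccess;
}

// Item 2: write a temporary file under the strongest Data Protection class, so its
// per-file key is unavailable whenever the device is locked.
static BOOL WriteProtected(NSData *data, NSString *path) {
    return [data writeToFile:path options:NSDataWritingFileProtectionComplete error:NULL];
}

// Item 4: overwrite the contents before unlinking, so the plaintext is not simply
// left behind in a freed block. (Best effort: wear levelling may retain a copy.)
static BOOL WipeAndDelete(NSString *path) {
    NSFileHandle *fh = [NSFileHandle fileHandleForWritingAtPath:path];
    if (!fh) return NO;
    unsigned long long size = [fh seekToEndOfFile];
    [fh seekToFileOffset:0];
    [fh writeData:[NSMutableData dataWithLength:(NSUInteger)size]];   // zero-fill
    [fh synchronizeFile];
    [fh closeFile];
    return [[NSFileManager defaultManager] removeItemAtPath:path error:NULL];
}
```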

It varies, really, depending on what you do. As for accessing an API, all you really need to do is hash and/or salt user information and then save the information (if necessary) in the keychain (you could add extra security by encrypting the passwords before pushing them into the keychain). It's best that you don't use NSUserDefaults, as the data entered into it is stored in a .txt file on the iPhone filesystem, which, as you said, can be accessed by hackers.

max_


Adding more to improve the security of the application

  • Do not send parameters using HTTP GET; use HTTP POST instead.
  • You can do SSL pinning to avoid MITM attacks.
  • Remove all the logs from the source before moving to production.
  • Do not hardcode encryption keys in the app itself; it is better to keep them somewhere remote.
  • When making a request, always use the latest SSL version (TLSv1.2).
  • If your app has WebViews, then beware of link injection. If you do not expect any URLs other than HTTP in the WebView, then check all the redirect URLs for the prefix "http" so that the loaded website does not allow other links to be opened.
  • You can choose to allow or block keyboard extensions, since they listen to all your keystrokes.

kadar