I'm trying to add a bit of security to my app. I have a server that the app connects to and I am thinking of sending a checksum of the binary when making a connection. If the checksum does not match what I want, the server won't allow any connection.

I've read a couple of articles on how you can increase the security of your app, and many mention checksumming your binary, but I haven't found any code explaining how you actually checksum your binary during runtime.

This one for example http://www.seoxys.com/3-easy-tips-to-prevent-a-binary-crack/#ptrace

Other than that, from what I have understood, there is no way of knowing the exact checksum beforehand, since Apple will sign it when submitting? I could, however, disable the check on my server when submitting a new version, then re-enable the check when I know the checksum. Not a perfect solution, but what solution is?

Can anyone point me in the right direction?

AstroCB
M3rd0n
  • Can you please tell, did you solve this? Is your app using App Thinning, and how did you deal with it when calculating hashes? – Petr Jan 26 '21 at 14:31

1 Answer

In short, this is a very difficult thing to do. The reason why is that you don't control the client code once it leaves your hands. Even if you get everything working perfectly with the checksum, an attacker could still take a checksum of the binary, modify it, and then have it submit the previous checksum instead of the new one, by modifying that code. In fact, you would probably make it easy for him/her by using a function like _getBinaryChecksum() that he can just change :-)

If you are going to do this, use a cryptographically strong hashing algorithm like SHA-256. You are right that Apple signing it will change the hash, so you will need to program the server with the hash of the file after Apple signs it. Also keep in mind that any change at all to the app will greatly affect the hash, so you need to keep a historical list of previous hashes so you don't shut out customers who haven't upgraded yet.

You may want to check out these StackOverflow questions, as it sounds like you are trying to do something similar:

Security When Using REST API in an iPhone Application

https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892
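The server-side bookkeeping the answer describes (SHA-256 of the signed build, a historical list so older versions keep working), as an added example that is not part of the answer or the original post; the version strings and the file hashed in the demo are constructed, and a matching hash still only proves the client sent a known value, not that the binary is intact.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash the binary in 1 MiB pieces so large apps do not load into memory


def sha256_of_file(path):
    """SHA-256 hex digest of a file. Run this on the build Apple has signed,
    because signing changes the bytes and therefore the hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class BinaryAllowlist:
    """Server-side registry of known-good binary hashes, keyed by app version.
    Old versions stay registered until you retire them, so customers who have
    not upgraded yet are not shut out."""

    def __init__(self):
        self._hashes = {}  # version -> list of hex digests (App Thinning can yield several per version)

    def register(self, version, digest):
        self._hashes.setdefault(version, []).append(digest.lower())

    def retire(self, version):
        self._hashes.pop(version, None)

    def is_known(self, digest):
        digest = digest.lower()
        for digests in self._hashes.values():
            for known in digests:
                if hmac.compare_digest(known, digest):  # constant-time compare
                    return True
        return False


if __name__ == "__main__":
    # Constructed stand-in for a signed binary; a real deployment hashes the App Store build.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"abc")
    os.close(fd)
    wl = BinaryAllowlist()
    wl.register("1.0 (hypothetical)", sha256_of_file(path))
    print(wl.is_known(sha256_of_file(path)))  # True: client reported a registered hash
    os.remove(path)
```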

Community
Freedom_Ben
  • Thanks for the answer. One of the links you gave me says you can use a private/public keypair. I am currently using a public key to encrypt some messages and decrypt them using my private key on the server. This does not, however, validate the sender, since the public key is embedded in the application, so anybody can use it. They say you should use the private key instead, but I do not see how that would differ. The key still has to be embedded in the application, therefore it's available to anyone. – M3rd0n Mar 23 '13 at 12:53
  • I also found this link, will read through it now and see if it is of any use. http://stackoverflow.com/questions/1356896/how-to-hide-a-string-in-binary-code – M3rd0n Mar 23 '13 at 12:55