2

I plan on using HTTPS for communication between the iOS client and the server that manages the session id. I would like to keep the session id hidden, completely. My plan was to store the session data inside Keychain Services, in case NSHTTPCookieStorage is not safe on jail broken devices. If the session data can be read before it is saved or as the client sends it to the server, I am curious if there is a way to keep it hidden.

I have 2 concerns regarding session data being read by humans with a jailbroken device.

  1. Will data in a NSHTTPURLResponse received via HTTPS be able to be accessed as human readable from a jailbroken device?

  2. If not, is NSHTTPCookieStorage safe for use on a jailbroken device? I know other applications cannot access it on Non-jailbroken devices.

I don't want my servers session id stolen by a rogue app/person; is there a way to keep it hidden? Or is one of these methods a best practice?

Sorry if this is noise. ( Programming is planning too)

Zoe
  • 27,060
  • 21
  • 118
  • 148
typing-faster-than-before
  • 31
  • 3

1 Answers1

0

I would like to keep the session id hidden, completely.

This is not possible.

My plan was to store the session data inside Keychain Services, in case NSHTTPCookieStorage is not safe on jail broken devices

Neither is "safe" on jailbroken devices (if by "safe" you mean "unreadable by the owner of the device").

I am curious if there is a way to keep it hidden.

No.

Will data in a NSHTTPURLResponse received via HTTPS be able to be accessed as human readable from a jailbroken device?

Yes.

If not, is NSHTTPCookieStorage safe for use on a jailbroken device? I know other applications cannot access it on Non-jailbroken devices.

No (given the above meaning of "safe").

I don't want my servers session id stolen by a rogue app/person; is there a way to keep it hidden?

No.

Or is one of these methods a best practice?

What you can do is obfuscation and hardening. Obfuscation is various techniques that try to make it a little harder for attackers to read the code or data. Hardening is various techniques to make it difficult to attach a debugger to the program.

If you are very skilled at obfuscation techniques, and have good hardening techniques in place, then you can possibly slow down dedicated attackers for a few months. You should expect to update your techniques regularly as they are defeated (which they will be). You should expect to employ a full-time team for this.

If you are not very skilled in this, you can perform some basic obfuscation techniques that would possibly slow down a dedicated attacker for an hour or so. Maybe a few hours if you're lucky. If you're interested in this, you can watch my most recent talk on various techniques.

Keep in mind, if there were a way to effectively hide information on an iPhone from someone who had jailbroken the device, Apple would simply use that technique to prevent the jailbreak in the first place. Apple controls the entire platform ecosystem, from chips to the OS. If they cannot stop jailbreaks with all of that, there is relatively little you are going to do on a device that has already been jailbroken. This doesn't mean all hope is lost. It just means you need to set your expectations, and accept that this is a very hard problem that will require significant ongoing cost to address in more than the most basic ways (though the basic ways can be valuable; see talk above).

If you want more links and discussion, see Secure https encryption for iPhone app to webpage.

Rob Napier
  • 286,113
  • 34
  • 456
  • 610