Potential security risks in iOS Apps - Part 1

A few days back the Apple developer portal was hacked by someone. Do we have a leak in our apps?

With busy schedules and tight project deadlines we tend to ignore some basic risks in our apps; some people think the Apple environment is closed enough to take care of it. Are we really missing something? Yes, we are.

These risks increase when we use web services, keep files in application folders and (don't forget) leave logs in while deploying to the public. The root causes of security holes are:

  •  Web services
  •  Publicly accessible files
  •  Insecure databases


I am trying to list the basic things we can keep in mind while coding:
  1. Use NSTemporaryDirectory or confstr for temporary files
  2. Higher-level APIs like NSFileManager aren't safe enough on their own
  3. Run a static analysis tool frequently. It will not find every possible issue, but it helps with the basics.
  4. Use preprocessor directives to identify the debug environment
  5. Avoid calling NSLog directly; use a user-defined macro for logging, for example:
    // DEBUGING must be defined in the Debug configuration's preprocessor macros;
    // in Release the macro expands to nothing, so no log text ships.
    #ifdef DEBUGING
              #define Log( s, ... ) NSLog( @"%@:%d %@", [[NSString stringWithUTF8String:__FILE__] lastPathComponent], __LINE__, [NSString stringWithFormat:(s), ##__VA_ARGS__] )
    #else
              #define Log( s, ... )
    #endif
  6. Always log with a format string; passing an id directly as the format can create a leak
  7. Avoid cross-site scripting
  8. When opening a URL from web content, check whether it is a resource path or a link
  9. Avoid PhoneGap-based environments when security is a concern
  10. Don't trust document serialization, and avoid executing code directly from it
  11. Be aware of trojans/code injection every time you process a downloaded file or a file from local directories
  12. Use hardening techniques
  13. Be aware of the security properties of the APIs you use
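Items 1, 4, 5 and 6 together, as an added example that is not code from the original post: the Debug-only Log macro with a correct format string, a hypothetical SecureLog helper whose format attribute makes Clang flag a non-literal format at compile time, and a hypothetical CreatePrivateTempFile helper that uses mkstemp under NSTemporaryDirectory instead of a predictable file name. DEBUGING, SecureLog, CreatePrivateTempFile and the sample input are assumptions; the file is compiled without ARC (-fno-objc-arc), matching the manual retain/release used elsewhere on this page.

```objective-c
#import <Foundation/Foundation.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Debug-only logging, as in the post. DEBUGING is assumed to be set in the
// Debug configuration's preprocessor macros; Xcode does not define it itself.
#ifdef DEBUGING
#define Log(s, ...) NSLog(@"%@:%d %@", \
    [[NSString stringWithUTF8String:__FILE__] lastPathComponent], __LINE__, \
    [NSString stringWithFormat:(s), ##__VA_ARGS__])
#else
#define Log(s, ...) do {} while (0)
#endif

// Hypothetical helper: the format attribute tells Clang that argument 1 is an
// NSString format, so passing a non-literal (an id that came from the network
// or a file) as the format is flagged by -Wformat-security at compile time.
static void SecureLog(NSString *format, ...) __attribute__((format(__NSString__, 1, 2)));
static void SecureLog(NSString *format, ...) {
    va_list args;
    va_start(args, format);
    NSString *line = [[NSString alloc] initWithFormat:format arguments:args];
    va_end(args);
    Log(@"%@", line);      // the message is always a value, never the format
    [line release];        // manual retain/release; drop this under ARC
}

// Item 6 in practice: untrusted text goes behind a literal format.
static void LogServerMessage(NSString *untrustedMessage) {
    // Wrong: NSLog(untrustedMessage);  "%@"/"%x" sequences inside the text
    // would be interpreted as directives and read whatever is on the stack.
    SecureLog(@"server said: %@", untrustedMessage);
}

// Item 1 in practice: a uniquely named file in the per-app temp directory,
// created with mkstemp(3) (O_CREAT|O_EXCL, mode 0600) so no predictable path
// exists before the file does. Hypothetical helper, not from the post.
static NSString *CreatePrivateTempFile(NSData *contents, NSError **error) {
    NSString *template = [NSTemporaryDirectory() stringByAppendingPathComponent:@"upload.XXXXXX"];
    char path[PATH_MAX];
    if (strlcpy(path, [template fileSystemRepresentation], sizeof(path)) >= sizeof(path)) {
        if (error) *error = [NSError errorWithDomain:NSPOSIXErrorDomain code:ENAMETOOLONG userInfo:nil];
        return nil;
    }
    int fd = mkstemp(path);
    if (fd < 0) {
        if (error) *error = [NSError errorWithDomain:NSPOSIXErrorDomain code:errno userInfo:nil];
        return nil;
    }
    NSFileHandle *fh = [[NSFileHandle alloc] initWithFileDescriptor:fd closeOnDealloc:YES];
    [fh writeData:contents];
    [fh release];                       // closes the descriptor
    return [NSString stringWithUTF8String:path];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        LogServerMessage(@"hello %@ %x");      // constructed sample input
        NSError *err = nil;
        NSString *path = CreatePrivateTempFile([@"scratch" dataUsingEncoding:NSUTF8StringEncoding], &err);
        SecureLog(@"temp file: %@ error: %@", path, err);
        if (path) unlink([path fileSystemRepresentation]);
    }
    return 0;
}
```

Build it on a Mac with `clang -fno-objc-arc -DDEBUGING -framework Foundation log.m -o log`; leave out `-DDEBUGING` and the Log calls compile away entirely. Uncommenting the `NSLog(untrustedMessage)` line produces a format-security warning, which is the compile-time check item 6 is asking for.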

Useful testing stuff
  1. Unit-Testing is your friend 
  2. Crash Wrangler - Fuzzing
  3. Penetration testing

Connecting with iOS

I was just wondering how to connect with an iPhone, iPod or iPad. The outcome of my research is that there are three ways:
  •  Dock
  •  Bluetooth
  •  WiFi
An interesting fact is that the antenna for WiFi and Bluetooth is the same. To communicate with external accessories there is the ExternalAccessoryFramework.

The architecture of EAF is quite simple: it has an EAProtocol, and each span of communication is known as an EASession. NSStream helps to carry the payload; for input there is NSInputStream and for output there is NSOutputStream.

Other core-level frameworks like CoreAudio, CoreLocation etc. are also helpful while communicating with an external accessory because they get notified of route changes. When we connect or disconnect iOS via the dock, EAAccessory notifies the app through NSNotificationCenter:

  •  EAAccessoryDidConnectNotification
  •  EAAccessoryDidDisconnectNotification


Things to keep in mind
  1. There are no EA events in the background, so we should keep track of applicationDidEnterBackground
  2. Close your EA session as soon as your work is completed
  3. Antenna arbitration is there (WiFi and Bluetooth share the antenna)
  4. Use accessory change notifications generously and be prepared for connectivity loss
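The session lifecycle described above, as an added example that is not code from the original post: one object that registers for the two EAAccessory notifications, opens an EASession with its NSInputStream/NSOutputStream on the run loop, closes the session on disconnect, on stream error and on entering the background, and never leaves a dangling delegate. The protocol string com.example.accessory-protocol and the AccessoryBridge class are assumptions; a real accessory advertises its own protocol, which must also be listed under UISupportedExternalAccessoryProtocols in Info.plist. Compiled without ARC.

```objective-c
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>
#import <ExternalAccessory/ExternalAccessory.h>

// Assumed protocol string; replace with the one your accessory advertises.
static NSString * const kAccessoryProtocol = @"com.example.accessory-protocol";

@interface AccessoryBridge : NSObject <NSStreamDelegate>
@property (nonatomic, retain) EASession *session;
- (void)start;
- (void)stop;
@end

@implementation AccessoryBridge
@synthesize session = _session;

- (void)start {
    NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
    // Connect/disconnect notifications are only delivered after this call.
    [[EAAccessoryManager sharedAccessoryManager] registerForLocalNotifications];
    [nc addObserver:self selector:@selector(accessoryDidConnect:)
               name:EAAccessoryDidConnectNotification object:nil];
    [nc addObserver:self selector:@selector(accessoryDidDisconnect:)
               name:EAAccessoryDidDisconnectNotification object:nil];
    // No EA events arrive in the background (point 1), so treat it as a disconnect.
    [nc addObserver:self selector:@selector(closeSession)
               name:UIApplicationDidEnterBackgroundNotification object:nil];
    // An accessory may already be docked when the app launches.
    for (EAAccessory *acc in [[EAAccessoryManager sharedAccessoryManager] connectedAccessories]) {
        [self openSessionWithAccessory:acc];
    }
}

- (void)accessoryDidConnect:(NSNotification *)note {
    [self openSessionWithAccessory:[note.userInfo objectForKey:EAAccessoryKey]];
}

- (void)accessoryDidDisconnect:(NSNotification *)note {
    EAAccessory *acc = [note.userInfo objectForKey:EAAccessoryKey];
    if (self.session && acc.connectionID == self.session.accessory.connectionID) {
        [self closeSession];       // point 4: connectivity loss is expected, not fatal
    }
}

- (void)openSessionWithAccessory:(EAAccessory *)acc {
    if (self.session) return;                                            // one session at a time
    if (![acc.protocolStrings containsObject:kAccessoryProtocol]) return; // only speak our protocol
    EASession *s = [[EASession alloc] initWithAccessory:acc forProtocol:kAccessoryProtocol];
    if (!s) return;
    self.session = s;
    [s release];
    NSInputStream *in = self.session.inputStream;
    NSOutputStream *out = self.session.outputStream;
    in.delegate = self;
    out.delegate = self;
    [in scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
    [out scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
    [in open];
    [out open];
}

// Point 2: close as soon as the work is done, and clear delegates so the
// streams can never message a freed object.
- (void)closeSession {
    if (!self.session) return;
    NSInputStream *in = self.session.inputStream;
    NSOutputStream *out = self.session.outputStream;
    [in close];
    [out close];
    [in removeFromRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
    [out removeFromRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
    in.delegate = nil;
    out.delegate = nil;
    self.session = nil;
}

- (void)stream:(NSStream *)stream handleEvent:(NSStreamEvent)event {
    switch (event) {
        case NSStreamEventHasBytesAvailable: {
            uint8_t buf[512];
            NSInteger n = [(NSInputStream *)stream read:buf maxLength:sizeof(buf)];
            if (n > 0) {
                // Parse exactly n bytes here; the accessory is untrusted input.
            }
            break;
        }
        case NSStreamEventErrorOccurred:
        case NSStreamEventEndEncountered:
            [self closeSession];   // recover on the next connect notification
            break;
        default:
            break;
    }
}

- (void)stop {
    [self closeSession];
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

- (void)dealloc {
    [self stop];
    [_session release];
    [super dealloc];
}
@end
```

Create one AccessoryBridge from the app delegate and call `start` after launch; calling `stop` in `applicationWillTerminate:` is enough to tear everything down, because every path that ends a session goes through `closeSession`.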

Web Services recap

Nowadays most apps use web services, and the good thing is we all know what they are :)

Just adding some notes from my side on things like SOAP, REST and ......., and what else? Is there anything else we have in the name of web service... really?

A few days ago, a guy who has more than a decade of experience came to me and told me to integrate a web service in an app. I simply asked for the web service summary, which I think is a usual question when we start working on something. He told me to take the reference from an existing website which he pretended was using the same. At first I didn't get what he wanted to tell me, but his steps just gave me a heart attack. He just went to Chrome, opened the website, right-clicked for the Inspect Element option and, while logging in to that website, monitored the Network tab and said: look, here are the web services, just replicate them in your app. After his statement I thought, is it worth asking anything anymore?




Okay, let's do a quick recap on what we know:

  1. Charles, still the simplest tool to monitor web service requests from an iOS or Mac environment
  2. Not every resource request to a URI is a web service.
  3. One is SOAP and the rest is REST, so why the extensive debate?
  4. SOAP is an XML-based definitive object access web service protocol made for rich guys :)
  5. OAuth is a two-tier authorization framework, i.e.

iOS + WS 
  1. Avoid using 3rd-party wrappers like ASIHTTP for networking without exploring them first
  2. NSURLRequest + NSURLConnection are not evil
  3. Use event-driven APIs
  4. Reachability is our friend
  5. Don't put synchronous requests on the main thread
  6. Your app's UI should reflect the network reality
  7. Be prepared for latency and packet loss
  8. Be prepared for no-network and host-not-reachable conditions
  9. Always code for an insecure connection; use end-to-end security
  10. Minimize the use of network connections; keep in mind that we also have push notifications
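Points 2, 3, 5, 7, 8 and 9 in one place, as an added example that is not code from the original post: a small client built on plain NSURLRequest + NSURLConnection that refuses any non-TLS URL up front, sends the request asynchronously with its callback on a background queue, bounds latency with a timeout, treats timeouts, unreachable hosts and TLS failures as the same error path, and hops to the main thread only to hand the result to the UI. The ServiceClient class and the endpoint https://api.example.com/v1/profile are assumptions. Compiled without ARC.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical endpoint; not part of the original post.
static NSString * const kServiceURL = @"https://api.example.com/v1/profile";

typedef void (^ServiceCompletion)(id json, NSError *error);

@interface ServiceClient : NSObject
@property (nonatomic, retain) NSOperationQueue *queue;   // background queue for callbacks
- (BOOL)requestIsSecure:(NSURLRequest *)request;
- (void)fetchProfileWithToken:(NSString *)token completion:(ServiceCompletion)completion;
@end

@implementation ServiceClient
@synthesize queue = _queue;

- (id)init {
    if ((self = [super init])) {
        _queue = [[NSOperationQueue alloc] init];
    }
    return self;
}

- (void)dealloc {
    [_queue release];
    [super dealloc];
}

// Point 9: assume the network is hostile and refuse anything that is not TLS
// before a single byte leaves the device.
- (BOOL)requestIsSecure:(NSURLRequest *)request {
    return [[request.URL.scheme lowercaseString] isEqualToString:@"https"];
}

- (void)fetchProfileWithToken:(NSString *)token completion:(ServiceCompletion)completion {
    NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:kServiceURL]
                                                       cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
                                                   timeoutInterval:15.0];   // point 7: latency has a bound
    [req setHTTPMethod:@"GET"];
    [req setValue:@"application/json" forHTTPHeaderField:@"Accept"];
    [req setValue:[@"Bearer " stringByAppendingString:token] forHTTPHeaderField:@"Authorization"];

    if (![self requestIsSecure:req]) {
        NSError *e = [NSError errorWithDomain:@"ServiceClient" code:-1
                                     userInfo:[NSDictionary dictionaryWithObject:@"refusing non-TLS URL"
                                                                          forKey:NSLocalizedDescriptionKey]];
        completion(nil, e);
        return;
    }

    // Points 3 and 5: asynchronous, callback on a background queue, so the main
    // thread never blocks. NSURLConnection validates the server certificate by
    // default; if you need to veto redirects (e.g. a downgrade to http:), the
    // delegate-based API's connection:willSendRequest:redirectResponse: is the hook.
    [NSURLConnection sendAsynchronousRequest:req queue:self.queue
                           completionHandler:^(NSURLResponse *response, NSData *data, NSError *error) {
        id result = nil;
        NSError *err = error;   // point 8: timeout, host unreachable and TLS failure all land here
        if (!err) {
            NSInteger status = [(NSHTTPURLResponse *)response statusCode];
            if (status != 200) {
                err = [NSError errorWithDomain:@"ServiceClient" code:status userInfo:nil];
            } else {
                result = [NSJSONSerialization JSONObjectWithData:data options:0 error:&err];
            }
        }
        // Point 6: only the UI update goes back to the main thread.
        dispatch_async(dispatch_get_main_queue(), ^{ completion(result, err); });
    }];
}
@end
```

Call `fetchProfileWithToken:completion:` from a view controller and update the view inside the completion block; pairing it with a Reachability check (point 4) lets you show the offline state before even attempting the request.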

PHP + WS
  1. Always think beyond $_POST, $_GET, $_REQUEST, $_FILES; they are just there to help you
  2. Use and read headers generously
  3. php://input is what you need
  4. Don't forget your buddy, MIME types
  5. Be prepared for trojans and injection
  6. PHP is close to the network; explore its low-level possibilities
  7. Take authorization and content distribution seriously

JS + WS
  1. Don't misuse the client's network and resources :|
  2. Just enjoy JSON, sometimes XML, and leave the rest to the server side :)

Hide blog post from listing based on tags

CSS Part
<b:if cond='data:blog.pageName != &quot;Doodling&quot;'>
<style>
.just-hide-post{
display:none;
}
</style>
</b:if>
   <!-- JUST ABOVE YOUR HEADER CLOSURE TAG -->

iOS - Memory Management

Must follow:
  1. For every alloc, retain or copy you should have a release as soon as you are done with the object
  2. Avoid autoreleased objects where you can; you may use them, but keep in mind that they are not released until their pool is drained
  3. Always respond to memory warnings and take them seriously
  4. Stick to lazy loading, i.e. defer the initialization of an object until the point at which it is needed
  5. Don't release objects that we don't own
  6. Reuse your objects instead of declaring new ones wherever possible
  7. If you are not using the same resource repeatedly, avoid methods like [UIImage imageNamed:@""] because they increase the cache size; a better alternative is [UIImage imageWithContentsOfFile:@""]
  8. Build custom UITableViewCell, UICollectionViewCell etc. subclasses and reuse them properly
  9. Override setters properly
  10. Use initWithCapacity when the size is known to you
  11. Use delegates carefully; remember to set delegate properties to nil before releasing their owner, otherwise the object might think its delegate is still there and send a message to an invalid pointer
  12. Use the LLVM/Clang static analyzer. It will catch errors regarding Objective-C naming conventions and hidden memory leaks when using the Foundation frameworks
Good to have:
  1. Enable Guard Malloc
  2. Enable NSAutoreleaseFreedObjectCheckEnabled
  3. Enable NSZombieEnabled
  4. Enable NSDebugEnabled
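Rules 1, 3, 4, 7, 9, 10 and 11 of the "must follow" list applied to one class, as an added example that is not code from the original post: a hypothetical GalleryViewController, compiled without ARC, whose thumbnails are loaded lazily with a capacity hint and without the system image cache, whose setter is overridden correctly, which drops rebuildable data on a memory warning, and whose dealloc clears the web view's delegate before releasing it. The class name and properties are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Hypothetical controller showing the rules above; compiled without ARC.
@interface GalleryViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, copy) NSArray *imagePaths;        // file paths handed in by the caller
@property (nonatomic, copy) NSString *albumName;
@property (nonatomic, retain) UIWebView *webView;
@property (nonatomic, retain) NSMutableArray *thumbnails;
@end

@implementation GalleryViewController
@synthesize imagePaths = _imagePaths, albumName = _albumName, webView = _webView, thumbnails = _thumbnails;

- (void)viewDidLoad {
    [super viewDidLoad];
    // Rule 1: the alloc is balanced by the release right after the property retains it.
    UIWebView *wv = [[UIWebView alloc] initWithFrame:self.view.bounds];
    wv.delegate = self;
    self.webView = wv;
    [wv release];
    [self.view addSubview:self.webView];
}

// Rule 4 (lazy loading) and rule 10 (initWithCapacity): the array is built on
// first use, sized from the known count.
- (NSMutableArray *)thumbnails {
    if (!_thumbnails) {
        _thumbnails = [[NSMutableArray alloc] initWithCapacity:[_imagePaths count]];
        for (NSString *path in _imagePaths) {
            // Rule 7: imageWithContentsOfFile: does not grow the system image cache.
            UIImage *img = [UIImage imageWithContentsOfFile:path];   // autoreleased; the array retains it
            if (img) [_thumbnails addObject:img];
        }
    }
    return _thumbnails;
}

// Rule 9: a correctly overridden setter copies the new value, releases the old
// one afterwards, and tolerates self-assignment.
- (void)setAlbumName:(NSString *)albumName {
    if (_albumName != albumName) {
        NSString *old = _albumName;
        _albumName = [albumName copy];
        [old release];
    }
}

// Rule 3: on a memory warning drop what can be rebuilt; the lazy getter
// recreates the thumbnails the next time they are asked for.
- (void)didReceiveMemoryWarning {
    [super didReceiveMemoryWarning];
    [_thumbnails release];
    _thumbnails = nil;
}

// Rule 11, then rule 1: clear the delegate before releasing its owner so the
// web view never messages a freed controller, then balance every retain/copy.
- (void)dealloc {
    _webView.delegate = nil;
    [_webView release];
    [_thumbnails release];
    [_albumName release];
    [_imagePaths release];
    [super dealloc];
}
@end
```

Running the Clang static analyzer (rule 12) over this file is a good way to see what it checks: remove the `[wv release]` line or the `_webView.delegate = nil` line and the analyzer reports the leak, while the "good to have" NSZombieEnabled setting catches the dangling-delegate case at run time.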




I have arrived among the sinners, I have arrived among the wrongdoers

I left the abode of piety and arrived among the wine-drinkers;
for the sin of living, I arrived among the sinners.
My old companions were fine, yet this is the truth:
passing through the fixed stars, today I arrived among the wandering planets.
I used to dwell in gardens and bear the force of autumn;
I arrived in the wilderness, I arrived among the frenzied.
The dreamy sights of the bedchambers are a tale of yesterday;
in the din of the city I arrived among wakeful sights.
Those who seek the peace of life, may they be blessed with it;
I was slain by my searching, and so arrived among the wanderers.
The brilliance of silver and gold could dazzle the eye;
I arrived among such sights in which the eye is nurtured.
I was a stranger in the gathering of God's worshippers;
it is a mercy that I arrived among the worshippers of man.
I was obsessed with indulging the whims of life's bride;
I arrived among those who indulge the whims of life's bride.
If even this love of life is a crime, then so be it:
I have arrived among the sinners, I have arrived among the wrongdoers.
I was wandering door to door and lane to lane, Taban;
it is the doing of friends that I arrived among friends.
I left the abode of piety and arrived among the wine-drinkers;
for the sin of living, I arrived among the sinners.

Error in personal frameworks after installing new Xcode


I installed the new Xcode version alongside my last Xcode version, which drove me crazy because my project with some personal frameworks stopped working :(

When I checked the framework code it gave a strange error: "target specifies product type 'com.apple.product-type.framework.static', but there's no such product type for the 'iphoneos' platform"

After a long, long googling in the dark side which didn't help me much, I found a simple solution, i.e.:

1) Quit both Xcode versions
2) Switch the active Xcode version to the last one (in my case: sudo xcode-select --switch /Applications/Xcode.app/Contents/Developer)
3) Reinstall "iOS Real Static Framework"
4) Clean and build


Do get in touch with me in case you wish to discuss this further. Happy Coding ;)

Blackberry 10 (qnx) PhoneGap Plugins

We have two ways to create plugins for our BlackBerry PhoneGap apps, i.e. PG-BB Native Java and BB WebWorks

iOS App development with Windows and C

For folks who have Windows and want to develop an iOS application, or who have written lots of code in C/C++ and just need a standard API to display images, get touch events, mix sounds, perform file I/O and access the iPhone accelerometer data: you just need DragonFireSDK, a very cool and inexpensive way to program and test an iPhone app.

SDK URL: http://www.dragonfiresdk.com

Docs URL: http://www.dragonfiresdk.net/help/DragonFireSDKHelp.html