Links

Potential security risks in iOS Apps - Part 1

Few days back Apple developer portal hacked by someone, Do we have a leak in our apps? 

In our busy schedule and tight project deadlines we just want to ignore some basic risks in our app, some people think that Apple environment is close enough to take care of it. Do we are really missing something? yes we are..

These risk increases when we use WebServices, keep files in application folders and don't forget to remove logs while deploying in public domain. Root cause of security holes are:


WebServicesPublicly-Accessible filesInsecure database


I am trying to list down basic things that we can keep in mind while coding:
  1. Use NSTemporaryDirectory or confstr 
  2. Use of higher level APIs like NSFileManager aren't safe enough 
  3. Run static analysis tool frequently. It will not give you all possible issues but it can help with some basics.
  4. Use preprocessor directives to identify the debug environment 
  5. Avoid using NSLog, use some user define macro for logging
    #ifdef DEBUGING
              #define Log( s, ... ) NSLog( @" %@", [[NSString stringWithUTF8String:__FILE__] lastPathComponent], __LINE__, [NSString stringWithFormat:(s), ##__VA_ARGS__] )
    #else
              #define Log( s, ... )
    #endif
  6. Always log with formatted string, passing ID to log can create a potential leak
  7. Avoid Cross-site scripting
  8. While opening any URL from a web content check if it is a resource path or a link
  9. Avoid PhoneGap based environment while security is a concern 
  10. Don't trust document serialization and avoid directly executing from the same 
  11. Be aware of trojan/code injection every time you process a downloaded file or file from local directories 
  12. Use hardening techniques
  13. Be aware of security properties of APIs you use 

Useful testing stuffs 
  1. Unit-Testing is your friend 
  2. Crash Wrangler - Fuzzing
  3. Penetration testing