It seems like the word “hacking” is getting a lot of exposure in the media these days, so you will be very aware of the current predicament. From rouge states to criminal groups, there are various types of security violations taking place on a regular basis. Although the majority of malicious mobile hacks have occurred on Android, iOS apps are not safe like people perceive them to be. Although Apple’s App Store has been secure for the most part, some of the same security flaws that were seen in the ‘90s with the web and PCs, have now appeared on a mobile platform.
Hacking predates websites and it’s not ever going to go away. From hacking into servers and cracking popular software, the ethos has remained the same on a mobile platform. Hackers are still rummaging through binary files to find areas to exploit and obtain access and privileges and this phenomenon has made the leap to mobile. The main reason for this is the fact that iOS developers are failing to add security protocols around every layer as they build the app. Part of the reason for this is the illusion that the iOS ecosystem is a fortress that cannot be penetrated, but obviously this isn’t the reality on the ground.
Secure Remote Services
When building an iOS mobile app, developers need to ensure that the remote services used by the app are secure. This will ensure that there won’t be any room for remote services to be abused. However, this is only necessary for apps that make use of remote services. In some cases, some remote services provide their own authentication mechanisms and as a result you won’t have any choice but to use it.
It will also help to be up to date with the iOS Security guides to keep up with the evolution of the operating system and new flaws that might emerge.
Secure Data in the App
It’s important for developers to keep in mind that the data gathered by the app needs to be secure if the user data is sensitive. If the app requires sensitive data to function (financial information), it is absolutely necessary to encrypt the data on the app and provide a login feature so that users have to login first to access the data on the device.
In iOS, the keychain is a container that’s encrypted and primarily used to store passwords and sensitive data. Apple has taken steps to keep this secure by providing each app with its own keychain that only the app can access. This helps to keep the information secure from third-parties that might be trying to access the data. Having said that, app developers need to be aware that the keychain can only be used to store tiny bits of data (like passwords). This is miles better than app user databases that store information in plain text without any encryption.
There are two types of encryptions that you hear about often:
- Symmetric encryption
- Asymmetric encryption
Symmetric encryption uses a shared key to encrypt or decrypt data. Asymmetric encryption uses one key for encryption and another related (but separate) key for decryption. But at the end of the day, nothing is perfect and developers need to be aware of how (even) secure keychains are getting hacked.
Secure the App from Misuse
When developing an app, it is important to consider how it could be misused. This is not easy to do as a lot depends on the iOS as well the type of app. For example, iOS sandboxes apps so that your app runs in its own secure environment. So your app theoretically has no access to data or information from other apps unless explicitly allowed in some way. Now this is supposed to be already accounted for by Apple, but some issues come up from time to time.
On the flipside, users also need to become more diligent as there is always room for human error. Even though iOS apps go through a review process, some rogue apps manage to get through. It’s just not humanly possible to thoroughly test each app when thousands come through each week. Further, most developers are not very experienced when it comes to reverse engineering and as a result are completely unaware of the outcomes. Programs like Clutch can easily break into self-encrypted binaries and tools such as IDA can allow the experienced hacker to view the files within the app.