Mobile application security: Part 1
2 min read · Oct 19, 2021
Why is software security needed?
- In information technology, information is wealth. If someone steals your information and misuses it, the consequences can be worse than we can imagine.
- Information can be lost through many different mechanisms: attacks by hackers, improper implementation of authorization, data leakage, insecure data storage.
- In my view, the more levels of security we build, the lower the probability that your information is stolen.
- Different levels of security techniques are needed because there are different types of attacks, such as cross-site attacks and SQL injection.
- Even if the first level of security breaks down, the second level will keep the information safe.
What security does iOS provide?
- System security: The integrated and secure software and hardware that form the platform.
- Encryption and data protection: Protects user data if the device is lost or stolen.
- App security: The systems that enable apps to run securely and without compromising integrity.
- Network security: Secure authentication and encryption of data in transmission.
- Apple Pay: Apple’s implementation of secure payments.
- Internet services: Apple’s network-based infrastructure.
- User password management: Password restrictions and access to passwords from other authorized sources.
- Device controls: Prevent unauthorized use and enable remote wipe.
- Privacy controls: Capabilities of iOS that can be used to control access to Location Services and user data.
- Security certifications and programs: Information on ISO certifications, cryptographic validation, Common Criteria certification, and Commercial Solutions for Classified (CSfC).
Does the developer still need to think about security?
YES! The snapshot below shows the four levels of security that developers should think about.
What are the built-in iOS features that secure an application?
- Touch ID
- Face ID
- Keychain
- File protection
- App transport security
What common practices should developers follow while coding?
- Check for jailbroken devices
- Restrict reverse engineering and runtime debugging
- Avoid buffer overflows
- Be careful while using third-party libraries
- Do not allow the app to be snapshotted while going into the background
- Clear pasteboards whenever required
- Do not pass sensitive data in plaintext over the network
- While communicating with the server, pass sensitive data only in headers.
- Do not mention or hardcode passwords or sensitive information
- Avoid misuse of URL schemes
- Use a strong password policy
- Review settings to avoid JavaScript injection
- While logging in, implement “Remember Me” functionality correctly
- Don’t rely on hashing or encoding/decoding to protect stored sensitive information
- Avoid leaking sensitive information through console logging
- No autofill or hardcoded passwords
- Avoid format string vulnerabilities
- Avoid self/insecure authorization
- Do not send sensitive information in analytics.
- Do not skip App Transport Security
- Always use certificate pinning
- Do not log out on the client only
- Don’t use weak cipher suites
- No self-signed or untrusted certificates
- No request/response cache
- Use the Keychain to store sensitive info in the Apple-recommended way, and avoid NSUserDefaults storage.
- Use the correct file protection policy/capability
- Grant users the least privileges
- No cache at all
- No keyboard cache
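The two storage items above (Keychain and file protection, listed both under the built-in iOS features and in the checklist, together with the advice to avoid NSUserDefaults) in working Swift. This is an added example, not code from the original post: the service name `com.example.app`, the account name `session` and the token value are assumed placeholders; the Security and Foundation calls are the real iOS APIs.

```swift
import Foundation
import Security

// Added example (not from the original post): a minimal Keychain wrapper that
// stores a secret as a generic-password item, bound to this device and
// readable only while the device is unlocked.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case noData
}

struct SecretStore {
    let service: String   // typically the app's bundle identifier (assumed below)

    private func baseQuery(for account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Store (or replace) a secret. The accessibility class is the strictest
    /// practical one: the item is not migrated to another device via backup and
    /// cannot be read while the device is locked.
    func save(_ secret: Data, account: String) throws {
        var query = baseQuery(for: account)
        SecItemDelete(query as CFDictionary)   // "not found" is fine; we are replacing
        query[kSecValueData as String] = secret
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func load(account: String) throws -> Data {
        var query = baseQuery(for: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        guard let data = item as? Data else { throw KeychainError.noData }
        return data
    }

    func delete(account: String) {
        SecItemDelete(baseQuery(for: account) as CFDictionary)
    }
}

// File protection: a file that must only be readable while the device is
// unlocked. Data Protection encrypts it with a key derived from the passcode,
// so the plaintext is unavailable even to a forensic image of a locked device.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

// Contrast (what the checklist tells you NOT to do): UserDefaults is a plain
// plist inside the app container, so anything written there is readable from
// a backup or a jailbroken device.
// UserDefaults.standard.set(token, forKey: "authToken")   // don't

// Usage with assumed identifiers.
let store = SecretStore(service: "com.example.app")       // assumed bundle id
try store.save(Data("session-token-value".utf8), account: "session")
let token = try store.load(account: "session")
store.delete(account: "session")
```

The `save` path deletes before adding rather than calling `SecItemUpdate`, which keeps the accessibility attribute from silently staying at an older, weaker value if the item already existed. `.completeFileProtection` is the right default for anything sensitive; use `.completeUntilFirstUserAuthentication` only for data a background task must read after a reboot.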
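The network items in the checklist (do not skip App Transport Security, always use certificate pinning, no self-signed or untrusted certificates, no request/response cache) as one `URLSession` delegate. This is an added example, not code from the original post: the pinned hash is a placeholder you must replace with the SHA-256 of your own server certificate, and `SecTrustCopyCertificateChain` requires iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

// Added example (not from the original post). The delegate
// (1) lets the system run its normal trust evaluation (ATS still applies:
//     TLS 1.2+, forward-secret cipher suites, a chain to a trusted root), then
// (2) additionally requires that some certificate in the validated chain
//     matches a hash shipped inside the app.
// A self-signed or untrusted certificate fails at step 1; a valid certificate
// from a trusted CA that is not ours fails at step 2.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Hex SHA-256 of the DER-encoded certificate(s) you pin. PLACEHOLDER value;
    /// compute the real one with, for example,
    /// `openssl x509 -in server.pem -outform DER | openssl dgst -sha256`.
    let pinnedSHA256: Set<String> = [
        "0000000000000000000000000000000000000000000000000000000000000000" // PLACEHOLDER
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain validation (expiry, hostname, trusted root).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin check against every certificate in the validated chain,
        // so you may pin the leaf, an intermediate, or several for rotation.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let matched = chain.contains { cert in
            let der = SecCertificateCopyData(cert) as Data
            let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
            return pinnedSHA256.contains(digest)
        }

        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: an ephemeral configuration with caching disabled, so responses that
// carry account data are never written to the on-disk URL cache.
let config = URLSessionConfiguration.ephemeral
config.urlCache = nil
config.requestCachePolicy = .reloadIgnoringLocalCacheData
let session = URLSession(configuration: config,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
```

Pinning a single leaf hash means the app breaks on every certificate renewal, so in practice you ship at least two hashes (current and next) or pin the intermediate. Keep `NSAllowsArbitraryLoads` out of `Info.plist`; the pin is a second layer on top of ATS, not a replacement for it.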
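The two UI-level checklist items, the background snapshot and pasteboard clearing, as a scene delegate. This is an added example, not code from the original post; the blur cover and the 60-second pasteboard expiry are design choices assumed here, and `copySecret` is a hypothetical helper.

```swift
import UIKit

// Added example (not from the original post).
// - iOS captures a screenshot of the app for the app switcher right after the
//   scene resigns active; covering the window first keeps account data out of
//   that image, which is stored on disk.
// - The general pasteboard survives app termination and syncs to other devices
//   via Universal Clipboard unless marked local-only, so secrets copied by the
//   app should be scoped and expired.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private let privacyCover = UIVisualEffectView(effect: UIBlurEffect(style: .regular))

    // Runs synchronously before the snapshot is taken, so the cover is in place.
    func sceneWillResignActive(_ scene: UIScene) {
        guard let window = window else { return }
        privacyCover.frame = window.bounds
        privacyCover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(privacyCover)
        clearSensitivePasteboard()
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        privacyCover.removeFromSuperview()
    }

    // Conservative policy assumed here: wipe the general pasteboard whenever
    // the app leaves the foreground.
    private func clearSensitivePasteboard() {
        UIPasteboard.general.items = []
    }
}

// Hypothetical helper for when the app itself copies a secret (e.g. a one-time
// code): keep it on this device only and let it expire after 60 seconds.
func copySecret(_ value: String) {
    UIPasteboard.general.setItems(
        [["public.utf8-plain-text": value]],
        options: [.localOnly: true,
                  .expirationDate: Date().addingTimeInterval(60)])
}
```

For apps without scene support the same two hooks are `applicationWillResignActive(_:)` and `applicationDidBecomeActive(_:)` on the app delegate. Wiping the whole general pasteboard on every background transition is the safest policy but can surprise users; a narrower variant clears it only when the app itself put a secret there.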