Mobile application security: Part 1

Mahesh Asabe
2 min read · Oct 19, 2021

Why is software security needed?

  1. In information technology, information is wealth. If someone steals your information and misuses it, the consequences can be worse than we can imagine.
  2. Information is put at risk through different mechanisms, such as attacks by hackers, improper implementation of authorization, data leakage, and insecure data storage.
  3. In my view, the more levels of security we build, the lower the probability of your information being stolen.
  4. Different levels of security techniques are needed because of the different types of attacks, such as cross-site attacks and SQL injection.
  5. Even if the first level of security breaks down, the second level will keep the information safe.

Let us talk about the security that iOS provides.

  1. System security: The integrated and secure software and hardware that form the platform.
  2. Encryption and data protection: Protects user data if the device is lost or stolen.
  3. App security: The systems that enable apps to run securely and without compromising integrity.
  4. Network security: Secure authentication and encryption of data in transmission.
  5. Apple Pay: Apple’s implementation of secure payments.
  6. Internet services: Apple’s network-based infrastructure.
  7. User password management: Password restrictions and access to passwords from other authorized sources.
  8. Device controls: Prevent unauthorized use and enable remote wipe.
  9. Privacy controls: Capabilities of iOS that can be used to control access to Location Services and user data.
  10. Security certifications and programs: Information on ISO certifications, cryptographic validation, Common Criteria Certification, and Commercial Solutions for Classified (CSfC).

Does the developer still need to think about security?

YES! The snapshot below shows the four levels of security that developers should think about.

What built-in iOS native features are available to secure an application?

  1. Touch ID
  2. Face ID
  3. Keychain
  4. File protection
  5. App transport security

What common practices should developers follow while coding?

  1. Check for jailbroken devices
  2. Restrict reverse engineering and runtime debugging
  3. Avoid buffer overflows
  4. Be careful while using third-party libraries
  5. Do not allow the app to take a snapshot while going into the background
  6. Clear pasteboards whenever required
  7. Do not pass sensitive data in plaintext over the network
  8. While communicating with the server, pass sensitive data only in headers
  9. Do not mention or hardcode passwords or sensitive information
  10. Avoid misuse of URL schemes
  11. Use a strong password policy
  12. Review settings to avoid JavaScript injection
  13. When implementing login, implement “Remember Me” functionality correctly
  14. Don’t use hashing or encoding/decoding as a way of storing sensitive information
  15. Avoid leaking sensitive information through console logging
  16. No autofill or hardcoded passwords
  17. Avoid format string vulnerabilities
  18. Avoid self-implemented or insecure authorization
  19. Do not send sensitive information in analytics
  20. Do not skip App Transport Security
  21. Always use certificate pinning
  22. Do not log out on the client only
  23. Don’t use weak cipher suites
  24. No self-signed or untrusted certificates
  25. No request/response cache
  26. Use the Keychain to store sensitive info in the Apple-recommended way, and avoid NSUserDefaults storage
  27. Use the correct file protection policy/capability
  28. Provide least privilege to the user
  29. No cache at all
  30. No keyboard cache
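As an added illustration of item 26 (and the client-side half of item 22), the following Swift is not the author's code: it shows the weak UserDefaults pattern beside a Keychain store/read/delete that binds the secret to this device and to the unlocked state. The service identifier `com.example.app` and the token values are assumed placeholders.

```swift
import Foundation
import Security

// Weak: UserDefaults is a plist in the app container; it is readable from an
// unencrypted backup or a jailbroken device and is not protected by the Keychain.
func storeTokenInsecurely(_ token: String) {
    UserDefaults.standard.set(token, forKey: "sessionToken")
}

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

// Preferred: a generic-password Keychain item, not migrated by backup to another
// device and unreadable while the device is locked. Service name is a placeholder.
func storeTokenInKeychain(_ token: String, account: String,
                          service: String = "com.example.app") throws {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(query as CFDictionary)   // replace any existing item for this account
    query[kSecValueData as String] = Data(token.utf8)
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

func readTokenFromKeychain(account: String,
                           service: String = "com.example.app") throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(data: data, encoding: .utf8)
}

// On logout, remove the local credential as well as invalidating the server session.
func deleteTokenFromKeychain(account: String, service: String = "com.example.app") {
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrService as String: service,
                                kSecAttrAccount as String: account]
    SecItemDelete(query as CFDictionary)
}
```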
