Reputation: 53850
I am working on an app. Say it should be secure and safe for the end user, to the degree of a matter of life and death in the most extreme case. In reality, it's not so hard, but let's assume it.
Thus, I want to make sure that if serious bad guys get this iPhone and do their tricky work to disassemble it, jailbreak it, or whatever to get the data from the app, then they get as few clues as possible.
I want to build and test the app and its environment in the safest way.
The questions are:
Upvotes: 1
Views: 1218
Reputation: 386
For help with security testing an iOS app, I would recommend checking OWASP's Mobile Security Project. There are a lot of resources about common vulnerabilities in mobile applications, but also guidance on the steps to test a mobile application.
For your specific questions:
Xcode has a built-in Analyze feature that looks for problems within the source code of your application. This is a form of static analysis. There are third-party tools that help with dynamic analysis, testing the running application. OWASP ZAP and Burp Suite are examples of tools in this category.
If a user has a jailbroken phone, they'll likely have access to the whole filesystem. It's also not possible to protect completely against reverse engineering. This post from the Information Security community might be helpful in that regard. You can, however, limit the sensitive information you store on the device. Be careful about what information is stored in log files, cached files, plist files, basically anything stored on the device. If the information is very sensitive, it might be better to store it on the server rather than on the device, since you own the server and don't have direct control over a user's device.
I would consult the Developer's Guide to Encrypting and Hashing Data as well as the iOS Security Guide. I don't know about specific encryption libraries, but in general the most common problem is poor implementation of encryption libraries rather than problems with the libraries themselves. Also, generally using existing libraries is a better practice than trying to create your own.
I'd also consult the Information Security Community; they'll have more guidance on how to security test iOS applications.
Upvotes: 1
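The advice above about log, cache and plist files can be checked on a test build by copying the app's data container to a workstation and scanning it. The following is an added example, not part of the answer: the regular expressions are assumed heuristics, and the bundle id `com.example.app`, the file names and the values in `build_sample` are constructed.

```python
import plistlib
import re
from pathlib import Path

# Assumed heuristics for "sensitive"; adjust to the data your app handles.
KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|session", re.I)
TEXT_RE = re.compile(r"authorization:\s*bearer\s+\S+|passw(or)?d\s*[=:]\s*\S+", re.I)

def sensitive_keys(node, path=""):
    """Yield paths of non-empty plist entries whose key name looks sensitive."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if KEY_RE.search(str(key)) and value not in ("", None):
                yield here
            yield from sensitive_keys(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from sensitive_keys(value, f"{path}[{i}]")

def audit_container(root):
    """Return (relative file, location) findings for plists and text logs."""
    findings = []
    for f in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = f.relative_to(root).as_posix()
        if f.suffix == ".plist":
            try:
                data = plistlib.loads(f.read_bytes())  # XML or binary plist
            except Exception:  # not a parseable plist: skip it
                continue
            findings += [(rel, p) for p in sensitive_keys(data)]
        elif f.suffix in (".log", ".txt"):
            text = f.read_text(errors="replace")
            for n, line in enumerate(text.splitlines(), 1):
                if TEXT_RE.search(line):
                    findings.append((rel, f"line {n}"))
    return findings

def build_sample(root):
    """Write a constructed (fake) app container for the demo."""
    prefs = Path(root, "Library/Preferences")
    caches = Path(root, "Library/Caches")
    prefs.mkdir(parents=True)
    caches.mkdir(parents=True)
    plist = {"username": "alice", "account": {"authToken": "constructed-value"}}
    (prefs / "com.example.app.plist").write_bytes(
        plistlib.dumps(plist, fmt=plistlib.FMT_BINARY))
    (caches / "debug.log").write_text(
        "GET /profile 200\nAuthorization: Bearer constructed-value\n")
```

Run `audit_container` against a container exported from a device or simulator after exercising login and other sensitive flows; any finding is data that a jailbroken device would expose in the clear.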