iOS Application: Development with a Secure Background
Living in a modern civilized society makes us constantly think about different security measures. Getting out of the house, we close the door with a key, leaving the car, prefer to use a garage or car park, paying in a store, pull out the card rather than a bunch of cash.
What are we afraid of? Before everything else, we want to protect our private space and prevent from any strangers to get in.
The same reason makes us set the passwords on electronic devices, follow security recommendations on virtual sources, use the latest antiviruses to protect the software, etc.
The security on a high technology level plays an important role in the life of modern people. We want to be sure that our personal data, whether messages of a personal nature or access to the bank accounts, won't be obtained by anybody.
See also: What to expect from Apple in 2016
Apple Security System
iOS Security Guide provides a detailed description of different sides of the security establishing and iOS secure coding. We have arranged them into five groups. Let's consider each group in details.
1. System organization implies a secure interaction between hardware and software components. The process is built the way that subsequent step can't be done if the previous one is not verified. It consists of the following components:
Secure Boot Chain guarantees that each move of the starting process passes through Apple cryptography mechanism.
System Software Authorization ensures that devices do not have the ability to downgrade to the latest OS versions where there are security issues fixed in the latest version.
Secure Enclave supplies the cryptographic operations used for Data Protection key management. It also keeps Data Protections integrity even though the kernel has been damaged.
Touch ID provides a high security by using a fingerprint recognition system. Such system deploys long compound passwords which are almost impossible to detect.
- Encryption and Data Protection make sure that only secure applications and trusted code run on the device. They include hardware security features, files protection, passcodes, data protection classes, keychain data protection, security certifications, and others.
Data protection classes take care of the protection with the key obtained from the user's password and phone's UID, encrypting data written while the device is locked by means of asymmetric elliptic curve cryptography, protecting data from the attack caused by the device restarting, etc.
Security programs act on the basis of adaptability to Information Processing Standards.
3. iOS App Security ensures that users' data is protected establishing safe signing, verifying, and sandboxing of iOS applications.
App code signing is executed via the Apple-issued certificate.
Runtime process security is organized so that the existed apps cannot be harmed by the newly coming applications.
iOS Software Development Kit provides developers with the pack of APIs helping to establish the full security for apps created for Apple devices.
- Network security is in charge of protecting data during the transmission. It includes VPN capacity, iOS Internet security by means of encoded Wi-Fi, secure Bluetooth connection, and the safety of Transport Layer.
- Device blocking refers to the setting up different levels of protection to make the iOS device unavailable for the third parties. It mainly refers to th Passcode adjusting, Auto-lock timeout, and Touch ID policies.
Thus, iOS Security System takes care of the safety at all the stages of the interaction with the operating system. Apple team is constantly working on the improvements of certain security components. Recent updates are to make them even more reliable and proven. Let's make a brief overview of their peculiarities.
Recent Changes and Improvements
HTTPS instead of HTTP
This is a major change concerning the data transmission concept. It involves deeper TLS configuration and directly affects security for iOS apps. In particular, compliance with the following is required:
- TLSv1.2 free from insecure cryptographic elements, such as RC4 encryption and SHA-1 certificate signatures, and basic size requirements of 2048 bits for RSA and 256 bits for EC.
You can make the exceptions by launching a complete overriding or referring to the Info.plist if you want to do it not on the on-going basis.
Disabled access to the other apps
Apple had a serious issue when another application had the ability to detect which apps were already installed on the device. It was fixed by making the following:
- Denying access to the other processes which run on the device for the sandboxed apps (by means of modifying sysctl() );
- Making all the apps to clearly list all the URI schemes in their Info.plist file;
- Preventing the sandboxed apps from accessing the icon cache.
Using universal links
It means that communication with other apps is going to be handled through the universal links rather than URI schemes. In simple words, an app can list the web domains it is related to.
Along with the device passwords, using the application passwords is now available. Both serve for the encryption of the keychain items. The change opens the possibilities for applications to control when the data becomes available.
Extra protection for private keys
The private key can be now used 'right of the bet'. It means that leaving Secure Enclave of the device is no longer needed. This is achieved by means of configuring SecGenerateKeyPair() to make it place the generated private key into Keychain of the device.
New extension points are added in order to implement the client sides which are in charge of a custom VPN tunneling protocol and transparent network proxy protocol, as well as organize dynamic, on-device network content filtering.
Along with the strengthening of the security system, Apple's decided to give developers more freedom and limit them only through Apple ID to run any code on the device. No additional ID verifications are required any longer. You are even not obliged to join the program. This innovation, however, led to the conflicting reactions.
On the one hand, the developers have more opportunities for introducing their creations on the iOS devices, on the other - the risk of getting a malware increases significantly. Actually, obtaining a fake ID opens a way to the device and reduces the security of iOS apps. Malware developers can easily launch their applications or even replace the legal ones.
Malware is near
Malware is a serious problem both for the users and owners of the legal software. Hacking and securing iOS applications keep pace. The intention of illegal software is to gain access to the restricted data, publish an uncontrolled advertisement, and ruin the device operations in general.
iOS malware makes quite a long list. We have arranged some of the representatives below:
AdThief/Spad - directs the advertising revenue from the legal recipient to the Malware owner;
FindCall - steals personal data and sends it to the remote server;
Ikee/Eeki - this is a so-called 'worm' which gets into the jailbroken device and spills the SMS data to the third party server;
KeyRaider - makes it impossible to unlock the device either locally or remotely by stealing Apple certificates of push notifications and private keys;
LBTM - is in charge of displaying illegal ad content;
MobileSpy/RetinaX/BopSmiley - a spyware which listens to your calls, reads SMS, tracks the URLs you follow and identifies your location. All the data goes to a remote server;
XcodeGhost - malware created on the basis of a malicious Xcode version. It negatively affects legal iOS applications via the HTTP protocol. The data to be hacked includes UUID of the device, bundle ID of the application, type and title of the device, type of network, etc.
How to protect
Keep your weather to protect the data. The simplest things you can do are as follows:
- use only official updates of the operating system and keep the OS up-to-date as older versions may contain security gaps fixed in the new ones;
- read carefully which data is requested by an app when being installed (for example, a place searching app does need an access to the device GPS but gaming app doesn't);
- download the apps only from the official app store;
- avoid jailbreaking as it refers to the wiping out all the operating system security 'shells' which opens the direct access to applications data.
For the developers we would recommend the following:
- encrypt all the sensitive data which you keep in the phone's memory;
- do not use HTTP to access the server; HTTPS is strongly recommended, though;
- do not deploy the third party libraries; if it is impossible, try to find open source library with a source code provided, check the source code, include source code into your project (not pre-built library file);
- enable a reliable file-sharing service for your clients, so that they do not deploy unknown and insecure sources;
- do not open the access to the corporate network for the devices which do not meet security requirements;
- use iOS app security testing which includes such components as application mapping, client attacks, network attacks, server attacks.
As can be seen from the above, iOS security architecture covers nearly all the possible risks of dangerous third party attacks. It refers not only to a single side of applications data protection but provides solutions for the secure data transmission, safe interaction between software and hardware components, high level of channels and information encryption, etc. Apple continues working on the elimination of the existed gaps and improvements of present mechanisms.
It should be noted that along with the increase of the security system quality, the skills and abilities of hackers and malware developers also grow. Therefore, unauthorized access to various kinds of data still takes place. Unfortunately, malware creations are quite 'smart' and can spread into the different corners of OS and applications data. That is why both users and developers should approach with a great care to the question of establishing security for mobile apps.
The information above is essential for a person who intends to invest in a mobile application development. If you want to entrust a remote team with your project, consider choosing only top professionals in order to make an app of a great user experience and security level.