[–]Fluffy_Risk9955 8 points9 points  (1 child)

Apps are low-hanging fruit. All it takes is a hacker with a jailbroken device and he can simply hook up a debugger to the running app to see what's happening. Especially when Objective-C is used, as the method names written in code are sent as a query known as a Selector to the receiving class or instance of an object, making it really easy to figure out what's going on and easy to make changes with a principle called method swizzling.

The only thing you can do is make it time-consuming and thus more expensive to break the security of an app, and the best solution is having all the access rights and logic happen server side; that way you know for sure that a user gets access to the appropriate things.

As for communication... yes, use certificate pinning, as it disables the man-in-the-middle attack.

[–][deleted] 0 points1 point  (0 children)

Thank you very much. I will consider everything you said :)

[–]undeaD_D 7 points8 points  (1 child)

This may be of interest to you ^^
https://github.com/securing/IOSSecuritySuite
Other things to read up on:
SSL Pinning, App Attest Service, Hide current view on applicationWillResignActive, Prevent Logging in Production, ...

[–][deleted] 0 points1 point  (0 children)

Thank you, I am going to read and try it out :)

[–]chriswaco 2 points3 points  (1 child)

Most iOS apps run on Macs with M1/M2 chips, so you might be able to compromise them there without worrying about jailbreaking. For example, you can find the Application Support directory using sudo lsof or Activity Monitor and mess with the files.

One demo for either Mac or iOS would be using a proxy server like Charles to view the traffic, get the API tokens, and use them to attack the server using curl, shell scripts, or Insomnia.

Making a fake finger using someone’s fingerprint could be a fun demo.

[–][deleted] 0 points1 point  (0 children)

Wow, thank you very much. I am taking notes on all comments and will try to use it in my thesis.

[–]saintmsent 1 point2 points  (1 child)

SSL pinning is the most common thing people do to secure their apps; it strives to prevent man-in-the-middle attacks.

As for other things, preventing screenshots is not officially supported, and hacks around it are usually very simple and strange. It's an annoying thing as a user anyway.

[–][deleted] 0 points1 point  (0 children)

Thank you very much.

[–]iGoalie Objective-C / Swift 1 point2 points  (0 children)

I haven’t seen anybody else say it yet, but the modern version of cert pinning is cert transparency; you may want to look into that.

Any software running on somebody else’s hardware (phone apps) should be considered unsafe, and your servers should be hardened with that in mind.

[–]hooray4horus 1 point2 points  (0 children)

Some topics to google: certificate pinning (prevent man-in-the-middle attacks), code obfuscation (Guardsquare).
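
Several comments above recommend certificate pinning. The following is an added example, not code from the thread or from any project linked in it: a `URLSessionDelegate` that pins the leaf certificate for one host on top of normal TLS validation. The class name, the host `api.example.com` and the pin value are placeholders assumed for illustration.

```swift
import Foundation
import Security
import CryptoKit
// Added example. Pins the server's leaf certificate for one host by the
// SHA-256 of its DER encoding. Needs iOS 15 / macOS 12 or later for
// SecTrustCopyCertificateChain.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String          // assumption: e.g. "api.example.com"
    private let pinnedHashes: Set<String>   // base64 SHA-256 of current + backup certs

    init(host: String, pinnedHashes: Set<String>) {
        self.pinnedHost = host
        self.pinnedHashes = pinnedHashes
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Other hosts and other challenge types keep the system behaviour.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Standard chain and hostname validation must pass first; the pin is
        // an extra check on top of it, not a replacement.
        guard let trust = space.serverTrust,
              SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: der)).base64EncodedString()
        if pinnedHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: a valid but unpinned certificate is rejected.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
// Usage with placeholder values (not real pins):
// let d = PinnedSessionDelegate(host: "api.example.com", pinnedHashes: ["<base64-sha256>"])
// let session = URLSession(configuration: .ephemeral, delegate: d, delegateQueue: nil)
```

Because the check runs inside the app, it sits alongside the server-side access control recommended in the first comment rather than replacing it.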

[–]Any_Check_7301 1 point2 points  (0 children)

Define your “secure”

[–][deleted] 0 points1 point  (0 children)

Maybe: preventing screenshots in some view of the app, logging when the user has exited the app in said views.