Article in Apple category.
Basic Security Practices For iOS Applications
Adhering to some principles can greatly limit the chance of having your data stolen by hackers.
When developing any mobile application that processes user data, it is important to pay attention to security. This issue is particularly acute for applications where full names, phone numbers, passports, and other personal information appear. Every year there are new technologies and opportunities, and with them new behaviors and vulnerabilities. In this article, we discuss the main points of security for iOS applications that are relevant in 2019.
iOS has always been famous for its security and attention to information security. Nevertheless, during the existence of this OS, several serious vulnerabilities were identified that caused user data leaks. This once again reminds us that too many security measures do not exist and one cannot hope for everything in the system. The lesser the information that remains on the disk after using the application, the better.
Therefore, it is recommended to store only those data that you cannot do without.
Biometric authentication greatly simplifies logging into mobile applications. Apple cites statistics according to which the chance of a user's fingerprint coinciding with another person's fingerprint is 1 to 50,000, while the chance of face scans coinciding is 1 to 1,000,000. All related calculations are performed on the Secure Enclave coprocessor, which is completely isolated from the operating system. Because of this, it is impossible to access or use the user's biometric data, so the top app development companies don’t have to worry about it. However, there are some interesting points related to these technologies.
For example, an attacker could find out the pin code from the phone itself, add his or her fingerprint to the list of prints known to the system, and log in using it in the application without knowing the pin code. To solve this problem, the operating system provides a hash which describes the current fingerprints set. This hash can be saved to disk during the first successful authorization in the application and during subsequent authorizations to check whether the current value differs from the saved one. If they are different, the fingerprint database has been changed, the Touch ID input is disabled, and the user needs to re-enter the application PIN code to save the new hash value. The same applies to Face ID.
You can have different attitudes towards Apple’s policy of restricting user rights to control a smartphone, but the fact remains: if the user chooses to put Jailbreak on, most aspects of iOS security can be forgotten. Any installed application can potentially access all stored information.
Currently, Jailbreak has become less common due to the fact that with the release of each new version of iOS, it is becoming increasingly difficult.
When a Jailbreak is detected, you can impose hard restrictions like blocking access to certain parts of the application or even prohibiting its use.
It is important to ensure security, including when entering information on the application.
For example, it is recommended to disable the autocomplete feature in most text fields. If this is not done, the input data (which may be personal) will be indexed by the operating system and will appear as options for auto-completion in other applications and all text fields in which passwords are entered are, of course, masked and do not support the ability to copy/paste.
To bypass the keyloggers that are possibly on the device, the pin-code entry during authorization is not performed using the system keyboard, but using the number buttons on the screen.
Even if the attacker has received full access to the phone or user account, there must be ways to block his ability to perform operations in the application. To do this, when authorizing, it is important to send information about the device to the server (ID, model, iOS version) - if the user has lost access to his phone, the device can be added to the blacklist on the server.
Also, when using the app, you can send data about the user's geolocation to the server (provided that he has given access to it). If operations are performed from atypical places, it is possible to pause the service until the user confirms that the actions are actually being performed by him.
All important changes to the settings and operations must be confirmed using the SMS code. The number of attempts to enter the code should also be limited.
The OS takes a screenshot of the screen when the user minimizes the application, which is then displayed in the list of minimized apps. This screenshot is saved in a folder on the smartphone, and it is important to provide an option in which the screenshot may contain personal data. This can be done in different ways: to block the screen contents or to put a “curtain” on top of it when the application is minimized, the main thing is that you cannot view the contents of the screen in the screenshot.
A serious application in most cases is only part of some service, in which besides the mobile client there is a server and a connection with it. To ensure full protection of the service, all its components must comply with information security requirements. However, the guarantee of security can never be one hundred percent. The possibility of an attack always exists, and all the above points only reduce the risks or increase its cost. Therefore, the only thing that can be done by the top app development companies is to adhere to these principles: all application code is considered public, the best place for logic and data is on the server, and any protection should be comprehensive.