In our busy schedule and tight project deadlines we just want to ignore some basic risks in our app, some people think that Apple environment is close enough to take care of it. Do we are really missing something? yes we are..
These risk increases when we use WebServices, keep files in application folders and don't forget to remove logs while deploying in public domain. Root cause of security holes are:
|WebServices||Publicly-Accessible files||Insecure database|
I am trying to list down basic things that we can keep in mind while coding:
- Use NSTemporaryDirectory or confstr
- Use of higher level APIs like NSFileManager aren't safe enough
- Run static analysis tool frequently. It will not give you all possible issues but it can help with some basics.
- Use preprocessor directives to identify the debug environment
- Avoid using NSLog, use some user define macro for logging
#define Log( s, ... ) NSLog( @"
%@", [[NSString stringWithUTF8String:__FILE__] lastPathComponent], __LINE__, [NSString stringWithFormat:(s), ##__VA_ARGS__] )
#define Log( s, ... )
- Always log with formatted string, passing ID to log can create a potential leak
- Avoid Cross-site scripting
- While opening any URL from a web content check if it is a resource path or a link
- Avoid PhoneGap based environment while security is a concern
- Don't trust document serialization and avoid directly executing from the same
- Be aware of trojan/code injection every time you process a downloaded file or file from local directories
- Use hardening techniques
- Be aware of security properties of APIs you use