Potential security risks in iOS Apps - Part 1

A few days back the Apple developer portal was hacked. Do we have a leak in our own apps?

With busy schedules and tight project deadlines we tend to ignore some basic risks in our apps; some people think the Apple environment is closed enough to take care of it for us. Are we really missing something? Yes, we are.

These risks increase when we use web services, keep files in application folders, and forget to remove logs before deploying to the public. The root causes of security holes are:

  •  Web services
  •  Publicly accessible files
  •  Insecure databases

Here are some basic things to keep in mind while coding:
  1. Use NSTemporaryDirectory or confstr to find the temporary directory rather than assuming a path
  2. Higher-level APIs like NSFileManager are not safe enough by themselves; check the files and permissions they produce
  3. Run a static analysis tool frequently. It will not find every issue, but it helps with the basics.
  4. Use preprocessor directives to identify the debug environment
  5. Avoid calling NSLog directly; use a user-defined macro that compiles to nothing outside debug builds. DEBUGING must be defined only in the Debug configuration, and because the release build expands Log(...) to nothing, never put a call with side effects inside a Log() argument:
    #ifdef DEBUGING
      // prints <file:line> followed by the formatted message
      #define Log( s, ... ) NSLog( @"<%@:%d> %@", [[NSString stringWithUTF8String:__FILE__] lastPathComponent], __LINE__, [NSString stringWithFormat:(s), ##__VA_ARGS__] )
    #else
      #define Log( s, ... )
    #endif
  6. Always log with a constant format string. Passing an object (id) or any untrusted string as the format argument, as in NSLog(userString), lets "%" sequences in that string read memory and leak it into the log.
  7. Avoid cross-site scripting in any web content your app renders
  8. When opening any URL from web content, check whether it is a local resource path or an external link before loading it
  9. Avoid PhoneGap-based environments when security is a concern
  10. Don't trust document serialization, and never directly execute what you deserialize
  11. Be aware of trojan/code injection every time you process a downloaded file or a file from a local directory
  12. Use hardening techniques
  13. Be aware of the security properties of the APIs you use
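As an added example of items 6 and 8 (this is not code from the original post), here is a UIWebView delegate, the API of the post's era (WKWebView's navigation-policy delegate plays the same role today), that treats every navigation started by page content as untrusted: it allows only resource paths inside the app bundle and https links to an allowlisted host, and it logs the URL with a constant format string rather than passing the URL as the format. The host api.example.com is a hypothetical placeholder.

```objective-c
// Added example, not from the original post: allowlisting URLs opened from web
// content and logging them without a format-string bug.
// Assumptions: UIWebView (era-appropriate), hypothetical allowed host
// "api.example.com".
#import <UIKit/UIKit.h>

@interface WebScreen : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) NSSet *allowedHosts;
@end

@implementation WebScreen

- (void)viewDidLoad {
    [super viewDidLoad];
    // Hypothetical allowlist: the only hosts page content may navigate to.
    self.allowedHosts = [NSSet setWithObjects:@"api.example.com", nil];
}

// Called before every load, including ones the page itself triggers.
- (BOOL)webView:(UIWebView *)webView
        shouldStartLoadWithRequest:(NSURLRequest *)request
                    navigationType:(UIWebViewNavigationType)navigationType
{
    NSURL *url = request.URL;
    NSString *scheme = [url.scheme lowercaseString];

    // WRONG: NSLog([url absoluteString]) lets "%x"-style sequences in an
    // attacker-chosen URL be interpreted as format directives and read memory.
    // RIGHT: constant format, the untrusted value only as an argument.
    NSLog(@"navigation request: %@", [url absoluteString]);

    // Resource path: a file:// URL that resolves to somewhere inside the bundle.
    // stringByStandardizingPath collapses ".." so "bundle/../Documents/x" fails.
    // NavigationTypeOther covers app-initiated loads (and redirects/subframes),
    // so it is combined with the path check rather than trusted on its own.
    if ([scheme isEqualToString:@"file"]) {
        NSString *bundleRoot = [[[NSBundle mainBundle] bundlePath] stringByAppendingString:@"/"];
        NSString *path = [[url path] stringByStandardizingPath];
        return navigationType == UIWebViewNavigationTypeOther
            && [path hasPrefix:bundleRoot];
    }

    // Link: only https to a known host. javascript:, tel:, custom schemes and
    // plain http are refused here; anything you do want to allow externally
    // should go through -[UIApplication openURL:], not your own web view.
    if ([scheme isEqualToString:@"https"]) {
        NSString *host = [url.host lowercaseString];
        return host != nil && [self.allowedHosts containsObject:host];
    }
    return NO;
}

@end
```

Returning NO silently drops the navigation; if the page needs feedback, do it from this method rather than by loading the refused URL.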

Useful testing tools
  1. Unit testing is your friend
  2. CrashWrangler (Apple's crash triage tool) for fuzzing
  3. Penetration testing

Connecting with iOS

I was wondering how to connect with an iPhone, iPod or iPad. The outcome of my research is that there are three ways:
An interesting fact is that WiFi and Bluetooth share the same antenna. To communicate with external accessories there is the External Accessory framework (EAF).

The architecture of EAF is quite simple: each accessory declares the protocols it speaks (protocol strings), and each span of communication over one of them is an EASession. NSStream carries the payload: NSInputStream for input and NSOutputStream for output.

Other core frameworks like CoreAudio and CoreLocation are also helpful when communicating with an external accessory because they are notified of route changes. When an accessory is connected or disconnected via the dock, EAAccessory notifies the app through NSNotificationCenter:

  •  EAAccessoryDidConnectNotification
  •  EAAccessoryDidDisconnectNotification

Things to keep in mind
  1. There are no EA events in the background, so track UIApplicationDidEnterBackgroundNotification and close the session yourself
  2. Close your EA session as soon as your work is completed
  3. Antenna arbitration exists: WiFi and Bluetooth share the antenna, so expect contention
  4. Use the accessory change notifications generously and be prepared for connectivity loss
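The session lifecycle described above, as an added example that is not code from the original post: it opens one EASession when an accessory that speaks a given protocol connects, reads from the NSInputStream on the run loop, closes on disconnect, stream error or backgrounding, and parses what the accessory sends as untrusted input with a bounded buffer and a length check. The protocol string com.example.proto and the framing [type:1][len:1][payload:len] are hypothetical; the protocol string would also have to be listed under UISupportedExternalAccessoryProtocols in Info.plist.

```objective-c
// Added example, not from the original post: EASession open/read/close with
// the accessory's bytes treated as untrusted input.
// Assumptions: hypothetical protocol "com.example.proto" and hypothetical
// framing [type:1][len:1][payload:len].
#import <UIKit/UIKit.h>
#import <ExternalAccessory/ExternalAccessory.h>

static NSString * const kProto = @"com.example.proto"; // hypothetical

@interface AccessoryLink : NSObject <NSStreamDelegate>
@property (nonatomic, strong) EASession *session;
@property (nonatomic, strong) NSMutableData *inbox; // bytes not yet parsed
@end

@implementation AccessoryLink

- (id)init {
    if ((self = [super init])) {
        self.inbox = [NSMutableData data];
        NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
        [nc addObserver:self selector:@selector(accessoryDidConnect:)
                   name:EAAccessoryDidConnectNotification object:nil];
        [nc addObserver:self selector:@selector(accessoryDidDisconnect:)
                   name:EAAccessoryDidDisconnectNotification object:nil];
        // No EA events arrive in the background: close on our own when backgrounded.
        [nc addObserver:self selector:@selector(closeSession)
                   name:UIApplicationDidEnterBackgroundNotification object:nil];
        [[EAAccessoryManager sharedAccessoryManager] registerForLocalNotifications];
    }
    return self;
}

- (void)accessoryDidConnect:(NSNotification *)note {
    EAAccessory *acc = [note.userInfo objectForKey:EAAccessoryKey];
    if (self.session || ![acc.protocolStrings containsObject:kProto]) return;
    // One EASession per accessory and protocol; NSInputStream carries the payload.
    self.session = [[EASession alloc] initWithAccessory:acc forProtocol:kProto];
    NSInputStream *in = self.session.inputStream;
    in.delegate = self;
    [in scheduleInRunLoop:[NSRunLoop mainRunLoop] forMode:NSDefaultRunLoopMode];
    [in open];
}

- (void)accessoryDidDisconnect:(NSNotification *)note {
    EAAccessory *acc = [note.userInfo objectForKey:EAAccessoryKey];
    if (self.session && acc.connectionID == self.session.accessory.connectionID) {
        [self closeSession]; // connectivity loss: drop state, do not keep writing
    }
}

- (void)stream:(NSStream *)stream handleEvent:(NSStreamEvent)event {
    if (event == NSStreamEventHasBytesAvailable) {
        uint8_t buf[512];
        NSInteger n = [(NSInputStream *)stream read:buf maxLength:sizeof buf];
        if (n <= 0) return;
        // Cap buffered input: a misbehaving accessory must not grow memory forever.
        if (self.inbox.length + (NSUInteger)n > 4096) { [self closeSession]; return; }
        [self.inbox appendBytes:buf length:(NSUInteger)n];
        [self consumeFrames];
    } else if (event == NSStreamEventErrorOccurred || event == NSStreamEventEndEncountered) {
        [self closeSession];
    }
}

// Parse only complete frames; the declared length is checked against what we
// actually hold before any byte past the header is touched.
- (void)consumeFrames {
    while (self.inbox.length >= 2) {
        const uint8_t *p = self.inbox.bytes;
        NSUInteger len = p[1];
        if (self.inbox.length < 2 + len) return; // incomplete, wait for more
        NSData *payload = [NSData dataWithBytes:p + 2 length:len];
        NSLog(@"frame type %u with %lu payload bytes", p[0], (unsigned long)payload.length);
        [self.inbox replaceBytesInRange:NSMakeRange(0, 2 + len) withBytes:NULL length:0];
    }
}

- (void)closeSession {
    if (!self.session) return;
    NSInputStream *in = self.session.inputStream;
    in.delegate = nil;
    [in close];
    [in removeFromRunLoop:[NSRunLoop mainRunLoop] forMode:NSDefaultRunLoopMode];
    self.session = nil; // close as soon as the work is done
    [self.inbox setLength:0];
}

- (void)dealloc {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
    [self closeSession];
}

@end
```

The output stream is omitted because this example only reads; writing follows the same open/schedule/close pattern on session.outputStream.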

Web services recap

Nowadays most apps use web services, and the good thing is we all know what they are :)

Just adding some notes from my side on things like SOAP, REST and ......., and what? Is there anything else we have in the name of web services, really?

A few days ago a guy with more than a decade of experience came to me and told me to integrate a web service into an app. I simply asked for the web service summary, which I think is the usual question when we start working on something. He said to take the reference from an existing website which he claimed was using the same one. At first I didn't get what he wanted to tell me, but his steps just gave me a heart attack. He went to Chrome, opened the website, right-clicked for the Inspect Element option, monitored the Network tab while logging in to that website, and said: look, here are the web services, just replicate them in your app. After that, I thought, is it worth asking anything anymore?

Okay, let's do a quick recap of what we know:

  1. Charles is still the simplest tool to monitor web service requests from an iOS or Mac environment
  2. Not every resource request to a URI is a web service.
  3. One is SOAP and the rest is REST; why the extensive debate?
  4. SOAP is an XML-based, strictly defined object access protocol made for rich guys :)
  5. OAuth is a two-tier authorization framework, i.e. 

iOS + WS 
  1. Avoid using 3rd-party wrappers like ASIHTTPRequest for networking without reading their code first
  2. NSURLRequest + NSURLConnection are not evil
  3. Use event-driven (asynchronous, delegate- or block-based) APIs
  4. Reachability is our friend
  5. Don't issue synchronous requests on the main thread
  6. Your app's UI should reflect network reality 
  7. Be prepared for latency and packet loss
  8. Be prepared for no-network and host-not-reachable conditions
  9. Always code as if the connection is insecure: use TLS with proper certificate validation, and protect sensitive payloads end to end rather than trusting the network
  10. Minimize the use of network connections; keep in mind that we also have push notifications 
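Items 2, 3, 5, 8 and 9 in one piece, as an added example that is not code from the original post: an asynchronous NSURLConnection (the API the post recommends; NSURLSession replaced it later) that pins the server's leaf certificate in the server-trust challenge, keeps the main thread free, and reports "network unavailable" separately from "we refused the server". The endpoint https://api.example.com/v1/items and the bundled DER file api.example.com.cer are hypothetical placeholders. SecTrustEvaluate is the trust API of that era (since deprecated in favour of SecTrustEvaluateWithError).

```objective-c
// Added example, not from the original post: NSURLConnection with certificate
// pinning and distinct handling of unreachable-host vs. pin-failure errors.
// Assumptions: hypothetical endpoint https://api.example.com/v1/items and a
// DER copy of its leaf certificate shipped as api.example.com.cer (ARC build).
#import <Foundation/Foundation.h>
#import <Security/Security.h>

typedef void (^FetchCompletion)(NSData *body, NSError *error);

@interface PinnedFetcher : NSObject <NSURLConnectionDataDelegate>
@property (nonatomic, strong) NSData *pinnedCert;  // DER bytes of the expected leaf
@property (nonatomic, strong) NSMutableData *buffer;
@property (nonatomic, copy) FetchCompletion completion;
@end

@implementation PinnedFetcher

- (void)fetch:(NSURL *)url completion:(FetchCompletion)completion {
    self.completion = completion;
    self.buffer = [NSMutableData data];
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api.example.com" ofType:@"cer"];
    self.pinnedCert = [NSData dataWithContentsOfFile:certPath];
    NSAssert(self.pinnedCert != nil, @"pinned certificate missing from bundle");

    NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:url
                                                       cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
                                                   timeoutInterval:15.0];
    [req setValue:@"application/json" forHTTPHeaderField:@"Accept"];
    // Asynchronous and delegate-driven: no sendSynchronousRequest: on the main thread.
    NSURLConnection *conn = [[NSURLConnection alloc] initWithRequest:req delegate:self startImmediately:NO];
    [conn scheduleInRunLoop:[NSRunLoop mainRunLoop] forMode:NSRunLoopCommonModes];
    [conn start];
}

// Accept the server only if system chain validation passes AND the leaf is
// byte-for-byte the certificate we shipped. A CA-issued MITM cert passes the
// first check but not the second.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = SecTrustEvaluate(trust, &result) == errSecSuccess
        && (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        pinOK = [leafDER isEqualToData:self.pinnedCert];
    }
    if (pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge]; // fail closed
    }
}

- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response {
    [self.buffer setLength:0];
}

- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
    [self.buffer appendData:data];
}

- (void)connectionDidFinishLoading:(NSURLConnection *)connection {
    self.completion(self.buffer, nil);
}

- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    // Tell the UI whether to wait for the network or to stop trusting this link.
    NSString *why;
    switch (error.code) {
        case NSURLErrorNotConnectedToInternet:
        case NSURLErrorCannotFindHost:
        case NSURLErrorCannotConnectToHost:
        case NSURLErrorTimedOut:
            why = @"network unavailable; retry when Reachability reports the host"; break;
        case NSURLErrorUserCancelledAuthentication:
            why = @"server failed certificate pinning; do not retry over this link"; break;
        default:
            why = @"request failed";
    }
    NSLog(@"%@ (%@)", why, error); // constant format string, error only as an argument
    self.completion(nil, error);
}

@end
```

Pinning the leaf means the app must ship an updated certificate before the server's rotates; pin the public key or the intermediate if that rotation cadence is a problem.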

PHP + WS
  1. Always think beyond $_POST, $_GET, $_REQUEST and $_FILES; they are just there to help you
  2. Use and read request headers generously
  3. php://input is what you need for the raw request body (e.g. JSON)
  4. Don't forget your buddy, MIME types: check the Content-Type of what you receive, and never trust the type a client declares for an upload
  5. Be prepared for trojans and injection
  6. PHP sits close to the network layer; explore its low-level possibilities
  7. Take authorization and content distribution seriously

  1. Don't misuse the client's network and resources :|
  2. Just enjoy JSON, sometimes XML, and leave the rest for the server side :)

Hide blog post from listing based on tags

CSS Part
<b:if cond='data:blog.pageName != &quot;Doodling&quot;'>