Developing an application involves much more than the written code. Even if it was possible to build an (almost) bug-free code, if the app:
depends on a server anywhere on the internet
stores data in local storage devices
or saves code bases in a repository cloud
there are potential vulnerabilities for a attacker to take advantage, as these interactions go beyond the code itself.
The aim of this post is to expose different techniques in order to minimize the chances for an attacker to break our security, as well as our clients’ and users’ security.
Note: This is not intended to be an extensive guide implementing each technique, however, this is a guide explaining what we can and should manage when developing an iOS application.
Enable Application Transport Security:
With the launch of iOS 9 and OS X El Capitan, Apple has introduced App Transport Security, which enforces developers to use secure network connections. This change implies that every connection the application makes must use HTTPS protocol and TLS 1.2.
In other words, our application cannot communicate with a server using a non-secure connection, such as HTTP, unless it is explicitly indicated. As this was a breaking change, Apple provided an easy way to master this new requirement by adding exceptions or disabling it in the plist file.
Nevertheless, it is strongly recommended not to bypass this restriction, and instead, use secure connections in our apps to avoid potential (and easy) attacks.
Additional Resources:
- Configuring App Transport Security Exceptions in iOS 9 and OS
- 10.11Working with Apple’s Application Transport
- NSAppTransportSecurity Apple’s official documentation
SSL Pinning:
Once ATS is enabled, the second step to increase our apps security consists in enabling SSL Pinning.
SSL Pinning is a technique that allows us to deal with an attack called Man in the Middle. SSL is based on the certificate’s “chain of trust”. When the communication starts, the client checks if the received server’s SSL certificate is trusted by any SSL Certificate Authority.
We can use SSL Pinning to ensure that the app communicates only with the designated server itself. This is done by saving the target server’s SSL certificate inside the app bundle.
SSL Pinning has a visible disadvantage, not related to the security itself: the app must be updated whenever the server’s SSL key is changed, due to expiration and other reasons.