Last week we published a fairly long checklist of Android security checks to run while building and launching mobile applications. As with that list, this one is not exhaustive and threat vectors will remain; the intention is to make it as difficult as possible for an attacker to break into your app.
As you build your app and work on your mobile strategy, you need to test it across several dimensions: performance, usability, functionality, compatibility, load and security. Because time to market is pressing, security testing is the part businesses most often skip, yet protecting your customers' information and your own is essential.
Here is a list of checks to complete before you launch your iOS app; if you have already launched, it is worth going back through them:
1. Observe the application's behaviour, the states its data passes through (at rest, in transit, in memory, in backups), and how sensitive each piece of data is.
2. Identify the access methods, the frameworks in use, the server-side APIs and network protocols the app talks to, and any other applications or services it interacts with (URL schemes, for example); each one is an entry point that needs testing.
3. Check that the binary is a PIE (Position Independent Executable). An app linked without PIE (that is, without the "-fPIE -pie" flags) is loaded at a fixed address, which defeats ASLR for the main executable and makes return-oriented exploitation far easier. Check it with "otool -hv <binary>" and look for PIE in the flags column of the Mach-O header; on a fat binary add "-arch arm64" (or the slice you care about) to see that slice's header. Xcode enables PIE by default for modern deployment targets, so a missing flag usually means a build setting turned it off (LD_NO_PIE, shown as "Don't Create Position Independent Executables").
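The same header check can be scripted for a build pipeline where otool is not available. The script below is an added example, not code from the original post or from Appknox's tooling: it parses the Mach-O header directly and tests the MH_PIE flag (0x200000), handling universal (fat) binaries by inspecting every architecture slice. The sample binaries at the bottom are constructed in the script (headers only, no load commands) so that it runs offline; to check a real app, pass the path of the main executable inside the .app bundle on the command line.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header, native / byte-swapped
FAT_MAGIC = 0xCAFEBABE                              # universal binary; always big-endian on disk
MH_EXECUTE = 0x2                                    # filetype of a main executable
MH_PIE = 0x00200000                                 # header flag the linker sets for -pie
MH_NOUNDEFS, MH_DYLDLINK, MH_TWOLEVEL = 0x1, 0x4, 0x80  # flags normally present as well
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_mach_header(blob: bytes) -> dict:
    """Parse one thin Mach-O header and report whether MH_PIE is set."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"   # a little-endian read byte-swapped it, so the file is big-endian
    else:
        raise ValueError("not a Mach-O header (magic 0x%08x)" % magic)
    # struct mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    _, cputype, _sub, filetype, _ncmds, _size, flags = struct.unpack(endian + "IiiIIII", blob[:28])
    return {
        "arch": CPU_NAMES.get(cputype, "cpu 0x%x" % cputype),
        "executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
    }


def check_pie(blob: bytes) -> list:
    """One result per architecture slice; handles both thin and fat (universal) files."""
    (magic,) = struct.unpack(">I", blob[:4])
    if magic != FAT_MAGIC:
        return [parse_mach_header(blob)]
    (nfat,) = struct.unpack(">I", blob[4:8])
    results = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _cpu, _sub, offset, size, _align = struct.unpack(">iiIII", blob[8 + 20 * i:28 + 20 * i])
        results.append(parse_mach_header(blob[offset:offset + size]))
    return results


def slices_missing_pie(blob: bytes) -> list:
    """Architectures a reviewer should flag: executable slices without MH_PIE."""
    return [r["arch"] for r in check_pie(blob) if r["executable"] and not r["pie"]]


# --- Constructed sample binaries (headers only, no load commands) for an offline run ---
def make_header(cputype: int, flags: int) -> bytes:
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 0, 0, flags, 0)


def make_fat(slices: list) -> bytes:
    """Wrap (cputype, thin_bytes) pairs in a fat header. Real files page-align slices; this one does not."""
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    for cputype, thin in slices:
        out += struct.pack(">iiIII", cputype, 0, offset, len(thin), 0)
        offset += len(thin)
    return out + b"".join(thin for _, thin in slices)


BASE_FLAGS = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
PIE_BINARY = make_header(CPU_TYPE_ARM64, BASE_FLAGS | MH_PIE)   # what a good build looks like
FIXED_BINARY = make_header(CPU_TYPE_ARM64, BASE_FLAGS)          # built with LD_NO_PIE / ld -no_pie
FAT_BINARY = make_fat([(CPU_TYPE_X86_64, make_header(CPU_TYPE_X86_64, BASE_FLAGS)),
                       (CPU_TYPE_ARM64, PIE_BINARY)])             # one slice fixed, one PIE

if __name__ == "__main__":
    import sys
    for name, blob in (("pie", PIE_BINARY), ("fixed", FIXED_BINARY), ("fat", FAT_BINARY)):
        print(name, check_pie(blob), "missing PIE:", slices_missing_pie(blob))
    for path in sys.argv[1:]:                      # e.g. Payload/MyApp.app/MyApp from an unzipped .ipa
        with open(path, "rb") as f:
            print(path, "missing PIE:", slices_missing_pie(f.read()))
```

The fat case matters in practice: a build can ship a PIE arm64 slice next to a non-PIE one, and checking only the first header would miss it.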
Use of Privilege
1. Reduce privileges whenever possible
2. Use elevated privileges sparingly, and only in privileged helpers. If you must run code with elevated privileges, follow the rules below. (They are written for OS X: a third-party iOS app runs inside its sandbox and cannot install a privileged helper at all, so on iOS the equivalent discipline is to request only the entitlements and permissions the app actually needs.)
3. Never run your main process as a different user. Instead, create a separate helper tool that runs with elevated privileges.
4. Your helper tool should do as little as possible.
5. Your helper tool should accept as narrow a set of requests as possible, and validate every parameter of each request before acting on it; the caller is unprivileged and may have been compromised.
6. Your helper tool should either drop its elevated privileges or exit as soon as the privileged work is done.
7. Minimize the amount of code that must run with elevated privileges.
8. Never run a GUI application with elevated privileges. GUI frameworks load large amounts of code (plug-ins, input methods, image decoders) that was never written to run as root.
Authentication between Client and Server
1. Do not store, validate, or modify passwords yourself. OS X and iOS provide facilities built for exactly that purpose (the Keychain for storing credentials, and the system's authentication and authorization services for checking them), and they are far better audited than anything an app can reasonably reimplement.
2. Never send passwords over a network connection in cleartext, and never assume that an unencrypted network connection is secure, even on a network you think of as private.
3. Always authenticate the server: validate its certificate chain against trusted roots and check that the certificate matches the hostname, even though the TLS protocol itself treats server authentication as optional. Otherwise an attacker on the network path can impersonate your server, collect your users' credentials and data, and damage your reputation in the process.
4. Apply password policies wherever possible: minimum strength and length, expiration where your threat model calls for it, and a well-defined reset flow rather than a retrieval one, since a password that can be retrieved is a password stored in recoverable form.
5. Never store passwords in plain text (if you must store them at all, store a salted, deliberately slow hash such as scrypt or bcrypt), and never reissue a previously used password to a user.
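The server-authentication point, and the cleartext point before it, are easiest to see as a configuration diff. The snippet below is an added example, not code from the original post, written in Python for a desktop or CI client rather than for the app itself (on iOS, NSURLSession under App Transport Security performs the same checks by default). The weak context is the "works in dev" shape that ships far too often: it encrypts the connection but accepts any certificate, so the password goes to whoever is in the middle. The hardened context validates the chain against trusted roots, checks the hostname and refuses TLS below 1.2; the audit helper is what you would run over a client's context in a unit test. The certificate-pinning helpers go one step beyond the page, rejecting even a validly issued certificate that is not the one you expect. The host, port and the stand-in certificate bytes are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: certificate and hostname validation switched off. Any certificate,
    including one an attacker generated a minute ago, is accepted, so the connection is
    encrypted but not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None) -> ssl.SSLContext:
    """Validate the chain against trusted roots (the system store, or a CA file you ship),
    require the certificate to match the hostname, and refuse TLS versions below 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Server-authentication problems in a client context; an empty list means it is fine."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: the server certificate is not validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: a certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version allows TLS below 1.2")
    return problems


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate: the value you would pin in the client."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned fingerprint."""
    return hmac.compare_digest(fingerprint_sha256(der_cert), expected_hex.lower())


def connect_and_verify(host: str, port: int = 443, expected_pin=None) -> str:
    """Open a TLS connection with the hardened context and optionally enforce a pin.
    This makes a network call, so the offline demo below does not exercise it."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if expected_pin is not None and not pin_matches(der, expected_pin):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    # constructed stand-in for DER certificate bytes; a real one comes from getpeercert(binary_form=True)
    fake_der = b"\x30\x82\x01\x00constructed-cert-bytes"
    print("pin:", fingerprint_sha256(fake_der), pin_matches(fake_der, fingerprint_sha256(fake_der)))
```

The ordering in insecure_client_context is itself a tell when reviewing code: Python refuses to set CERT_NONE while check_hostname is on, so a developer who disabled verification had to switch off both checks deliberately.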
Usage of Cryptographic Algorithms
1. Do not attempt to generate your own random numbers. Use the platform's cryptographically secure generator (SecRandomCopyBytes on iOS and OS X); general-purpose generators such as rand() are predictable once an attacker can guess the seed.
2. Use TLS instead of a custom transport-encryption scheme.
3. Do not implement your own cryptographic algorithms or protocols. Getting them right is very difficult, and well-reviewed implementations are readily available on the platform.
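To make the random-number point concrete, here is an added example, not from the original post, showing what "do not generate your own random numbers" protects against. The weak token comes from a general-purpose generator (Python's Mersenne Twister) seeded from the clock, the pattern that rand()/srand(time(NULL)) produces in C; an attacker who knows roughly when the token was issued simply re-runs the generator for every second in that window until the output matches. The secure token comes from the operating system's generator (Python's secrets module, backed by os.urandom; SecRandomCopyBytes is the equivalent on iOS and OS X), for which there is no seed to guess. The constant-time comparison at the end is the other small piece of "don't write your own crypto": comparing secrets with == leaks timing. The issue time and the search window are assumptions for the demo.

```python
import hmac
import random
import secrets
import time


def weak_session_token(seed: int, nbytes: int = 16) -> str:
    """Anti-pattern: a general-purpose PRNG (Mersenne Twister) seeded from a guessable value.
    Same seed, same token, every time."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def weak_token_seeded_from_clock(nbytes: int = 16) -> str:
    """How the weak token usually gets deployed: seeded with the current second."""
    return weak_session_token(int(time.time()), nbytes)


def secure_session_token(nbytes: int = 16) -> str:
    """Use the platform CSPRNG; there is no seed for an attacker to guess."""
    return secrets.token_hex(nbytes)


def recover_seed(observed_token: str, issued_around: int, window: int = 3600) -> int:
    """Attacker's view: the token was minted within `window` seconds before `issued_around`,
    so enumerate every candidate seed and stop when the regenerated token matches.
    Returns the seed, or -1 if no seed in the window reproduces the token."""
    nbytes = len(observed_token) // 2
    for seed in range(issued_around, issued_around - window, -1):
        if weak_session_token(seed, nbytes) == observed_token:   # attacker's code; timing is irrelevant here
            return seed
    return -1


def token_matches(presented: str, stored: str) -> bool:
    """Server-side check. compare_digest takes the same time wherever the strings differ,
    so response timing does not reveal the stored token one byte at a time."""
    return hmac.compare_digest(presented, stored)


if __name__ == "__main__":
    issued = 1_700_000_000                   # constructed issue time (14 Nov 2023, UTC)
    token = weak_session_token(issued)       # what the victim's client was handed
    print("weak token:", token)
    print("attacker recovers seed:", recover_seed(token, issued + 20))      # only knows 'about now'
    strong = secure_session_token()
    print("secure token:", strong, "seed recovered:", recover_seed(strong, issued + 20))
    print("match:", token_matches(token, token))
```

The search over an hour of seeds takes a fraction of a second; widening it to a day or a year changes nothing about the outcome, only the run time.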
Installation and Loading
1. Don't use custom install scripts. They typically run as root, so a bug in a shell script becomes a root-level vulnerability on every machine the app is installed on; use the installer's declarative mechanisms instead.
2. Don't install components in /Library/StartupItems or /System/Library/Extensions. Code installed into these directories runs with root permissions, so anything placed there must be carefully audited for security vulnerabilities (and StartupItems has been deprecated in favour of launchd since OS X 10.4).
3. Load plug-ins and libraries only from secure locations. If your application loads plug-ins from directories that other users can write to, an attacker only has to trick the user into downloading malicious code, which your application will then load and execute with its own privileges.
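The plug-in rule is easier to enforce than to describe. The following is an added example, not code from the original post, of the checks a loader should run before it dlopen()s or NSBundle-loads anything: the path must resolve, after following symlinks, to a location inside a directory the installer controls; the file must belong to root or the current user; and neither the file nor any directory between it and the trusted root may be writable by other users, because a writable parent lets anyone swap the bundle out. The sample tree is constructed in a temporary directory so the script runs offline; the directory names are assumptions standing in for the app's own PlugIns folder and a user-writable Downloads folder.

```python
import os
import stat
import tempfile

OTHER_WRITABLE = stat.S_IWGRP | stat.S_IWOTH   # writable by group or by everyone


def plugin_load_problems(path: str, trusted_dirs: list) -> list:
    """Reasons not to load `path` as a plug-in; an empty list means it passed every check."""
    problems = []
    real = os.path.realpath(path)               # follow symlinks before deciding anything
    roots = [os.path.realpath(d) for d in trusted_dirs]
    root = next((r for r in roots if real.startswith(r + os.sep)), None)
    if root is None:
        return ["resolves outside the trusted directories: " + real]
    try:
        st = os.stat(real)
    except FileNotFoundError:
        return ["does not exist: " + real]
    if st.st_uid not in (0, os.getuid()):
        problems.append("owned by uid %d, not root or the current user" % st.st_uid)
    if st.st_mode & OTHER_WRITABLE:
        problems.append("file is group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    # Walk every directory between the plug-in and the trusted root: if any of them is
    # writable by others, the plug-in can be replaced even though the file itself is fine.
    d = os.path.dirname(real)
    while True:
        if os.stat(d).st_mode & OTHER_WRITABLE:
            problems.append("parent directory %s is writable by others" % d)
        if d == root:
            break
        d = os.path.dirname(d)
    return problems


def build_demo_tree() -> dict:
    """Constructed sample layout in a temp dir; returns name -> problems found for that plug-in."""
    base = tempfile.mkdtemp(prefix="plugin-demo-")
    plugins = os.path.join(base, "PlugIns")      # stands in for MyApp.app/Contents/PlugIns
    downloads = os.path.join(base, "Downloads")  # stands in for a user-writable download folder
    os.mkdir(plugins)
    os.chmod(plugins, 0o755)
    os.mkdir(downloads)
    os.chmod(downloads, 0o777)

    def bundle(directory, name, mode):
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(b"constructed plug-in stand-in")
        os.chmod(p, mode)
        return p

    paths = {}
    paths["good"] = bundle(plugins, "Good.bundle", 0o644)
    paths["loose"] = bundle(plugins, "Loose.bundle", 0o666)      # anyone can overwrite it
    paths["evil"] = bundle(downloads, "Evil.bundle", 0o644)      # right mode, wrong place
    paths["link"] = os.path.join(plugins, "Link.bundle")         # right place, points outside
    os.symlink(paths["evil"], paths["link"])
    shared = os.path.join(plugins, "Shared")                     # world-writable subdirectory
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    paths["nested"] = bundle(shared, "Nested.bundle", 0o644)     # fine file, replaceable parent
    return {name: plugin_load_problems(p, [plugins]) for name, p in paths.items()}


if __name__ == "__main__":
    for name, problems in build_demo_tree().items():
        print("%-7s %s" % (name, problems or "OK"))
```

The symlink case is the one most loaders miss: a link sitting in the right directory passes any check that looks only at the path string, which is why the resolution happens first.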
The list above is not exhaustive, but it is a good place to start and covers the basic security checks every application should have in place. You may not be able to fix everything at once; keep revisiting the list until every item is checked off.
Security testing tools such as Appknox can help as a starting point. Even an automated scan gives a quick picture of where you stand, with a prioritized list of issues to work through, which is what your business needs in order to act.