Kenneth van Wyk: Making safer iOS apps
There still seem to be a lot of security flaws in iOS apps, but new tools could help fix that
Computerworld - When it comes to developing secure apps for the iOS operating system, there's both good and bad news.
Let's get the bad news out of the way first. There are a lot of apps out there, including ones developed by various businesses for their customers to use, that have egregious and easy-to-avoid security vulnerabilities. I haven't done anything like a scientific survey of the apps that are available, but just among the ones that I have casually come across for my own use, I've found that major airlines, healthcare providers and financial services companies have produced apps that contain some extremely elementary exposures with the potential to put their users at risk.
Perhaps the biggest of these exposures involves the storing of sensitive data locally on the iOS device without any encryption to protect it. I've found account credentials in properties (.plist) files; I've found regulatory-protected data stored in plaintext files with nothing more than Base64 encoding to protect it; I've found account balances stored in plaintext in simple caching files left behind by programming frameworks. I'm not naming names here, but I -- and no doubt others -- have notified the companies behind these apps about the problems.
Big deal, you say? Anyone who locks his device with a strong passcode doesn't need to worry about those sorts of things, right? That attitude is a big mistake. As I've described previously in this column, files that are protected using nothing more than iOS's AES-256 encryption can be trivially retrieved by a miscreant who has physical possession of an iOS device, a USB cable and some readily available software. Indeed, the number one risk cited in the draft OWASP Top 10 Mobile Risks project is a lost or stolen device.
Clearly, the developer community needs to step things up a notch and take secure local storage more seriously.
But I promised good news, and here it is. Plenty of tools and frameworks are available to help a security-minded app developer avoid these fundamental mistakes. OK, you say, but you've had good reason not to use them. Well, there's good news there as well.
Let's take Apple's crypto library and the encryption hardware that's built into iOS devices. While we can't rely on users to use strong passcodes, developers can directly AES-encrypt their data files with encryption keys that the app itself manages, independent of the user's passcode. But since that obviously isn't being done in many cases, I have to assume that developers have found these tools to be too daunting to use. The good news here: Some open-source efforts are under way that can help developers safely store data locally on an iOS device.
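As an added example (not code from the column, nor Apple's or any open-source project's own), here is the approach the paragraph describes in Objective-C: a per-app AES-256 key generated once and kept in the Keychain under placeholder service and account names, then used through CommonCrypto to encrypt a file's contents before they are written to the sandbox. It assumes Security.framework is linked and that the caller reads the blob back through the same function with kCCDecrypt.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCryptor.h>
// Placeholder identifiers for the Keychain item that holds the file key.
static NSString * const kKeyService = @"com.example.app.localstore";
static NSString * const kKeyAccount = @"file-key";
// Return the app's 32-byte AES key from the Keychain, generating it on first use.
// ThisDeviceOnly + WhenUnlocked keeps the key out of backups and unreadable while locked.
static NSData *LocalStoreKey(void) {
    NSMutableDictionary *q = [@{ (id)kSecClass: (id)kSecClassGenericPassword,
                                 (id)kSecAttrService: kKeyService,
                                 (id)kSecAttrAccount: kKeyAccount } mutableCopy];
    q[(id)kSecReturnData] = @YES;
    CFTypeRef found = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)q, &found) == errSecSuccess)
        return CFBridgingRelease(found);
    uint8_t raw[kCCKeySizeAES256];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof raw, raw) != 0) return nil;
    NSData *key = [NSData dataWithBytes:raw length:sizeof raw];
    [q removeObjectForKey:(id)kSecReturnData];
    q[(id)kSecValueData] = key;
    q[(id)kSecAttrAccessible] = (id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)q, NULL) == errSecSuccess ? key : nil;
}
// AES-256-CBC with PKCS#7 padding. Encrypted blob layout: 16-byte random IV || ciphertext.
static NSData *LocalStoreCrypt(CCOperation op, NSData *input) {
    NSData *key = LocalStoreKey();
    if (!key) return nil;
    uint8_t iv[kCCBlockSizeAES128];
    NSData *payload = input;
    if (op == kCCEncrypt) {
        if (SecRandomCopyBytes(kSecRandomDefault, sizeof iv, iv) != 0) return nil;
    } else {
        if (input.length < sizeof iv) return nil;               // malformed blob
        [input getBytes:iv length:sizeof iv];
        payload = [input subdataWithRange:NSMakeRange(sizeof iv, input.length - sizeof iv)];
    }
    size_t moved = 0;
    NSMutableData *out = [NSMutableData dataWithLength:payload.length + kCCBlockSizeAES128];
    CCCryptorStatus st = CCCrypt(op, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv, payload.bytes, payload.length,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;                            // wrong key or bad padding: no output
    out.length = moved;
    if (op != kCCEncrypt) return out;
    NSMutableData *blob = [NSMutableData dataWithBytes:iv length:sizeof iv];
    [blob appendData:out];
    return blob;
}
```

Write the returned blob with -[NSData writeToFile:options:error:] and NSDataWritingFileProtectionComplete so the file also gets the system's class-based protection on top of the app-managed key. CBC gives confidentiality only; if tampering with the stored file matters to the app, add a MAC over the blob as well.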