Kenneth van Wyk: Making safer iOS apps

There still seem to be a lot of security flaws in iOS apps, but new tools could help fix that

When it comes to developing secure apps for the iOS operating system, there's both good and bad news.

Let's get the bad news out of the way first. There are a lot of apps out there, including ones developed by various businesses for their customers to use, that have egregious and easy-to-avoid security vulnerabilities. I haven't done anything like a scientific survey of the apps that are available, but just among the ones that I have casually come across for my own use, I've found that major airlines, healthcare providers and financial services companies have produced apps that contain some extremely elementary exposures with the potential to put their users at risk.

Perhaps the biggest of these exposures involves the storing of sensitive data locally on the iOS device without any encryption to protect it. I've found account credentials in properties (.plist) files; I've found regulatory protected data stored in plaintext files with nothing more than Base64 encoding to protect it; I've found account balances stored in files left behind by programming frameworks, stored in simple caching files in plaintext. I'm not naming names here, but I -- and no doubt others -- have notified the companies behind these apps about the problems.

Big deal, you say? Anyone who locks his device with a strong passcode doesn't need to worry about those sorts of things, right? That attitude is a big mistake. As I've described previously in this column, files that are protected using nothing more than iOS's AES-256 encryption can be trivially retrieved by a miscreant who has physical possession of an iOS device, a USB cable and some readily available software. Indeed, the number one risk cited in the draft OWASP Top 10 Mobile Risks project is a lost or stolen device.

Clearly, the developer community needs to step things up a notch and take secure local storage more seriously.
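As an added example (not part of the original column), here is a small Python audit a developer could run over property-list files taken from their own test build, to catch the exposures described above: secrets stored under obvious key names, and Base64 used as if it were encryption. The key-name pattern and the sample plist are constructed assumptions, so adapt both to your app.

```python
import base64
import binascii
import plistlib
import re

# Key names that suggest a secret; a constructed list, extend it for your app.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|ssn|balance", re.I)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decodes_to_text(value):
    """Return the decoded text if value is Base64 wrapping printable text, else None."""
    if not isinstance(value, str) or not B64_SHAPE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # random tokens and real ciphertext rarely decode to clean text
    return text if text.isprintable() else None


def audit(node, path=""):
    """Walk a parsed plist and yield (key_path, reason) for each risky entry."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            scalar = isinstance(value, (str, bytes, int, float)) and not isinstance(value, bool)
            if SENSITIVE_KEY.search(key) and scalar:
                yield here, "sensitive key stored in the clear"
            yield from audit(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from audit(value, f"{path}[{i}]")
    elif decodes_to_text(node) is not None:
        yield path, "Base64-encoded plaintext (encoding, not encryption)"


def audit_plist_bytes(data):
    """Parse an XML or binary plist and return all findings as a list."""
    return list(audit(plistlib.loads(data)))


# Constructed sample standing in for a preferences file from a test build.
SAMPLE = plistlib.dumps({
    "username": "alice",
    "password": "hunter2",
    "session": {"record": base64.b64encode(b"patient=Jane Doe;dx=asthma").decode()},
    "recent": ["home", "settings"],
    "launchCount": 7,
})

if __name__ == "__main__":
    for key_path, reason in audit_plist_bytes(SAMPLE):
        print(f"{key_path}: {reason}")
```

A clean result from this heuristic does not prove the file is safe; it only catches the elementary cases, so treat any finding as a prompt to move the value to the server or to properly encrypted storage.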

But I promised good news, and here it is. Plenty of tools and frameworks are available to help a security-minded app developer avoid these fundamental mistakes. OK, you say, but you've had good reason not to use them. Well, there's good news there as well.

Let's take Apple's crypto library and the encryption hardware that's built into iOS devices. While we can't rely on users to use strong passcodes, developers can directly AES-encrypt their data files with encryption keys that are managed by the developer. But since that obviously isn't being done in many cases, I have to assume that developers have found these tools to be too daunting to use. The good news here: Some open-source efforts are under way that can help developers safely store data locally on an iOS device.

(By the way, I'm sure you know that on-device storage should be a last resort. It's always preferable to keep sensitive stuff on the server.)

When local storage couldn't be avoided, one tool that I've found helpful is SQLCipher, which adds encryption via OpenSSL to any existing SQLite apps. It doesn't address the issue of key management, but it's a great starting point.

Relatively new is an open-source programming security framework from the folks at MITRE called iMAS. The iMAS library provides iOS developers with a set of easy-to-use tools to accomplish various security tasks in their apps.

Not sure how to use these things? Dive in and read the docs, and start trying them. And if you're looking for a safe learning environment to explore how to implement some of the above remediations, consider looking at OWASP's iGoat tool. iGoat is a deliberately flawed app with a series of exercises in which an iOS app developer learns how to implement security fixes to common security problems like the ones I've described above. (Full disclosure: I'm the iGoat project leader, but iGoat is open source and free for all to use.)

Without a doubt, the iOS app community needs more tools and frameworks like iMAS, but I think the new open-source developments give us good reason to believe more will be emerging. Keep your eyes open for more; the toughest hurdle to clear is often just making your iOS development team aware of the tools available to them.

It looks to me as if we're going in the right direction. Here's hoping we continue that way.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Read more about app development in Computerworld's App Development Topic Center.
