Secure coding is the practice of writing programs that are resistant to attack by malicious or mischievous people or programs. Secure coding helps protect a user’s data from theft or corruption.
Talk at @GoJek. Posted all slides at slideshare.net or you can download from GIT
- Avoid cached application
- Caching of HTTP Request/Response, the default behavior will cache it into cache.db file
- Drain sensitive data from device memory.
- Prevent the backup for Keychain data and files with in document directory because if you take back up using iTunes it will sync it.
- Detection device compatibility use above mentioned
Objective Cfile for verifying.
- (float) firmwareVersion;
- (BOOL) isDeviceJailbroken;
- (BOOL) isAppVersionCracked;
- (BOOL) isAppStoreVersion;- Detection Debugger Use above mentioned
Objective C
- (bool) AmIBeingDebugged;- User and Application data stored securely. If storing sensitive data on the device is the application requirement, you must add an additional layer for verification, third-party encryption.Whenever encrypting user data, you must encrypt it using a randomly generated master key. iOS implements standard crypto libraries such as AES that can be used to secure data.
- SQLCipher
- Keychain
- Decryption key generation – Use iOS AES Crypto library
- Proper use of Keychain
- Remove back up policies.
- Use of protection classes
- Prevent insecure ways of deletion the Data
- Use of Authentication Token if making an HTTP request
- Always Obscure sensitive value in UI
- Certificate Pinning must be there, Please review blog for more about SSL/Certificate Pinning)
- Sensitive data in Query string
- Disable logs if your using
NSLOGorprint
public class Logger {
public static func debug(_ message: String? = nil, file: String = #file, function: String = #function, line: Int = #line ) {
#if DEBUG
NSLog("DEBUG: \(getBody(file: file, function: function, line: line, message: message))")
#endif
}
- handle Request/Resource timeout properly
- Insecure Backup, if taking back up of data/files/request make it secure.
- Implement Anti tempering technique.
- Detect the debugger attached or Trace checking
- Use of UIWebView to prevent framing.
- Avoid cached application snapshots
- To protect sensitive data, application must block caching of snapshots using API configuration/Code. When
applicationDidEnterBackground:returns, the snapshot of the iOS application UI is taken, and used for transition animations, stored in the file system. This method should be overridden, all the sensitive information in the user interface should be removed before it returns.