Vulnerabilities and Threats in Local Authorization on iOS Devices — Securing
by Wojciech Reguła
2y ago
We present potential threats of performing local authorization on iOS. You will learn how to protect your resources against unauthorized access.

TL;DR:
- All checks done on the device can be bypassed.
- Move access control logic to the server.
- If you support in-app purchases, always verify the receipt server-to-server, never only on the device.

Context: As the "mobile-first" slogan became a truth, the market moved the crucial functionality to mobile applications. It is natural that complex applications restrict access to information, data …
Secure implementation of WebView in iOS applications — Securing
by Wojciech Reguła
2y ago
TL;DR:
- Do not use UIWebView.
- Make sure your Info.plist doesn't contain App Transport Security exceptions.
- Follow the least privilege principle.
- Consider disabling JavaScript.
- Code JavaScript-to-ObjC/Swift bridges carefully.
- Follow good mobile application development practices; see our Guidelines on mobile application security — iOS edition.

Context: Recently I had a chance to observe a lot of new WebView applications, so I decided to create this article. A few years ago, if someone wanted to create a multiplatform applicat…
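The following is an added example that is not code from the article or from SecuRing: one way to put the TL;DR items above into a single WKWebView screen. UIWebView is not used at all; JavaScript is off by default and enabled only for top-level navigations to the one host the screen exists to show; the JavaScript-to-Swift bridge has a single named handler that checks the origin of the posting frame and accepts only a closed set of actions. The host `example.com`, the handler name `nativeBridge` and the `openSettings` action are assumptions made for the example.

```swift
import UIKit
import WebKit

// Added example, not code from the original article. Host, bridge name and the
// "openSettings" action are placeholders chosen for the illustration.
final class HardenedWebViewController: UIViewController, WKNavigationDelegate, WKScriptMessageHandler {

    private let allowedHost = "example.com"     // assumed value
    private var webView: WKWebView!

    override func viewDidLoad() {
        super.viewDidLoad()

        // Default for every page: no JavaScript (WKWebpagePreferences, iOS 14+).
        let defaults = WKWebpagePreferences()
        defaults.allowsContentJavaScript = false

        let config = WKWebViewConfiguration()
        config.defaultWebpagePreferences = defaults
        // One explicit bridge name; no generic "eval" / "callSelector" style handler.
        config.userContentController.add(self, name: "nativeBridge")

        webView = WKWebView(frame: view.bounds, configuration: config)
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        webView.navigationDelegate = self
        view.addSubview(webView)

        webView.load(URLRequest(url: URL(string: "https://\(allowedHost)/")!))
    }

    // Least privilege for navigation: only HTTPS to the expected host is allowed, and
    // only main-frame loads of that host get JavaScript. A redirect or an injected
    // link therefore cannot take the view (or the bridge) to another origin.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 preferences: WKWebpagePreferences,
                 decisionHandler: @escaping (WKNavigationActionPolicy, WKWebpagePreferences) -> Void) {
        guard let url = navigationAction.request.url,
              url.scheme == "https",
              url.host == allowedHost else {
            decisionHandler(.cancel, preferences)
            return
        }
        preferences.allowsContentJavaScript = navigationAction.targetFrame?.isMainFrame == true
        decisionHandler(.allow, preferences)
    }

    // Bridge handler: every message is untrusted input. Verify where it came from
    // (the security origin of the posting frame) and what it is (a known action with
    // well-typed arguments) before doing anything native with it.
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        let origin = message.frameInfo.securityOrigin
        guard message.name == "nativeBridge",
              message.frameInfo.isMainFrame,
              origin.protocol == "https",
              origin.host == allowedHost,
              let body = message.body as? [String: Any],
              let action = body["action"] as? String else {
            return   // drop anything that doesn't match exactly; don't try to repair it
        }

        switch action {
        case "openSettings":
            openSettingsScreen()   // fixed native action; no path, URL or selector taken from JS
        default:
            return
        }
    }

    private func openSettingsScreen() {
        // App-specific; intentionally takes no parameters from the web content.
    }
}
```

The design point is that the web content never gets to choose what native code runs: the bridge maps a known action name to a fixed Swift method, and the navigation policy keeps both the content and the bridge pinned to one HTTPS origin, which is what "least privilege" means for a WebView.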
Key aspects of secure networking on iOS — Securing
by Wojciech Reguła
2y ago
TL;DR:
- Stop using HTTP; use HTTPS.
- App Transport Security exceptions shouldn't be set in production environments.
- If you use third-party networking libraries, verify that the connection they establish is actually secure.
- For high-risk applications, use certificate pinning.
- Always follow good mobile application development practices; see our Guidelines on mobile application security — iOS edition.

Context: Most applications on our mobile devices talk to a backend. Offline applications are rarely used, and even if there is no need to log in, there is usually a n…
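As an added example (not code from the article or from SecuRing), here is certificate pinning done with a plain URLSession delegate, the way a high-risk app would apply the fourth TL;DR item. The pin is checked only after the normal system trust evaluation has passed, so it is an extra constraint on top of hostname, expiry and chain validation, not a replacement for it. The pin value in the set is a placeholder; the real value is the SHA-256 of the DER encoding of the certificate you want to pin (leaf or intermediate), and `SecTrustCopyCertificateChain` requires iOS 15.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not code from the original article. The pin below is a placeholder;
// compute real pins from the DER form of the certificate(s) you choose to pin, e.g.
//   openssl x509 -in cert.pem -outform der | openssl dgst -sha256
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {

    // Hex SHA-256 digests of the DER-encoded certificates we accept somewhere in the chain.
    private let pinnedSHA256: Set<String> = [
        "0000000000000000000000000000000000000000000000000000000000000000"   // placeholder
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only the server-trust challenge is pinned; anything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard evaluation (hostname match, validity period, chain to a trusted root).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: at least one certificate in the evaluated chain must match a pin.
        // Pinning an intermediate rather than the leaf survives routine leaf renewals.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let matched = chain.contains { cert in
            let der = SecCertificateCopyData(cert) as Data
            let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
            return pinnedSHA256.contains(digest)
        }

        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A valid-but-unpinned chain is exactly the case pinning exists to reject
            // (e.g. a trusted proxy or a rogue/compromised CA).
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Every request made through this session goes through the check above.
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: PinnedSessionDelegate(),
                               delegateQueue: nil)
```

Two practical caveats: ship at least one backup pin (for example the next intermediate) so a certificate rotation does not lock users out, and remember that pinning in the app is still a client-side check; on a jailbroken device an attacker who controls the process can patch the delegate, so pinning raises the bar for network interception but does not make the app a trusted party for the backend.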
5 security tips for your macOS environment — Securing
by Wojciech Reguła
2y ago
Nowadays, Macs cannot be treated as a niche platform in companies. We meet Macs in companies of all sizes, from startups to big companies with thousands of employees. It's not a big surprise that this fact was also noticed by attackers. During security assessments, the SecuRing team observed that Mac environments are in most cases quite immature and stand out from the widely adopted Windows environments. This article will give you 5 tips that radically improve the security of your macOS infrastructure.

Tip #1: Enroll your Macs into MDM. We observed …
The secure way to store secrets on iOS devices — Securing
by Wojciech Reguła
2y ago
TL;DR:
- Whenever possible, avoid storing secrets on the device.
- The Keychain is the right place to store your app's small secrets.
- Entries saved in the Keychain can be additionally protected by setting the proper accessibility and authentication flags.
- Watch out what you synchronize with iCloud.
- Files stored in the application container can also be additionally protected.
- Always follow good mobile application development practices; see our Guidelines on mobile application security — iOS edition.

Background: During the last fe…
Stealing your app's keychain entries from locked iPhone
by Wojciech Reguła
2y ago
What is the Keychain? The Keychain is essentially the safest place on your phone for storing data. It is used by developers to store passwords, certificates, identities, or other keys in many forms. It has been widely adopted, and many developers already understand how important it is to keep the most sensitive data in a place that was made exactly for this purpose. As good as it sounds, this doesn't mean that using the Keychain makes your application 100% safe. (Not so) commonly made mistakes during the development process, like using a deprecated API or not updating the app for a long time, may le…
Local Privilege Escalation in macOS infrastructure
by Wojciech Reguła
2y ago
macOS infrastructure: Apple devices have been present in companies for a long time. Wherever there is a need to deploy iOS applications, testers and programmers have to use Macs. UX/UI designers and movie editors use Macs for apps that only have Apple versions. It is also worth noting that Macs are introduced to companies because managers and directors want to use them as well. While Windows infrastructure in big companies is usually mature and well-tested, Mac infrastructure is usually no man's land. After digging in some huge networks we observed a lot of ugly hacks and bad scripting expo…
Why is jailbreak detection important? — COVID apps case
by Wojciech Reguła
2y ago
Some time ago I got stuck in the USA because of COVID-19. After coming back to Poland on an "evacuation flight" I had to undergo a mandatory 14-day quarantine. Every day the Polish Police visited me and checked that I was sitting at home and not going outside. As we all expected, it was a big overhead for the Police, since they had to visit each quarantined person every day. My friends told me that I could install an official government app that reports my location every day. After the installation, the user has to complete an…
Bypassing your apps' biometric checks on iOS
by Wojciech Reguła
2y ago
Using iOS biometric features like Touch ID and Face ID is a really convenient way to authenticate a user before performing sensitive actions. Which actions, of course, depends on the app's features. Usually, we test apps that use Touch ID/Face ID to log in and to confirm financial actions (e.g. wire transfers). But can these checks be treated as 100% secure? The answer is of course not. Biometric checks are performed on your device, and like any other client-side check they can be bypassed if the attacker controls the application or the device. In this blog post, I want to show you how easy that ha…
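The three Keychain-related posts above ("The secure way to store secrets on iOS devices", "Stealing your app's keychain entries from locked iPhone" and this one on biometric checks) all come down to the same set of flags, so here is one added example that is not code from any of the articles or from SecuRing: a small wrapper that stores a secret so that it is unreadable while the device is locked, never syncs to iCloud, and can only be read back after the operating system itself has verified the currently enrolled biometrics. The last point is the mitigation for the bypass described in this post: instead of calling `LAContext.evaluatePolicy` and branching on a Bool in app code, which an attacker who controls the process can make return `true`, the secret is released by the Keychain only on a successful authentication, so there is no Bool to flip. The service and account identifiers are assumptions for the example.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not code from the original articles. Identifiers are placeholders.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case accessControl(CFError?)
}

struct ProtectedSecret {
    let service = "com.example.app.secrets"   // assumed identifier
    let account: String

    // Store a secret that:
    //  (1) is not readable while the device is locked and requires a passcode to be set
    //      (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly),
    //  (2) is bound to this device, so it is not restored elsewhere nor synced via iCloud,
    //  (3) can only be read after the *currently enrolled* biometrics succeed; enrolling
    //      a new face/fingerprint invalidates the item (.biometryCurrentSet).
    //      Use .userPresence instead if the passcode should be accepted as a fallback.
    func store(_ secret: Data) throws {
        var acError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                [.biometryCurrentSet],
                &acError) else {
            throw KeychainError.accessControl(acError?.takeRetainedValue())
        }

        // Replace any previous value so SecItemAdd doesn't fail with errSecDuplicateItem.
        SecItemDelete(baseQuery() as CFDictionary)

        var attrs = baseQuery()
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessControl as String] = access      // carries the accessibility class too
        attrs[kSecAttrSynchronizable as String] = false      // explicit: never to iCloud Keychain

        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    // Read the secret. The biometric prompt is driven by the Keychain itself; if the user
    // cancels or fails, SecItemCopyMatching returns an error and no data. Call this off
    // the main thread, because the call blocks while the prompt is shown.
    func read(reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason

        var query = baseQuery()
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseAuthenticationContext as String] = context

        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return data
    }

    private func baseQuery() -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
    }
}

// Usage (placeholder account name):
//   let token = ProtectedSecret(account: "session-token")
//   try token.store(Data("s3cr3t".utf8))
//   let data = try token.read(reason: "Confirm the transfer")
```

Note what this does and does not buy you. An item stored this way is not extractable from a locked device, is not in an iCloud backup, and cannot be obtained by hooking the app's own authentication logic, because the decision is made inside the Keychain/Secure Enclave rather than in the app's address space. It is still only as strong as the device's passcode and enrolled biometrics, and, as the first TL;DR above says, the best secret is the one you never stored on the device at all.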
Implementing anti-tampering mechanism in iOS apps
by Wojciech Reguła
2y ago
Security is a topic that should also be considered by iOS developers. Since the platform cannot be treated as 100% secure, developers and the security division need to create a separate threat model for mobile applications. In all the years that iOS has existed, many different types of application vulnerabilities have been discovered. They can result in real risk and should be covered first! Once that is done, in most cases, the fire has been extinguished. However, if you are responsible for developing a high-risk application you will proba…