Many iOS app developers may mistakenly assume the default security protections from Apple are good enough. Apple has designed a comprehensive security architecture to create a secure ecosystem, mostly to protect the end-user. This has paid off, since the number of malware exploits are relatively few. However, there are still key areas where hackers can infiltrate applications, tamper with their source code, access sensitive data, and more.
For example, in 2019, several prominent iOS jailbreak exploits – such as checkra1n and Checkm8 – gained popularity. These security exploits increased the likelihood of jailbroken phones and gave hackers even more opportunities to infiltrate apps running on such devices.
In a world where time to market is paramount to success, many iOS app developers may not be aware that they’re making security tradeoffs to ship applications faster, potentially leaving their customers and organizations at risk. However, there are simple ways to protect applications against tampering and reverse-engineering.
In this post, we share three iOS security tips developers can implement today.
1. Implement Code Hardening
Because Apple encrypts the code of applications submitted to the App Store, developers could assume their applications would be protected. However, all applications must be decrypted before they can be executed on a local device. As a result, hackers can use jailbroken devices to dump the decrypted code from memory and analyze it using common tools, or tamper with it. It is also important to note that Apple only encrypts app code and not the resources or assets that are part of the IPA file.
Implementing a range of code-hardening techniques—including encryption and obfuscation—can prevent such reverse-engineering attacks from happening to your iOS apps.
There are several types of obfuscation developers should look to implement, including:
- Name obfuscation shields the names of important classes, functions, and variables in Swift or Objective-C code by changing them to meaningless alternatives.
- Control flow obfuscation alters the structure of a mobile app’s code, preventing manual and automated analysis of the code.
- Arithmetic obfuscation replaces all arithmetic statements with much harder-to-understand mathematical equivalents.
In addition to these techniques, developers can also hide API calls and encrypt sensitive strings, as well as asset and resource files. A combination of these techniques ensures that code is effectively hardened from static analysis methods.
2. Use Runtime Application Self-Protection
In addition to applying code hardening techniques to the source code, it is essential to shield apps and SDKs against dynamic analysis and live attacks.
Runtime application self-protection (RASP) mechanisms monitor the integrity of the applications and the environment in which they are running in real time. When a threat is detected, the applications react in a pre-programmed way, by terminating the application or user session, restricting the provided functionality, displaying a security message, etc.
RASP can detect and prevent attempts by hackers to:
- run applications on jailbroken devices
- use debugging tools to analyze critical application functionality
- use hooking frameworks or binary instrumentation tools to extract sensitive data or modify the application’s behavior at runtime
- repackage and redistribute iOS applications
- and more...
Protection against dynamic analysis and attacks is an integral part of an effective mobile security implementation. It complements and reinforces the protection provided by the application of code hardening techniques.
3. Monitor threats in real-time
App developers rarely have any insight into the actual threats facing their applications. This lack of visibility gives attackers all the time they need to perfect their attack methods.
To effectively protect mobile apps, developers need real-time threat monitoring. This can help teams to:
- Identify real-world threats as they happen
- Build effective strategies to respond to these threats
- Determine the most vulnerable parts of their applications
- Enforce security measures against common attack vectors
- Detect suspicious activity and take appropriate countermeasures, such as suspending user accounts or restricting access
- Implement additional application protection without impacting time-to-market, and
- Optimize release cycles for security.
Layering iOS app security
iOS mobile application security is complex and constantly evolving. Developers should take a layered approach to security to protect themselves and end users against common attacks caused by reverse-engineering and tampering. A combination of code-hardening, RASP and real-time threat detection can address mobile app security throughout the development lifecycle.
With a proactive approach to security, development teams can ship airtight applications quickly—protecting both consumers and their organizations alike.