
Secure Programming


Securing Your iOS App with ABPadLockScreen.

Introduction

Security is becoming a bigger and bigger concern in the mobile space. As iOS developers, there are plenty of things we can do. We ensure sensitive information is saved in the keychain instead of in plain text. We make sure content is encrypted before it's sent to a remote server. All this is done to make sure that the user's information is secure. Sometimes, however, we need to add an extra layer of protection at the user interface level. Unless the user's device is enrolled in a mobile device management (MDM) solution, you cannot force your application's users to set up and use a passcode lock at the device level.

1.

ABPadLockScreen is available on GitHub, but I recommend installing it using CocoaPods. If you prefer to install ABPadLockScreen manually, that's fine too.

2.

The library includes two UIViewController subclasses. The ABPadLockScreenSetupViewControllerDelegate protocol has one required method, which is invoked when the pin is successfully set.

3.

4.

Conclusion.

Penetration Testing for iPhone Applications – Part 1.

This article focuses specifically on the techniques and tools that will help security professionals understand penetration testing methods for iPhone applications.

It attempts to cover the entire application penetration testing methodology on a physical device (running iOS 5) rather than a simulator.

Background: Since the introduction of the iPhone, Apple has sold more than 110 million iPhones. The smartphone platform has created a new business, and companies want to make their services available on mobile devices in order to reach users very quickly and easily. The iPhone has enough power and performance to do most of what you can do on a laptop, and its applications span a range of categories from education and productivity to games and entertainment. The iPhone provides developers with a platform to develop two types of applications:

- Web based applications, which use JavaScript, CSS and HTML5 technologies
- Native iOS applications, which are developed using Objective-C and the Cocoa Touch API

How to Break Into a Mac (and Prevent It from Happening to You)

How to Think About OAuth.

I’m not a deep OAuth 2.0 expert yet; at this point that label is reserved for the (substantial number of) people who wrote the specs. But I’ve worked with a few implementations and talked it over with smart people, and I have opinions.

Summary: It’s a framework not a protocol, it has irritating problems, and it’s really very useful.

Real Internet Protocols · I mean things like HTTP and SMTP; plug a client and a server into each other and if it doesn’t Just Work, that’s surprising. OAuth 2.0 isn’t one of those; the language of the spec is full of “Out of scope” and “At the discretion of the implementor”. It’s not that a generic OAuth2 client might not interoperate with a generic server; it’s that there’s really no such thing as a “generic OAuth2 client” or “generic OAuth2 server”. So, is it really a “Standard” in any useful sense? For example, Google has an authorization protocol for accessing its APIs that’s totally OAuth2. Another example would be OpenID Connect, OIDC for short.

LumberBlog: Why app developers should care about SSL pinning.

In February, Arun Thampi discovered that Path was uploading users' address books to its servers.

The resulting kerfuffle served users well: many apps – with Path leading the charge – are now much more careful about how they handle sensitive contact information and how they inform users of their intentions. However, there's another useful reminder to draw from this episode: SSL is not a security panacea. Path's app communicated with its servers over SSL, yet third parties were able to intercept and read its traffic.

How? The app wasn't pinned.

What is SSL pinning? By default, when making an SSL connection, a client checks that the server's certificate:

- has a verifiable chain of trust back to a trusted (root) certificate
- matches the requested hostname

What it does not do is check that it is your certificate, the one you uploaded to your server. Checking for exactly that is known as SSL pinning. You don't want anyone executing such an attack on your users, ever.

What apps does this affect? The vast majority. But...

In this last chapter we will look at the security aspects of HTTP, including how to identify users, how HTTP authentication works, and why some scenarios require HTTPS (secure HTTP).

Along the way, we are also going to learn a bit about how to manage state with HTTP.

The Stateless (Yet Stateful) Web

HTTP is a stateless protocol, meaning each request-response transaction is independent of any previous or future transaction. There is nothing in the HTTP protocol that requires a server to retain information about an HTTP request. All the server needs to do is generate a response for every request. Every request will carry all the information a server needs to create the response. The stateless nature of HTTP is one of the driving factors in the success of the web.

However, most of the web applications and services we build on top of HTTP are highly stateful. A banking application will want a user to log in before allowing the user to view his or her account-related resources.

Setting Cookies.

Our password hashing has no clothes.

In the beginning, there was password hashing and all was good. The one-directional nature of the hash meant that once passed through a hashing algorithm, the stored password could only be validated by hashing another password (usually provided at logon) and comparing the two. Everyone was happy. Then along came those pesky rainbow tables.

Suddenly, huge collections of passwords could be hashed and stored in these colourful little tables, then compared to existing hashed passwords (often breached from other people’s databases) at an amazing rate of knots, thus disclosing the original plain text version. Bugger. So we started seasoning our passwords with salt. Adding random bytes to the password before it was hashed introduced unpredictability, which was the kryptonite to the rainbow table’s use of pre-computed hashes. But now there’s an all new threat which has turned the tables on the salted hash – Moore’s law.

A quick hashing recap

A quick password practices recap

The ASP.NET membership provider.

Banking apps: insecure and badly written, say researchers.

Security researchers IOActive are warning that many smartphone banking apps are leaky and need to be fixed. Testing 40 iOS-based banking apps from 60 banks around the world, the research summary is pretty nerve-wracking:

- 40 per cent are vulnerable to man-in-the-middle attacks, because they don't validate the authenticity of SSL certificates presented by the server;
- 20 per cent lacked “Position Independent Executable (PIE) and Stack Smashing Protection enabled”, which IOActive says is used to help mitigate memory corruption attacks;
- Half the apps are vulnerable to cross-site-scripting (XSS) attacks;
- Over 40 per cent leave sensitive information in the system log; and
- Over 30 per cent use hard-coded credentials of some kind.

Most worrying, however, are a couple of 90 per cent statistics: the number of apps that included non-SSL links, and the number that lack jailbreak detection.

This UIWebView implementation allows a false HTML form to be injected.

Source: IOActive.

OTP (One Time Password) Demystified.

Introduction

At the beginning of 2004, I was working with a small team at Gemplus on the EAP-SIM authentication protocol. As we were a bit ahead of the market, our team was reassigned to work with a team at Verisign on a new authentication method: OTP or One Time Password. At this time, the existing one time password was a token from RSA that used a clock to synchronize the passwords. The lab at Verisign came up with a very simple but, I should say, very smart concept. The OTP that you may be using with your bank or Google was born. It is this algorithm and authentication method that I describe in the following two articles.

The One Time Password Generator

This OTP is based on the very popular algorithm HMAC-SHA.

An HMAC-SHA uses a key to transform an input array of bytes. The secret key must be at least 20 bytes; the challenge is usually an 8-byte counter, which leaves quite some time before the value is exhausted.

Why is the OTP a very strong authentication method?

iPhone/iPad App Code Obfuscation - Is it Possible? Worth it?

App Security 101: List of top 10 vulnerabilities.

App development is becoming more and more popular, as web and software developers are migrating to the mobile industry. Apps have become a part of mainstream culture and entered our everyday lives – at increasing levels. The app economy comprises approximately 2 million apps and is expected to continue growing in the years to come. Secure development on mobile applications, however, has not shown the same level of growth or maturity. As an Information Security firm, we’ve seen quite a few apps suffer from vulnerabilities that are linked to development bad practices, mainly due to lack of awareness.

Secure development guidelines do exist in the community, and organisations like OWASP have accumulated a lot of experience in the field and are now offering much of this knowledge for free. In this article we’ll sum up the best practices and show you the best ways to build secure apps. So, let’s go through the list of the top 10 mobile app vulnerabilities and how to avoid them.

1.

2.

Authentication