Checks
- No non-SSL/TLS connections (plain HTTP)
- Black-box check with an intercepting proxy, e.g. Charles Proxy
- Enable App Transport Security (ATS) to enforce TLS
- Make sure all backend services in use require TLS 1.2 or newer and no longer accept TLS 1.0 or 1.1
- Deprecation of TLS 1.0 and TLS 1.1
- Make sure to use secure cipher suites (see the BSI recommendations)
- Make sure servers no longer support the SSLv3 protocol!
- Make sure your ePrivacy/GDPR and App Tracking Transparency (ATT) implementation reacts correctly to tracking opt-outs
- Consider public key pinning/certificate pinning for additional protection against man-in-the-middle attacks
- Make sure all libraries in use are on their latest patched versions and are still maintained
- Make sure to request only the permissions that are actually required!
- Make sure no hard-coded client secrets are present
- See also Secret Management on iOS, Tim Dolenko swift-secrets
- Use the Keychain for storing data securely and check File Data Protection
- Avoid screen recording and screen capture in the production app
- Make sure to disable logs that leak sensitive data in production
- Check for jailbreak
- Make sure WebViews do not set cookies with isHTTPOnly = false or isSecure = false
- Third-party WebView content is hard to check, especially dynamic content
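The pinning item above is the one most often implemented incorrectly, usually by skipping normal chain validation or pinning a single key with no backup. The following is an added example, not code from the original checklist or from any of the linked articles: a URLSessionDelegate that first lets the system validate the chain and then requires that at least one certificate in the validated chain carries a pinned SubjectPublicKeyInfo (SPKI) hash. The host name, the two base64 pin strings and the bundle-style service names are constructed placeholders; the two ASN.1 SPKI header byte arrays are the standard prefixes for RSA-2048 and EC P-256 keys that SecKeyCopyExternalRepresentation strips off. SecTrustCopyCertificateChain requires iOS 15 or later.

```swift
import Foundation
import CryptoKit
import Security

// Added example: public key (SPKI) pinning layered on top of normal TLS validation.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    // Host -> set of base64(SHA-256(SubjectPublicKeyInfo)). Placeholder values;
    // replace with the hashes of your own leaf or intermediate keys and always
    // ship at least one backup pin so a key rotation cannot lock users out.
    private let pins: [String: Set<String>] = [
        "api.example.com": [
            "PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=",
            "PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=",
        ]
    ]

    // ASN.1 SubjectPublicKeyInfo headers that SecKeyCopyExternalRepresentation removes.
    private static let rsa2048Header: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
    ]
    private static let ecP256Header: [UInt8] = [
        0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
        0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
        0x42, 0x00,
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              let expected = pins[space.host] else {
            // Unknown host or non-TLS challenge: fail closed rather than fall back.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 1. Standard chain validation (expiry, hostname, trusted root) comes first;
        //    pinning is an extra constraint, never a replacement for it.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Accept only if some certificate in the validated chain matches a pin.
        let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] ?? []
        for cert in chain {
            if let hash = Self.spkiHash(of: cert), expected.contains(hash) {
                completionHandler(.useCredential, URLCredential(trust: trust))
                return
            }
        }
        completionHandler(.cancelAuthenticationChallenge, nil)
    }

    // base64(SHA-256(DER SubjectPublicKeyInfo)) for the certificate's public key.
    static func spkiHash(of cert: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(cert),
              let attrs = SecKeyCopyAttributes(key) as? [CFString: Any],
              let type = attrs[kSecAttrKeyType] as? String,
              let bits = attrs[kSecAttrKeySizeInBits] as? Int,
              let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        let header: [UInt8]
        switch (type, bits) {
        case (kSecAttrKeyTypeRSA as String, 2048):            header = rsa2048Header
        case (kSecAttrKeyTypeECSECPrimeRandom as String, 256): header = ecP256Header
        default: return nil // add headers for any other key types you actually deploy
        }
        let digest = SHA256.hash(data: Data(header) + raw)
        return Data(digest).base64EncodedString()
    }
}

// Usage: every request made through this session is subject to the pin check.
let pinnedSession = URLSession(configuration: .default,
                               delegate: PinningSessionDelegate(),
                               delegateQueue: nil)
```

Pinning the SPKI hash rather than the whole certificate means a routine certificate renewal with the same key pair does not break the app; pinning an intermediate rather than the leaf trades some strength for less operational risk. Whichever level is chosen, an unknown host falls through to cancellation so that a misconfigured pin table fails closed and shows up immediately in testing.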
Additional Checks
You think iOS apps are sandboxed and have to pass Apple's review, so you are on the safe side? Think again...
- Enable ATS in mobile apps
- SSL Cert Pinning
- Storing info in KeyChain rather than NSUserDefaults
- Avoiding confidential info as part of code repository
- Jailbreak Detection
- Debug Logs Only
- Third Party Library Usage
- File Data Protection
- Screen Recording & Capturing
Details from Shashank Thakur@Medium.com
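Two of the items above, storing secrets in the Keychain instead of NSUserDefaults and File Data Protection, are both about the same thing: choosing a protection class for data at rest. The following is an added example, not code from the original checklist or from the Medium article: a minimal Keychain wrapper that stores a secret with kSecAttrAccessibleWhenUnlockedThisDeviceOnly (readable only while the device is unlocked, never migrated to another device via backup), plus a helper that writes app-managed files with complete file protection. The service name is a constructed placeholder.

```swift
import Foundation
import Security

// Added example: Keychain storage with an explicit, restrictive protection class.
enum KeychainStore {
    enum KeychainError: Error { case unexpectedStatus(OSStatus) }

    // Placeholder service identifier; use your own reverse-DNS name.
    private static let service = "com.example.app.tokens"

    private static func baseQuery(account: String) -> [CFString: Any] {
        [
            kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
        ]
    }

    // Insert or update a secret. The accessibility attribute is what keeps the
    // item out of iCloud/iTunes backups and off other devices.
    static func save(_ secret: Data, account: String) throws {
        let query = baseQuery(account: account)
        let attributes: [CFString: Any] = [
            kSecValueData: secret,
            kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        var status = SecItemUpdate(query as CFDictionary, attributes as CFDictionary)
        if status == errSecItemNotFound {
            let item = query.merging(attributes) { _, new in new }
            status = SecItemAdd(item as CFDictionary, nil)
        }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    // Returns nil when no item exists; any other failure is surfaced as an error
    // rather than silently treated as "no secret".
    static func load(account: String) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData] = true
        query[kSecMatchLimit] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:      return result as? Data
        case errSecItemNotFound: return nil
        default:                 throw KeychainError.unexpectedStatus(status)
        }
    }

    // Remove the secret, e.g. on logout; a missing item is not an error.
    static func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// File Data Protection: data the app writes to its own container should also get
// an explicit protection class instead of the default inherited from the app.
func writeProtectedFile(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.completeFileProtection, .atomic])
}

// Usage sketch: keep the session token in the Keychain, not in UserDefaults.
func storeSessionToken(_ token: String) throws {
    try KeychainStore.save(Data(token.utf8), account: "session-token")
}
```

The ThisDeviceOnly variant is the right default for session tokens and similar per-install secrets; only choose a non-device-bound class when a secret is genuinely meant to follow the user to a restored device. Complete file protection makes a file unreadable while the device is locked, so background work that must read its own files should use the AfterFirstUnlock variant rather than quietly falling back to no protection.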
Tools