to move user funds
• Apps that store sensitive user information on device
• Apps that need to protect in-app purchases on device
• Games
• Apps that need to protect intellectual property
FileManager or fopen(), stat(), access()
2. Path permissions with FileManager or statfs()
3. Process forking with fork() or popen()
4. Check dynamic libraries currently loaded into memory via _dyld_image_count() & _dyld_get_image_name()
Check for Jailbreak
tools can fool your app into thinking root access is not available.
• Tools like XCon (https://www.theiphonewiki.com/wiki/XCon) help to bypass all file checks.
• Replacing the Boolean value returned from isJailbroken() disables all checks. Reverse engineering and hooking such a function is trivial.
impossible.
• Make it harder and more time-consuming to bypass jailbreak detection by using random checks.
• Avoid ObjC (easy to reverse engineer).
• Avoid straightforward naming:
  func isJailbreak() -> Bool { //... }
  BOOL isDeviceJailBroken { //… }
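The four checks listed above, combined with the random ordering and non-obvious naming recommended here, as an added Swift example (not code from the original slides): the indicator paths, library names and the function name are assumed for illustration, and fork() is expected to fail with EPERM inside a stock app sandbox.

```swift
import Foundation
import MachO   // _dyld_image_count() and _dyld_get_image_name()

// Illustrative (assumed) indicators; extend them for your own threat model.
private let suspiciousPaths = [
    "/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash", "/usr/sbin/sshd", "/etc/apt", "/private/var/lib/apt"
]
private let suspiciousLibraries = ["MobileSubstrate", "SubstrateLoader", "cycript"]

// 1. File existence, asked three different ways: hooking only FileManager is not enough.
private func fileProbe(_ path: String) -> Bool {
    var st = stat()
    return stat(path, &st) == 0
        || access(path, F_OK) == 0
        || FileManager.default.fileExists(atPath: path)
}

// 2. Path permissions: on a stock device the root filesystem is mounted read-only.
private func rootWritableProbe() -> Bool {
    var fs = statfs()
    guard statfs("/", &fs) == 0 else { return false }
    return (fs.f_flags & UInt32(MNT_RDONLY)) == 0
}

// 3. Process forking: the app sandbox denies fork(); a pid >= 0 means the sandbox is gone.
private func forkProbe() -> Bool {
    let pid = fork()
    if pid == 0 { exit(0) }   // child process: leave immediately
    return pid >= 0
}

// 4. Dynamic libraries currently loaded into this process.
private func loadedLibraryProbe() -> Bool {
    for i in 0..<_dyld_image_count() {
        guard let cName = _dyld_get_image_name(i) else { continue }
        let name = String(cString: cName)
        if suspiciousLibraries.contains(where: { name.contains($0) }) { return true }
    }
    return false
}

/// Deliberately non-obvious name (assumed), and the probes run in random order,
/// as the slides recommend; any single positive probe reports a jailbreak.
func refreshTelemetryCache() -> Bool {
    var probes: [() -> Bool] = [rootWritableProbe, forkProbe, loadedLibraryProbe]
    probes += suspiciousPaths.map { path -> () -> Bool in { fileProbe(path) } }
    return probes.shuffled().contains { $0() }
}
```

Treat a positive result as one signal to combine with server-side checks, since every probe here can still be hooked or patched as the previous slide describes.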
private API keys, authentication details, etc. that you store locally in the app.
• Use the same credentials to gain access to the server, exhaust the usage limit or generate millions in AWS bills.
• Run the strings command on your binary and extract all this information.
locally and name them “not-obvious”. cocoapods-keys will be effective here.
• Store the credentials on a remote server and connect to your server for information instead of to the third parties directly.
• You can implement SSL pinning (understanding all the risks) to make sure that the server you are talking to is the one you expect.
your app by using the same URLScheme (your implementation doesn’t matter).
• Make your app perform malicious actions (depends on how you are handling app input).
a URL coming from another app.
• Your URLSchemeHandler parses the received URL and opens up the WebView using that URL.
• A malicious app passes you a URL for a page that looks exactly like a banking app; your customers’ credentials get stolen by your app!
3rd-party CocoaPod for networking.
• A security researcher finds that the pod has been logging all information to the console.
• Pod owners quickly patch it.
• Your users are vulnerable until your update is rolled out and adopted.
code you are adding to your project.
• Subscribe to the mailing lists or Twitter feeds of the third parties to stay updated.
• Minimise the number of third parties.
at the Mobile Application Security Verification Standard (MASVS) to understand which ones you need to implement a check against.
• Use the OWASP Mobile Security Testing Guide to understand those vulnerabilities and know how to test your app against them.