Nowadays, many iOS apps do not take any security precautions, resulting in a lot of security risks and accidents. Today, we will talk about how iOS developers usually do more security.
First, network aspect
The packet capture tool can capture the data of mobile phone communication interface. Take Charles as an example. Charles can obtain all plaintext data of HTTP. After configuring its certificate, it can simulate man-in-the-middle attack to obtain plaintext data before HTTPS encryption.
1.1 Man-in-the-middle Attack
A quick word on what a man-in-the-middle attack is:
① Client: “I am the client, give me your public key” -> server (intercepted by middleman).
So here it is:
Client -> Middleman
② The middleman then forwards the message to the server:
Middleman -> server
③ The server sends the information with the public key to the client, but the information is intercepted. So it is:
Server -[Server public key] -> middleman
④ The middleman replaces the public key of the server with his own public key and sends it to the client, claiming to be the public key of the server:
Middleman -[public key of middleman] -> client
⑤ The client uses the obtained public key for encryption, but actually uses the public key of the intermediary for encryption. Therefore, the intermediary can decrypt the data with its own private key to obtain the original data, and then use the public key of the server to encrypt the original data (or modify the original data content) and send it to the server.
This allows the middleman to gain access to the communication data of the two parties and create fake data.
1.2 How can I Defend against man-in-the-middle Attacks?
Here’s how to prevent it:
1.2.1 SSL Pinning
The idea behind SSL Pinning is to store the server’s public key in the client and the client will verify that the certificate returned by the server is the same as the one saved by the client, thus avoiding the attack of a middleman replacing the certificate.
It’s easy to make SSL Pinning happen. Just put a CA certificate into your project to make SSL Pinning happen on NSURLSession through the Security framework. If you are using AFNetworking, the code is a little simpler:
This will cause an error when capturing a packet through Charles.
Certificate authentication can only verify the public key (AFSSLPinningModePublicKey), also can complete verification certificate (AFSSLPinningModeCertificate).
However, one of the major problems with SSL Pinning is that if there are issues with certificates, they can only be fixed with a new release. If the new version is never approved, the network communication of the app will all die.
Take the issue of Symantec certificates being distrusted by Google and iOS12. If the app has a built-in certificate, it must be reissued.
1.2.2 Encrypting Interface Content
Many APP interfaces only encrypt and verify the requested parameters, and the data returned by the interface is plain text. Instead of SSL Pinning to prevent man-in-the-middle attacks, you can also encrypt the data returned by the interface so that the capture tool can’t break the packets even after they are captured.
Take wechat for example. The interface in wechat uses HTTP, but the content is all encrypted.
Now commonly used is symmetric encryption, encryption efficiency is relatively fast. If some data in the app is particularly important, asymmetric encryption is still used. Asymmetric encryption is more secure, but the efficiency is slower.
Second, the log
2.1 Swift log
The syntax for printing logs in Swift can be print or NSLog. But try not to use NSLog, because Swift uses NSLog, and you can look it up in the system log. System logs can be viewed via PP Assistant, iTools, or Xcode’s Devices and Simulators.
If you print the log with print, it will not appear in the system log.
2.2 OC log
Do not print NSLog logs in a release environment. Generally, we will use macro definition to solve the problem, as follows:
Third, information storage
3.1 the key
Most programmers prefer to put keys directly into macros or constants.
#define AES_KEY @ “AAa123”
Doing so can easily be decompiled. The security is poor. You can use the following methods to enhance security and make cracking more difficult.
Encrypt the key (A) and define it as macro (B). Decrypt the key (A) when using it. Key C is used to encrypt key A.
Because in the macro definition of the time if we define as a string, will directly exist in the data segment, so that the hacker is easy to obtain. It is safer to define C and B as uint8_t[] arrays so that each character goes into a separate instruction in the text segment. The command generates a string after execution. It will be safe.
Use a long text, according to the rules to extract the inside of the key, the key is random.
Define a long text on the server and the client. The APP side randomly generates the starting position and length, shifts the starting position and length and other operations to generate the corresponding number, and carries out Base64 encoding for the number. The generated string is passed to the server side, and the server side can parse the relevant key according to the string.
The code is as follows:
This only increases the difficulty of the decryptor to obtain the key, but does not completely prevent the decryptor from obtaining it.
3.2 Keychain
You can view the exported Keychain information on a jailbroken iPhone. Keychains /private/var/Keychains /var/Keychains /var/Keychains You can use keychain-dump to view the contents of keys.
Therefore, the data stored in the Keychain must be encrypted.
3.3 plist, sqlite
Plist and SQLite can be obtained directly from ipA installation files, so do not store important information in these files. If you do, encrypt it before storing it.
Iv. App reinforcement
4.1 Code Confusion
Code obfuscation is the substitution of readable class or method names for unreadable ones. Common methods are macro replacement and script replacement.
– (void)loadNetData; – (void)showxhevaluatess; – (void)showxhevaluatess;
4.2 C Language
The core code is written in C, but C functions can also be hooked, such as fishhook. Developers can use static inline functions to prevent hoCK, leaving crackers to understand the logic of the code.
4.3 testing tweak
Can detect/Library/MobileSubstrate/DynamicLibraries included in the file under your app bundle id. If yes, you can restrict the functions of the app or warn that the phone is unsafe.
Author: He Jichang
Source: Creditease Institute of Technology
Develop reading: China: appropriate letter agile | share transcript data middle construction practice