Basic iOS Application Security Check

March 12, 2018 Joanna Gajewska

Technical skills and awareness of IT possibilities have reached a very high level. There are plenty of opportunities for developers to create great applications. However, hackers have enormous power as well and they use the “holes” in the apps to their benefit in order to extort money or data.

Have you ever wondered how valuable your data is and how you “sell” yourself on the Internet? Many times, if you have to choose between a free or paid application, you choose the first option. This way you create the opportunity for your data to be collected.

The OWASP (Open Web Application Security Project) organisation offers many helpful projects and tools which can be used during development and testing. Its “Top 10 Mobile Risks” is a list of the most important areas of mobile application security.

However, how can a person who has no access to the application code or no knowledge of penetration testing verify the basic points of application security?

The security of the application should be ensured by the developers during the implementation phase and verified during a review conducted by another developer in static tests. There are also certain other ways to check security by testers in dynamic tests.

Now, let’s take a look at mobile apps designed for iPhones and iPads.

Insecure Data Storage

Devices collect a vast amount of data during app usage. It’s crucial to find out which data points are saved and whether they are encrypted correctly.

Local Storage

Many apps need to save user credentials and keys to make it easier to use the application, to collect information about the session, to make the app up-to-date with the state of the backend, or to simply store the user’s preferences. The data is stored in files. In iOS apps, the following folders should be checked:

  • AppName.app
  • Documents/
  • Library/
  • Library/Caches/
  • Library/Application Support/
  • Library/Preferences/
  • tmp/

Data in the Keyboard Cache

All of the data entered by the user can be saved in the keyboard dictionary, which is stored in the directory /private/var/mobile/Library/Keyboard/.

The test should check whether any sensitive data is stored in the file dynamic-text.dat.
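The storage and keyboard-cache checks above come down to the same task: copy the app container off the device and look through the listed folders (and dynamic-text.dat) for anything you typed during the test session. The script below is an added example, not part of the original post; it builds a throw-away container with constructed sample files so it runs offline, and the generic patterns (password fields, bearer tokens, JWT-shaped strings) are an illustrative set, not a complete one.

```python
import re
import tempfile
from pathlib import Path

# Folders inside an iOS app container that the article lists as worth checking,
# plus the keyboard-cache file from the "Data in the Keyboard Cache" section.
CONTAINER_DIRS = [
    "Documents",
    "Library",
    "Library/Caches",
    "Library/Application Support",
    "Library/Preferences",
    "tmp",
]
KEYBOARD_CACHE = "private/var/mobile/Library/Keyboard/dynamic-text.dat"

# Generic byte patterns that usually mean a secret was written in clear text.
GENERIC_PATTERNS = {
    "password field": re.compile(rb"(?i)(password|passwd|pwd)['\"]?\s*[=:]\s*\S+"),
    "bearer token": re.compile(rb"(?i)bearer\s+[A-Za-z0-9._-]{16,}"),
    "jwt": re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def scan_container(root, known_values=()):
    """Walk the app container under `root` and return (relative path, finding) pairs.

    `known_values` are the exact strings typed into the app during the test
    session (e.g. the test password).  Any file that contains one of them in
    clear text is a finding.  Files are read as bytes so binary plists and the
    keyboard cache are covered as well as plain text files.
    """
    root = Path(root)
    candidates = [root / d for d in CONTAINER_DIRS] + [root / KEYBOARD_CACHE]
    findings, seen = [], set()
    for cand in candidates:
        if cand.is_file():
            files = [cand]
        elif cand.is_dir():
            files = sorted(p for p in cand.rglob("*") if p.is_file())
        else:
            continue
        for path in files:
            if path in seen:          # "Library" already covers its subfolders
                continue
            seen.add(path)
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            for label, pattern in GENERIC_PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, label))
            for value in known_values:
                if value.encode() in data:
                    findings.append((rel, f"test value {value!r} in clear text"))
    return findings


def build_demo_container():
    """Create a throw-away container with constructed sample files.
    None of this is data from a real app; it only exercises the scanner."""
    root = Path(tempfile.mkdtemp(prefix="ioscheck_"))
    for sub in ("Documents", "Library/Preferences", "tmp",
                "private/var/mobile/Library/Keyboard"):
        (root / sub).mkdir(parents=True)
    # Constructed: a session file holding a JWT in clear text.
    (root / "Documents/session.json").write_text(
        '{"user": "alice", "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"}')
    # Constructed: preferences that keep the login password.
    (root / "Library/Preferences/com.example.app.plist").write_text(
        "<plist><dict><key>password</key><string>Hunter2!</string></dict></plist>")
    # Constructed: a debug log written to tmp/.
    (root / "tmp/debug.log").write_text("login user=alice password=Hunter2!\n")
    # Constructed stand-in for the keyboard dictionary (the real file is binary).
    (root / KEYBOARD_CACHE).write_bytes(b"DynamicDictionary-5\x00alice\x00Hunter2!\x00")
    return root


if __name__ == "__main__":
    demo = build_demo_container()
    for path, finding in scan_container(demo, known_values=["Hunter2!"]):
        print(f"{path}: {finding}")
```

Point `scan_container` at a real container copied from a test device and pass the credentials you entered as `known_values`; the known-value check is the one that matters most, because it catches secrets in formats the generic patterns do not recognise.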

Communication With the Server

Most mobile apps are connected to the Internet, so communication should be secure in order to avoid risking exposure. Sensitive data should be sent via secure channels, and all requests should be sent over an SSL socket or HTTPS (instead of HTTP).
It is also very important to check the logs when a user enters sensitive data into the app: verify that the data is neither visible in the logs nor sent to the server as unencrypted strings.
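A practical way to run the transport and logging check is to capture the app's request log during a test session and scan it mechanically. The checker below is an added example (not code from the original post): it flags requests that use a scheme other than https, sensitive parameter names in URL query strings or logged request bodies, and any of the test values you typed appearing in a log line. The log format (`METHOD URL body=...`) and the sample lines are constructed for the demo, and the list of sensitive parameter names is illustrative.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names whose values should never travel in a URL or appear in a log.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid", "otp", "pin"}
URL_RE = re.compile(r"\b(https?://\S+)")
BODY_RE = re.compile(r"\bbody=(\S+)")


def check_log_line(line, known_values=()):
    """Return the list of problems found in one captured request-log line."""
    issues = []
    url_match = URL_RE.search(line)
    if url_match:
        url = urlsplit(url_match.group(1))
        if url.scheme != "https":
            issues.append(f"request sent over {url.scheme} instead of https")
        for key, _ in parse_qsl(url.query):
            if key.lower() in SENSITIVE_KEYS:
                issues.append(f"sensitive parameter {key!r} in URL query string")
    body_match = BODY_RE.search(line)
    if body_match:
        for key, _ in parse_qsl(body_match.group(1)):
            if key.lower() in SENSITIVE_KEYS:
                issues.append(f"sensitive field {key!r} in logged request body")
    for value in known_values:
        if value in line:
            issues.append(f"test value {value!r} written to the log in clear text")
    return issues


def check_log(lines, known_values=()):
    """Run check_log_line over every line; return (line number, issue) pairs."""
    return [(n, issue)
            for n, line in enumerate(lines, 1)
            for issue in check_log_line(line, known_values)]


# Constructed sample of an app's request log (not captured from a real app).
SAMPLE_LOG = [
    "2018-03-12 10:00:01 POST http://api.example.com/login body=user=alice&password=Hunter2!",
    "2018-03-12 10:00:02 GET https://api.example.com/profile?token=abc123def456",
    "2018-03-12 10:00:03 GET https://api.example.com/items?page=2",
]

if __name__ == "__main__":
    for n, issue in check_log(SAMPLE_LOG, known_values=["Hunter2!"]):
        print(f"line {n}: {issue}")
```

Query-string parameters are singled out because URLs end up in server access logs, proxy logs and browser history even when the connection itself is encrypted; a token in the path or query is therefore a finding even on https.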

Authentication

There are a few areas which should be verified to check authentication.

User Credentials

Firstly, verify whether users are correctly authenticated by the server. Try different login/password combinations and check whether the server returns an appropriate error.
After a few login failures, the account should be blocked (this behaviour should be specified in the requirements).

Changing the Password

Secondly, regarding the change and reset password options, make sure that after users change their password they are automatically logged out by the server and can’t access the data until they log in with the new one.

Session Management

The next point is to verify that the session has been terminated. This should be checked in two cases: after logging out and after a session timeout. In each case, try to send a request to the server using the token or session ID of the previous session and check that the server returns an error.
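The three authentication checks above (lockout after repeated failures, forced logout after a password change, and rejection of an old token after logout or timeout) can be expressed as a small test script. The code below is an added example, not part of the original post: `AuthServer` is a constructed in-memory model of how a correct backend should behave, with an injectable clock so the timeout case runs instantly, and `run_checks` drives each check against it and reports pass/fail. Against a real backend you would replace the model with HTTP calls and keep the same sequence of steps.

```python
import hmac
import secrets


class FakeClock:
    """Controllable clock so the timeout check runs instantly."""
    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthServer:
    """In-memory model of the server behaviour the checks expect.
    Passwords are kept in clear text only because this is a toy model
    (a real backend stores a password hash)."""
    MAX_FAILURES = 3
    SESSION_TIMEOUT = 900  # seconds of inactivity before a session dies

    def __init__(self, users, clock):
        self._users = dict(users)
        self._clock = clock
        self._failures = {}
        self._locked = set()
        self._sessions = {}  # token -> (user, last activity time)

    def login(self, user, password):
        if user in self._locked:
            return None, "account locked"
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            self._failures[user] = self._failures.get(user, 0) + 1
            if self._failures[user] >= self.MAX_FAILURES:
                self._locked.add(user)
                return None, "account locked"
            return None, "invalid credentials"
        self._failures.pop(user, None)
        token = secrets.token_urlsafe(32)       # unguessable session ID
        self._sessions[token] = (user, self._clock())
        return token, "ok"

    def request(self, token):
        """HTTP-style status for a request carrying `token`."""
        entry = self._sessions.get(token)
        if entry is None:
            return 401
        user, last_seen = entry
        if self._clock() - last_seen > self.SESSION_TIMEOUT:
            del self._sessions[token]           # idle too long: session is gone
            return 401
        self._sessions[token] = (user, self._clock())
        return 200

    def logout(self, token):
        self._sessions.pop(token, None)

    def change_password(self, token, new_password):
        """Change the password and end every session of that user."""
        if self.request(token) != 200:
            return False
        user = self._sessions[token][0]
        self._users[user] = new_password
        self._sessions = {t: s for t, s in self._sessions.items() if s[0] != user}
        return True


def run_checks():
    """Drive the article's checks against the model; return pass/fail per check."""
    clock = FakeClock()
    results = {}

    server = AuthServer({"alice": "correct horse"}, clock)
    results["wrong_password_rejected"] = server.login("alice", "wrong")[0] is None
    for _ in range(AuthServer.MAX_FAILURES - 1):
        server.login("alice", "wrong")
    results["locked_after_failures"] = (
        server.login("alice", "correct horse") == (None, "account locked"))

    server = AuthServer({"bob": "pw1"}, clock)
    token, _ = server.login("bob", "pw1")
    results["valid_token_accepted"] = server.request(token) == 200
    server.logout(token)
    results["token_rejected_after_logout"] = server.request(token) == 401

    token, _ = server.login("bob", "pw1")
    clock.advance(AuthServer.SESSION_TIMEOUT + 1)
    results["token_rejected_after_timeout"] = server.request(token) == 401

    token, _ = server.login("bob", "pw1")
    server.change_password(token, "pw2")
    results["token_rejected_after_password_change"] = server.request(token) == 401
    results["old_password_rejected"] = server.login("bob", "pw1")[0] is None
    results["new_password_accepted"] = server.login("bob", "pw2")[0] is not None
    return results


if __name__ == "__main__":
    for name, passed in run_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The important detail in `change_password` is that it drops every session of the user, including the one that made the change; a backend that only updates the stored password leaves any already-issued token valid, which is exactly the gap the check is meant to expose.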

One Time Passwords

If multi-factor authentication is in place and the user needs to enter a code received via SMS, check if the code is random or can be guessed somehow.

Push Notifications

If the app is configured to receive push notifications, it is important to check that the content of the message doesn’t contain any sensitive data which shouldn’t be visible to everyone. If the app is in the background and the user is logged out, then after tapping on the notification he should be redirected to the login page and have no access to the data without logging in.

Insecure Authorisation

Authorisation controls what the user can access. The test should verify whether the user has access only to the appropriate content. In addition, you can try to lower the authorisation level to verify whether the corresponding part of the app becomes unavailable after you have done so.

It is important to check whether any of the files or available settings can be edited or manipulated by anyone with the user’s permissions.

Improper Platform Usage

The tester should verify whether the permissions and access controls in the app are correct, and whether the application requests any access permissions it does not need.
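On iOS the permissions an app can ask for are declared in its Info.plist through the NS...UsageDescription keys (the text shown to the user in the permission prompt), so a tester without source access can still compare what the app declares with what it is documented to need. The script below is an added example, not the original post's: it parses a plist with the standard `plistlib` module, lists the declared resources, and reports those outside an expected set as well as any with an empty usage description. The key table is a real but incomplete subset, and the sample Info.plist, the fictional note-taking app and its expected resource set are constructed for the demo.

```python
import plistlib

# Info.plist keys through which an iOS app declares access to protected resources.
# Real key names, but only a subset; extend the table for a full audit.
USAGE_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSPhotoLibraryUsageDescription": "photo library",
    "NSLocationWhenInUseUsageDescription": "location (when in use)",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location (always)",
    "NSContactsUsageDescription": "contacts",
    "NSCalendarsUsageDescription": "calendars",
    "NSBluetoothAlwaysUsageDescription": "bluetooth",
}


def audit_permissions(info_plist, expected):
    """Compare the permissions declared in an Info.plist (bytes) with the set
    of resources the app is documented to need.  Returns a report dict."""
    info = plistlib.loads(info_plist)
    report = {"requested": {}, "unexpected": [], "empty_reason": [], "background_modes": []}
    for key, resource in USAGE_KEYS.items():
        if key not in info:
            continue
        reason = str(info[key])
        report["requested"][resource] = reason
        if resource not in expected:
            report["unexpected"].append(resource)
        if not reason.strip():          # prompt would show no justification
            report["empty_reason"].append(resource)
    # Background modes widen what the app may do while not on screen.
    report["background_modes"] = list(info.get("UIBackgroundModes", []))
    return report


# Constructed Info.plist for a fictional note-taking app (not a real app's file).
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.notes",
    "NSCameraUsageDescription": "Attach a photo to a note.",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "",
    "NSContactsUsageDescription": "Share notes with your contacts.",
    "UIBackgroundModes": ["location"],
})

# What the app's requirements say it actually needs (assumption for the demo).
EXPECTED_RESOURCES = {"camera"}

if __name__ == "__main__":
    report = audit_permissions(SAMPLE_INFO_PLIST, EXPECTED_RESOURCES)
    for resource, reason in report["requested"].items():
        print(f"requests {resource}: {reason!r}")
    print("unexpected:", report["unexpected"])
    print("no usage reason:", report["empty_reason"])
    print("background modes:", report["background_modes"])
```

For a real app, read Info.plist from the extracted AppName.app bundle with `open(path, "rb").read()` and pass it in; the file may be in binary plist form, which `plistlib.loads` handles as well as XML.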

Summary

Security is a crucial area of mobile applications. As you can see, it can be verified at a basic level without any special knowledge. Start testing these basic elements during your everyday work to find potential security loopholes. There are many tools which can automate the verification process. You can also test your skills as a white-hat hacker – that would be the next step on your journey towards conducting penetration testing.