Is it possible for an app to be decompiled? - iphone

I need to code in authentication information for specific parts of my website into my app. Is it at all possible for the app to be "decompiled" and the username and password exposed?
NSURL *url = [NSURL URLWithString:#"https://predefinedUsername:predefinedPassword#www.website.com"];

Yes, it is possible. Assume that if you have anything compiled into your app, it can [and will] be discovered by someone somewhere. Even if it isn't possible today, you are creating a frozen record of such information that will be vulnerable to any future attacks, known or unknown.
You really need the user to perform some task that authenticates them. There are a million and one ways to do that, and for every one of those, a million and two ways to do it wrong. :)
Without knowing more about your specific requirements, it is impossible to really say much more outside of "keep it simple and don't store or send anything in clear-text".

As #Hyperbole said, If you store the username and password in plain text it will be visible in the executable. It is extremely trivial to examine the executable for strings, and it's usually the first thing someone with malicious intent will try.
Right click on any app you've downloaded in iTunes and select show in finder. Make a copy of the app on your desktop and rename the app from AppName.ipa to AppName.zip. Double-click to unzip it, and look inside the folder. Navigate to the folder Payload and then right click on the (probably only) file in there called AppName that looks like an application but has a big circle with a cross through it for the icon. Select show package contents. Scroll through until you find a file called AppName with no extension and a blackish rectangle with the green word "exec" as an icon. Open that file in text edit or another text editor. You'll find that most of this ends up being random symbols and other crap, but you should occasionally see some plain text. The compiler takes string constants and embeds them directly in the app when you compile it in most cases.
You asked about what magazine apps and others do to access content - There are a ton of different ways to do it but off the top of my head, after the server verifies your in-app purchase receipt, the server would record an identifier specific to your iTunes account, saying that you've purchased a specific issue of the magazine. Then your app can request that file from the server, adding the identifier to the request in the process. The server would respond with the file once it looks through the database and determines that you've purchased the content.
Other solutions include signing/hashing a unique key.

Your example would expose the username and password without the need to decompile as you send it via plain text in a URL request. Anyone with a sniffer or MITM service yould snatch it out of the air. A better approach would be to make use of SSL via the http*s* protocol. You could go a step further and either prompt at runtime for the credentials and/or store an encrypted version within the app.

This is very bad because it is trivially easy to recover these credentials just by running 'strings' against the app binary without needing to decompile it.
Can't you pop up a dialogue box asking the user to enter the credentials when they first start the app ? Alternatively you could store them encrypted in a file and then ask the user for an alternative credential e.g. Passcode that derives the key but even this will not survive a determined attack unless the Passcode is long.

Related

Is it possible to hide certain files from "show package contents"?

I have a MacOS app coded in swift, and when someone right clicks > show package contents there is a file that reveals some information I do not want the user to see. Is it at all possible to hide that file?
There's no way to secure data on the client (mac) side. If your program can read something, so can a hacker. You can do 3 things about it:
Make it obfuscated enough to make it annoying to deal with, hoping that bad actors would get discouraged.
Make the reward of reading the sensitive data lower, so there's less incentive to do so
Make the sensitive data be black boxed by a server you control and have secured, and have all the sensitive operations be out-sourced to computation on that secure server.
No, you can't hide files in a meaningful way.
If you name the file starting with a dot (".") they are not shown in the Finder by default, but that's very easy to get around.
Better to encrypt the file and decrypt it in your app. That way nosy users can see the file but can't make any sense out of the contents.

Prevent application cache from extracting files on iOS

I have an iOS application, which stores all downloaded *.pdf files in its cache. Is there a way to prevent this data from extracting? Encryption or something else? Thanks in advance.
There are quite a few ways to encrypt files, and I'm sure everyone will have an opinion on the best way to do so.
In a project I've recently been working on, we've been using CommonCrypto (https://github.com/AlanQuatermain/aqtoolkit). Just take any NSData, encrypt it, and save it to a file, and vice versa. You can even write an easy Transformer by subclassing NSValueTransformer, which abstracts all of the encryption to one spot and you will never have to worry about it again.
You can protect PDF files with a password. I assume you create the PDF files not within the application but externally. For example you can use Preview.app in Mac OS X to secure existing PDF files with a password (Hit Cmd-P, then select PDF in the print menu and there you can set security options. Or even more simple: in the menu choose Export...).
In iOS you can then open the PDF files like this:
CGPDFDocumentRef documentRef = CGPDFDocumentCreateWithURL((__bridge CFURLRef)[NSURL fileURLWithPath:filePath]);
if (!CGPDFDocumentIsUnlocked(documentRef))
CGPDFDocumentUnlockWithPassword(documentRef, password);
...
There are actually 2 Documents folders in which your app can store content. One can be extracted, and one is private. Check the accepted answer in this ticket.
Access files in "private Documents" folder transferred with iTunes
Assuming you want the PDF files from getting extracted on jailbroken devices, the most straight forward approach would be along the following lines:
generate a random string during the first launch of the app
save the random string either in NSUserDefaults in state file inside your own app's sandbox
using this random string create a secret key using a deterministic but hard to figure out algorithm
use this secret key, which you don't store anywhere but always generate on demand, symmetrically encrypt your buffer with AES or something similar
You would probably find the source code here very helpful.

iOS App-to-App Trasnmission of Data using new Document Support API

Problem:
Building Enterprise Applications of a Suite Nature, and need to be able to pass data from one application to another. Example: App1 is a barcode reader that produces and inventory list. App2 needs a "fresh" copy of the same inventory list information that App1 just produced in order to accomplish its goal of producing purchase orders. The two apps and databases are two large to squeeze together in single app, plus the suite will continue to grow with more and more apps.
Understanding:
I fully understand that "Each" application is in it's own sandbox. However, in reading through the documents regarding the new UIDocumentInteractionController API, it appears that an application can dip outside of the sandbox just a little to "Read-In", "View", or "Open-In" a document that was not apart of the bundle or created within the application.
Data Flow:
I'm trying to keep it simple. I have been using the DocInteraction sample application downloaded from Apple, and another application...called App1 to try and work with a simple text file. In App1, I create a simple txt file, and save it to the documents folder. (But this is still inside the app's sandbox?). in the DocInteraction modified sample, I have been trying to figure a way to "View", "Open-In", or better yet "Read-In" the created txt file. If I can pass a simple txt file between the two, I can include a CSV structure to update the databases on each side when ever the applications are opened.
I have tried to utilize the Launch Options Keys with no luck.
In short, I just can't seem to get my head around:
Where App1's data needs to go?
How to find the data in the other App, say App2?
How do you "Open" the file that exist inside another application's sandbox?
End Result:
I have tried to stay away from the
The Document Interaction docs outline:
Previewing a Document or Presenting Options
Registering Your Support of File Types
Opening Files From Other Apps
Displaying and Printing Quick Look Previews
It is the "Opening Files From Other Apps" that I am most interested with. It directs me to utilize the application:didFinishLaunchingWithOptions: method by passing in dictionary values for the keys. This is where I get lost?? How do I set the keys so that it knows "WHERE" and "WHAT" to look for? And I'm still not clear the proper director that App1 should be saving information to in order for the keys to point to the correct place?
Opening email file attachments and opening pdfs in iBooks can't be the only places where you can utilize this API or else Apple wouldn't have went through all the work, they are already allow to talk from App-To-App.
Note: I'm not trying to get App1 to directly transmit data into App2's files. I don't think that would be allowed by Apple at all! I'm trying to get App1 to zip up its data, save it in proper location, so when user decides to use App2, the data can then be available to App2 by "reading-in" the data.
If someone has a sample application, tutorial, or even a solid idea how to get this working I would really appreciate the help.
-Thanks!
P.S. Somebody with 1,500 or higher reputation please create a "UIDocumentInteraction" tag for stackoverflow!
I got it working last month. Here's my mental model:
App1 creates a file anywhere in its sandbox.
App1 calls docinteraction to display the "Open In" GUI for that file
User picks "Open in App2"
The iOS copies the file from one sandbox to the other and launches App2.
App2 implements didfinishlaunchingwithURL and loads the supplied URL (which is the copy in its sandbox)

is it possible to download a file in my iphone throuh email

I am working on an application in which i write to an xml file and then send it through email and at the reciever end the receiver recives it in his/her inbox and download the file to the iphone and then open the same app on his phone and browse to this file and by clicking sync button the progra should parse the tags in the xml file.
Everything is cler but i am not sure whether we can download a file to our iphone and browse thru it our app.
Thanks, i appreciate. :)
No, I don't believe you can download a file from mail and pass it to your app to open and read. This would be for security reasons.
I think the only way to achieve this would be to not use an XML file, and instead construct a URL with parameters.
There are a few drawbacks here, though. Depending on how much data you need to pass, the url could get pretty large. You would have to take considerations to make sure that each parameter value is properly URL escaped. And you could have to write code to parse the data in the parameters.
This is how other apps pass data between apps, an example would be the iPhone's Phone app. You can make it call a number by using a tel:// URL.
You can register a URL scheme in your app and use it to pass data around.

Launch my app using email attachement

I want to bind my app to some file extension so when I receive an email with an attached file with the correct extension, clicking on it will launch my app and pass it the attached file.
Is it possible ? How ?
Thx
--G.
As iPhone applications are not allowed to share files on the file system, what you're looking for is not immediately possible (not with the published APIs that I know of, anyway). You might still have a couple of options though.
Either way you'll have to use a custom URL scheme, which is associated with your app, and paste that into your email. This URL might point to some external location, which your app can download the file from.
Or it might contain the actual file contents if it's fairly small. URLs are 'just text' (some restrictions apply), so you're free to put any data you want to in it, as long as it is URL-encoded.
You still need to get the URL into the email though, which might or might not be as easy as attaching a file.
It's not possible to simply associate a file extension with an application on the iPhone.
You could create a custom URL scheme that would launch your app, but probably that won't help you.
This is actually possible, I'm working on this exact same problem and this great tutorial has really helped me.