Recently we developed and published a mobile banking app on the app store, for a big banking organization. The bank hired a security firm to perform ethical hacking over the app to see if it, in anyways compromises confidential data.
We recently received the hacking report from the firm, which in-spite of saying that no serious security issues are present, contains a list of all the class files, method names and the assembly code of the project.
Now the client insists that we fix these security loop holes and republish the app. However we don't have any idea how did they manage to get all these details from the application's IPA. I searched this over SO and found a particular post mentioning this link, which states that you can't save your app from being hacked.
Please help me how to fix these security vulnerabilities , or if not possible, how to convince the client.
Edit:
Recently came across this page. Seems like EnsureIT from Arxan can prevent app IPAs from reverse engineering. Anyone experienced with this?
There's always a risk involved. Even if you don't introduce vulnerabilities yourself, the platform may allow for exploits which in the end may offer an entry point for a malicious attacker.
As to your question: It is not safe to assume that a hardcoded URL, even if obfuscated beyond belief, can't be peeled out of your product. Always design your apps such that safety of user data is guaranteed (as far as possible) even if built in ressources get compromised. If the knowledge of that URL alone poses a security threat, then your whole approach and your clients API is inherently insecure. Remember that such information could possibly be captured by a man-in-the-middle attack (and other modes of attack) as well.
Avoid security by obscurity. Store sensitive data only on disk if it is necessary. As a rule don't allow PIN / TAN storage.
Some thoughts which may (or may not) convince your client that your app is as safe as it can be:
As long as the app runs on a non-jailbroken device, it is unlikely that an attacker, even with knowledge of your apps internals is able to get to any user data, because the iPhone normally doesn't offer opportunities to interfer with your app
If the attacker is able to get to your users data, and provided you have been protecting that data with all means available under iOS (-> keychain -> crypto chip ->...), then it's not your fault. It means the device is either jailbroken or there are vulnerabilities to the system itself which have been exploited, you just can't do anything about either possibility.
It is impossible to prevent reverse engineering of your app. Even if you had put more effort into obfuscation, an attacker with strong motivation would still be able to get what he wants. Your client needs to get used to this as it's a fact.
Other platforms suffer from similar vulnerabilities, yet on the iPhone at least you have a somewhat closed environment and a reduced risk of being attacked with trojans and the like.
The governments and security firms get hacked on a regular basis, although they should now how to protect themselves. This means life is inherently insecure, cope with it.
I was recently researching over this and I found this article helpful, especially the part quoted:
The code for a native app is stored in the form of a binary executable file, which is further encrypted; its decryption is performed only when the executable file is loaded by the processor into the random access memory and the whole decryption process happens at the hardware level. That is why it is very hard to create offline decryption tools. The only way to decrypt encrypted binary data is on a jailbroken device with a few special tools installed.
Security in iOS: Protecting .ipa File Content by Stoyan Stoyanov
Related
App Store Review Guidelines says: "Apps that download code in any way or form will be rejected."
I'd like to make an app using Challenge-Response for authentication. The app has a set of basic algorithms such as SHA-1, SHA-256, MD5, DES, AES and so on. The challenge server makes contains an array of the algorithms' name with random arrangement and a string names A. Client uses the algorithms and the sequence that challenge indicates to manipulate string A, and returns it to the server as the response.
Although all I transfer between server and client is a bunch of strings, but they indeed change the behavior of my app. Should I consider them a form of code? If not, why downloading shell code to execute is forbidden by Apple? I mean, shell code is also a bunch of strings and interpreted by running environment. Where is the essential difference?
Forgive my English :)
What Apple is worried about and wanting to prevent is applications that get through the approval process (disguised as something benign) and later change their fundamental function.
An extreme example would be an application downloading new, malicious executable code after it has been installed on the user's device.
Apple is using broad wording in order to be able to reject any app that in any way tries to be harmful to the user. It would be impossible to specifically describe every technique and specific way this could happen, so Apple keeps the wording loose.
Apps "download code" in some form or another all the time, consider an application that accesses an API that returns JSON formatted responses. Technically that could be considered code, and it can change the apps behavior (which view to show, what options would be available on a certain view, etc). But an app that access an API in this manner would certainly not be rejected.
From what I can gather from your question, it sounds like you don't have to worry about that particular clause in the guidelines.
I'm developing an application for iPhone which uses a HTTP request to get quote data from a webserver.
I am working with another developer who is managing the web service. We are using an MD5 encryption (simple xor) to pass the data between iPhone and webserver.
He posed a question to me this morning which is quite frankly way out of my pool of knowledge.
'How safe is the apple binary?'
He is worried about whether someone could obtain the .app bundle via iTunes, and then decode that bundle and access my source code directly, allowing them to obtain the secret key we are using to encode the data.
I personally, wouldn't even know where to begin, but i'm sure there are more knowledgeable/crafty fellows out there.
So, is it possible? if is it, what can I do to try and safe guard my source?
The binary is not even remotely safe. Whether through the iTunes download or on a jailbroken iPhone, there's nothing you can do other than obfuscation, which a determined adversary will always get past. Do not ever rely on the "secrecy" of something embedded in a client application, it is not secret. Ever. On any platform, in any language, with any technique.
If you need to limit who can access your system, you need per-user accounts. There is no other safe mechanism. Apple does provide ways to "authenticate" users via their iTunes accounts, you may want to look into that.
Also, "MD5 encryption" means nothing. MD5 is a hash function with cryptographic applications, but saying you're doing "MD5 encryption" and "simple XOR" is just meaningless. I can use XOR and MD5 to do any number of things, few if any would serve as a meaningful encryption scheme, and would have no advantages whatsoever over a real algorithm designed by experts, such as AES.
Use HTTPS (HTTP over SSL). There is no reason not to, the iPhone fully supports it. If you need to, you can get free SSL certificates for your server from at least http://www.startssl.com/ . There are lots of cheap SSL certificate providers out there these days, too. Google a bit.
I'd strongly recommend you and your co-developer start reading up on information security, both in theory and practice, because it appears you have very little grounding in the subject, and probably several significant misconceptions that will lead to easily-broken systems.
I've searched the web for this bit to no avail - I Hope some one can point me in the right direction. I'm happy to look things up, but its knowing where to start.
I am creating an iPhone app which takes content updates from a webserver and will also push feedback there. Whilst the content is obviously available via the app, I don't want the source address to be discovered and published my some unhelpful person so that it all becomes freely available.
I'm therefore looking at placing it in a mySQL database and possibly writing some PHP routines to provide access to my http(s) requests. That's all pretty new to me but I can probably do it. However, I'm not sure where to start with the security question. Something simple and straightforward would be great. Also, any guidance on whether to stick with the XML parser I currently have or to switch to JSON would be much appreciated.
The content consists of straightforward data but also html and images.
Doing exactly what you want (prevent users from 'unauthorized' apps to get access to this data') is rather difficult because at the end of the day, any access codes and/or URLs will be stored in your app for someone to dig up and exploit.
If you can, consider authenticating against the USER not the App. So that even if there is a 3rd party app created that can access this data from where ever you store it, you can still disable it on a per-user basis.
Like everything in the field of Information Security, you have to consider the cost-benefit. You need to weigh-up the value of your data vs. the cost of your security both in terms of actual development cost and the cost of protecting it as well as the cost of inconveniencing users to the point that you can't sell your data at all.
Good luck!
I have several plist files in my app, that I want to be non human readable, or editable.
The idea is to encode them using another app, then drop them in the normal iphone app just for decoding and processing.
I have drooped encryption because 1st, I don't need something with strong encryption, and 2nd because of the app store procedure for encrypted apps.
Can anyone suggest me how to proceed? What is the simplest (not the best in terms of encryption) method implement?
Please assist!
iPhone applications are "sandboxed", meaning that applications cannot read each other's data; each application has associated with it its own username and group, along with its own set of folders that it owns. An application cannot access the folder or data of another iPhone application. Therefore, the requirement doesn't really make sense. You should simply use NSDictionary -writeToFile:atomically, and NSDictionary -initWithContentsOfFile to read/write the data to/from a PLIST. If you need to add encryption (because you are worried about two people sharing the iPhone, or something like that), then I suggest you encrypt the individual entries before placing them in the dictionary.
Edit
Based on your comment below, it appears that you are trying to prevent people from pirating your application, rather than trying to protect user data as the question implies. Unfortunately, it is always possible to pirate an application. Anything ranging from obfuscation to using certificates to asymmetric encryption to running a checksum over the application binary can all be bypassed or defeated. The best way to deter piracy is to have a quick iteration cycle and to place most of your data in the cloud, where it is frequently changed and updated, as doing so diminishes the value of any pirated snapshot of the application. That said, it is generally a good idea to consider software piracy as simply a cost of doing business. Most users will not pirate the application, and since all the various methods for protecting your application can (and will) be defeated, the costs of implementing such things is generally not worth it.
Take a look at the NSDataWritingOptions of NSData. There is built in encryption for binary plist files. I've never used it so I don't know how easy it is for someone with developer's tools to defeat it. It should however provide protection against casual thievery.
However, if your worried about about other developers stealing your content, your best protection will be copyright. Copyright protects content, that's what its for. Make sure to include a copyright in the actual plist as part of the data. Stick a copyright in every resource file e.g. images.
Is there a way to decompile the binary from an IPhone app.
I jailbroke my IPhone and was surprised to find other app's dbs wide open to be copied.
So I exported my most important table and hardcoded it into code.
Instead of loading table into array from a db I just generated code to fill the array and kept only the most basic DB info so relationships still work.
Took a while but now works fine.
I was just wondering am I safe, could someone decompile the binary for the app easily and extract the data. In Java its easy to decompile *.class files though thats bytecode where I presume iphone apps are more low level.
I know IPhone sdk 4 can mark files as secure. Anyone know can this be overridden by jailbreaks or is this an unix lock?
Short of encrypting that data, you are really only protected by peoples lack of motivation. If someone with enough motivation wants to look at the data, they can. Even if you encrypt the data, if they key is in, or generated by, your code they can find that too.
To be honest Apple couldn't secure a brick. The iPhone has been almost continuously jail-breakable seance the beginning. Users (read hackers:) have more control over the device than developers. There is no way that you can truly secure content on the device. If encryption is used, there is nothing keeping the attacker from obtaining the key. (He has control over all libraries and can hook any function call he wants.)
It is common to see developers fall back on Security Though Obscurity, and I'm not going to entertain these ideas. If there is data on the device, a hacker can and will make a copy of it.
I jailbroke my IPhone and was
surprised to find other app's dbs wide
open to be copied.
No. There is nothing wrong with this. It has to be stored somewhere.
So I exported my most important table
and hardcoded it into code.
Bad move.
A jailbreak from a priviledge domain is a vulnerability in the phone and is not your problem. There is nothing you can do about that, and even encrypting your data will not save you because all privileged code on the phone will be able to access the encryption keys.
In other words:
Code will not normally be hostile and steal your goods. The only reason it would is because the user downloaded bad code onto the phone or a remote exploit took place.