Best practices for iOS applications security


#1

Hi, I would like to ask/consult on the following.

1.) What are the best ways to add security to an app and protect it from hackers? (We need to store a username and password.)

2.) Could we create our own Keychain class, or what keychain library would you recommend? (It will just save/retrieve/delete.) Thank you.

Edited: Fixed format.


#2

Hi Francis!

  1. If you’re connecting over APIs, make sure your webserver has an SSL certificate, so that the data on the network is encrypted.

  2. For saving sensitive data, if you need to save it locally you can use Apple’s keychain storage. You can check this out: https://github.com/soffes/SAMKeychain.

Found this just now. Haven’t read it thoroughly, but it looks useful.

  3. Make sure you’re not logging sensitive data in your app’s production builds.

#3
  1. Keychain could be broken in a JB environment, so you still need to encrypt your data.
  2. Search about SSL Pinning; this prevents man-in-the-middle attacks.
  3. Take a look at Reverse-engineering-ios-apps.
  4. Custom protocols between app and service.

I haven’t really dug much into every item I listed above, but those are the ways I think could help.
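Item 2 of the post above (SSL pinning) in concrete form, as an added example that is not code from this thread or from any library it mentions: a `URLSessionDelegate` that first runs the normal chain validation and then additionally requires the server's leaf certificate to match a pin compiled into the app. The class and property names are hypothetical, and the pin value is a placeholder.

```swift
import Foundation
import Security
import CryptoKit

// Added example: certificate pinning in a URLSession delegate. The SHA-256 of
// the server's leaf certificate (its DER bytes) must match a pin built into the
// app, on top of the normal chain validation; otherwise the request is cancelled.
// Names (PinningSessionDelegate, pinnedLeafHashes) are hypothetical.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    // Lower-case hex SHA-256 digests of the accepted leaf certificates. Keep at
    // least two (current + next) so a certificate renewal does not lock users out.
    private let pinnedLeafHashes: Set<String>

    init(pinnedLeafHashes: Set<String>) {
        self.pinnedLeafHashes = pinnedLeafHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; anything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation first (expiry, hostname, trusted root). Pinning
        //    narrows what is accepted; it never replaces this step.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Compare the leaf certificate (index 0) against the pins.
        //    SecTrustGetCertificateAtIndex is deprecated since iOS 15 in favour of
        //    SecTrustCopyCertificateChain but still works.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        if PinningSessionDelegate.matchesPin(leafDER, pins: pinnedLeafHashes) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A certificate that chains to a trusted root but is not ours is
            // exactly the interception case pinning exists to stop.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Pure helper so the comparison can be unit-tested without a live TLS session.
    static func matchesPin(_ certificateDER: Data, pins: Set<String>) -> Bool {
        let digest = SHA256.hash(data: certificateDER)
        let hex = digest.map { String(format: "%02x", $0) }.joined()
        return pins.contains(hex)
    }
}

// Usage. The pin below is a PLACEHOLDER; generate real ones from the server's
// certificate, e.g. `openssl x509 -in server.pem -outform DER | openssl dgst -sha256`.
let pins: Set<String> = ["<sha256-hex-of-leaf-cert-der-placeholder>"]
let session = URLSession(configuration: .default,
                         delegate: PinningSessionDelegate(pinnedLeafHashes: pins),
                         delegateQueue: nil)
```

Two practical notes: pinning the leaf certificate means every renewal needs an app update unless a backup pin for the next certificate ships ahead of time (pinning the public key instead survives renewals that reuse the key), and the `SecTrustEvaluateWithError` step must stay, since a pin check alone does not verify expiry or hostname.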


#4

And do not store usernames and passwords in the app; store a token that represents the user credentials and can expire at some point. It is the current best practice for online-connected apps. If the app does not depend on any online service, then just encrypt the data you store in the DB or file to make it difficult for “hackers” to read it.

Encryption just makes it difficult to decipher but does not totally protect your data, since it is just a matter of TIME to decipher your data if the attacker is willing.
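An added example that covers both the keychain class asked for in #1 and recommended in #2 (save/retrieve/delete on top of the Security framework) and the expiring-token advice in the post above. It is not code from this thread or from SAMKeychain; `KeychainStore`, `SessionToken`, the service string and the token value are all hypothetical. Items are stored with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, which keeps them out of backups and unreadable while locked, though, as #3 notes, that does not protect against a jailbroken device.

```swift
import Foundation
import Security

// Added example: a minimal keychain wrapper (save / retrieve / delete) plus an
// expiring session token stored through it instead of the raw password.
// KeychainStore, SessionToken and the service name are hypothetical.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

struct KeychainStore {
    let service: String   // groups this app's items; assumed value, not from the thread

    private func baseQuery(for account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
    }

    /// Save (or overwrite) a value. Readable only while the device is unlocked;
    /// never migrates to another device via backup.
    func save(_ data: Data, account: String) throws {
        var query = baseQuery(for: account)
        query[kSecValueData as String] = data
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(query as CFDictionary, nil)
        if status == errSecDuplicateItem {
            let update: [String: Any] = [kSecValueData as String: data]
            let updateStatus = SecItemUpdate(baseQuery(for: account) as CFDictionary, update as CFDictionary)
            guard updateStatus == errSecSuccess else { throw KeychainError.unexpectedStatus(updateStatus) }
        } else if status != errSecSuccess {
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Retrieve a value; nil when no item exists.
    func retrieve(account: String) throws -> Data? {
        var query = baseQuery(for: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        return result as? Data
    }

    /// Delete a value; deleting a missing item is not treated as an error.
    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(for: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// An expiring session token, per #4, stored as JSON in the keychain so the
// password itself never has to persist on the device.
struct SessionToken: Codable {
    let value: String
    let expiresAt: Date

    var isValid: Bool { return Date() < expiresAt }
}

extension KeychainStore {
    private static let tokenAccount = "session-token"

    func saveToken(_ token: SessionToken) throws {
        try save(JSONEncoder().encode(token), account: KeychainStore.tokenAccount)
    }

    /// Returns the token only while unexpired; an expired one is deleted so the
    /// app falls back to re-authenticating instead of reusing stale credentials.
    func validToken() throws -> SessionToken? {
        guard let data = try retrieve(account: KeychainStore.tokenAccount) else { return nil }
        let token = try JSONDecoder().decode(SessionToken.self, from: data)
        if token.isValid { return token }
        try delete(account: KeychainStore.tokenAccount)
        return nil
    }
}

// Usage (constructed placeholder token, not a real credential):
// let store = KeychainStore(service: "com.example.app")
// try store.saveToken(SessionToken(value: "placeholder-token",
//                                  expiresAt: Date().addingTimeInterval(3600)))
// let token = try store.validToken()   // non-nil for the next hour, then nil
```

The `save` path handles `errSecDuplicateItem` by updating in place rather than failing, which is the usual pitfall with a first attempt at a keychain wrapper; on logout, call `delete(account:)` so the token does not outlive the session.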