iOS Application Protection | Threats

Let's be honest:

Your app is vulnerable.

Apple’s security protections help a lot. But only if they’re configured correctly. Each oversight is another way for attackers to break in. Once they succeed, your intellectual property, user data, brand reputation, and competitive advantage are exposed.

COMMON MISTAKES EXPOSE YOUR APP IN iOS

Public Networks

The classic Man-in-the-Middle scheme.

Attackers use sniffers to passively intercept or actively modify data in transit between your app and your server. Even if you’ve configured TLS properly, an attacker can trick the user into approving a certificate other than yours.
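One standard answer to a user-approved rogue certificate is to pin the certificates your app expects, so that a chain iOS would otherwise accept is still rejected when it does not contain one of yours. The Swift delegate below is an added example written for this page; it is not code from MAST or from the original text. The host `api.example.com` and the hash placeholder are constructed, and the choice to pin by SHA-256 of the DER-encoded certificate is an assumption (pinning a public key is an equally valid variant).

```swift
import Foundation
import CryptoKit
import Security

/// Added example: rejects any TLS chain that does not contain a certificate we
/// pinned, even if the user has trusted an attacker's root on the device.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Lower-case hex SHA-256 digests of the DER encoding of certificates you issued.
    private let pinnedCertificateHashes: Set<String>

    init(pinnedCertificateHashes: Set<String>) {
        self.pinnedCertificateHashes = pinnedCertificateHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are our concern; everything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: let the system check expiry, hostname and the trusted-root chain.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(serverTrust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: collect the chain the server actually presented.
        let chain: [SecCertificate]
        if #available(iOS 15.0, *) {
            chain = (SecTrustCopyCertificateChain(serverTrust) as? [SecCertificate]) ?? []
        } else {
            chain = (0..<SecTrustGetCertificateCount(serverTrust)).compactMap {
                SecTrustGetCertificateAtIndex(serverTrust, $0)
            }
        }

        // Step 3: hash each DER certificate and require a match against the pin set.
        let presentedHashes = chain.map { certificate -> String in
            let der = SecCertificateCopyData(certificate) as Data
            return SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        }

        if presentedHashes.contains(where: pinnedCertificateHashes.contains) {
            completionHandler(.useCredential, URLCredential(trust: serverTrust))
        } else {
            // A chain iOS trusts but we did not issue is exactly the interception case above.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage. The host and the pin value are constructed placeholders for this example.
let delegate = PinnedSessionDelegate(pinnedCertificateHashes: ["<sha256-hex-of-your-der-certificate>"])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
session.dataTask(with: URL(string: "https://api.example.com/")!) { _, response, error in
    print(response as Any, error as Any)
}.resume()
```

Pin at least two hashes (the current certificate and its planned successor) so a routine certificate rotation does not lock users out, and keep the system evaluation in step 1: pinning replaces the trust decision about who issued the certificate, not the checks for expiry and hostname.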

Physical Access

When iPhones go missing.

There’s plenty of forensic acquisition software made for iOS. It’s meant for law enforcement, but if an attacker gets an iPhone loaded with your app, those tools will help them access your data.

Malicious Apps

Prey on sloppy programming.

Your app may leave data in places where malicious apps can find it. For example, iOS’s UI pasteboard is frequently used to transfer sensitive data. Malicious apps may be able to read your pasteboard, URL cache, keyboard cache, app background screenshots, logs, HTML5 data storage, cookie objects, analytics, or one-time tokens.

Desktop Security

Bigger, fatter targets than phones.

Whenever the iPhone connects to iTunes, a new backup is made. By default, these backups are not encrypted. If the user’s desktop gets malware (e.g. BackStab), your app’s data may be at risk.
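The leak paths listed under Malicious Apps and Desktop Security (pasteboard, URL cache, background screenshots, unencrypted backups) each have a small platform-level countermeasure. The Swift helpers below are an added example for this page, not code from MAST or the original text; the 60-second pasteboard expiry, the view tag and the file path are constructed values.

```swift
import UIKit

/// Added example: keeps secrets out of the places the threat list names.
enum LocalDataHygiene {
    /// Put a secret on the pasteboard without letting it sync to other devices
    /// (Universal Clipboard) and without letting it linger: local-only, expires in 60 s.
    static func copySecret(_ secret: String) {
        UIPasteboard.general.setItems(
            [["public.utf8-plain-text": secret]],
            options: [.localOnly: true,
                      .expirationDate: Date().addingTimeInterval(60)]   // constructed TTL
        )
    }

    /// Encrypt a file at rest with the device passcode (unreadable while locked) and
    /// exclude it from iTunes/iCloud backups, which are unencrypted by default.
    static func protectFile(at url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: url.path)
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        var mutableURL = url
        try mutableURL.setResourceValues(values)
    }

    /// Cover the window before iOS takes its background snapshot, and drop cached
    /// responses so tokens in HTTP bodies do not outlive the foreground session.
    static func installBackgroundHooks(for window: UIWindow) {
        let cover = UIView(frame: window.bounds)
        cover.backgroundColor = .systemBackground
        cover.tag = 0xC0FFEE   // constructed tag, only used to find the view again
        let center = NotificationCenter.default
        center.addObserver(forName: UIApplication.willResignActiveNotification,
                           object: nil, queue: .main) { _ in
            cover.frame = window.bounds
            window.addSubview(cover)
            URLCache.shared.removeAllCachedResponses()
        }
        center.addObserver(forName: UIApplication.didBecomeActiveNotification,
                           object: nil, queue: .main) { _ in
            window.viewWithTag(0xC0FFEE)?.removeFromSuperview()
        }
    }

    /// Disable keyboard caching for a field that takes secrets so typed values do
    /// not end up in the autocorrect/keyboard cache.
    static func hardenSecretField(_ field: UITextField) {
        field.isSecureTextEntry = true
        field.autocorrectionType = .no
        field.spellCheckingType = .no
    }
}

// Usage sketch (constructed path; call installBackgroundHooks from your app or scene delegate).
let tokenFile = FileManager.default.temporaryDirectory.appendingPathComponent("session-token")
try? "constructed-token-value".write(to: tokenFile, atomically: true, encoding: .utf8)
try? LocalDataHygiene.protectFile(at: tokenFile)
LocalDataHygiene.copySecret("one-time-code-123456")
```

For network traffic, pairing these with a `URLSessionConfiguration.ephemeral` session keeps cookies and cached responses in memory only, so they never reach the on-disk URL cache or a desktop backup in the first place.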

JAILBREAKS BYPASS iOS ENTIRELY

Even if you have Apple's security measures set properly, your app is still at risk. Attackers can disable iOS’s security mechanisms with exploit code called jailbreaks. Within days of a new jailbreak’s release, it will be adapted into an attack. Once they break down iOS’s protections, attackers can study your app’s code and data with reverse-engineering and runtime-tampering techniques. Most of these tools are backed by a dedicated community.

REVERSE ENGINEERING

Attackers study your app’s code when it isn’t running, then patch out security checks.

RUNTIME TAMPERING

Attackers learn how the app works by examining it while it’s running in a debugger.

THE END RESULT

Attackers harvest your app’s proprietary data.

FIGHT BACK

Your app has to make optimal use of iOS’s security model, and know when it’s in a vulnerable environment. If your team doesn’t have that expertise, or the months necessary to learn it, just use MAST.