The most important aspect of iOS app development isn’t the design, the features you add or even the user experience. The most indispensable part of iOS app development is, arguably, app security. Data theft is a major threat in today’s digital landscape, and if you don’t believe me, just check out what Mark Zuckerberg has been doing in Washington the last few days. The entire Cambridge Analytica fiasco has indeed opened a can of worms in the context of data theft and cybersecurity, and iOS developers need to tighten up their app security now more than ever.
So today, we are going to talk about the basic iOS security measures every developer needs to take to keep their app from being hit by cybercriminals and putting their users at risk. Apple takes security very seriously and hence provides several APIs that keep iOS applications shielded using a set of cryptographic hashing methods and the iOS Keychain. Let us get to know more about these security elements:
iOS Keychain is a specialized database for storing metadata and sensitive user information like encryption keys, passwords, certificates and other small pieces of data. Keychain has been recommended as the best way to store small chunks of critical data. Once an app requests access to a keychain, it can make sure that any other apps it does not trust cannot access the data stored in its keychain. You can create, add, delete and edit keychains. If you’ve so far been thinking that simpler solutions, like base64-encoding a user’s password in UserDefaults, are adequate to protect your app, you certainly need to reconsider. Hackers can easily break into that level of security and take away important information. When it comes to iOS app security, it is emphatically advisable to use the strongest iOS tools available to you.
Keychains, in addition to passwords, also store cryptographic keys, text strings and certificates. An entire keychain can be locked, making it impossible for anyone to unlock it without the master password. This ensures that only authorized apps can get access to the data stored therein, which in your case could be, only you. When a user signs in, they are asked for a keychain password, consequently unlocking the data stored in the keychain to be accessed by the user. To make this more convenient for the users, the keychain is unlocked as soon as the device is unlocked, which means that the user has access as long as he/she is there. To make things even more convenient, a single keychain is accessible to all apps in a logically distinct iCloud keychain. As soon as the user signs out, the keychain is cleared out, erasing all data that can be entered again or downloaded from a web server.
Although using the keychain in Swift could prove to be a slightly tedious task, as always, Apple does a bang-on job of making things conducive for its developers. You can avoid using low-level APIs and security frameworks written in C by using a Swift wrapper from Apple’s sample code GenericKeychain.
Now, while the keychain is a way to securely store sensitive data, you are by no means done with iOS security. Even when storing data in a keychain, you need to encrypt it really well. Storing passwords directly is simply never a good idea. Just in case an attacker managed to hack Apple’s keychain, he could find your passwords and other sensitive information lying bare right there. That is why you need to use a strong encryption method.
There are a few ways of doing this. Firstly, you could use Apple’s CommonCrypto framework. It provides low-level C support for encryption and decryption. However, CommonCrypto can be a little difficult to interact with, especially if you are working with Swift. It is, however, observed that despite the level of security and flexibility, keychains do add a layer of complexity for iOS developers. Alternatively, you could go for CryptoSwift, a popular and growing collection of standard and secure cryptographic algorithms implemented in Swift. CryptoSwift is open source and provides comprehensive support for most of your app security concerns.
A cryptographic hash is a one-way algorithm which takes all your data and transforms it into a fixed size output value. A really good hash function is supposed to be impossible to reconstruct or invert. It must also be unique, making sure that no other input value could produce the same output.
In Swift, there exists a protocol called Hashable, which requires that every element that is compliant with Hashable must have a hashValue. This hashValue is an integer that is the same
SHA-1 is the most commonly used hash function. It is an algorithm developed by the US Government. SHA-1 produces a 160-bit hash from any data up to 2**64 bits long. Alternatively, you may also use SHA-2, MD5 or elliptic-curve-based algorithms among others.
Salting is the other part of hashing; it makes your data even more unreadable, even if a hacker does manage to breach it. Salt is random data that is added to your data, thus hashing it into undecipherable alphabet soup for anyone who doesn’t have the key. Using a salt hence increases the complexity of the hash, making a hacker’s job even more difficult.
There are a ton of other security practices to keep your iOS app development in sync with the latest security protocols, but keychain and hashing may very well be called the basic touchstone of iOS security. This article serves as a starting point for drawing your attention towards iOS app security. With the amount of information we share about ourselves on the internet today, especially in apps, developers have a mammoth task on their code-wielding hands. Thankfully, there are some fantastic tools, algorithms, APIs and libraries in place that will help you do your job well. Now is a great time to be an iOS developer and I hope you enjoy every minute of it, and never miss a beat on keeping your apps secured.
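Salting in practice, as an added example that is not from the original article: instead of a single SHA pass it uses PBKDF2-HMAC-SHA256 from CommonCrypto, which is an iterated salted hash. The function names, the sample password and the iteration count are assumptions made for this example.

```swift
import CommonCrypto
import Foundation
import Security

// Fresh random salt per password, drawn from the system CSPRNG.
func makeSalt(length: Int = 16) -> Data? {
    var bytes = [UInt8](repeating: 0, count: length)
    let status = SecRandomCopyBytes(kSecRandomDefault, length, &bytes)
    return status == errSecSuccess ? Data(bytes) : nil
}

// Salted, iterated hash. `rounds` is an assumed work factor; tune it per device.
func saltedHash(of password: String, salt: Data, rounds: UInt32 = 100_000) -> Data? {
    let saltBytes = [UInt8](salt)
    var derived = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2),
        password, password.utf8.count,
        saltBytes, saltBytes.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
        rounds,
        &derived, derived.count)
    return status == Int32(kCCSuccess) ? Data(derived) : nil
}

// Compare every byte so timing does not reveal how much of the hash matched.
func constantTimeEquals(_ a: Data, _ b: Data) -> Bool {
    guard a.count == b.count else { return false }
    var diff: UInt8 = 0
    for (x, y) in zip(a, b) { diff |= x ^ y }
    return diff == 0
}

// Recompute with the stored salt and compare against the stored hash.
func verify(_ candidate: String, salt: Data, expected: Data) -> Bool {
    guard let hash = saltedHash(of: candidate, salt: salt) else { return false }
    return constantTimeEquals(hash, expected)
}

// Constructed sample input: the same password hashed under two different salts.
if let saltA = makeSalt(), let saltB = makeSalt(),
   let hashA = saltedHash(of: "correct horse", salt: saltA),
   let hashB = saltedHash(of: "correct horse", salt: saltB) {
    print("same password, different salts, equal hashes:", hashA == hashB)
    print("right password verifies:", verify("correct horse", salt: saltA, expected: hashA))
    print("wrong password verifies:", verify("wrong horse", salt: saltA, expected: hashA))
}
```

The salt is not secret; store it next to the hash so the same derivation can be repeated at login.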
So what are your biggest iOS app security concerns? Which is your favorite hashing algorithm? Do let us know in the comments section.