To understand how to approach iOS mobile app security testing it helps to know the security features that iOS brings to the table and how it is different to Android.
Sandboxing is a security technique that keeps programs in isolation, IOS applies a sandbox to all third party iOS applications. When it comes to iOS mobile app security testing it is important to note that all apps and their resource are contained and run in a unique directory. This stops apps from accessing other applications, their data, or accessing system files and other resources. iOS permissions use classes to interface with device hardware that apps need without the app accessing components directly.
Address space layout randomisation (ASLR)
ASLR is form of data security that randomises data on the RAM to stop exploits. Introduced in iOS 4.3, it provides random stack and heap allocations and page load every time a process starts, and randomises the address where objects are placed. iOS apps use either full or partial ASLR depending on whether it’s compiled as a position independent executable. In the context of iOS mobile app security testing this makes it more difficult for an attacker to predict target addresses.
Code signing is a way to identify the origin of software with all iOS apps signed by a trusted certificate, either by Apple or with a certificate issued by Apple. Apple continues to perform runtime checks to make sure that an app hasn’t had unsigned code injected into it.
This is a key for iOS mobile app security testing, the data encryption is so powerful that, as we saw, the FBI had to get outside help to break it. On iOS data is encrypted at rest using hardware based keys, when the device is unlocked the data is decrypted. The encryption of individual files and keychain items uses the data protection API key derived from the device passcode. When the device is locked the encrypted files are inaccessible unless cached in the memory.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.