iOS/Android Developer Security Basics
5 (4)

Click to rate this post!
[Total: 4 Average: 5]

I couldn’t find a single place that covers the mobile developer security (must know) basics, this will be again like a chat between two developers (Lulu πŸ‘©πŸΌβ€πŸ’») and (Sam πŸ¦–)

πŸ‘©πŸΌβ€πŸ’»: What are the risks of not having good security precautions? I can see we spend big money on security.
πŸ¦–: There are over 500 reported incidents of data-breach each year, It’s estimated that each incident costs 3.5M~5.0M USD on average.
If you look at statistics, you can see that remote jobs increased these costs by 15%, since attackers would have more opportunities of attacking a target that is spread on different locations.

πŸ‘©πŸΌβ€πŸ’»: When people talk about security, the server is being presented as the main defense line, why would a mobile developer be concerned with security if the server/website is secure?
πŸ¦–: Even if a website is securely developed and maintained, mobile apps still need to implement security best practices, while the server plays an important role, the client-side code in a mobile app can potentially expose users to risks if not developed securely, if the client is poorly written, you should expect a lot of attacks on the server.

Mobile apps have direct access to users’ sensitive data like location, contacts, files etc. on their devices, if an app is compromised, it could leak private user information, unlike browsers, mobile apps run locally on devices without the same protections of a browser sandbox, so vulnerabilities in app code could allow malicious actors to directly attack the device.

Many mobile attacks happen by exploiting vulnerabilities in how apps download and execute code. Developers need to ensure app updates and payloads come from verified, untampered sources.

As users spend more time in apps than browsers, mobile presents a larger attack surface. Security needs to be a priority throughout the development and deployment process on both frontend and backend.

πŸ‘©πŸΌβ€πŸ’»: But you are an iOS developer, and I develop for Android, would your tips and hints be applicable to Android too? oh, I almost forgot that both are based on Linux.
πŸ¦–: wait, they are not both based on Linux, iOS is aΒ Unix-like Operating SystemΒ which isΒ based on Darwin(BSD)Β operating system, while Android is Linux-based Operating SystemΒ and is an open source mobile operating system, there are a lot of precautions that are applicable on both OSs.

πŸ‘©πŸΌβ€πŸ’»: I was asking myself in the past, why not rely on HTTPS and that’s it?
πŸ¦–: HTTPS protects your data in transit between your client application to the server, but only if you can validate the TLS certificate has not been compromised.

πŸ‘©πŸΌβ€πŸ’»: What are the mobile weak points? what can be hacked?
πŸ¦–: Network , Disk, USB Port, etc…

πŸ‘©πŸΌβ€πŸ’»: That looks like a lot of terminology, can you explain the basics?
πŸ¦–: You will be good to go if you know these as a start.

TermBasic Explanation.
Authentication establish a user’s identity
Authorizationgrant a user an access to a resource, look up the difference between Authorization and Authentication
Cryptographythe study of concepts like Encryption, decryption.
Encryptionmeans of securing digital data using one or more mathematical techniques, along with a password or “key” used to decrypt the information
Decryptionthe conversion of encrypted data to its original form.
Hashinga hash function is any function that can be used to map data of arbitrary size to fixed-size values, used mainly for fingerprinting.
Forensicsa branch of digital forensic science pertaining to evidence found in computers and digital storage media.
Sniffingprocess of monitoring and capturing all data packets passing through given network
HTTPSHypertext Transfer Protocol Secure, a web protocol
SSLSecure Sockets Layer
TLSTransport Layer Security (TLS)
IP SpoofingIP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender
Reverse Engineeringis a process in which software, machines, aircraft, architectural structures and other products are deconstructed to extract design information from them.
MITMMan in the middle, it’s a type of a cyber attack where they secretly relay and possibly alter the data between two parties.
XSSCross Site Scripting (XSS)
SQL Injection:Read About it here.
OWASPOpen Web Application Security Project (OWASP)
MASVSMobile Application Security Verification Standard, it’s a sister project of OWASP Mobile Security testing guide.
Binarya non-text encoded file
Mach-O binaryUnder NeXTSTEP, OPENSTEP, macOS, and iOS, multiple Mach-O files can be combined in a multi-architecture binary
Basic Terminology

πŸ‘©πŸΌβ€πŸ’»: Why would people with a jailbroken device be a threat on the app itself, a jailbreak only make the user hackable, right?
πŸ¦–: No, The best practice, is to prevent people with Jailbroken devices from running your app, see my x04_checker repo, iOS Developers can use it to prevent jailbroken devices from running their applications.

Jailbreaking is the process of exploiting the flaws of a locked-down electronic device to install software other than what the manufacturer has made available for that device. It allows the owner to gain full access to the root of the operating system and access all the features, you must know that 100% jailbreak detection is not possible, we need to make (bypassing jailbreak detection) time-consuming, because an attacker can steal the developer info, and thus steal the app info.

Say a banking app has insufficient security on a jailbroken phone that is compromised, it could result in costly consequences for the banking app operator. For instance, if a user’s money is stolen due to their mobile banking app being hacked as a result of the jailbroken phone, the bank may need to reimburse the user even though it was not necessarily the bank’s fault.

This is because banks often guarantee protection of users’ money from theft, so a breach of security on the mobile app that enables theft could trigger the bank’s reimbursement responsibilities regardless of the root cause being the jailbroken phone.

Similarly, social media or other apps with user accounts could face defamation lawsuits if inadequate security on a compromised mobile app allows hackers to use a user’s account without their consent due to the jailbroken phone.

In such scenarios, the app operator may have to bear costs due to reputational or legal risks, despite the primary vulnerability being the jailbroken phone.

πŸ‘©πŸΌβ€πŸ’»: They say debugging and print statements can be a security vulnerability, is this true?
πŸ¦–: Print normally only works on development builds, print will still send the data to the usb interface.

As you mentioned print, It’s a heavy command though, even if your debugging device is not connected in debug mode with Xcode, leaving print statement of heavy objects might make your app slower during development, but anyway, this is not our topic.

Keep in mind, NSLog will be left even in Distribution builds, any normal user can see the logs using the macOS console app, I used them when debugging opening the app using a notification when it’s terminated, this is not easy to do in Xcode directly, anyway, just use NSLog carefully, and treat the error log files with care, don’t log sensitive data, or leave trace of code symbols.

With regards to logging on mobile apps, a common security concern is the potential leakage of personally identifiable information (PII) about users. Sensitive data like users’ names, financial account details, physical locations and other personal information could inadvertently be written to log files if not properly scrubbed or encrypted.

This exposes the risk of PII being accessed and misused by unauthorized parties who gain access to the device’s logs. Such access could occur either after the fact if the device is stolen, or even in real-time if a hacker manages to achieve remote access. Proper handling of logging is important to prevent such PII leaks that can negatively impact users’ privacy and security.

πŸ‘©πŸΌβ€πŸ’»: What about certificate pinning?
πŸ¦–: Certificate pinning simply prevents people from having the victim installing an incorrect certificate and making altered requests.

When implementing TLS pinning, bundling the certificate within the mobile app may not be the most suitable approach on its own. While including a default certificate is reasonable, the app should also incorporate the ability to dynamically update the pinned certificate if the server’s certificate expires or needs revocation. Any bundled certificate would also need to be encrypted in a way that prevents attackers from simply replacing the file on the device.

This is to ensure the certificate can be refreshed securely over time, while an attacker cannot tamper with the pinned certificate to circumvent TLS validation. A more robust TLS pinning implementation would account for eventual certificate changes on the server through a secure update mechanism within the app.

πŸ‘©πŸΌβ€πŸ’»: What about sensitive static strings?
πŸ¦–: Never have your sensitive strings inside plist or any asset file, this is the most basic tip you should never miss.
πŸ‘©πŸΌβ€πŸ’»: Wait Sam, I downloaded a facebook apk online, and ran a simple command to scan the binary for strings that look similar to google api keys, that begin with AIz, and I can see this, any explanation why this is not hidden in the binary?

Β strings targetFile | grep "targetString"

using the strings command on macos

πŸ¦–: There are multiple ways google makes sure that a request is authentic, from comparing hashes, to domain binding to bundle ids etc… again, you need to have your sensitive data hidden, this is not an excuse.

πŸ‘©πŸΌβ€πŸ’»: Why is it said to be risky to use 3rd party libraries when developing sensitive apps like banks?
πŸ‘¨πŸ»β€πŸ’»: In normal cases, libraries are fine, just make sure that they are being audited, NPM libraries had a lot of these, for sensitive apps, it’s better to avoid them altogether.

πŸ‘©πŸΌβ€πŸ’»: If I follow all of these tips, I will be completely secure?
πŸ¦–: The sad news is, No, there are a lot of other attacks, like URL-scheme attacks, when you define a url scheme, your app responds to that scheme, so for instance, you create a scheme myapp://. all links starting with your scheme will directly launch your app. A universal link doesn’t include your scheme in the url but they will still launch your application, apple allows other apps to the register the same url.
πŸ‘©πŸΌβ€πŸ’»: the alternative is universal links?
πŸ¦–: correct!

πŸ‘©πŸΌβ€πŸ’»: That was a huge amount of info for a starter, any final thoughts?
πŸ¦–: 100% Security for any Application is not possible but we can try to make the attacking/cracking of iOS App as much harder as possible.

Security is not always about “make accessing the data impossible”. sometimes it is about cost and likelihood of retrieval versus importance of the data.

More tips on top of my head:

  • Avoid Objective-C if possible, it’s very easy to reverse engineer.
  • Don’t write sensitive data into logs.
  • Disable Keyboard caching (3rd party keyboard)
  • Password/Pin should not be exposed during user interaction – Don’t include sensitive data in backup.
  • User Credentials should be stored in (keystore, keychain…).
  • App Transport Security – Certificate Pinning.
  • Integrity Check.
  • Prevent Running on rooted devices.
  • Detect JailBreak, (Jail Monkey library).
  • Use WebView carefully.
  • Securing Data on disk.
  • Securing Data across a network connection.
  • Secure application logic.
  • prevent Reverse Engineering (even if there is no sensitive data, if your app is novel, you don’t want people to see the code)
  • Don’t share sensitive data with 3rd party
  • Avoid keywords like (β€œjail”,”security”,”cydia”,”apt”) in variable & function names
  • Hide the JB check deep in the app, not in appdelegate…
  • Some Jailbreaks are permanent, and are done by exploiting security flaws in hardware.

GPS Hardware basics for mobile developers.
4.7 (3)

Click to rate this post!
[Total: 3 Average: 4.7]

Mobile software engineers (iOS and Android), are normally not familiar with how GPS works, instead of just getting Lat/Lon readings, and doing geo operations with it, why not become familiar with how GPS works? πŸ€“

This will not be a lengthy article, it will be a chat between an iOS developer (Alex πŸ‘¨πŸ»β€πŸ’») and an electrical engineer (Sarah πŸ‘©πŸΌβ€πŸ’»).

πŸ‘¨πŸ»β€πŸ’»: So what does GPS stand for?
πŸ‘©πŸΌβ€πŸ’»: It stands for (Global Positioning System).

πŸ‘¨πŸ»β€πŸ’»: Who created it? and what for?
πŸ‘©πŸΌβ€πŸ’»: The GPS project was launched in the USA back in 1973 due to limitations of old navigation systems.

πŸ‘¨πŸ»β€πŸ’»: I know it works without internet, but do I need cellular service to use GPS?
πŸ‘©πŸΌβ€πŸ’»: No.

πŸ‘¨πŸ»β€πŸ’»: How come it works without internet or cellular service?
πŸ‘©πŸΌβ€πŸ’»: You get readings from satellites, there are about 24 artificial satellites in 6 orbits.

πŸ‘¨πŸ»β€πŸ’»: So a mobile needs to connect to all of these?
πŸ‘©πŸΌβ€πŸ’»: Of course not, when you are stationary, you need to be exposed to 3 of them, when you are moving, you will need to be exposed to 4.

GPS Satellites animation (Wikipedia)

πŸ‘¨πŸ»β€πŸ’»: So how come it identifies me? and send me data?
πŸ‘©πŸΌβ€πŸ’»: The Satellites don’t identify you, they only emit synchronous pulses all the time everywhere.

πŸ‘¨πŸ»β€πŸ’»: And how does my mobile give me back the (latitude, longitude, and altitude)?
πŸ‘©πŸΌβ€πŸ’»: It compares the receive time of these pulses from each satellite, and use calculations to determine a point on earth, since the distance between these satellites is constant, and they have atomic clocks, the calculations will not be difficult.

πŸ‘¨πŸ»β€πŸ’»: The service is totally free, and I don’t have any subscription for GPS, how?
πŸ‘©πŸΌβ€πŸ’»: GPS is not the only service for (Global Navigation Satellite Systems), there are many like (GLONASS, BeiDou, Galileo…), there are other commercial solutions that I don’t know much about, there are a lot of details, I heard retail GPS receivers are designed to not work if the tracked object is moving fastly, you get the idea 🧐?
πŸ‘¨πŸ»β€πŸ’»: ah! yes.

BeiDou doesn’t have full earth coverage.

πŸ‘¨πŸ»β€πŸ’»: What is the error margin?
πŸ‘©πŸΌβ€πŸ’»: It’s variable, but you can say between 15 to 50 meters, some commercial systems use other inertial systems to give more accurate estimations.

πŸ‘¨πŸ»β€πŸ’»: What is the minimum detectable value?
πŸ‘©πŸΌβ€πŸ’»: You mean the resolution? theoretically, as far as I know, it’s one inch, but practically it’s about 3 meters.

πŸ‘¨πŸ»β€πŸ’»: I once tried to use the GPS inside a big hospital, it didn’t serve any purpose, the readings were not accurate.
πŸ‘©πŸΌβ€πŸ’»: GPS does not work indoors.
πŸ‘¨πŸ»β€πŸ’»: But I saw some readings on my maps application.
πŸ‘©πŸΌβ€πŸ’»: it’s the last point that was read, some devices like Huawei also augment (Accel/Gyro) sensor data, to mimic a basic INS to give your readings inside buildings, but it’s not reliable.

πŸ‘¨πŸ»β€πŸ’»: And what is used for indoor navigation systems?
πŸ‘©πŸΌβ€πŸ’»: They use beacons and Bluetooth and other technologies, read about apple air tags!

πŸ‘¨πŸ»β€πŸ’»: You mentioned sensors, why can’t we use the basic sensors like accelerometer/gyroscope of the mobile to calculate the position?
πŸ‘©πŸΌβ€πŸ’»: when you “integrate” the acceleration twice, the error will explode fastly, and it will become useless in a short time of movement, even if this works, this will not give you an absolute position, and you have to deal with drifting and gimbal lock and a lot of complexities.

πŸ‘¨πŸ»β€πŸ’»: That was a lot of information, thank you.
πŸ‘©πŸΌβ€πŸ’»: Welcome!, see you soon.

Swift (Set Data-Structure) Basics, With Practical Example : Pizza Cooking
5 (1)

Click to rate this post!
[Total: 1 Average: 5]

Swift provides three main collection types, Arrays, Sets, and Dictionaries..

A set is a collection of unique and unordered data, simply, the data elements has no order. and it’s guaranteed to have non-duplicate values.

You use a set instead of an array when you need to test efficiently for membership and you aren’t concerned with the order of the elements in the collection, or when you need to ensure that each element appears only once in a collection.

Swift Source Code.

Asking about the importance of sets is like asking about the importance of the alphabet, set theory is the basic to so much math, any practical application of anything in math is normally an application of set theory.

a Venn diagram, showing the intersection of two sets (Wikipedia)

The basic operations on sets are Union, Intersection, Difference, isSubset, isSuperset.. but swift provide a lot of functions, you can perform set operations with another set, an array, or any other sequence type 🧐, you can use higher order functions like map and filter… etc.

func filter
func isSubset
func isSuperset
func isDisjoint
func subtracting
func isStrictSuperset
func isStrictSubset
func intersection
func map<T>
func dropFirst
func dropLast
func drop
func prefix
func suffix
func split
func firstIndex
func shuffled<T>
func shuffled
func flatMap<ElementOfResult>
func forEach
func first
func withContiguousStorageIfAvailable<R>
func enumerated
func min
func max
func starts<PossiblePrefix>
func elementsEqual<OtherSequence>
func lexicographicallyPrecedes<OtherSequence>
func contains
func allSatisfy
func reduce<Result>
func reversed
func flatMap<SegmentOfResult>
func compactMap<ElementOfResult>
func sorted
func index
func formIndex
func distance
func randomElement<T>
func randomElement
func makeIterator
func isSubset<S>
func isStrictSubset<S>
func isSuperset<S>
func isStrictSuperset<S>
func isDisjoint<S>
func union<S>
func subtracting<S>
func intersection<S>
func symmetricDifference<S>
func hash
func joined
func joined<Separator>
func encode
func mapValues<T>
func compactMapValues<T>
func merging<S>
func merging

let’s start with a simple example

// Data
var myKitchenItemsSet: Set = ["Mozzarella","Mushrooms","Pineapples","Tomatoes","Mushrooms","Garlic"]
let shoppingListItemsSet: Set = ["Olives", "Tomatoes","Sourdough"]
let pizzaIngredientsSet: Set = ["Sourdough","Mozzarella","Mushrooms","Tomatoes","Olives"]

// the order of union operator is not important, even union1 and union2 show up differnlt when printing!
let union1 = myKitchenItemsSet.union(shoppingListItemsSet)
let union2 = shoppingListItemsSet.union(myKitchenItemsSet)

// union1 and union2 show up differently when printed, but keep in mind that they are equal

print("areUnionsEqual",(union1 == union2))

let itemsNeeded = shoppingListItemsSet.subtracting(myKitchenItemsSet)
print("What I need to buy:",itemsNeeded)

// Buy the needed elements

let canMakePizza = pizzaIngredientsSet.isSubset(of: myKitchenItemsSet)

Defining a set is straightforward, you can explicitly define the type to be a Set, notice how you can’t have multiple types directly, you can’t mix integers with strings for example, in the example the type was inferred though.

Next we created two unions to proof that the order of the union has no value, it’s like addition, even though the union sets get printed with random order in the terminal.

Then we used Subtraction to look up the items that we need to have on the shopping list, in other words, remove items already in the kitchen even if they are in the pizza recipe.

We can add the items needed into my kitchen items, notice that how duplicate items are ignored, lastly we check if the kitchen items “has” all the items in the pizza recipe.

Say you want to make a pizza for Justin Bieber?

var pizzaIngredientsForJustinSet: Set = ["Sourdough","Mozzarella","Tomatoes","Olives","Amanita phalloides"]

print("can I make Pizza for the Justin?",pizzaIngredientsForJustinSet.isSubset(of: myKitchenItemsSet))

myKitchenItemsSet.insert("Rotten Mushrooms")
myKitchenItemsSet.insert("Amanita phalloides")

print("can I make Pizza for the Justin Bieber?",pizzaIngredientsForJustinSet.isSubset(of: myKitchenItemsSet))

Yes, this will not work until you add “Amanita phalloides” πŸ‘

Bridging between Set and NSSet

You can bridge between Set and NSSet using the as operator, For bridging to be possible, the Element type of a set must be a class, or a type that bridges to a Foundation type.

Swift Source Code.


Sets are in general faster to process, but due to their restriction of non-repeated values, and having no order, they are not often used.