new report from Forrester focuses on the topic of building secure applications for the iPhone and iPad. Given iOS's popularity among enterprise and consumers alike, it's important for developers to understand the best practices for ensuring that mobile apps handle sensitive data appropriately. This is especially true when building apps for the financial sector.A
But the finance and payments industry aren't the only ones who can benefit from a better understanding of security management - anyone building an app that handles customers' private data should be aware of iOS's data protection features and guidelines.
More Security with iOS 4
Report author Chenxi Wang notes that Apple introduced a number of stronger data protection features with the launch of iOS 4, including support for complex, alphanumeric passwords, password-based encryption to improve file protection and file-level encryption to eliminate the flaws of full disk encryption.
What this means is that the iPhone or iPad is that even if a criminal gains physical access to the device, data remains encrypted even if the password isn't present. It also means that someone can't take a disk image and perform a brute-force attack on the password, since the device key is only available in the device's hardware. This transforms brute-force attacks into online attacks only, Wang says, which are easier to handle.
Four Essential Tasks to Protect Data in Apps
According to the report, there are four main steps that developers must take in order to ensure the protection of data in your apps.
- Perform a Security Assessment of the Application Architecture: The assessment should be performed by the security team before the application development team begins to implement the architecture design. Questions could include things like "Is it necessary to store user credentials on this device?" or "What authentication protocol should we implement on top of JSON/REST?" This is not a practice that just applies to mobile applications, Wang reminds us.
- Declare the right protection class for the data: Choose "ProtectionComplete" if iOS should always encrypt the file and only decrypt it when the user enter their password. Choose "ProtectionNone" if the file protection is not tied to the password and become available as soon as the device is booted up. This latter option is how iOS 3 works.
- Put Credentials on the Keychain: The keychain is a specially protected object that has three protection classes available: "AvailableWhenUnlocked," "AvailableAfterFirstUnlock" and "AvailableAlways." For credentials needed in background tasks, "AvailableAlways" should be used. "AvailableWhenUnlocked" is like the above "ProtectionComplete," but for file system objects. "AvailableAfterFirstUnlock" keeps data encrypted after boot up until the user enters their password.
- Purge Data Properly: Data needs to be properly removed from local memory and properly handle data-unreachable exceptions when the device is locked.
The report also lists several best practices for programmers building iOS apps in general. These include ensuring users enable password-based entry, determining what data the app processes and how, deciding whether to store credentials (only if absolutely necessary, Wang recommends), determining the authentication component for the app, using the strongest data protection class and not accessing private phone data like the phone number, IMEI number and ICCD without permission.
More details about these steps and more can be found in the full report, available here.