Home How to Build Secure iOS Apps

How to Build Secure iOS Apps

A new report from Forrester focuses on the topic of building secure applications for the iPhone and iPad. Given iOS’s popularity among enterprise and consumers alike, it’s important for developers to understand the best practices for ensuring that mobile apps handle sensitive data appropriately. This is especially true when building apps for the financial sector.

But the finance and payments industry aren’t the only ones who can benefit from a better understanding of security management – anyone building an app that handles customers’ private data should be aware of iOS’s data protection features and guidelines.

More Security with iOS 4

Report author Chenxi Wang notes that Apple introduced a number of stronger data protection features with the launch of iOS 4, including support for complex, alphanumeric passwords, password-based encryption to improve file protection and file-level encryption to eliminate the flaws of full disk encryption.

What this means is that the iPhone or iPad is that even if a criminal gains physical access to the device, data remains encrypted even if the password isn’t present. It also means that someone can’t take a disk image and perform a brute-force attack on the password, since the device key is only available in the device’s hardware. This transforms brute-force attacks into online attacks only, Wang says, which are easier to handle.

Four Essential Tasks to Protect Data in Apps

According to the report, there are four main steps that developers must take in order to ensure the protection of data in your apps.

  1. Perform a Security Assessment of the Application Architecture: The assessment should be performed by the security team before the application development team begins to implement the architecture design. Questions could include things like “Is it necessary to store user credentials on this device?” or “What authentication protocol should we implement on top of JSON/REST?” This is not a practice that just applies to mobile applications, Wang reminds us.
  2. Declare the right protection class for the data: Choose “ProtectionComplete” if iOS should always encrypt the file and only decrypt it when the user enter their password. Choose “ProtectionNone” if the file protection is not tied to the password and become available as soon as the device is booted up. This latter option is how iOS 3 works.
  3. Put Credentials on the Keychain: The keychain is a specially protected object that has three protection classes available: “AvailableWhenUnlocked,” “AvailableAfterFirstUnlock” and “AvailableAlways.” For credentials needed in background tasks, “AvailableAlways” should be used. “AvailableWhenUnlocked” is like the above “ProtectionComplete,” but for file system objects. “AvailableAfterFirstUnlock” keeps data encrypted after boot up until the user enters their password.
  4. Purge Data Properly: Data needs to be properly removed from local memory and properly handle data-unreachable exceptions when the device is locked.

The report also lists several best practices for programmers building iOS apps in general. These include ensuring users enable password-based entry, determining what data the app processes and how, deciding whether to store credentials (only if absolutely necessary, Wang recommends), determining the authentication component for the app, using the strongest data protection class and not accessing private phone data like the phone number, IMEI number and ICCD without permission.

More details about these steps and more can be found in the full report, available here.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.