What are the key points to avoid security risks in iOS development?

2025-03-29 Update From: SLTechnology News&Howtos

This article covers the key points for avoiding security risks in iOS development: network traffic, logging, storage of sensitive information, and app hardening.

I. Network aspects

Packet capture tools can capture the data a phone exchanges with its API endpoints. Take Charles as an example: it can read all plaintext HTTP data, and once its certificate is configured it can act as a man in the middle and read HTTPS data in plaintext as well.

1.1 Man-in-the-middle attacks

Here is a brief description of a man-in-the-middle attack:

① The client sends "I am the client, give me your public key" to the server, but the message is intercepted by the middleman. So what actually happens is:

Client -> Middleman

② The middleman then forwards the message to the server:

Middleman -> Server

③ The server sends a message containing its public key to the client, but it is intercepted by the middleman:

Server -[server's public key]-> Middleman

④ The middleman replaces the server's public key with his own and sends it to the client, claiming it is the server's public key:

Middleman -[middleman's public key]-> Client

⑤ The client encrypts with the public key it received, which is actually the middleman's. The middleman can therefore decrypt with his own private key to obtain the original data, then encrypt the original data (or a modified version of it) with the server's public key and send it to the server.

In this way, the middleman can read the communication of both parties and can inject forged data.

1.2 How to prevent man-in-the-middle attacks?

The following measures help prevent it:

1.2.1 SSL Pinning

The principle of SSL pinning is to store the server's public key or certificate in the client. The client then verifies that the certificate returned by the server matches the copy it holds, which defeats a middleman who substitutes his own certificate.

SSL pinning is relatively simple to implement: add the CA certificate to the project and use the Security framework to implement pinning on NSURLSession. If AFNetworking is used, the code is simpler.
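A minimal AFNetworking setup for the pinning described above, as an added example rather than the article's original code. The helper name PinnedSessionManager and the choice to bundle the server's .cer files with the app are assumptions of this example.

```objective-c
#import <AFNetworking/AFNetworking.h>

// Builds a session manager that only accepts servers whose certificate chain
// contains a public key matching one of the .cer files shipped in the app.
// baseURL must use https: AFNetworking refuses a pinning policy otherwise.
static AFHTTPSessionManager *PinnedSessionManager(NSURL *baseURL) {
    // Loads every DER-encoded .cer file found in the main bundle.
    NSSet<NSData *> *pinned =
        [AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]];
    if (pinned.count == 0) {
        // Fail closed: shipping without pins is a packaging error, and
        // falling back to default trust would silently disable pinning.
        return nil;
    }

    // AFSSLPinningModePublicKey compares public keys only, so a certificate
    // renewed with the same key pair keeps working.
    // AFSSLPinningModeCertificate compares the whole certificate instead.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey
                         withPinnedCertificates:pinned];
    policy.allowInvalidCertificates = NO;  // keep normal chain validation
    policy.validatesDomainName = YES;      // host name must still match

    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = policy;
    return manager;
}
```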

With pinning in place, Charles reports an error when it tries to capture the traffic.

Certificate verification can be done by verifying only the public key (AFSSLPinningModePublicKey) or by fully verifying the certificate (AFSSLPinningModeCertificate).

However, SSL pinning has a serious drawback: if there is a problem with the certificate, it can only be fixed by releasing a new version of the app. Until the new version is approved, all of the app's network communication fails.

For example, Symantec certificates are not trusted by Google and iOS 12. An app with such a certificate built in must be re-released.

1.2.2 Encryption of interface content

Many apps only encrypt and verify the request parameters, while the data returned by the API is plaintext. If you do not use SSL pinning to prevent man-in-the-middle attacks, you can also encrypt the data the API returns, so that a packet capture tool still cannot read it after capturing the traffic.

WeChat is an example: its interfaces use the HTTP protocol, but the content is all encrypted.

Symmetric encryption is the common choice today because it is relatively fast. If the app's data is particularly important, asymmetric encryption is still needed; it is more secure but slower.

II. Logging

2.1 Swift logging

In Swift, logs can be written with print or with NSLog. Try not to use NSLog, because anything written with NSLog appears in the system log, which can be viewed through PP Assistant, iTools, or Xcode's Devices and Simulators window.

Logs written with print do not appear in the system log.

2.2 Objective-C logging

Do not output NSLog logs in release builds. The usual solution is a macro definition, as follows:
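One common form of such a macro, as an added example rather than the article's original code. The macro name APPLog and the sample function are hypothetical, and the example assumes the DEBUG preprocessor symbol is defined only in the Debug build configuration.

```objective-c
#import <Foundation/Foundation.h>

#ifdef DEBUG
// Debug builds: forward to NSLog, prefixed with the calling function and line.
#define APPLog(fmt, ...) \
    NSLog((@"%s [line %d] " fmt), __PRETTY_FUNCTION__, __LINE__, ##__VA_ARGS__)
#else
// Release builds: the macro expands to an empty statement. Nothing reaches the
// system log, the arguments are never evaluated, and the format strings are
// not compiled into the binary.
#define APPLog(...) do {} while (0)
#endif

// Hypothetical call site: logs in Debug, compiles to nothing in Release.
static void LoginDidFinish(NSString *userID) {
    APPLog(@"login finished for user %@", userID);
}
```

Because the release form discards its arguments, a call site must not rely on side effects inside an APPLog(...) argument.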

III. Storage of information

3.1 Keys

Most programmers prefer to put keys directly into macros or constants.

#define AES_KEY @"aaa123"

A constant like this is easy to recover by decompiling, so it offers little protection. The following methods can be used to enhance security and make the key harder to recover.

The first is to define the encrypted form of key A as macro B, and decrypt B to obtain key A at the point of use. The key used to encrypt A is C.

If the macros are defined as strings, they are placed in the data segment as they are, where an attacker can easily find them. It is safer to define C and B as uint8_t[] arrays, so that each character is placed in a separate instruction in the text section and the string only comes into existence when those instructions execute.
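A sketch of the A/B/C arrangement described above, as an added example that is not the article's code. The function name AESKeyData and the byte values are constructed for illustration, and XOR stands in for the cipher, which the article does not name.

```objective-c
#import <Foundation/Foundation.h>

// Rebuilds key A at the point of use from the masked bytes B and the mask C.
// Constructed values: A is the article's sample key "aaa123".
static NSData *AESKeyData(void) {
    // Local (non-static) arrays: compilers usually fill small ones with
    // immediate stores rather than copying a readable literal. This depends
    // on the compiler and optimization level, so confirm it in the built
    // binary with a disassembler before relying on it.
    const uint8_t c[] = {0x5A, 0x13, 0xC7, 0x2E, 0x91, 0x64};  // C: mask
    const uint8_t b[] = {0x3B, 0x72, 0xA6, 0x1F, 0xA3, 0x57};  // B = A ^ C

    uint8_t a[sizeof(b)];
    for (size_t i = 0; i < sizeof(b); i++) {
        a[i] = b[i] ^ c[i];  // 0x3B ^ 0x5A = 0x61 ('a'), and so on
    }
    // The plaintext key exists only from here on, inside the returned object.
    return [NSData dataWithBytes:a length:sizeof(a)];
}
```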

The second is to take a long piece of text and extract the key from it according to a rule, so that the key is random.

Define the same long text on the server and in the client. The app randomly generates a starting position and a length, combines the two by bit-shifting into a single number, Base64-encodes that number, and sends the resulting string to the server. The server can derive the corresponding key from this string.

The code is as follows:
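One way to implement this scheme, as an added example rather than the article's original code. The shared text, the function names and the packing layout (start << 8) | length are assumptions of this example.

```objective-c
#import <Foundation/Foundation.h>

// Constructed sample text; a real one is longer and identical on both sides.
static NSString *const kSharedText =
    @"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod "
    @"tempor incididunt ut labore et dolore magna aliqua.";

// App side: pick a random window and pack it as (start << 8) | length.
static NSString *MakeKeyToken(uint8_t keyLength) {
    NSData *text = [kSharedText dataUsingEncoding:NSUTF8StringEncoding];
    if (keyLength == 0 || keyLength > text.length) return nil;
    uint32_t start =
        arc4random_uniform((uint32_t)(text.length - keyLength + 1));
    // Fixed byte order so the server decodes the same number.
    uint32_t packed = CFSwapInt32HostToBig((start << 8) | keyLength);
    return [[NSData dataWithBytes:&packed length:sizeof(packed)]
        base64EncodedStringWithOptions:0];
}

// Both sides: recover the window from the token and cut the key out of the text.
static NSData *KeyFromToken(NSString *token) {
    if (token == nil) return nil;
    NSData *raw = [[NSData alloc] initWithBase64EncodedString:token options:0];
    if (raw.length != sizeof(uint32_t)) return nil;  // malformed token
    uint32_t packed = 0;
    [raw getBytes:&packed length:sizeof(packed)];
    packed = CFSwapInt32BigToHost(packed);
    NSUInteger start = packed >> 8;
    NSUInteger length = packed & 0xFF;

    NSData *text = [kSharedText dataUsingEncoding:NSUTF8StringEncoding];
    // Reject windows outside the text instead of raising NSRangeException.
    if (length == 0 || start > text.length || length > text.length - start) {
        return nil;
    }
    return [text subdataWithRange:NSMakeRange(start, length)];
}
```

The token only selects a window: anyone holding both the text and the token can rebuild the key.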

This only makes the key harder to obtain; it does not completely prevent an attacker from obtaining it.

3.2 Keychain

On a jailbroken iPhone, the information saved in the Keychain can be exported and viewed. Keychain contents are stored in an sqlite database under /private/var/Keychains, and they can be viewed with keychain-dump.

Therefore, the data stored in Keychain must be encrypted.

3.3 plist and sqlite

plist and sqlite files can be obtained directly from the ipa installation file, so do not store important information in them. If you must store it there, encrypt it first.

IV. App hardening

4.1 Code obfuscation

Code obfuscation replaces readable class and method names with unreadable ones. Common approaches are macro substitution and script substitution.

For example, if the original method name is - (void)loadNetData; then after obfuscation the header file exported with class-dump shows the modified method name: - (void)showxhevaluation;

4.2 Writing core code in C

Core code can be written in C, but C functions can also be hooked, for example with fishhook. Developers can use static inline functions to prevent hooking, which leaves an attacker having to understand the logic of the code.

4.3 Tweak detection

You can check whether any plist file under /Library/MobileSubstrate/DynamicLibraries contains your app's bundle id. If one does, you can restrict the app's functions, warn the user that the phone is not safe, and so on.
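A sketch of this check, as an added example that is not the article's code. The function name is hypothetical, and the example assumes the filter plists use the conventional Filter / Bundles layout.

```objective-c
#import <Foundation/Foundation.h>

static NSString *const kTweakDir = @"/Library/MobileSubstrate/DynamicLibraries";

// Returns the names of the filter plists in kTweakDir that list bundleID.
// An empty result means no tweak was found targeting the app.
static NSArray<NSString *> *TweakFiltersTargeting(NSString *bundleID) {
    NSMutableArray<NSString *> *hits = [NSMutableArray array];
    if (bundleID == nil) return hits;

    // On a stock device the directory is missing or unreadable, so the
    // listing is nil and the loop below does not run.
    NSArray<NSString *> *names =
        [[NSFileManager defaultManager] contentsOfDirectoryAtPath:kTweakDir
                                                            error:NULL];
    for (NSString *name in names) {
        if (![name.pathExtension.lowercaseString isEqualToString:@"plist"]) {
            continue;
        }
        NSString *path = [kTweakDir stringByAppendingPathComponent:name];
        NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:path];

        // Assumed layout: { Filter = { Bundles = ( "com.example.app" ); }; }
        // Type-check every level; the file contents are untrusted input.
        NSDictionary *filter = plist[@"Filter"];
        if (![filter isKindOfClass:[NSDictionary class]]) continue;
        NSArray *bundles = filter[@"Bundles"];
        if (![bundles isKindOfClass:[NSArray class]]) continue;

        if ([bundles containsObject:bundleID]) {
            [hits addObject:name];
        }
    }
    return hits;
}

// Typical call: TweakFiltersTargeting([NSBundle mainBundle].bundleIdentifier)
```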
