Shulou (Shulou.com) 06/03 report, updated 2025-03-29
This article covers how to avoid security risks in iOS development. The methods introduced here are simple, fast and practical.
1. Network
The traffic on a mobile app's API can be captured with a packet capture tool. Take Charles as an example: it can capture all plaintext HTTP data, and once its certificate is configured it can simulate a man-in-the-middle attack and obtain the plaintext data before HTTPS encryption.
1.1 Man-in-the-middle attack
Briefly, a man-in-the-middle attack works like this:
① Client: "I am the client, give me your public key" -> server (intercepted by the middleman).
So now it is:
Client -> middleman
② The middleman then forwards the message to the server, that is:
Middleman -> server
③ The server sends the message containing its public key to the client, but it is intercepted on the way. So it is:
Server -[server's public key]-> middleman
④ The middleman replaces the server's public key with his own public key and sends it to the client, claiming it is the server's public key:
Middleman -[middleman's public key]-> client
⑤ What the client encrypts with the public key it received is actually encrypted with the middleman's public key, so the middleman can decrypt it with his own private key, obtain the original data, and then encrypt the original data (or modified content) with the server's public key and send it to the server.
In this way, the middleman can read the communication of both parties and inject false data.
1.2 How to prevent man-in-the-middle attacks
Here is how to take precautions:
1.2.1 SSL Pinning
The principle of SSL Pinning is to store the server's public key in the client. The client verifies whether the certificate returned by the server matches the one it has saved, which defeats a middleman who replaces the certificate.
Implementing SSL Pinning is relatively simple: put the CA certificate into the project and use the Security framework to implement SSL Pinning on NSURLSession. If you are using AFNetworking, the code is simpler:
With this in place, capturing traffic through Charles produces an error.
Certificate verification can either validate only the public key (AFSSLPinningModePublicKey) or verify the full certificate (AFSSLPinningModeCertificate).
SSL Pinning has one serious problem, however: if something goes wrong with the certificate, it can only be fixed by releasing a new version. If the new version keeps failing review, the app's network communication is dead.
For example, Symantec certificates are no longer trusted by Google and iOS 12. If the app has such a certificate built in, the app must be re-released.
1.2.2 Encrypt the interface content
Many app interfaces only encrypt and validate the request parameters, while the data returned by the interface is plaintext. If you do not use SSL Pinning to prevent man-in-the-middle attacks, you can also encrypt the data returned by the interface, so that a packet capture tool still cannot read the content.
WeChat is an example: its interfaces use the HTTP protocol, but the content is all encrypted.
Symmetric encryption is commonly used now because it is relatively fast. If some data in the app is particularly important, asymmetric encryption is still necessary. Asymmetric encryption is more secure, but less efficient.
2. Log
2.1 Swift Log
In Swift you can print logs with print or NSLog. Try not to use NSLog, though, because output from NSLog in Swift shows up in the system log. The system log can be viewed with PP Assistant, iTools, or Xcode's Devices and Simulators window.
Logs printed with print do not appear in the system log.
2.2 OC Log
Do not output NSLog logs in a release build. Generally, people use a macro definition to handle this, as follows:
3. Storing information
3.1 Keys
Most programmers like to put keys directly into macros or constants.
For example: #define AES_KEY @"aaa123"
A key stored this way is easily recovered by decompiling, so security is poor. The following methods strengthen security and make cracking more difficult.
The key (A) is encrypted and defined as a macro (B). When it is needed, B is decrypted to obtain key A. Key A is encrypted with C.
When a macro is defined as a string, the string is placed directly in the data segment, where a cracker can easily find it. It is safer to define C and B as uint8_t[] arrays, so that each character is placed in a separate instruction in the text section and the string is only generated after the instructions execute.
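The first method, as an added example (not code from the original article), in plain C that also compiles inside an Objective-C target. XOR as the cipher, the function names and the byte values of B and C are assumptions, constructed so that the result is the aaa123 key from the macro above.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_LEN 6

/* Rebuild key A from B (A encrypted) and C (the key that encrypts A).
   B and C are written byte by byte through volatile stores instead of
   being string literals, so the constants are emitted as immediates in
   the instruction stream. Confirm this in a disassembler for your build.
   Constructed values: B = "aaa123" XOR C; XOR itself is an assumption. */
void recover_key(uint8_t out[KEY_LEN]) {
    volatile uint8_t b[KEY_LEN], c[KEY_LEN];
    b[0] = 0x3b; c[0] = 0x5a;
    b[1] = 0xa2; c[1] = 0xc3;
    b[2] = 0x76; c[2] = 0x17;
    b[3] = 0xaf; c[3] = 0x9e;
    b[4] = 0x16; c[4] = 0x24;
    b[5] = 0x8b; c[5] = 0xb8;
    for (size_t i = 0; i < KEY_LEN; i++) {
        out[i] = (uint8_t)(b[i] ^ c[i]);
        b[i] = 0;   /* clear the working copies as we go */
        c[i] = 0;
    }
}

/* Zero a buffer through a volatile pointer so the compiler cannot drop
   the stores as dead code once the key is no longer read. */
void wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Keep the plaintext key alive for one operation only. The callback
   type is hypothetical; pass in whatever cipher call the app uses. */
int with_key(int (*use)(const uint8_t *key, size_t len, void *ctx), void *ctx) {
    uint8_t key[KEY_LEN];
    recover_key(key);
    int rc = use(key, KEY_LEN, ctx);
    wipe(key, sizeof key);
    return rc;
}
```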
Use a long piece of text and extract the key from it according to a rule, so that the key is random.
Define the same long text on the server and the client. The app randomly generates a starting position and a length, shifts the starting position and length to generate the corresponding numbers, encodes the numbers with Base64, and passes the resulting string to the server. The server can then work out the key from this string.
The code is as follows:
This only makes it more difficult for a cracker to obtain the key; it does not completely prevent it.
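One way the second method could look, as an added example rather than the article's own code. The shared text, the 12-bit packing of start and length, and the function names are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the long text shared by app and server. */
static const char SHARED_TEXT[] =
    "It was the best of times, it was the worst of times, it was the age of wisdom";
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
#define TEXT_LEN (sizeof SHARED_TEXT - 1)

/* A usable slice is non-empty, lies inside the text, and both numbers
   fit in 12 bits. */
static int range_ok(uint32_t start, uint32_t len) {
    return len > 0 && len <= 0xFFF && start <= 0xFFF &&
           start < TEXT_LEN && len <= TEXT_LEN - start;
}

/* App side: start and len come from a random source such as
   arc4random_uniform(). Packed as (start << 12) | len they fill 24 bits,
   which Base64 turns into exactly four characters with no padding. */
int make_token(uint32_t start, uint32_t len, char token[5]) {
    if (!range_ok(start, len)) return -1;
    uint32_t v = (start << 12) | len;
    for (int i = 0; i < 4; i++)
        token[i] = B64[(v >> (18 - 6 * i)) & 0x3F];
    token[4] = '\0';
    return 0;
}

/* Server side: decode the token, validate the range again (the token is
   untrusted input), then copy the slice out as the key. */
int key_from_token(const char *token, uint8_t *key, size_t cap, size_t *key_len) {
    uint32_t v = 0;
    if (strlen(token) != 4) return -1;
    for (int i = 0; i < 4; i++) {
        const char *p = strchr(B64, token[i]);
        if (p == NULL) return -1;
        v = (v << 6) | (uint32_t)(p - B64);
    }
    uint32_t start = v >> 12, len = v & 0xFFF;
    if (!range_ok(start, len) || len > cap) return -1;
    memcpy(key, SHARED_TEXT + start, len);
    *key_len = len;
    return 0;
}
```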
3.2 Keychain
On a jailbroken iPhone, the information saved in the Keychain can be exported and viewed. The Keychain contents are stored in sqlite, in the directory /private/var/Keychains. You can view the contents of the keychain with keychain-dump.
So data saved to the Keychain must be encrypted.
3.3 plist, sqlite
plist and sqlite files can be obtained directly from the ipa installation file, so do not store important information in them. If you must save it there, encrypt it first and then store it.
4. App hardening
4.1 Code obfuscation
Code obfuscation replaces easy-to-read class names and method names with names that are hard to read. The common approaches are macro replacement and script replacement.
For example, if the original method name is - (void)loadNetData; then after obfuscation the header file exported with class-dump shows the modified method name: - (void)showxhevaluatess
4.2 Write core code in C
The core code can be written in C, but C functions can also be hooked, for example with fishhook. Developers can use static inline functions to prevent hooking, so the cracker's only option is to understand the logic of the code.
4.3 Detecting tweaks
You can check whether a plist file under /Library/MobileSubstrate/DynamicLibraries contains the bundle id of your own app. If it does, you can limit the app's functionality, warn that the phone is not safe, and so on.
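A sketch of that check in plain C, added here as an example and not taken from the original article. The function names and the read cap are assumptions.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

#define TWEAK_DIR "/Library/MobileSubstrate/DynamicLibraries"
#define MAX_PLIST 65536  /* assumed cap: filter plists are small */

/* Plain byte search, so it works on XML, old-style and binary plists,
   which all store an ASCII bundle id as raw bytes. It also matches a
   longer id that starts with bundle_id; for a detector that errs on
   the side of caution this is acceptable. */
int plist_mentions_bundle(const unsigned char *buf, size_t len, const char *bundle_id) {
    size_t n = strlen(bundle_id);
    if (n == 0) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, bundle_id, n) == 0) return 1;
    return 0;
}

static int has_suffix(const char *s, const char *suf) {
    size_t a = strlen(s), b = strlen(suf);
    return a >= b && strcmp(s + a - b, suf) == 0;
}

/* Count the .plist files in dir that name bundle_id. A missing or
   unreadable directory (the normal, non-jailbroken case) counts as 0. */
int count_tweaks_targeting(const char *dir, const char *bundle_id) {
    static unsigned char buf[MAX_PLIST];
    char path[1024];
    int hits = 0;
    DIR *d = opendir(dir);
    if (d == NULL) return 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (!has_suffix(e->d_name, ".plist")) continue;
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path) continue;
        FILE *f = fopen(path, "rb");
        if (f == NULL) continue;
        size_t len = fread(buf, 1, sizeof buf, f);
        fclose(f);
        hits += plist_mentions_bundle(buf, len, bundle_id);
    }
    closedir(d);
    return hits;
}
```

Call count_tweaks_targeting(TWEAK_DIR, ...) with the app's own bundle id at launch. A tweak whose filter names a shared framework instead of the app's bundle id is not caught by this check.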
At this point you should have a deeper understanding of how to avoid security risks in iOS development. The best next step is to try these measures in practice.