Security Guidelines and best practices for iOS apps | Hindi tutorial

Views: 4,793

Code Cat

1 day ago

In this session we discuss iOS security guidelines and best practices for iOS apps. We will talk about the various security guidelines for iOS app development that ensure attackers are not able to sniff out sensitive information about the user.
Chapters in the video:
0:00 Introduction
0:17 Sensitive and non-sensitive user data
2:00 "Encrypt everything" is bad
2:26 Mobile dev assumptions on data security
5:10 What the mobile dev is not responsible for
5:52 Guideline 1: avoid storing sensitive data in plain text or hashed format
6:35 codecat15 opinion: against storing sensitive information in the Keychain
8:02 codecat15 recommendation on where to store sensitive data
9:41 Guideline 2: implement Face ID and passcode
10:30 Guideline 3: encrypting the mobile database
11:52 Is Core Data encrypted by default?
13:23 Guideline 4: APIs must implement an OAuth flow
14:25 Encrypt the request body only if it contains sensitive data
14:39 Guideline 5: SSL pinning
17:01 Guideline 6: testing the security implementation
17:37 Key takeaways
18:06 Thank you for watching
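Guidelines 1 and 2 together say: do not put a secret into the Keychain as plain text, and gate access to it behind Face ID / Touch ID. The following is an added example written for this page, not code from the video or the channel, that does exactly that with the "Store private keys in Secure Enclave" approach linked below: a P-256 key pair is generated inside the Secure Enclave with a biometric access control, the secret is encrypted with that key, and only the ciphertext is written to the Keychain (device-only, never migrated by backup). The key tag, service name and account name are hypothetical placeholders. It needs a physical device with a Secure Enclave and an NSFaceIDUsageDescription entry in Info.plist.

```swift
import Foundation
import Security

/// Errors raised by SecureEnclaveSecretStore (example type, not from the video).
enum SecretStoreError: Error {
    case accessControl, keyGeneration(String), crypto(String), keychain(OSStatus), notFound
}

/// Encrypts a secret with a P-256 key whose private half lives in the Secure Enclave and is
/// usable only after Face ID / Touch ID succeeds; only the ciphertext reaches the Keychain.
struct SecureEnclaveSecretStore {
    // Hypothetical identifiers; use your own.
    private let keyTag = Data("com.example.app.se-key".utf8)
    private let service = "com.example.app.secrets"
    // ECIES (ECDH + AES-GCM) is the encryption family Secure Enclave keys support.
    private let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorX963SHA256AESGCM

    /// Loads the Secure Enclave private key, creating it on first use.
    func privateKey() throws -> SecKey {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
            kSecReturnRef as String: true,
        ]
        var item: CFTypeRef?
        if SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess, let found = item {
            return found as! SecKey
        }
        // biometryCurrentSet: the key becomes unusable if the enrolled biometrics change.
        var acError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &acError) else { throw SecretStoreError.accessControl }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,   // key never leaves the SE
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: keyTag,
                kSecAttrAccessControl as String: access,
            ],
        ]
        var error: Unmanaged<CFError>?
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
            throw SecretStoreError.keyGeneration(error!.takeRetainedValue().localizedDescription)
        }
        return key
    }

    func encrypt(_ plaintext: Data) throws -> Data {
        let priv = try privateKey()
        guard let pub = SecKeyCopyPublicKey(priv) else { throw SecretStoreError.crypto("no public key") }
        var error: Unmanaged<CFError>?
        guard let ct = SecKeyCreateEncryptedData(pub, algorithm, plaintext as CFData, &error) else {
            throw SecretStoreError.crypto(error!.takeRetainedValue().localizedDescription)
        }
        return ct as Data
    }

    /// Triggers the biometric prompt: the Secure Enclave refuses to use the key otherwise.
    func decrypt(_ ciphertext: Data) throws -> Data {
        let priv = try privateKey()
        var error: Unmanaged<CFError>?
        guard let pt = SecKeyCreateDecryptedData(priv, algorithm, ciphertext as CFData, &error) else {
            throw SecretStoreError.crypto(error!.takeRetainedValue().localizedDescription)
        }
        return pt as Data
    }

    /// Stores ciphertext only, so a Keychain dump on a jailbroken device yields no plaintext.
    func save(secret: String, account: String) throws {
        let base: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        _ = SecItemDelete(base as CFDictionary)   // replace any older copy
        var add = base
        add[kSecValueData as String] = try encrypt(Data(secret.utf8))
        // ThisDeviceOnly: the item is not restored from a backup onto another device.
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw SecretStoreError.keychain(status) }
    }

    func load(account: String) throws -> String {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let ciphertext = item as? Data else {
            throw status == errSecItemNotFound ? SecretStoreError.notFound : SecretStoreError.keychain(status)
        }
        return String(decoding: try decrypt(ciphertext), as: UTF8.self)
    }
}

// Usage:
// let store = SecureEnclaveSecretStore()
// try store.save(secret: "refresh-token-value", account: "api.refresh_token")
// let token = try store.load(account: "api.refresh_token")   // prompts Face ID / Touch ID
```

The point of the split is that the private key never exists in app memory or on disk: the Keychain holds ciphertext, the Secure Enclave holds the key, and decryption is refused until the user passes biometrics. Because the key is device-bound, a secret saved this way cannot be restored on a new phone; re-fetch it from the server after login instead of trying to migrate it.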
Documentation links mentioned in the video:
Encrypting your app's files:
developer.apple.com/documenta...
Apple on jailbroken devices:
support.apple.com/en-us/HT201954
OWASP guideline on jailbroken devices:
owasp.org/www-project-mobile-...
Implementing Face ID and Touch ID in your app:
developer.apple.com/documenta...
Keychain dumper:
github.com/ptoomey3/Keychain-...
SSL Kill Switch 2:
github.com/nabla-c0d3/ssl-kil...
Core Data is encrypted by default from iOS 5 onwards:
developer.apple.com/library/a...
SSL pinning code examples:
Configure server certificates: developer.apple.com/news/?id=...
Implementing SSL pinning: www.kodeco.com/1484288-preven...
Store private keys in the Secure Enclave:
developer.apple.com/documenta...
Connect with me on social media
Instagram: codecat15
Email: codecat15@gmail.com
Twitter: / codecat15
Facebook: / code.cat.792
GitHub: github.com/codecat15
#iosSecurity #mobilesecurity #iosSecurityGuideline

Comments: 60
@CodeCat15 · 11 months ago
Documentation links mentioned in the video are as follows:
Encrypting your app's files: developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files
Apple on jailbroken devices: support.apple.com/en-us/HT201954
OWASP guideline on jailbroken devices: owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage
Implementing Face ID and Touch ID in your app: developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
Keychain dumper: github.com/ptoomey3/Keychain-Dumper
SSL Kill Switch 2: github.com/nabla-c0d3/ssl-kill-switch2
Core Data is encrypted by default from iOS 5 onwards: developer.apple.com/library/archive/releasenotes/General/WhatsNewIniOS/Articles/iOS5.html#//apple_ref/doc/uid/TP30915195-SW1
SSL pinning code examples:
Configure server certificates: developer.apple.com/news/?id=g9ejcf8y
Implementing SSL pinning: www.kodeco.com/1484288-preventing-man-in-the-middle-attacks-in-ios-with-ssl-pinning
Store private keys in the Secure Enclave: developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave
@poojakadam8160 · 1 month ago
Thank you so much for making videos on iOS concepts. Please make more videos like this with real-time scenarios for iOS apps.
@Mehulb1900 · 1 month ago
Thank you for making this video; it helps in understanding the possible security concerns while making an app more secure. 💎
@rameshK-yx8nz · 11 months ago
Your explanations of iOS applications are the best. Please do a video on a CI/CD pipeline using Jenkins.
@NikunjJadav · 9 months ago
Awesome Video Ravi. Very well explained with details.
@kirangurung596 · 11 months ago
This is the exact video I was looking for. Found it useful. Thank you, Ravi.
@CodeCat15 · 11 months ago
I am glad this video was helpful, Kiran. Please feel free to ask questions, and do share the video with your iOS group.
@mdfaizashraf487 · 9 months ago
Thanks, Ravi. After a long wait, this video is finally here. 😇
@CodeCat15 · 9 months ago
Most welcome 😊
@farooqueazam8579 · 10 months ago
Nice video, Ravi. Got to know a lot of things, thanks.
@CodeCat15 · 10 months ago
Glad it was helpful. Please do ask questions on this video, and do share it with your iOS group.
@dharmendrasinha8806 · 11 months ago
Once again we get a useful video from Ravi 😀. Wanted to know your security advice on reverse engineering.
@CodeCat15 · 11 months ago
When we create an IPA, Xcode obfuscates the app, and if a hacker is able to reverse engineer it, then Apple needs to strengthen its process rather than us having to do something about it. However, Swift code is harder to reverse engineer than Objective-C, so it's safe to say that Objective-C was more prone to such attacks than Swift. You can take a look at SwiftShield for more protection against RE: github.com/rockbruno/swiftshield
@ankit76004 · 11 months ago
One of the best videos on iOS security guidelines. Thanks, Ravi, for doing this 👍. Now waiting for the next videos on SSL.
@CodeCat15 · 11 months ago
Thank you, iOS dev. More to come on data security.
@pratapapptunix3512 · 11 months ago
Great video. Learned so much from it! Keep inspiring us.
@CodeCat15 · 11 months ago
Thank you, Pratap. I am glad this was helpful.
@mohdrahib7006 · 11 months ago
simply awesome 👍
@CodeCat15 · 11 months ago
Thanks a lot 😊 I am glad this video was helpful.
@bhanu2603 · 11 months ago
Before watching this video I didn't know about security, or why security matters. But you made it very easy to understand what needs to be secured, why, and also the ways to do it. Thanks a lot, bro 😊
@CodeCat15 · 11 months ago
Thanks, Bhanu. I am glad this video was helpful in clearing all your doubts about iOS security.
@siddharthkothari007 · 10 months ago
Thanks for more informative content, Ravi. Your step-by-step approach to tackling any topic is just amazing. Keep up the good work.
@CodeCat15 · 10 months ago
Glad it was helpful 👍
@ombhagwan859 · 11 months ago
Very useful video
@CodeCat15 · 11 months ago
Glad you liked it 👍
@subhadeepchakraborty4638 · 11 months ago
Hi Ravi, thanks for this informative video. It would be helpful if you created videos on each topic discussed today with some code examples.
@CodeCat15 · 11 months ago
I am glad that this video was helpful. I will drop videos one at a time on the topics that were discussed in the video, along with some good practices.
@subhadeepchakraborty4638 · 11 months ago
@CodeCat15 Thanks, Ravi.
@UmairKhan-tq1hq · 11 months ago
This guy is brilliant
@CodeCat15 · 11 months ago
Thank you, Umair, for your kind words.
@rasinsahaji5296 · 11 months ago
Humble as well ❤
@CodeCat15 · 11 months ago
Thank you Rasin 🙏
@paonej4033 · 5 months ago
Is it possible to check whether the app is running on a jailbroken or non-jailbroken device? If the app is running on a jailbroken device, what security measures should we take apart from SSL pinning and encryption of data? As I saw in the video, SSL pinning is also broken on jailbroken devices.
@iosdev7613 · 9 months ago
Thanks, bro. Is there a way we can use to protect against reverse engineering of the IPA?
@CodeCat15 · 9 months ago
One of the things I have emphasized in the video is to avoid storing any kind of sensitive information in the app, and to avoid bundling any kind of API secret keys etc. with your app; that's risky business. You can start with something simple like detecting if your app is running on a jailbroken device and preventing the app from running on jailbroken devices, and use code obfuscation. Code obfuscation is the process of transforming the source code in a way that makes it more difficult for reverse engineers to understand, decompile, or modify. You can use several paid third-party tools to do so; please get them verified by company security architects, because different companies have different guidelines for data security. Here are some of the tools that I know of:
1. SwiftShield
2. ProGuard
3. Dotfuscator (this is for Xamarin projects, not native Swift, but worth mentioning)
4. GuardSquare
Remember that no method is foolproof, and determined attackers may still find ways to reverse engineer an app. Therefore, combining multiple protection techniques offers the best defense against reverse engineering attempts.
@iosdev7613 · 9 months ago
Thanks 😊
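The question above (whether an app can tell it is on a jailbroken device) and the reply (start with jailbreak detection, then obfuscation) both stop short of showing the checks. The following is an added example written for this page, not code from the video or the channel. It combines the three cheap heuristics that are commonly used: presence of files that only exist after a jailbreak (the "/var/jb" prefix covers rootless jailbreaks), a write probe outside the sandbox, and a scan of the loaded dynamic libraries for hooking frameworks. Every one of these is bypassable by a tweak that hooks exactly these calls, so the result is a risk signal for degrading functionality, not a security boundary. The path list and library names are the usual public indicators; treat the lists as a starting point rather than a complete set.

```swift
import Foundation
import MachO

/// Jailbreak heuristics (added example). A hit means "probably jailbroken"; a miss means nothing.
enum JailbreakCheck {
    /// Files and directories a stock iOS install does not have; "/var/jb" is the rootless prefix.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Applications/Sileo.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/usr/sbin/sshd",
        "/bin/bash",
        "/etc/apt",
        "/private/var/lib/apt/",
        "/var/jb",
    ]

    /// Dynamic libraries injected by common hooking / instrumentation frameworks.
    static let injectedLibraryMarkers = ["MobileSubstrate", "SubstrateLoader", "libhooker", "FridaGadget"]

    static func hasSuspiciousFiles() -> Bool {
        let fm = FileManager.default
        return suspiciousPaths.contains { fm.fileExists(atPath: $0) }
    }

    /// A sandboxed app cannot write outside its container; success means the sandbox is gone.
    static func canWriteOutsideSandbox() -> Bool {
        let path = "/private/jb_probe_\(UUID().uuidString)"
        do {
            try "probe".write(toFile: path, atomically: true, encoding: .utf8)
            try? FileManager.default.removeItem(atPath: path)   // clean up after ourselves
            return true
        } catch {
            return false
        }
    }

    /// Walks the images loaded into this process and looks for known hooking libraries.
    static func hasInjectedLibraries() -> Bool {
        for index in 0..<_dyld_image_count() {
            guard let cName = _dyld_get_image_name(index) else { continue }
            let name = String(cString: cName)
            if injectedLibraryMarkers.contains(where: { name.localizedCaseInsensitiveContains($0) }) {
                return true
            }
        }
        return false
    }

    /// Combined verdict. The simulator is never "jailbroken" even though its file system
    /// trips the path checks, so it is excluded explicitly.
    static func isLikelyJailbroken() -> Bool {
        #if targetEnvironment(simulator)
        return false
        #else
        return hasSuspiciousFiles() || canWriteOutsideSandbox() || hasInjectedLibraries()
        #endif
    }
}

// Usage, e.g. at launch or before showing sensitive screens:
// if JailbreakCheck.isLikelyJailbroken() {
//     // degrade: skip caching sensitive data locally, log a risk event to the backend, etc.
// }
```

Two practical notes: run the checks from more than one place in the code (a single `isJailbroken` function is the first thing a tweak hooks), and report the signal to the server so that risk decisions about the account can be made where the attacker cannot patch them.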
@anweshannu2518 · 11 months ago
Hi Ravi, we can implement SSL pinning using the public key hashes present in response headers: we hard-code the public key hashes received in the response headers in the app code and compare the hash of the certificate at runtime against this array of hashes. This works without changing the certificate every 90 days. We implemented it a year ago and it has been working fine without issues, because if the certificate changes, the next certificate's hash will be among the public key hashes.
@CodeCat15 · 11 months ago
By public key hashes, do you mean the public keys that are sent from the server during the handshake process, and you have a set of stored hashes in your app bundle that match this public key? Did I get that correct? Also, are you speaking of public key pinning, or just using the public key hashes? Because in public key pinning we have to extract the public key from the certificate rather than having a hard-coded hash. Please let me know.

If you are just using the hashes, then here's my opinion (note: I have not used the approach you describe in any of my apps, as I like to pin the certificate, since it does more to validate the authenticity of the server). These public keys are freely available to anyone, even hackers. If the public key hash changes and the hard-coded hash is not present in your app code, then your app will fail to respond to any API requests, and it's very common for public keys to change. Examples:
1. If someone resets the server key.
2. If there's a change in how the public key generation is done and now you have a mismatch with the stored hash in your app.
3. The keys could also change if SSH gets compromised, and in this case a new public key needs to be formed which is different from the old ones.
Although this may work in your case, it's prone to failure if the key hash changes. If the key hash is the only thing that you are checking, then what would happen if a hacker gained access to the freely available public key and intercepted the message? Because all your app would do is check the public key hash, say "yeah, this is good to go," and start communicating with the bad server (try testing this use case with the help of a penetration tester). It's the certificate installed in the bundle that does an in-depth check, validates the signature and avoids communicating with the bad server.

Such public-key-based hashes are used to avoid having to install the certificate every year, but I am a little skeptical of this approach of relying only on the public key hash, which can change, and in your case the hacker could get the public key and impersonate the good server. In the video I didn't suggest changing the certificate every 90 days; it was just to add a reminder 90 days before the certificate expires. I think what you meant here was the free certificates, which are valid for only 90 days; with paid certificates you can get a validity of 1 or 2 years.
@anweshannu2518 · 11 months ago
@CodeCat15 Hi Ravi, what I meant is that we hard-code the 4 public key hashes from the response, and for the very first API call we get the server certificate and its hash dynamically and check that it is one of the hard-coded public key hashes. We used it for our macOS product, which relies on Okta as the IdP; Okta changes the certificate every year. If the certificate changes, the new cert's hash will be within the hard-coded public key hashes. This way we avoid releasing a build whenever the certificate changes, and we release a build every quarter. What you suggest is also a good approach. I'm just saying my approach may be helpful for someone.
@renukapandey3295 · 10 months ago
Awesome video, Ravi. Just to add, SSL public key pinning is also being used these days rather than certificate pinning, to avoid certificate expiration. Can you please elaborate more on Apple CryptoKit? Best wishes 🙏
@CodeCat15 · 8 months ago
Thank you for your insightful comment! SSL Public Pinning is indeed gaining popularity for avoiding certificate expiration issues. Apple CryptoKit is a powerful framework used in iOS development for cryptographic operations. It offers secure and efficient ways to handle encryption, decryption, and other cryptographic tasks, ensuring data protection and privacy in apps. I'll consider creating a video that elaborates on its features and usage. Stay tuned for more content!
@renukapandey3295 · 8 months ago
Thank you 🙏
@rachitsharma8829 · 11 months ago
Very useful content, super cool ☺. Also, I have a question: Apple already has a Keychain wrapper and CryptoKit to encrypt sensitive data, so why is SSL pinning needed for encryption and validation?
@CodeCat15 · 11 months ago
With APIs you are sending information outside the iOS ecosystem, and hence SSL pinning needs to be implemented to ensure you are talking to the good server and not to an impostor. Apple has those Keychain wrappers, but don't assume that your app will run only on non-jailbroken devices. You must encrypt the data first and then save it in the Keychain, using a different encryption than what is used by Apple for the Keychain, which I think is AES.
@rachitsharma8829 · 11 months ago
@CodeCat15 Point taken, awesome, thanks 👍
@mepolob · 11 months ago
Hi Ravi, I have one question. How do we encrypt/decrypt the request body and the JSON response of an API call? Thanks in advance.
@CodeCat15 · 11 months ago
It depends on what encryption strategy the API is using and expecting. Depending on that, you can talk with your security team and implement the same, and also include penetration testers to test the implementation. It's a wide topic because the security implementation varies, but I can surely spin something up to demonstrate this.
@suryabhan1000 · 10 months ago
I have one question: as you shared, Core Data by default implements security on disk. Does that mean we shouldn't encrypt data just before storing it? @CodeCat
@CodeCat15 · 10 months ago
Encrypt if and only if your database has user-sensitive information; do not force-add encryption just for peace of mind. Better not to store any user-sensitive information in the database at all to begin with. Having said that, as per Apple's docs, on a non-jailbroken device where we have Apple's security layer, it seems that Core Data does encrypt the user data. One thing you can do is use the complete file protection level with Core Data rather than the default, to add a more secure layer. You may also add your own encryption, but as explained in the DB encryption chapter of the video, you may face latency issues since the data needs to be encrypted/decrypted for read and write operations.
@mdrashidiqubal813 · 5 months ago
"Complete until first user authentication" is the default.
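The exchange above lands on a concrete recommendation (use the complete file protection level for the Core Data store instead of the default, which the reply identifies as "complete until first user authentication"), but shows no code for it. The following is an added example written for this page, not code from the video or the channel. It loads an `NSPersistentContainer` with `NSPersistentStoreFileProtectionKey` set to `FileProtectionType.complete`, reads back the protection class the file system actually applied, and wraps a fetch so that the cost of the stronger class (the store is unreadable while the device is locked, so any background work against it fails) is surfaced as an explicit error rather than a silent crash. The model name and entity name are placeholders.

```swift
import Foundation
import CoreData

/// Loads a Core Data SQLite store whose files are readable only while the device is unlocked.
/// The default for app data is completeUntilFirstUserAuthentication, which stays readable
/// after the first unlock following a reboot; `.complete` re-locks the file every time the
/// screen locks.
func makeProtectedContainer(modelName: String) -> NSPersistentContainer {
    let container = NSPersistentContainer(name: modelName)
    guard let description = container.persistentStoreDescriptions.first else {
        fatalError("model \(modelName) has no persistent store description")
    }
    // NSPersistentStoreFileProtectionKey applies the Data Protection class to the store files.
    description.setOption(FileProtectionType.complete.rawValue as NSString,
                          forKey: NSPersistentStoreFileProtectionKey)
    container.loadPersistentStores { _, error in
        if let error = error { fatalError("failed to load store: \(error)") }
    }
    return container
}

/// Reads the protection class the file system actually applied, for a device-side check
/// (pass `container.persistentStoreDescriptions.first?.url`). Expect "NSFileProtectionComplete".
func protectionClass(ofFileAt url: URL) throws -> String? {
    let attributes = try FileManager.default.attributesOfItem(atPath: url.path)
    if let type = attributes[.protectionKey] as? FileProtectionType { return type.rawValue }
    return attributes[.protectionKey] as? String
}

/// With `.complete`, any access while the device is locked fails with a permission error.
/// Work that must run in the background (e.g. a push-triggered sync) therefore needs its own
/// store with a weaker class, or must be deferred; this wrapper makes that failure explicit.
func countRecordsWhileUnlocked(entityName: String, in context: NSManagedObjectContext) -> Result<Int, Error> {
    let request = NSFetchRequest<NSFetchRequestResult>(entityName: entityName)
    do {
        return .success(try context.count(for: request))
    } catch {
        // Typically NSFileReadNoPermissionError when the store is locked; log and retry after unlock.
        return .failure(error)
    }
}

// Usage:
// let container = makeProtectedContainer(modelName: "ExampleModel")          // placeholder model name
// let url = container.persistentStoreDescriptions.first!.url!
// print(try protectionClass(ofFileAt: url) ?? "unknown")                      // expect NSFileProtectionComplete
// switch countRecordsWhileUnlocked(entityName: "Note", in: container.viewContext) {   // placeholder entity
// case .success(let n): print("rows:", n)
// case .failure(let err): print("store locked or unreadable:", err)
// }
```

Two caveats the thread hints at: this protection is the disk encryption Apple provides, keyed to the device passcode, so it does nothing against a process that reads the store through the app on an unlocked, jailbroken device; and choosing `.complete` is a behavioural change, not just a setting, because every code path that touches Core Data in the background must now tolerate a locked store.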
@GulshanKumar-nf4wo · 9 months ago
What is CROS?
@CodeCat15 · 9 months ago
I made a spelling mistake there; that's on me. It's CORS, which stands for Cross-Origin Resource Sharing. It's a security mechanism implemented in web browsers that controls how web applications on different domains can interact with each other.
@VirenderDall · 11 months ago
Where should the key for data encryption be kept in the code?
@CodeCat15 · 11 months ago
A couple of ways to do this:
1. You can store it in a file in your code and add that file to .gitignore, so the private key is never committed to the server.
2. Point 1 has flaws, because anyone can read the private key, so you can use the Secure Enclave that's provided by iOS and is encrypted: developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave. Again, the issue with point 2 is that it uses the Keychain, and you need to maintain the private key in plain text format to compare.
3. You can use SQLCipher for your private keys.
4. There's another approach which I am aware of but have not used, which is cocoapods-keys.
In some cases I have used approaches 1 and 2; in approach 1 we change the keys in every major release, it's a part of our security checklist. Hope it helps.
@VirenderDall · 11 months ago
@CodeCat15 Thank you for the suggestions. On that note, do you also detect jailbreaks? I read multiple articles and no one described a foolproof method to make your application fully secure. We can make a hacker's life difficult but not impossible. What do you say about this?
@CodeCat15 · 11 months ago
That statement is correct, and that's why I said again and again in the video that if you can avoid storing sensitive information in the app, then no sensitive info reaches the hacker. It goes with the saying: the best secret is having no secret at all. But if you are storing some sensitive info, do encrypt it, because decrypting this information requires the private key, which only you have and not the hacker. But as I said, don't store any sensitive information in the app to begin with.
@geetamsinghkushwaha8323 · 11 months ago
I'm outside, so I'll leave a like now and come back to watch later 🗿
@CodeCat15 · 11 months ago
Thank you it means so much 🙏
@ankurpanwar1092 · 11 months ago
Efforts should be appreciated 👏👏
@CodeCat15 · 11 months ago
@ankurpanwar1092 Thank you, Ankur.