At present, many iOS apps do not take any security precautions, resulting in many security risks and accidents. Today, let’s talk about how iOS developers can be safer at ordinary times.
The data of the mobile phone communication interface can be captured by using the bag capturing tool. Take Charles as an example, Charles can obtain all the plaintext data of http. After configuring its certificate, it can simulate man-in-the-middle attack and obtain the plaintext data before https encryption.
1.1 Man-in-the-Middle Attack
First, let’s briefly say what is man-in-the-middle attack:
(1) client: “I am the client, give me your public key”-> server (intercepted by middlemen).
So now it is:
(2) and then the middleman to transfer the message to the server, that is:
(3) The server sends the information with the public key to the client, but it is intercepted by the middle. So it is:
Server-[public key of server]-> middleman
(4) The middleman replaces the public key of the server with his own and sends it to the client, claiming to be the public key of the server:
Man in the middle-[man in the middle’s public key]-> client
(5) The client encrypts with the obtained public key, which is actually encrypted with the public key of the middleman, so the middleman can decrypt with his private key to obtain the original data, and then encrypt the original data (or modify the content of the original data) with the public key of the server and send it to the server.
In this way, the middleman can obtain the communication data of both parties and make false data.
1.2 How to Prevent Man-in-the-Middle Attacks?
Here’s how to prevent:
1.2.1 SSL Pinning
The principle of SSL Pinning is that the public key of the server is stored in the client, and the client will check whether the certificate returned by the server is consistent with the certificate saved by the client, thus avoiding the attack of replacing the certificate by the middleman.
The implementation of SSL Pinning is relatively simple, just need to put the CA certificate into the project, and implement SSL Pinning on NSURLSession through the Security framework. If you are using AFNetworking, the code is simpler:
In this way, if Charles catches the bag, he will make a mistake.
The certificate verification can only verify the public key (AFSSLPinningModePublicKey) or can completely verify the certificate (AFSSLPinningModeCertificate).
However, there is a serious problem with SSL Pinning. If there is a problem with the certificate, it can only be solved by issuing a new version. If the new version is not approved all the time, the app’s network communication will all hang up.
For example, the Symantec certificate is not trusted by google and iOS12. If the app has a certificate built in, it must be reissued.
1.2.2 Encryption of Interface Content
Many app interfaces only encrypt and verify the requested parameters, and the data returned by the interface is plaintext. If SSL Pinning is not used to prevent man-in-the-middle attacks, the data returned by the interface can also be encrypted, so that the packet grabbing tool can still not crack the packet after it is caught.
For example, Wechat, the interface in Wechat uses http protocol, but the content is all encrypted.
At present, symmetric encryption is commonly used, and the encryption efficiency is relatively fast. If some data in app is especially important, asymmetric encryption is still needed. Asymmetric encryption is safer, but the efficiency will be slower.
2.1 Swift log
The syntax for printing logs in Swift can be either print or NSLog. But try not to use NSLog, because NSLog is used in Swift and can be found in the system log. You can view the system log through the pp assistant, iTools, or Xcode’s Devices and Simulators.
If you print the log with Print, it will not appear in the system log.
2.2 OC log
Do not output NSLog logs in a release environment. Generally everyone will use macro definition to solve, as follows:
III. Storage of Information
Most programmers like to put keys directly into macros or constants.
For example: # definaes _ key @ “aaa123”
This can be easily decompiled. Security is poor. The following methods can be used to strengthen security and increase the difficulty of cracking.
After encrypting the key (A), it is defined as macro (B), and when it is used, it is decrypted to obtain the key (A). Where the key that encrypts key a is c.
Because when macro is defined, if we define it as a string, there will be a data segment directly, so that the cracker can easily get it. It is safer to define c and b as uint8_t arrays so that each character is placed in each individual instruction in the text segment. Generates a string after the instruction is executed. It will be safe.
Use a long text to extract the secret key according to the rules. The secret key is random.
A long text is defined at the server and the client. The app terminal randomly generates the starting position and length, shifts the starting position and length to generate corresponding numbers, Base64 codes the numbers, and transmits the generated character string to the server. The server can analyze the relevant key according to the character string.
The code is as follows:
This only increases the difficulty for the cracker to obtain the key, but it cannot completely prevent the cracker from obtaining the key.
The escaped iPhone can view the information saved by the exported Keychain. The contents of Keychains are stored in sqlite at: /private/var/Keychains. The contents stored in the keychain can be viewed through keychain-dump.
Therefore, the data stored in Keychain must be encrypted.
Plist and sqlite can be obtained directly from ipa installation files, so do not store important information in these files. If you want to save them, encrypt them and then store them.
Iv. app reinforcement
4.1 Code Confusion
Code obfuscation means replacing readable class names and method names with names that are not easy to read. Common methods include macro replacement and script replacement.
For example, the original method is named:-(void)loadNetData; After code obfuscation, after exporting the header file with class-dump, it will be displayed as the modified method name:-(void)showxhevaluatess;
4.2 use c language
The core code is written in C language, but functions in C language can also be hook, such as fishhook. Developers can use static inline functions to prevent hock, and crackers can only understand the logic of the code.
4.3 testing tweak
It can be detected whether the plist file under/library/mobilesubstrate/dynamic libraries contains the bundle id of its own app. If it does, it can restrict the function of app, prompt that the mobile phone is unsafe, etc.
Author: He Jichang