iOS Development - Tips & Tricks

Software Development Lead - iOS Galin Kardzhilov
Software Development Manager - iOS Stefan Tsvyatkov

description

Talk by Galin Kardzhilov and Stefan Tsvyatkov from VarnaConf 2014

Transcript of iOS Development - Tips & Tricks

  • 1. iOS Development - Tips & Tricks
       Software Development Lead - iOS Galin Kardzhilov
       Software Development Manager - iOS Stefan Tsvyatkov

  • 2. Agenda
       - Why iOS
       - Some challenges
       - iOS Security

  • 3. About Me
       Started with

  • 4. About Me

  • 5. Why iOS?

       - (NSString *)generateReasonsWhyiOS {
           NSMutableString *reasons = [[NSMutableString alloc] init];
           [reasons appendString:@"It's new"];
           [reasons appendString:@"It's challenging"];
           [reasons appendString:@"It compiles to native"];
           [reasons appendString:@"You have to deal with hardware limitations"];
           [reasons appendString:@"You have to provide responsiveness"];
           [reasons appendString:@"You have to provide usability"];
           [reasons appendString:@"You have to provide security"];
           [reasons appendString:@"Often craftsmanship is required"];
           [reasons appendString:@"Your code runs into people's pockets"];
           return reasons;
       }

  • 6. - Table view
       - Background image
       - Custom drawn cells flipped

  • 7. (no text on slide)

  • 8. - Scroll View
       - Custom View

  • 9. (no text on slide)

  • 10. Security in iOS
       - Local Storage
       - Communication with the server
       - Binary analysis and manipulation

  • 11. Local Storage Security
       NSUserDefaults
       - Convenient
       - Not encrypted by default
       - Keeps the data in a plist file
       CoreData
       - Not encrypted by default
       - Keeps the data in an SQLite database

  • 12. Local Storage Security
       Keychain Access
       - Encrypted by default
       - A bit more complex to use
       - Insecure on jailbroken devices
       Data encryption
       - Crypto API
       - Obfuscate the encryption key
       - Use unique device information
       - String constant
       - [[UIDevice currentDevice] identifierForVendor]
       - Custom algorithm
       - Secure encryption key

  • 13. Server Communication Security
       - Use SSL
       - Don't accept self-signed certificates
       - Client and server side data validation

  • 14. Runtime Manipulation

       #import <UIKit/UIKit.h>
       #import "AppDelegate.h"
       #import "ptrace.h"   // project-local header declaring ptrace() and PT_DENY_ATTACH

       int main(int argc, char * argv[]) {
       #ifndef DEBUG
           // Release builds only: ask the kernel to refuse debugger attachment.
           ptrace(PT_DENY_ATTACH, 0, 0, 0);
       #endif
           @autoreleasepool {
               return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
           }
       }

       ptrace
       - Denies a debugger from attaching
       - Can be patched out of the binary
       - Put it in multiple places

  • 15. Runtime Manipulation
       SEC_IS_BEING_DEBUGGED_RETURN_NIL()
       - Checks if a debugger is attached
       - Hard to patch out of the binary
       - Make the check regularly and in critical parts
       - Doesn't work against Cycript

       #ifndef DEBUG
           SEC_IS_BEING_DEBUGGED_RETURN_NIL();
       #endif

  • 16. Conclusion
       - Keychain Access for storing
       - SSL for transporting
       - Check for debuggers
       - 100% security does not exist

  • 17. Thank you!
       Galin Kardzhilov @gravera
       Stefan Tsvyatkov @stsvyatkov
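
The Keychain option from the Local Storage Security slides, as an added example that is not part of the original talk: storing and reading back a secret with the Security framework instead of NSUserDefaults. The service name and the `ExampleStoreSecret` / `ExampleLoadSecret` helpers are hypothetical names chosen for illustration, and the code assumes ARC.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name for this example; use your app's own identifier.
static NSString *const kExampleService = @"com.example.app.session";

// Store (or replace) a secret under `account`. Returns YES on success.
static BOOL ExampleStoreSecret(NSString *secret, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
    };
    // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = [secret dataUsingEncoding:NSUTF8StringEncoding];
    // Readable only while the device is unlocked, and never migrated to
    // another device through a backup.
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    return status == errSecSuccess;
}

// Read the secret back. Returns nil if the item is missing or not readable
// (for example, because the device is locked).
static NSString *ExampleLoadSecret(NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

The same value written with NSUserDefaults would sit unencrypted in the app's plist file, which is the contrast the slides draw.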