Smartphones play a role in our lives that grows larger every day. Protecting the users of their apps has become a matter of urgency, and security experts have an important part in identifying undesirable behaviours, such as leaking data, allowing errors in the applications installed on a device, generating unexpected costs, or denying a particular service to the phone's user.
In an article by Denise Giusto Bilić, Information Security researcher at ESET, she shares instructions and important tips for discovering some of the mistakes developers make when creating apps for iOS.
(1) Put yourself in the programmer's place
Try to understand the people behind the code you are testing. Find out which programming language they usually work with, or which was their first or main language. A programmer's style is usually obvious in the structure of their code and in the nature of their mistakes, and knowing these things points you in the right direction when it comes to the investigation.
For example, coders with a Java background tend to repeat design patterns over and over again. Mobile developers who come from web development are different: they tend to offload functionality to a web application and rely heavily on WebKit. Both kinds of developer are already comfortable with high-level APIs, but they are prone to errors when dealing with low-level APIs.
(2) Get the source code
Although the source code is not normally available to an attacker, getting hold of it will help you discover the most mistakes in the shortest time. Penetration tests usually come with limited resources in terms of time and money, so it is best to get the most out of them. Your aim is not to replay the scenario of a real attack; it is to find the largest number of security holes so that the final application is more secure.
Because Objective-C is object oriented (C / Objective-C), reverse engineering makes it possible to get a fairly clear view of the internal mechanisms under investigation even without the source code. Given unlimited time, an attacker could recover, partially or fully, what you would get from the code directly. It is better to save that time and devote your efforts to finding the security flaws.
(3) Keep in mind the weaknesses of the language
Although Objective-C is object oriented, it repeats some of the security errors of C and C++: the use of dangerous APIs such as strcpy and strcat, or weak development mechanisms such as categories or method swizzling, can cause undefined behaviour that leads to serious security errors. For this reason, make sure to investigate how these techniques affect the application.
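The strcpy/strcat weakness named above, shown in plain C (which Objective-C helpers inherit) as an added example that is not part of the ESET article: the unchecked copy beside a bounded version that measures first, refuses input that does not fit, and always leaves the buffer NUL-terminated. NAME_MAX and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size buffer, as often found in native helpers */

/* Length of src, capped at NAME_MAX, without reading past NAME_MAX bytes. */
static size_t bounded_len(const char *src)
{
    const char *nul = memchr(src, '\0', NAME_MAX);
    return nul ? (size_t)(nul - src) : NAME_MAX;
}

/* Weak pattern (kept for comparison only): strcpy copies until the NUL byte,
 * so any input longer than NAME_MAX - 1 writes past the end of dst. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * (including the terminating NUL), and never leave dst unterminated. */
bool copy_name_checked(char dst[NAME_MAX], const char *src)
{
    size_t n = bounded_len(src);
    if (n >= NAME_MAX) {      /* no room for the NUL terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Same idea for strcat: bounded append that reports truncation instead of
 * overflowing; on failure dst is left unchanged. */
bool append_checked(char dst[NAME_MAX], const char *src)
{
    size_t used = bounded_len(dst);
    size_t add  = bounded_len(src);
    if (used >= NAME_MAX || used + add >= NAME_MAX) {
        return false;
    }
    memcpy(dst + used, src, add + 1);
    return true;
}
```

A code reviewer can grep for strcpy/strcat/sprintf and check that every call site has the equivalent of the length check above; the unchecked version exists only to show what to look for.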
(4) Determine the possibility of vulnerable code being reused
A bad habit of many programmers is to look for solutions on the internet and copy the code without testing how it works, especially when it comes to low-level helper functions, network connectivity, and encryption. Third-party code is also integrated into key parts of a program without verifying that it is free of security defects. This can leave the same weak code present across multiple applications.
(5) Use two test devices: one jailbroken and one stock
Having a device with the factory operating system will help you assess how the application behaves in the real end-user environment, with all security mechanisms enabled and without problems registering for push notifications. In contrast, you can use the jailbroken device to explore the file system in more detail and to see how the operating system works.
We hope these tips help you find new perspectives for the analytical investigation you are working on.
The post "5 tips to address the security flaws in iOS apps" appeared first on the buckle.