All Questions

406 questions with no upvoted or accepted answers
10votes
0answers
388views

How to zero out user data in memory (RAM) of WKWebView after dealloc

I would like iOS to zero out user sensitive data from memory (specifically username/password entered in HTML pages) of WKWebView once the user is done with it. Below project depicts the difference in ...
9votes
1answer
1kviews

Is it safe to pass auth token via iOS deep link?

I'm designing a webapp/mobileapp security flow where there are no passwords, only an auth token sent to the phone via sms. Flaws in this? The plan: Phone receives sms link with embedded invite token ...
9votes
2answers
6kviews

How to verify (and require) self-signed certificate in iOS

I'd like to create an SSL connection to my server using self-signed certificates that are shipped with the code in iOS. That way I don't have to worry about more sophisticated man-in-the-middle ...
8votes
1answer
3kviews

Android M - Keychain like storage for username/password

Here's the workflow from iOS that I'm trying to achieve on Android: User starts app for the first time and Logs in successfully with credentials (sent to API for validation). Prompt shows asking to ...
8votes
0answers
2kviews

iOS App Security Best Practices (API Keys, Constants, WS URLs, Credentials)

What are the best practices to add the extra security in iOS App so Attackers/Hackers can not easily find the Secure Private Keys, Constants strings inside the code. P.S: I found some other related ...
7votes
0answers
4kviews

Crash on launch because app is taking too long - deadlock - keychain

I have a little puzzle to solve... Our app is crashing on launch (the dreaded badf00d error, it's taking more than 5 seconds to launch) but we are not able to reproduce the issue. I was able to get ...
6votes
0answers
497views

Using the private key generated by DCAppAttestService

Apple released a way to attest generated key pairs on the iOS 14 beta, named Device Check App Attestation Service (DCAppAttestService). I've already successfully generated a key pair like it is ...
6votes
1answer
680views

Design for Mobile Authentication with NodeJS server

I recently struggled with the problem of security and user authentication for an iOS app I'm making, the main problem being how does one allow users to sign up with any 3rd party service (or a ...
6votes
2answers
6kviews

What is the most secure way to encrypt data on iphone/ipad's persistent storage?

I need to temporarily store images on iphone/ipad during the session. Once session is finished, I need to delete data downloaded during the session. I want to protect the data while it is on iphone/ipad'...
5votes
1answer
247views

How to get unique and consistent device id on Apple device

I need to generate a device ID that complies with the following criteria: It is universally unique. It is consistent (as much as possible), i.e. it stays the same for the same device. It requires minimal ...
5votes
1answer
865views

Class-dump-z extraction of classes & methods

I am using class-dump-z for extracting all the class name & methods for reverse engineering of iOS apps. But I want to know how this application actually works. How this application managed to ...
5votes
1answer
2kviews

What's the alternative for kSecTrustResultConfirm in iOS 7?

Our old app uses MKNetworkKit and MKNetworkOperation. Now under iOS 7 kSecTrustResultConfirm is deprecated. In MKNetworkOperation, there is this code: else if(result == kSecTrustResultConfirm) { // ...
4votes
1answer
593views

How to check if a Certificate is installed and trusted on iOS

I've an app which prompts the user to download and install a Configuration Profile. The profile contains a Root CA embedded inside it. I want to check if the Configuration Profile is installed on the ...
4votes
0answers
509views

Is there a way to generate an X.509 Certificate in Swift programmatically?

I know this is an old topic, since the very few answers found on the internet are 5 - 8 years old. My requirement is straightforward: I have generated an asymmetric key pair, and I want to send the ...
4votes
0answers
785views

How to safely pass user access token (sensitive data) to another iOS app when deep-linking

I am working on an iOS app which will handle user login for other apps. When a login is successful the user will be redirected to user's selected app (if installed) with iOS deep linking using URL ...
4votes
1answer
601views

Security risks tied to iOS push notification certificate

I have a security question related to iOS push notification certificates. When I export the certificate as a p12 and share it with say Google Cloud Messaging, what potential risks are there if ...
4votes
0answers
516views

Providing Antiforgery Token to Native Mobile Apps

I have an ASP.NET WebApi solution in place with all clients using Forms Auth. My MVC consumers are using the following: @Html.AntiForgeryToken() And then on all of my API endpoints I validate that ...
4votes
1answer
206views

Generating a PKCS12 key from SecKeyRef on iOS

I'm working on a problem where I need to share a public/private keypair from an iOS app to a Watchkit 2.0 app. Since Watchkit 2.0 no longer allows you to access the keychain on the phone from the ...
4votes
0answers
677views

Storing username & password in iOS 8 -- is an ARC-ified KeychainItemWrapper still necessary?

Is an ARC-ified KeychainItemWrapper, as described at iOS: How to store username/password within an app?, still necessary for storing username & password info in iOS 8? Most guidance I see in this ...
4votes
0answers
546views

Does iOS built-in security framework support ECC and ECDH?

I could find an answer from 2013 that iOS does not support ECC based encryption and a recommendation to use OpenSSL. I see at the Security Framework Reference some definitions for TLS_ECDH but it is ...
4votes
2answers
4kviews

Authenticating mobile device

I'm developing client-server application, where client applications will run on mobile devices (Android, iOS) and will communicate with the server via HTTP protocol. Mobile applications will be ...
4votes
0answers
325views

Can a custom NSURLProtocol be accessed from external code?

My app registers a NSURLProtocol subclass that intercepts one specific URL. The protocol replies to requests with a secret key. @implementation PrivateURLProtocol // ignore everything besides ...
4votes
0answers
590views

How do I get the Security Type of the currently connected WiFi network using either the BSSID or SSID?

While working on an iOS project in xcode, I use the 'CaptiveNetwork' class to retrieve the SSID, BSSID, and SSIDDATA of the currently connected WiFi network. My question is would it be possible to ...
4votes
2answers
2kviews

How to create private key from file in Objective C?

I have created a public key like this: NSString *pkFilePath = [[NSBundle mainBundle] pathForResource:@"public_key" ofType:@"der"]; NSData *myCertData = [NSData dataWithContentsOfFile:pkFilePath]; ...
4votes
2answers
992views

unable to check if a configuration profile exists on the iPhone

I am trying to check if a configuration profile exists on the iPhone, I found the following tutorial on how to do it: http://alex.tapmania.org/2011/09/check_conf_prof_is_installed_ios.html which, ...
3votes
1answer
350views

MobSF: Solve @rpath violation

We tested one of our iOS app with MobSF and the report highlighted that the binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run arbitrary executable ...
3votes
0answers
282views

iOS detect connection to unsecured Wi-fi

I know, that similar question has been already asked on SO, but it's pretty old, and doesn't provide the way to solve the problem using public API, only the private one. At the same time, there are ...
3votes
0answers
1kviews

Problem with iOS 12 with fullscreen mode on iPad - phishing detection false positive

In iOS 12 Apple appear to have implemented a security feature which detects rapid interaction with the iPad screen when in fullscreen mode and displays a warning message in the centre of the display ...
3votes
0answers
216views

Storing sensitive data in memory taken from keychain

Description Sensitive data is stored into keychain and after application launches data is taken from keychain, stored into variable and used from there afterwards. I don't want to query keychain for ...
3votes
0answers
262views

Cross platform compatibility of iOS encryption

I'm using iOS Security framework for encryption. Specifically I'm using the ECIES encryption which seems to be very specific in the selection of key exchange, derivation, hashing and authenticated ...
3votes
1answer
1kviews

Storing a token for offline authentication

I am working on an application that requires users to log in before they can use it. Users should only be able to log in when connected to the internet. When a user logs in, a token should be stored ...
3votes
0answers
474views

Extract DN (Distinguished Names) from a X.509 certificate using iOS API

I need to extract the DN (Distinguished Names) from a X.509 certificate using iOS native API. Without using any 3rd party libraries like OpenSSL. I need to extract it as a string with the following ...
3votes
0answers
333views

Enable complete debug logs for itunesstored on iOS 10, disabling replacing of data with <private>

On iOS 10, how can I make itunesstored not omit information from the console log, replacing it with <private>, as it does by default? With the introduction of Unified Logging in iOS 10, ...
3votes
1answer
180views

Is it appropriate to encrypt a file using identifierForVendor?

I'm pondering the correct way to encrypt a file in my application. The following applies to the data stored in the file: The data is not very sensitive The data can be recreated if lost (although it'...
3votes
0answers
82views

Authorizing mobile API call in iOS

I am looking for some nice solution to protect a 'sign-up' mobile API call against frauds, e.g. creating new users by spam bots. One possible solution is to put secret API token in the mobile app ...
3votes
0answers
509views

How do I require a device-level passcode to use my Phonegap app on iOS and Android?

I want to create an app that requires the user to have a lock code set up on the device. For example, when I link up to our Exchange server, it requires me to set a lock code on my Android and iOS ...
3votes
0answers
1kviews

Get SecTrustEvaluate to trust my self signed certificate

I am generating a certificate like so: openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem I want secTrustEvaluate to pass when I send in the key. I am converting the cert.pem to a ...
3votes
0answers
240views

Generate iOS codesignature without the codesign(1) binary

I have scoured the internet, and was unable to find much on the specifics of how exactly iOS/OSX .app bundles are signed. I know that the binary's (SHA1?) hash is taken and encrypted with asymmetric ...
3votes
0answers
800views

Offline and security in iOS App

I am designing offline features for an app which caches data in offline mode and provides them to users. The app also needs to support the login feature in the offline mode. I am seeing Sqlicipher ...
3votes
0answers
6kviews

How to download a file uploaded to a private Facebook group using Graph API

Facebook now allows us to upload arbitrary types of files to Facebook groups, which is great. I am writing a single-sign-on iOS app, which accesses such a private group the user belongs to, and ...
3votes
0answers
2kviews

Convert SecKeyRef (public key) to NSString

I am using Saving SecKeyRef device generated public/private key pair on disk this example, however I keep getting -25300 in sanityCheck. Could anyone please tell me what went wrong or what does this ...
3votes
0answers
284views

P12 files with iOS keychains

Is there a way to store a PKCS#12 file content as keychain item? Seems that keychain items can only be certificates, keys or passwords but not complete stores. Alternatively is there a way to store ...
3votes
2answers
678views

Application-specific data protection on iOS

I've seen some documentation and videos from WWDC about data protection in iOS5 and it seems very nice since it can encrypt all your application data and keep it protected as long as your device is ...
3votes
1answer
481views

Has Apple fixed the security issues with in-app purchase receipt validation?

I am referring to the issues described in this discussion. From reading that discussion, it appears at the time it was not possible to securely allow a user to use an IAP product on multiple ...
2votes
0answers
65views

Certificate Transparency check failing in Charles Proxy

I tried sniffing packets on my iOS app using Charles proxy. I added the Charles Proxy certificate on my iPhone trusted certificate store. I have the certificate transparency flag for my app turned on, ...
2votes
0answers
374views

Can anyone explain how to obfuscate codebase using Swiftshield?

I have gone through this post but I am still not able to obfuscate full codebase. I am using this command for the same: swiftshield -automatic -project-root ../TestApp -automatic-project-file ../...
2votes
1answer
1kviews

How can I extract IPA file from my iPhone to Mac?

I have one iOS application, which I have downloaded from appstore. Now I want to extract that application to check internal storage. I have tried in macOS catalina, here I am not able to install ...
2votes
0answers
62views

How can I generate a certificate at runtime on iOS to use with the SSLSetCertificate function?

I am using the BiAtoms/Socket.Swift library that supports TLS on iOS. Although the library supports importing a .p12 certificate, this is not what I require. I need to generate a new certificate ...
2votes
0answers
178views

The below code is working very fine for the detached signature!! How to get attached signature?

The result that I am getting in final is detached signature but my requirement is to get the attached signature. I must sign with my CSR file to get the attached signature using openssl. I have gone ...
2votes
0answers
598views

SecAddSharedWebCredential silent error when storing shared safari credentials - failed app review

My app is failing review due to a hang on the login screen. When the user logs in, after the app receives a successful response it tries to store or update the user shared web credential. The app has ...