Kenneth van Wyk: Making safer iOS apps

Kenneth van Wyk | April 24, 2013
There still seem to be a lot of security flaws in iOS apps, but new tools could help fix that

(By the way, I'm sure you know that on-device storage should be a last resort. It's always preferable to keep sensitive stuff on the server.)

When local storage couldn't be avoided, one tool that I've found helpful is SQLCipher, which adds encryption via OpenSSL to any existing SQLite apps. It doesn't address the issue of key management, but it's a great starting point.

Relatively new is an open-source programming security framework from the folks at MITRE called iMAS. The iMAS library provides iOS developers with a set of easy-to-use tools to accomplish various security tasks in their apps.

Not sure how to use these things? Dive in and read the docs, and start trying them. And if you're looking for a safe learning environment to explore how to implement some of the above remediations, consider looking at OWASP's iGoat tool. iGoat is a deliberately flawed app with a series of exercises in which an iOS app developer learns how to implement security fixes to common security problems like the ones I've described above. (Full disclosure: I'm the iGoat project leader, but iGoat is open source and free for all to use.)

Without a doubt, the iOS app community needs more tools and frameworks like iMAS, but I think the new open-source developments give us good reason to believe more will be emerging. Keep your eyes open for more; the toughest hurdle to clear is often just making your iOS development team aware of the tools available to them.

It looks to me as if we're going in the right direction. Here's hoping we continue that way.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

