How would you securely store private user data offline on a device? What other security best practices should be taken?

-

Again there is no right answer to this, but it's a great way to see how much a person has dug into iOS security. If you're interviewing with a bank I'd almost definitely expect someone to know something about it, but all companies need to take security seriously, so here's the ideal list of topics I'd expect to hear in an answer:
  • If the data is extremely sensitive then it should never be stored offline on the device because all devices are crackable.
  • The keychain is one option for storing data securely. However it's encryption is based on the pin code of the device. User's are not forced to set a pin, so in some situations the data may not even be encrypted. In addition the users pin code may be easily hacked.
  • A better solution is to use something like SQLCipher which is a fully encrypted SQLite database. The encryption key can be enforced by the application and separate from the user's pin code.
Other security best practices are:
  • Only communicate with remote servers over SSL/HTTPS.
  • If possible implement certificate pinning in the application to prevent man-in-the-middle attacks on public WiFi.
  • Clear sensitive data out of memory by overwriting it.
  • Ensure all validation of data being submitted is also run on the server side.

Comments

Post a Comment

Popular posts from this blog

iOS Architecture

-
Image
I am pretty sure that even a few experienced iOS developers would have a hard time defining the iOS SDK in one sentence. The acronym  SDK  stands for  Software Development Kit . The iOS SDK contains the tools and resources to develop native iOS applications, which means that the SDK enables developers to develop, install, run, and test applications in the simulator and on physical devices. The two driving forces powering native iOS applications are Swift (or Objective-C) and the native iOS system frameworks. In the previous articles, we explored the Swift programming language. In this article, I want to explore the frameworks that power native iOS applications. You now know what the iOS SDK is, but what makes an application qualify as a native iOS application? The simple answer is that an iOS application is an application that runs on an iOS device. That's only half the truth, though. What about web applications that run in Safari? An iOS application is a Cocoa application
Read more

Property vs Instance Variable (iVar) in Objective-c [Small Concept but Great Understanding..]

-
Do you use properties or instance variables to store something inside an object? Let’s understand what is better and when. I think the subject is much less arguable if it’s about getting/setting some data from outside the class (right, properties should be used). So in this post we will focus on private and protected class members. Does it matter? It might sound not that important – why can’t we just make a random decision and stick to it? Well, properties / ivars are something that is used all the time. I think it’s a good practice to sometimes pay attention to how we do common tasks. It’s natural, and it’s a good way to increase efficiency as well – even a slight improvement sums up to something quite significant within time.  Performance Obviously, using properties will cost you some CPU because additional methods get called. But this is so insignificant in 99.99% of the cases! And for the rest 0.01% – use ivars, but be aware that the improvement you get is almost nothin
Read more

setNeedsLayout vs layoutIfNeeded Explained

-
Let’s take a look at the difference between  setNeedsLayout  and  layoutIfNeeded . As part of the normal startup process,  UIApplication  in iOS starts the main run loop for an app, which runs on the main thread. The main run loop processes events (such as user touches) and handles updates to view-based interfaces. As events occur, such as touch, location updates, motion, and multimedia control, the run loop finds the appropriate handler for the events, calling appropriate methods, which call other methods, and so on. At some moment in time, all events will have been handled and control will return to the run loop. Let’s label this point where control is returned to the run loop as the  update cycle , since this is how Apple refers to it in some of their documentation. You could use other terminology to conceptualize it, such as a break in the action, the redraw cycle, or a free moment. While events are being processed and dispatched, and as changes to views are requested, they a
Read more