iOS security guidelines

Preventing sensitive data leaks

Use the following methods for managing sensitive data in the application life cycle:

applicationWillResignActive: To clear the display on the screen and to encrypt the displayed sensitive data. To clear the display, the following code can be used to hide the displayed content:

iOS example: clear display

UIApplication.shared.keyWindow.hidden = true

applicationDidBecomeActive: To display and decrypt sensitive data.
UIScreenCapturedDidChangeNotification: To detect the screen recording. The application should clear display of and encrypt any sensitive data.

Remove symbols from Xcode output

The application has to remove all symbols from the final release binary.

The following settings are recommended to be set in the Xcode project in order to remove debug information and other symbols:

Xcode settings

DEPLOYMENT_POSTPROCESSING = YES
GCC_GENERATE_DEBUGGING_SYMBOLS = NO
STRIP_INSTALLED_PRODUCT = YES
STRIP_STYLE = all
COPY_PHASE_STRIP = YES

Manage sensitive data in Swift

The application has to ensure that all sensitive data are properly managed. As the value type of Data is Swift, additional pointers assigned to the data will result in a new copy of the allocated bytes.

Such practices should be minimized to mitigate the number of sensitive bytes allocated.

Allocated bytes can be passed as an inout argument to pass by reference and to be wiped once its usage is completed.

The following code snippet demonstrates how to pass the allocated bytes as an inout argument:

Swift example: pass Data by reference

func helloWorld(_ data: inout Data) {
	...
}

var data = Data()
helloWorld(&data)

The following code snippet demonstrates how to wipe a Data variable:

Swift example: wipe Data

extension Data {
    internal mutating func wipe() {
        guard count > 0 else {
            return
        }
        let length = count
        withUnsafeMutableBytes { ptr in
            if let mutableRawPtr = ptr.baseAddress {
                memset_s(mutableRawPtr, length, 0, length)
            }
        }
    }
}

Disable auto-correction cache for sensitive input

The application must disable the auto-correction cache for inputs that request sensitive data. This prevents an attacker with access to the device from using the autocomplete suggested strings to view the sensitive text input data.

The application may perform one of the following actions to disable the auto-correction cache:

Set the secureTextEntry field to true.
Set the autoCorrectionType field to UITextAutocorrectionType.no.

Disable data copy/paste for sensitive data

The application must disable the copy/paste menu for sensitive data. This prevents an attacker with access to the device from pasting and viewing the copied data. The following sample code disables the copy/paste menu:

Swift example: disable copy/paste menu

override func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {
    let menuController = UIMenuController.shared
    menuController.isMenuVisible = false
}

Manage app versions in the App Store

It is possible for end users to re-download previous app versions that are already purchased or installed, allowing end users to use apps on older devices that may no longer be supported by the current version of your application. If you do not wish to make these versions available, you can manage the availability of your apps' previous versions in the Rights and Pricing section of the Manage Your Apps module in AppStore Connect.

For details, refer to AppStore Connect.

From a security standpoint, it is recommended to keep attack surfaces as small as possible. While keeping older versions provides a much wider audience, it can also expose the solution to old firmware whose security may have already been compromised. It is best to use one version of your application (the latest one) available at one time, and configure your build settings to support wider iOS versions, instead.

Disable the app’s “Simulator” in deployment target

The deployment target should only include iOS devices.

Disable the app’s “Apple Silicon Mac availability” in App Store Connect

Running an iOS application on Mac M1 is much less secure because it is easier to access to both issuer application binary and the sandbox data.

Disable App’s “Apple Silicon Mac availability” in App Store Connect to disallow it from installing on the M1 Mac to reduce the risk.

For details on how to disable “Apple Silicon Mac availability”, see the Apple document here.

Prevent tampering of the application

To prevent malicious hacking into the application code, it is recommended to verify the integrity of the issuer application’s binary at runtime. This can be implemented in the issuer application by calculating the checksum of the __text section of __TEXT segment.

For implementation details, refer to github link. A strong obfuscation is required to protect the code calculating checksum.

For the risks associated with tampering attacks, check out the OWASP link at OWASP link.

Use Xcode compiler security and obfuscation options

The application must use Xcode options that increase the security and provide obfuscation by making disassembly more complex.

The following settings are recommended to set in the Xcode project:

Xcode settings

GCC_UNROLL_LOOPS = YES
GCC_OPTIMIZATION_LEVEL = 3
OTHER_CFLAGS = -fstack-protector-all -finline-functions
CLANG_ENABLE_OBJC_ARC = YES
GCC_DYNAMIC_NO_PIC = NO
LD_NO_PIE = NO
RUN_CLANG_STATIC_ANALYZER = YES
CLANG_ANALYZER_SECURITY_FLOATLOOPCOUNTER = YES
CLANG_ANALYZER_SECURITY_INSECUREAPI_RAND = YES
CLANG_ANALYZER_SECURITY_INSECUREAPI_STRCPY = YES
CLANG_ANALYZER_SECURITY_INSECUREAPI_GETPW_GETS = YES
CLANG_ANALYZER_SECURITY_INSECUREAPI_MKSTEMP = YES
CLANG_ANALYZER_SECURITY_INSECUREAPI_VFORK = YES

PreviousAndroid security guidelines NextSecurity countermeasures

Last updated 3 months ago

Was this helpful?