Security in mobile apps is nowadays a major concern, as a breach can result in confidential data theft. In this article, I'd like to present a few quick tips that are easy to apply and that can help you make your iOS app more secure.
Keychain provides secure storage; it is the best place for storing data that is critical to your app, such as secrets and passwords. User Defaults are fine when you're dealing with preferences, but you should never store sensitive or personal data in them. Keychain may seem difficult to use, but a wrapper makes it much easier.
Keep in mind that Keychain uses two levels of encryption. The first level uses the lock screen passcode as the encryption key. The second level uses a key generated by and stored on the device. On devices with no passcode, the Keychain can be compromised.
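A small Keychain wrapper of the kind mentioned above, written as an added example for this article rather than code from the original post. It stores a secret as a generic-password item through the Security framework, which is what keeps it out of the plain-text UserDefaults plist. The service name and the sample token are assumptions made up for the example. The accessibility class is a parameter so that you can pick `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` for secrets that should not exist at all on a device without a passcode, which is the caveat from the paragraph above.

```swift
import Foundation
import Security

/// Minimal Keychain wrapper (added example, not from the original article).
/// Secrets are stored as generic-password items, so they are encrypted by the
/// Keychain instead of sitting in plain text inside UserDefaults.
enum KeychainStore {
    enum KeychainError: Error {
        case unexpectedStatus(OSStatus)
        case invalidData
    }

    /// Hypothetical service identifier; use your own bundle-scoped name.
    static let service = "com.example.secure-app"

    /// Saves (or replaces) a secret for the given account.
    /// `accessible` controls when the item can be read; the default only allows
    /// access while the device is unlocked and never migrates the item to
    /// another device through a backup. Pass
    /// `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` if the secret must not
    /// be stored on a device that has no passcode at all.
    static func save(_ secret: String,
                     forKey account: String,
                     accessible: CFString = kSecAttrAccessibleWhenUnlockedThisDeviceOnly) throws {
        guard let data = secret.data(using: .utf8) else { throw KeychainError.invalidData }

        // Base query identifying the item.
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]

        // Remove any existing item first so that save() behaves as an upsert.
        SecItemDelete(query as CFDictionary)

        query[kSecValueData as String] = data
        query[kSecAttrAccessible as String] = accessible

        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns the stored secret, or nil when no item exists for the account.
    static func load(forKey account: String) throws -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        guard let data = result as? Data,
              let value = String(data: data, encoding: .utf8) else {
            throw KeychainError.invalidData
        }
        return value
    }

    /// Deletes the secret; a missing item is not treated as an error.
    static func delete(forKey account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        let status = SecItemDelete(query as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage: keep a session token in the Keychain instead of UserDefaults.
// The token value is a constructed sample.
try KeychainStore.save("constructed-sample-token", forKey: "sessionToken")
let token = try KeychainStore.load(forKey: "sessionToken")
try KeychainStore.delete(forKey: "sessionToken")
```

The delete-then-add pattern keeps the wrapper simple; a production version would use `SecItemUpdate` to avoid the brief window in which the item is absent.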
Introduced as part of iOS 9, ATS (App Transport Security) makes the app transfer its data over HTTPS connections instead of HTTP. ATS is turned on by default, though developers can disable it easily. That's fine while the app is in development and your server doesn't offer SSL yet, but an App Store build should never make plain HTTP requests, and ATS should be enabled.
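The way ATS gets disabled in practice is a leftover `NSAllowsArbitraryLoads` entry in Info.plist. The following added example (not code from the original article) reads the ATS keys from an Info.plist dictionary, shows a weak setting beside a corrected one, and gives a release-build guard you can run as a unit test against `Bundle.main.infoDictionary`. The key names are Apple's real ATS keys; the two sample dictionaries and the `legacy.example.com` host are constructed for the example.

```swift
import Foundation

/// Added example: audit the ATS configuration found in an Info.plist dictionary.
enum ATSAudit {
    static let atsKey = "NSAppTransportSecurity"
    static let arbitraryLoadsKey = "NSAllowsArbitraryLoads"
    static let exceptionDomainsKey = "NSExceptionDomains"

    /// True when NSAllowsArbitraryLoads is set, i.e. every plain HTTP request
    /// is permitted and the app has effectively opted out of ATS.
    static func allowsArbitraryLoads(_ info: [String: Any]) -> Bool {
        guard let ats = info[atsKey] as? [String: Any] else { return false }
        return (ats[arbitraryLoadsKey] as? Bool) ?? false
    }

    /// Lists per-domain exceptions so a reviewer can see which hosts are still
    /// allowed to use HTTP; each one needs a justification for App Review.
    static func exceptionDomains(_ info: [String: Any]) -> [String] {
        guard let ats = info[atsKey] as? [String: Any],
              let domains = ats[exceptionDomainsKey] as? [String: Any] else { return [] }
        return domains.keys.sorted()
    }
}

// Weak setting often left over from development: everything may go over HTTP.
let weakInfo: [String: Any] = [
    "NSAppTransportSecurity": ["NSAllowsArbitraryLoads": true]
]

// Corrected setting: ATS stays on. Only one named host (constructed) is exempted
// while its server lacks TLS, and the exemption is visible and reviewable.
let correctedInfo: [String: Any] = [
    "NSAppTransportSecurity": [
        "NSExceptionDomains": [
            "legacy.example.com": ["NSExceptionAllowsInsecureHTTPLoads": true]
        ]
    ]
]

/// Release-build guard: refuse to ship with ATS globally disabled.
/// Call it from a unit test with Bundle.main.infoDictionary ?? [:].
func assertATSEnabled(_ info: [String: Any]) {
    #if !DEBUG
    precondition(!ATSAudit.allowsArbitraryLoads(info),
                 "ATS is disabled; remove NSAllowsArbitraryLoads before release")
    #endif
}

assert(ATSAudit.allowsArbitraryLoads(weakInfo))
assert(!ATSAudit.allowsArbitraryLoads(correctedInfo))
assert(ATSAudit.exceptionDomains(correctedInfo) == ["legacy.example.com"])
assertATSEnabled(correctedInfo)
```

Keeping the check in a test rather than in app code means a stray development exception fails the build pipeline instead of reaching the App Store.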
HTTPS is effective, but bear in mind that it doesn't protect you from a couple of attacks, such as Man in the Middle.
API keys or any other critical data shouldn't be stored in plain text in the app repository. Instead you can, for example, use cocoapods-keys, which obfuscates them. Obfuscation is probably not a big deal for a professional app cracker, but at least your raw secret values are not part of the Git history.
You should be aware that 3rd party frameworks might be vulnerable. The easiest way to protect the app, although not 100% effective, is to keep them updated to the latest stable version.