5 security issues detected in the iOS apps

12 Feb 2023 By MORISSARD Jérôme

With the growing number of iOS devices and the increasing use of mobile applications, security has become a critical concern for both developers and users. A recent analysis of 15,000 iOS apps on production revealed a number of significant security issues that need to be addressed in order to ensure the safety and privacy of users and their data.

AppScan maintains a database of 15,000 scanned apps, and we have narrowed our focus to the top 100 in each category in order to identify the most significant security issues present in live production environments.

1. Login & Password in the App Bundle

It is astounding but true. We discovered unprotected server credentials. The information was stored without any form of security within the app’s bundle, leaving it highly vulnerable to potential breaches.

How to store Credentials needed for your App?

A better place is in inside the binary itself, it’s compiled & crypted, protected by the Apple security.

2. API keys and tokens in plain sight within the Info.plist

While many apps follow this practice, it is not a secure method of storage. This is due to the ease with which these credentials can be detected and exploited by malicious actors.

Exposing API keys and tokens in the Info.plist file of an iOS app is a security risk for several reasons:

  • Lack of encryption: When API keys and tokens are stored in plain text within the Info.plist file, they can be easily accessed and read by anyone with access to the app’s code. This makes it simple for an attacker to steal the credentials and use them for malicious purposes.
  • Increased risk of theft: API keys and tokens are valuable assets that grant access to sensitive resources and data. When they are stored in plain text, they become an attractive target for hackers who are looking to steal this information.
  • Unauthorized access: Attackers who gain access to API keys and tokens can use them to access resources and data that they are not authorized to access, potentially leading to data breaches or other security incidents.
  • Lack of control: When API keys and tokens are stored in plain text, developers have no way of controlling how they are used or who has access to them. This makes it difficult to monitor and prevent unauthorized access or misuse.

Overall, it is important for developers to understand the risks associated with exposing API keys and tokens in the Info.plist file, and to take steps to protect this information by implementing secure storage mechanisms. This can include encrypting the credentials or storing them in a secure backend server, among other options.

How to store Api keys & tokens needed for your App?

Same things, the binary itself is a better place. Not a perfect place because it’s still possible to reverse engineer this component.

3. App Transport Security deactivated

It’s too often the case, let’s have a look the previous article Apple Transport Security or not .

App Transport Security (ATS) is a security feature introduced in iOS 9 that helps to ensure that data transmitted by an app is secure. When ATS is enabled, it requires the use of secure communication protocols such as HTTPS and TLS to transmit data over the network.

The risk of having deactivated ATS in an iOS app is that it allows for the use of insecure communication protocols, making the app vulnerable to various attacks. For example:

  • Man-in-the-middle attacks: When ATS is deactivated, an attacker can intercept and modify the data transmitted between the app and the server, potentially compromising sensitive information such as login credentials and financial data.
  • Eavesdropping: Without ATS, an attacker can eavesdrop on the communication between the app and the server and steal sensitive information.
  • Data tampering: When ATS is not in use, an attacker can modify the data transmitted between the app and the server, potentially causing harm to the user or the app.
  • Certificate validation: ATS helps to validate the authenticity of the server’s certificate, ensuring that the communication is secure. When ATS is deactivated, the app may not validate the certificate, making it vulnerable to phishing attacks and other security risks.

Overall, deactivating ATS in an iOS app can have serious consequences for the security and privacy of users and their data. Developers should carefully consider the potential risks and only deactivate ATS when absolutely necessary, and only after thoroughly evaluating the potential security implications.

4. Funky additionnal files

Incredible, the findings on the App Store are beyond belief.

  • .PSD files: some Photoshop files (a they were very big)
  • xcodebuild files : some building informations.
  • .md & .txt files : description of some features, the life of the git repo repository history. Those files are human readdable some they might contain lot of things.
  • .yml and .json : those files are more technic, so less easy to read, but can store lot of strategical informations.

5. Development environments are detectable

Having detectable staging and development environments can be a security risk for several reasons:

  • Sensitive information exposure: Development environments may contain sensitive information such as API keys, tokens, or other credentials that are meant to be kept confidential. If these environments are detectable, they can be easily accessed by attackers, who can steal this information and use it for malicious purposes.
  • Configuration issues: Development environments are often configured differently than production environments, and may have vulnerabilities that are not present in production. If these environments are detectable, attackers can exploit these vulnerabilities to gain access to sensitive data or systems.

Overall, it is important for developers to take steps to protect their development and staging environments, and to make sure that these environments are not easily accessible or detectable. This can include implementing security measures such as firewalls, access controls, and encryption, among others.

Do you want to check your Apps?

AppScan is an essential solution for anyone who is serious about developing secure, high-quality iOS apps. With its advanced scanning capabilities, comprehensive reports, and easy-to-use interface, AppScan is the ideal choice for developers who want to ensure that their apps are secure and reliable.

Scan your Apps