How to audit an iOS app?

11 Nov 2022

Auditing an app is a long and meticulous thing. It requires time and expertise and most of the time you need to own the code and be able to share it.

AppScan has developed a methodology to audit an App and a service to analyze any app faster than anyone and without source code. Discover AppScan offers

How to audit a mobile App?

Why audit an App?

Making an app takes time and money.
No matter what technology you use: Native, Cross Platform or No-Low code, it will result in the creation of an App, which will be submitted as a package to Apple. It will eventually be available on the AppStore, and you will have to maintain it for many years.

Therefore, the reasons for doing an audit can be numerous:

  • πŸ› Presence of too many bugs, we want to understand why,
  • 🀯 Developers have difficulty in producing new features, are there architectural problems? poor code quality? bad technical choices?)
  • 😘 App owners want to be reassured about technical choices.
  • πŸ’° Investors too and maybe they are even interested in the competitors.

The audit of an App with source code:

Someone external is commissioned to analyze the App. The source code of the app will be provided to him and he will apply his own methodology to analyze the application. After a few months, he will provide a report of the audit.

πŸ‘ Pros:

  • It is important to have an objective view of your App
  • A vision of your strengths and weaknesses

👎 Cons:

  • It is worrying because you have to share your source code and your secrets.
  • It is expensive. It requires a considerable amount of time for analysis and interpretation by someone who is an expert in the field.
  • It requires trust: are we sure it is done well?

How to evaluate the technical quality

◻ Development methodology: study how the development of the app is organized. The source management, the gitflow, the commit messages, the merging of requests, the peer reviews.

◻ Code organization: analyze how the code is organized in the sources.

◻ App architecture: study the structures, classes, good usage of Design Patterns, modules, libraries, dependencies.

◻ Syntactic rules: check if the code is clean. Are style guides and naming conventions applied?

◻ Semantic rules: complexity rules, algorithm optimizations.

◻ Security: apply security audit checks.

The tools to do that:

The security audit without app sources

Someone external is commissioned to analyze the App. After a few months, he will provide a report of the audit.

👍 Pros:

  • It is important to have an expert view for that domain

👎 Cons:

  • It is expensive. It requires a considerable amount of time for analysis and interpretation by someone who is an expert in the field.
  • It requires trust: are we sure it is done well?

Security by Apple

Apple has set the bar very, very high in terms of security. You can have a look at Apple's official guide (the Apple Platform Security Guide) or review the OWASP iOS Platform Overview to understand it.

System & device protection:

App packaging protections:

  • difficulty or impossibility of obtaining an .ipa
  • binary encryption
  • complex binary decryption

Data protection:

  • sandbox
  • maximum security on network exchanges by default
  • data access security (permissions)

Evaluate the security

◻ Data exchanges: validate how data is exchanged between the App and the network.

◻ Secure the stored information: validate how the data is stored and persisted.

◻ Root detection: check the risks of reverse engineering.

This can be summarized as :

  • securing data exchanges,
  • securing the stored information,
  • limiting the risks of reverse engineering.

In reality, it is complex to implement because it requires an excellent knowledge of the platform and existing flaws.
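As an added example (not part of the original article), here is a check an auditor can run on a package without source code, covering the "data exchanges" item: it reads the app's Info.plist from an .ipa archive and reports every App Transport Security (ATS) relaxation, since ATS is the "secure by default" network policy referred to above. The sample package, bundle name and domains are constructed here; the NSAppTransportSecurity keys are Apple's documented ones.

```python
import io
import plistlib
import zipfile

# Constructed sample Info.plist with deliberately relaxed ATS settings (not a real app).
SAMPLE_INFO_PLIST = {
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": False,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSIncludesSubdomains": True,
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
            "api.example.com": {"NSExceptionMinimumTLSVersion": "TLSv1.2"},  # ATS default, no finding
        },
    },
}

def build_sample_ipa(info: dict = SAMPLE_INFO_PLIST) -> bytes:
    """Build a minimal .ipa-shaped zip in memory; a framework plist is included as a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Demo.app/Frameworks/Lib.framework/Info.plist", plistlib.dumps({}))
    return buf.getvalue()

def audit_ats(ipa_bytes: bytes) -> list[str]:
    """Report every App Transport Security relaxation found in the app bundle's Info.plist."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        # Only the top-level bundle: Payload/<Name>.app/Info.plist has exactly two slashes
        for name in ipa.namelist():
            if name.count("/") != 2 or not name.endswith(".app/Info.plist"):
                continue
            ats = plistlib.loads(ipa.read(name)).get("NSAppTransportSecurity", {})
            if ats.get("NSAllowsArbitraryLoads"):
                findings.append(f"{name}: NSAllowsArbitraryLoads disables ATS globally")
            for domain, exc in ats.get("NSExceptionDomains", {}).items():
                scope = "and subdomains" if exc.get("NSIncludesSubdomains") else "only"
                if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
                    findings.append(f"{name}: plain HTTP allowed for {domain} ({scope})")
                tls = exc.get("NSExceptionMinimumTLSVersion")
                if tls in ("TLSv1.0", "TLSv1.1"):
                    findings.append(f"{name}: weak minimum TLS {tls} for {domain}")
    return findings

if __name__ == "__main__":
    for finding in audit_ats(build_sample_ipa()):
        print("FINDING:", finding)
```

The same function works on a real decrypted .ipa read from disk, since it is an ordinary zip archive.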

Audit tools

  • Testing guide: The OWASP Mobile Security Testing Guide
  • Decrypt ipa: frida-ios-dump, Clutch
  • All-in-one tool: MobSF
