close search bar

Sorry, not available in this language yet

close language selection

Secure Programming for iOS

Course Description

The Apple iOS platform provides a comprehensive set of features for creating versatile mobile applications. The platform’s specific architecture and security model sets it apart from other mobile operating environments. This distinction introduces specific risks from a mobile application security perspective. This course teaches defensive programming techniques to mitigate common risks in iOS applications. It gives special emphasis to describing key security controls provided by the platform and how to use them correctly.

Learning Objectives

  • Understand the security benefits of each language and which may be the better solution to select
  • Identify security concerns with IPC (basic) and what to do to prevent issues
  • Identify and use secure communication techniques to protect data in transit
  • Identify and use WebView components securely
  • Understand how to authenticate and authorize users
  • Understand the downsides of common local storage options and how to protect sensitive data

Details

Delivery Format: eLearning

Duration: 1 Hour

Level: Advanced

Intended Audience:

  • Architects
  • Back-End Developers
  • Development Managers
  • Enterprise Developers
  • Front-End Developers
  • Mobile Developers
  • QA Engineers

Prerequisites: 

Course Outline

Secure Development Introduction

  • Introduction to iOS Development Languages
  • Introduction to Objective-C
  • Variables
  • Constants
  • Messaging
  • Pointers
  • Introduction to Swift
  • Variables
  • Constants
  • Optionals Chaining and Unwrapping
  • String Interpolation
  • Pointers
  • So Which Is Safer, Objective-C or Swift?
  • Other Non-Language-Specific Things

Secure Communications

  • App Transport Security
  • HTTPS Recommendation
  • ATS Help
  • Certificate Pinning
  • No Pinning
  • Certificate Pinning via WKWebKit
  • Push Notification
  • Notification Recommendations
  • Session Management

Client Side Injection

  • WebViews
  • Controlling a WebView
  • NAVIGATIONS DELEGATE
  • XSS and JavaScript
  • Introduction to SQL Injection
  • SQL Injection Vulnerability Example
  • Correct Example

Authentication

  • Authentication
  • Device Authentication V.S. Application Authentication and Client-Side V.S. Server-Side
  • Touch ID Introduction
  • Bad
  • Touch ID Recommendation
  • Authentication Credentials

Secure Storage

  • Local Storage and Data Leakage
  • Introduction to Logging
  • Logging
  • CAUTION!
  • Background Screenshots
  • Background Screen Shots Recommendations
  • NSUserDefaults Introduction
  • NSUserDefaults The Bad
  • NSUserDefaults: Ensuring Controls
  • NSUserDefaults: Performance Improvements
  • NSUserDefaults: Offline Access
  • NSUserDefaults: Server Authentication
  • Data Files: Introduction
  • The Bad: Data Protection API
  • Recommendation: Data Protection API
  • Data Protection: Performance Improvement
  • Data Protection: Offline Access
  • Data Protection: Server Authentication
  • Keychain Services
  • KeyChain Recommendations

Binary Protections

  • DISCLAIMER!
  • Debugger Detection
  • Jailbreak Detection
  • Code Obfuscation

Inter-Process Communication

  • Inter-Process Communication in iOS
  • URL Scheme
  • Defining a URL Scheme
  • Handling a URL
  • Opening an Application Using a URL
  • Recommendation
  • General (System) Pasteboard
  • Pasteboard Access
  • Pasteboard Best Practice: Adding Security Controls
  • Pasteboard Best Practice: Handoff Controls
  • Named Pasteboards: Sharing Data Between Apps
  • Access
  • Restrictions and Best Practice
  • App Group Containers
  • Shared Keychain Groups

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster