Security, keychain, and biometrics in iOS apps

12.10.2018

Konrad Roj
iOS Developer
Konrad Roj
Software engineer. Focused on Apple platforms and their technological innovations for over five years. Connoisseur of a good UX. Fascinated by the development of adaptive and intelligent software.
 

Statistically, iOS is the most secure mobile system in the world. Apple strives to ensure that every user can safely log into their bank or entrust medical data. An FBI investigation from the beginning of 2016 confirms how hard it is to access the data stored on an iPhone, since even the largest security agency in the world could not access the data contained on a terrorist’s phone.

Security

All data contained on an iPhone is encrypted as long as the passcode has been activated. However, not only has the system been designed so that safety is at the highest level. The hardware is also responsible for security. System loading, updates, installing applications, sending data to the cloud, payments using Apple Pay – everything is designed to keep outsiders from capturing sensitive data.

Third party applications are the weakness. In many cases, during development, the security topic is skipped, and in rare cases user data is deliberately intercepted. Unfortunately, the detection of all such applications by Apple is not possible, so each of us can expose ourselves to data theft. Always check whether the company that distributes the application is trustworthy, and the app does not require us to access data that should not be obtained.

Nevertheless, the vast majority of applications are secure. This is facilitated by Apple, which provides many possibilities to secure data, passwords, and login processes. Recently, the use of HTTPS and TLS 1.2 protocols for network communication is also enforced, making this process very safe.

Encryption

Apple provides libraries that allow you to encrypt any data using popular algorithms.

According to them, only applications operating in specific industries, such as banking or medical data processing, are able to fully encrypt data. Other industries are allowed to fully encrypt data for authorization and/or digital signature purposes only. If they want to encrypt other data, the app owner may be forced to apply to US governmental agencies for consent, and annually send them application reports.

Considering that all data stored on the device is already encrypted by using a passcode, the above rules seem to be sufficient.

Keychain

Keychain is a system, encrypted database for storing sensitive data, such as passwords, logins, and application tokens. Its usefulness, however, is much greater. In the simplest solution, Keychain allows access only to the application that saved them. However, you can extend this access to all the developer’s applications, so that by logging into one application, you can also have quick access to other applications.

It is also a part of iCloud’s service, thanks to which the user can have access to passwords from all trusted devices which he is logged into.

Thanks to the complex security, this is the main place where application developers store short, sensitive data.

TouchID and FaceID

Apple’s introduction of TouchID provoked a revolution on the market. The device’s safety has ceased to depend on a series of numbers or a simple sign. The uniqueness of a fingerprint allowed us to create services such as Apple Pay, where the user can conduct contactless payments without PIN confirmation. Also, the payments themselves are much safer than before, because a stolen device is useless. As long as we used TouchID and nobody had the chance to see our passcode… or has our finger :).

Facilities resulting from user authentication using biometrics have been made available to developers. You can use them anywhere where confirmation is required.

The greatest convenience, however, is the ability to request data stored in Keychain, where after confirmation with TouchID / FaceID, we gain access. Thanks to this, developers have the opportunity to quickly implement a secure and quick login. Login with a glance or touch of a finger.

Data from the finger and face buttons are securely stored only on the device. They are not even sent to Apple servers. Thanks to this, we can be sure that no one will log into our bank or favorite game.

Jailbreak

A major security problem for iOS programmers are devices with jailbreak. Many users break their phones by being tempted to download paid applications, run applications unavailable for CarPlay on the screen in their car, or simply by unlocking the SIM-lock.

This poses a serious threat to the entire system and the applications installed on it. Access is then obtained, as well as the possibility of modifying the entire system, and accessing even encrypted data. It is even possible to modify the application’s operations in real time.

This creates a potential threat to user data.

However, it is possible to detect jailbreak from the application and block its functions. Many applications use this option.

Security in your apps!

If your application stores sensitive users’ data, make sure it’s secure. The iOS system will provide you with solutions and take care of the data entrusted to it.

But! It should be remembered that processes such as authentication, sending sensitive data and storing them in places such as UserDefaults or unprotected databases must be secured by programmers and this issue should be set at the design stage of the application.