Best practices for iOS applications security
#1 what are best practices to get a better security in iOS application?
Appropriate data security is highly dependent on the nature of the information. Is it long-lived or short-lived? Is it a general credential that can be used to open other things, or a single piece of data? Is the potential loss privacy, financial, or safety? Determining the appropriate protections requires a specific case and has no general answer. But you ask for best practices and there are several. None of them are perfect or unbreakable. But they are best practice. Here are a few:
- Store sensitive information in Keychain
- Set Data Protection to
NSFileProtectionComplete
wherever possible. - Do not store sensitive data you don't actually need, or for longer than you need.
- Store application-specific authentication tokens rather than passwords.
- Use HTTPS to verify the server you are contacting. Never accept an invalid or untrusted certificate.
- When connecting to your own server, validate that the service presents a certificate that you have signed, not just "a trusted certificate."
This is just a smattering of approaches, but they set the basic tone:
- Use the built-in APIs to store things. As Apple improves security, you get the benefits for free.
- Avoid storing sensitive information at all and minimize the sensitivity of what you do store.
- Verify the services you communicate with.
#2 what are best ways to reduce revenue loss and minimise hacking exposure?
This has been discussed many times on SO. This answer includes links to several of the other discussions:
Secure https encryption for iPhone app to webpage
The short answer is: worry about your customers, not your non-customers. Many pirates will never, ever pay you money, so your time and money are better spent helping your actual customers want to pay you, and making it easy for them to do so. Focus on making more money rather than protecting yourself from money that you could never have. Never, ever, tick off a paying customer in your efforts to chastise a non-paying customer. Revenge is a sucker's game and a waste of resources.
There are two great ways to avoid piracy:
- Don't publish.
- Publish junk no one wants.
There are some basic things you can do that are worth it just, as they say, to keep honest people honest (some are discussed in the various linked discussions). But don't lie awake nights worrying about how to thwart pirates. Lie awake worrying about how to amaze your customers.
And always remember: Apple spends more money than most of us have ever seen in our lives trying to secure the iPhone. Still it's jailbroken. Think about what your budget is going to achieve.
When the attacker gains physical access to the device (e.g. theft), he can do almost anything. Note that is very easy to read application files. Stolen device can be jailbroken easily and the attacker gains access even to the protected files.
My advice for storing sensitive data to the device:
- don't do it if they can be stored on secure server
- use your own encryption, decrypt when user is logged in, delete decrypted file when they logs out or after some time the app is in the background.
- every password and encryption key must be stored into the keychain.