Implementing anti-tampering mechanism in iOS apps

Security is a topic that should be considered also by iOS developers. Since the platform cannot be treated as 100% secure, devs and security division need to create a separate threat model for mobile applications.

Wojciech Reguła 2019.05.04   –   2 MIN read

Security is a topic that should be considered also by iOS developers. Since the platform cannot be treated as 100% secure, devs and security division need to create a separate threat model for mobile applications.

For all the years when iOS exists, many different types of application vulnerabilities have been discovered. They can result in a real risk and should be covered at first! After it is done, in most cases, the fire has been extinguished.

Source: giphy.com

However, if you are responsible for developing high risk application you will be probably interested in reaching a higher app resiliency. Before attackers find the vulnerabilities they need to analyze your app. This is the moment when you can make their job harder — implement anti-tampering mechanisms and detect if you application has been launched in a malicious environment.

Disclaimer: Before I show you my solution you need to remember that it is also an additional security layer. Any anti-tampering mechanism cannot be a substitution of fixing vulnerabilities or implementing secure code. Otherwise, it will be only a false sense of security.

To simplify the implementation of anti-tampering mechanism in your iOS application I decided to create the iOS Security Suite — a Swift library that will do all the checks for you! Click here to visit our Github page and download.

Implementing ISS is really easy. To start using it:

  1. Just copy the files from the repo.
git clone https://github.com/securing/IOSSecuritySuite

2. Install via CocoaPods

pod 'IOSSecuritySuite'

3. Use Carthage

github "securing/IOSSecuritySuite"

Now, import ISS in your Swift code and you are set! Read the docs to see full description. Below I’m pasting a code snippet example.

 import UIKit
 import IOSSecuritySuiteclass ViewController: UIViewController {  
    
 override func viewDidLoad() { 
 super.viewDidLoad() 
 }override func viewDidAppear(_ animated: Bool) {
 let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
 let title = jailbreakStatus.jailbroken ? "Jailbroken" : "Jailed"let message = """
 Jailbreak: \(jailbreakStatus.failMessage),
 Run in emulator?: \(IOSSecuritySuite.amIRunInEmulator())
 Debugged?: \(IOSSecuritySuite.amIDebugged())
 Reversed?: \(IOSSecuritySuite.amIReverseEngineered())
 """let alert = UIAlertController(title: title, message: message, preferredStyle: .alert)
 alert.addAction(UIAlertAction(title: "Dismiss", style: .default))
 print("TEST: \(message)")
 self.present(alert, animated: false)
 }}
Source: giphy.com

Including this tool in your project is not the only thing you should do in order to improve your app security! You should also read my general mobile security whitepaper.

Wojciech Reguła
Wojciech Reguła Senior IT Security Consultant