Mobile Data Encryption in iOS: Techniques and Technologies
Data In today’s world, where we constantly use phones and handheld devices, mobile data encryption is extremely important. Unauthorized access to application content or network traffic can lead to leaks of private information and losses, both for individual users and entire companies.
While modern mobile operating systems allow encrypting mobile devices, which users can use to protect themselves, it is ultimately the developer’s responsibility to make sure that their software is thoroughly safeguarded. To this end, developers should provide reliable mobile app data encryption that leaves no user data without protection.
There are several techniques for mobile data encryption in iOS that can help you safeguard user data. Let’s look at them in detail:
Keychain offers built-in secure storage for small pieces of data (passwords, keys, etc.) on iOS and macOS. Data stored in Keychain is encrypted and isn’t accessible by other apps running on a device (unlike NSUserDefaults, which is just an XML file with plain data). On iOS devices, Keychain is automatically locked when the device is locked and unlocked when the user unlocks the device.
Keychain data accessibility
Something important that you shouldn’t ignore is the accessibility of the data stored in Keychain. The kSecAttrAccessible attribute is used to set up accessibility options.
You should always use the most restrictive option that makes sense for your app:
kSecAttrAccessibleWhenPasscodeSet: If a passcode is not set on the device, the item will not be stored. If a user disables the passcode, the item will be deleted.
kSecAttrAccessibleWhenUnlocked (default value): The Keychain item is secure when the device is off and when it’s locked.
kSecAttrAccessibleAfterFirstUnlock: The Keychain item is secure while the device is off as well as when the device is turned on (or restarted) but before the passcode has been entered for the first time. After the first unlock, the data remains accessible until the next restart.
kSecAttrAccessibleAlways: The most insecure option; data is accessible regardless of the lock state of the device. Not recommended by Apple.
Data protection is a feature that protects data saved by your app on the disk (actually, in the app’s sandbox container). It uses built-in hardware to store files in an encrypted format on-disk and to decrypt them on demand.
Protected files are inaccessible even to the app that created them if the device is locked by passcode (or Touch ID).
Touch ID and Passcode
Check if passcode protection is enabled:
Passcode protection is very important for iOS Data Protection and for data stored in the Keychain. Therefore, we may need to know if passcode protection is set on a device. If it’s not, we can, for example, notify a user about possible weaknesses or even change our security strategy.
Another topic we want to talk about is in-app purchases. If your app contains in-app purchases, you would like to secure the paid content from being cracked.
Apple provides the StoreKit framework for managing purchases. To keep this article short, we won’t explain how to work with it here.
You may have noticed that the built-in security services also have limitations, such as when passcode protection is disabled or devices are jailbroken. In some cases, it may be best to use third-party mobile data encryption technologies to protect your data.
Generally, cryptography on iOS is no different than on other systems. Security and the CommonCrypto framework provide a lot of cryptographic services, including:
- Key generation
- Encryption and decryption algorithms
- Digital signatures (signing and verification)
- Secure communications (SSL and TLS)
Another important aspect of app security is the source code itself. The Secure Coding guide from Apple explains common vulnerabilities and secure coding techniques.
Here are a few tips to secure your code:
- Use the Xcode Static Analyzer to find common issues.
- Obfuscate your code. Objective-C has a lot of runtime information that makes it vulnerable to symbol analysis/injection/replacement.
- Bury security-related logic in your code to make it hard to locate and patch.
- Don’t use shared libraries, as they can be patched or swapped.
- Detect and block the debugger.
- Clear the Pasteboard once the application enters background.
- Don’t show sensitive data in logs.
- Validate input.
In this article, we tried to answer the question of what is mobile data encryption and how you can use it to protect user data. We’ve covered iOS data encryption on mobile devices, and addressed the following issues:
- Encrypt sensitive data with data protection
- Use TouchID and passwords for authentication
- Verify in-app purchases
- Know when and how to use cryptography
- Code securely
We’ve also reviewed some restrictions and hidden obstacles.
The next step is to think what your app needs to protect, choose services or techniques, and start coding. Whether you develop for Android or iOS, it is important to always have a solid encryption policy that will help your users protect themselves and feel secure.