Best practices for iOS application security


Question

When thinking about iPhone/iPad application security, I notice that there are:

  • Widely available hacking tools that allow filesystem access
  • Network interception, man-in-the-middle attacks

==> data theft threat

and also:

  • Availability of hacking tools that allow freely sharing a paid app with friends/community (seen in Cydia)
  • Availability of hacking tools that allow getting in-app purchases without paying (seen in Cydia, and heard that it doesn't work with any app)

==> Revenue loss threat

So I am wondering #1 what are best practices to get a better security in iOS application? Also, #2 what are best ways to reduce revenue loss and minimise hacking exposure?

For #1, I've seen some WWDC slides about security (1 2 3 4) plus the Apple docs,

and I can say that among these, the best practices are:

  • Using APIs offering Data Protection (like NSFileManager with the NSFileProtectionKey attribute)
  • Using the Keychain
  • Protecting sensitive data with SSL and using certificates

For #2, I think that using a business model based on a free application, then in-app purchases with Store Receipt verification, can be the model with minimum revenue loss.

What are your best practices for security, and best way to minimise app hacking chances?

Solution

#1 what are best practices to get a better security in iOS application?

Appropriate data security is highly dependent on the nature of the information. Is it long-lived or short-lived? Is it a general credential that can be used to open other things, or a single piece of data? Is the potential loss privacy, financial, or safety? Determining the appropriate protections requires a specific case and has no general answer. But you ask for best practices and there are several. None of them are perfect or unbreakable. But they are best practice. Here are a few:

  • Store sensitive information in Keychain
  • Set Data Protection to NSFileProtectionComplete wherever possible.
  • Do not store sensitive data you don't actually need, or for longer than you need.
  • Store application-specific authentication tokens rather than passwords.
  • Use HTTPS to verify the server you are contacting. Never accept an invalid or untrusted certificate.
  • When connecting to your own server, validate that the service presents a certificate that you have signed, not just "a trusted certificate."
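As an added illustration of the Keychain, Data Protection and token bullets above (example code written for this page, not from the answer or from Apple's documentation), a Swift helper that keeps an app-specific session token in the Keychain under a device-bound, unlocked-only accessibility class and marks a file NSFileProtectionComplete. The service name, account and file URL are assumed placeholders.

```swift
import Foundation
import Security

/// Keeps an app-specific session token (never the user's password) in the Keychain.
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: readable only while the device is
/// unlocked, and excluded from backups and device-to-device migration.
enum TokenStore {
    // Assumed identifier; use your own bundle-style service name.
    private static let service = "com.example.app.session-token"

    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    static func save(_ token: String, account: String) -> OSStatus {
        // Replace any stale copy so SecItemAdd does not fail with errSecDuplicateItem.
        _ = SecItemDelete(baseQuery(account: account) as CFDictionary)
        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = Data(token.utf8)
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    static func load(account: String) -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    /// Call on logout: do not keep the token for longer than you need it.
    static func delete(account: String) {
        _ = SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}

/// Applies NSFileProtectionComplete to a file the app has already written, so its
/// contents are encrypted with a key that is available only while the device is unlocked.
func protectCompletely(fileAt url: URL) throws {
    try FileManager.default.setAttributes([.protectionKey: FileProtectionType.complete],
                                          ofItemAtPath: url.path)
}
```

A server-issued token stored this way can be revoked server-side if the device is lost, which a cached password cannot.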

This is just a smattering of approaches, but they set the basic tone:

  • Use the built-in APIs to store things. As Apple improves security, you get the benefits for free.
  • Avoid storing sensitive information at all and minimize the sensitivity of what you do store.
  • Verify the services you communicate with.
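For the two HTTPS bullets in the earlier list (reject invalid or untrusted certificates, then insist on the certificate you issued yourself), an added Swift URLSessionDelegate that is not part of the original answer. It assumes the DER bytes of your own server certificates are bundled with the app and passed in as `pinnedLeafCertificates`.

```swift
import Foundation
import Security

/// URLSession delegate that first runs the system's normal chain validation and then
/// requires the server's leaf certificate to be one we issued ourselves (pinning).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// DER encodings of the certificates we accept. Assumed to be loaded from files
    /// bundled with the app; holding the next certificate too allows rotation.
    private let pinnedLeafCertificates: Set<Data>

    init(pinnedLeafCertificates: Set<Data>) {
        self.pinnedLeafCertificates = pinnedLeafCertificates
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle the server-trust challenge; let the system handle anything else.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation (chain to a trusted root, hostname, expiry).
        // This is the "never accept an invalid or untrusted certificate" rule.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin. A valid chain from some public CA is not enough; the leaf must be ours.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        if pinnedLeafCertificates.contains(leafDER) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (pinnedDER is the bundled certificate's DER bytes):
// let session = URLSession(configuration: .ephemeral,
//                          delegate: PinnedSessionDelegate(pinnedLeafCertificates: [pinnedDER]),
//                          delegateQueue: nil)
```

Because the exact leaf is pinned, renewing the server certificate without shipping the new DER first will break connectivity; pinning the public key or your own issuing CA instead is the usual relaxation when rotation is frequent.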

#2 what are best ways to reduce revenue loss and minimise hacking exposure?

This has been discussed many times on SO. This answer includes links to several of the other discussions:

Secure https encryption for iPhone app to webpage

The short answer is: worry about your customers, not your non-customers. Many pirates will never, ever pay you money, so your time and money are better spent helping your actual customers want to pay you, and making it easy for them to do so. Focus on making more money rather than protecting yourself from money that you could never have. Never, ever, tick off a paying customer in your efforts to chastise a non-paying customer. Revenge is a sucker's game and a waste of resources.

There are two great ways to avoid piracy:

  • Don't publish.
  • Publish junk no one wants.

There are some basic things you can do that are worth it just, as they say, to keep honest people honest (some are discussed in the various linked discussions). But don't lie awake nights worrying about how to thwart pirates. Lie awake worrying about how to amaze your customers.

And always remember: Apple spends more money than most of us have ever seen in our lives trying to secure the iPhone. Still it's jailbroken. Think about what your budget is going to achieve.
