[WEB SECURITY] json, iphone, objectivec

WebAppSec@CoreForm webappsec at coreform.com.au
Wed Mar 9 20:45:13 EST 2011


> Hello, I'm looking for best practices regarding consuming JSON via a
> fat mobile application, and especially iPhone/iPad applications
> developed with Objective-C.
>
> thanks

That's a rather broad question. Given you've posted on this mailing
list, I'll answer purely from a security perspective, and also only
from the perspective of your App.

Also assuming your App (the fat client) is running on a phone that is
not jailbroken and the App has been obtained via the App Store (and
thus has been analysed and allowed by Apple, so it "shouldn't" allow
easter eggs)...

To mitigate potential man-in-the-middle attacks, pull the JSON data
over a secure channel (HTTP + SSL/TLS = https). iOS won't allow
connections using self-signed certificates, unless you add other
authorities.

The fat client should not trust data from the cloud, so it would be
best to validate data before using it within logic. That's to help
prevent logic attacks.

Then, depending on the context in which the data is to be used, you may
need to ensure there's no chance of, say, SQL injection within a SQL
query or XSS in a UIWebView, for example.

Beyond that, you certainly shouldn't store any sensitive data in
keychains as that data will persist beyond the lifetime of your App
(if your App is ever uninstalled).

Hope that helps,

Linden
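As an added example (not code from the original post or from its author), the following Objective-C program puts the points in the reply above together: parse the JSON the server returned, type-check every field before any logic uses it, bind the values into a SQLite statement instead of splicing them into the SQL text, and HTML-escape strings before building a page for a UIWebView. The sample JSON response, the `users` table, and the function names (`validatedProfile`, `insertProfile`, `storedName`, `htmlEscape`) are assumptions made for illustration; the https fetch itself is not shown, since the example runs offline on a constructed response.

```objc
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// Constructed sample response (an assumption for this example, not data from the
// original post). "name" carries a SQL-injection payload, "bio" an XSS payload.
static NSString * const kSampleJSON =
    @"{\"id\": 42,"
    @" \"name\": \"bob'); DROP TABLE users;--\","
    @" \"bio\": \"<script>alert(1)</script>\"}";

// Step 1: parse, then check the shape and type of every field before any logic
// uses it. Anything unexpected (wrong type, null, oversized) is rejected, not coerced.
static NSDictionary *validatedProfile(NSData *body) {
    NSError *err = nil;
    id obj = [NSJSONSerialization JSONObjectWithData:body options:0 error:&err];
    if (![obj isKindOfClass:[NSDictionary class]]) return nil;
    NSDictionary *dict = obj;
    NSNumber *ident = dict[@"id"];
    NSString *name  = dict[@"name"];
    NSString *bio   = dict[@"bio"];
    BOOL ok = [ident isKindOfClass:[NSNumber class]] &&
              [name isKindOfClass:[NSString class]] && name.length > 0 && name.length <= 64 &&
              [bio isKindOfClass:[NSString class]] && bio.length <= 1024;
    return ok ? @{ @"id": ident, @"name": name, @"bio": bio } : nil;
}

// Step 2: never splice the strings into SQL; bind them as parameters so the
// "DROP TABLE" payload is stored as an inert literal.
static BOOL insertProfile(sqlite3 *db, NSDictionary *profile) {
    sqlite3_stmt *stmt = NULL;
    const char *sql = "INSERT INTO users(id, name, bio) VALUES (?, ?, ?)";
    if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) != SQLITE_OK) return NO;
    sqlite3_bind_int64(stmt, 1, [profile[@"id"] longLongValue]);
    sqlite3_bind_text(stmt, 2, [profile[@"name"] UTF8String], -1, SQLITE_TRANSIENT);
    sqlite3_bind_text(stmt, 3, [profile[@"bio"] UTF8String], -1, SQLITE_TRANSIENT);
    BOOL ok = (sqlite3_step(stmt) == SQLITE_DONE);
    sqlite3_finalize(stmt);
    return ok;
}

// Read the row back (again with a bound parameter) to show what was stored.
static NSString *storedName(sqlite3 *db, long long ident) {
    sqlite3_stmt *stmt = NULL;
    NSString *result = nil;
    if (sqlite3_prepare_v2(db, "SELECT name FROM users WHERE id = ?", -1, &stmt, NULL) == SQLITE_OK) {
        sqlite3_bind_int64(stmt, 1, ident);
        if (sqlite3_step(stmt) == SQLITE_ROW) {
            result = [NSString stringWithUTF8String:(const char *)sqlite3_column_text(stmt, 0)];
        }
    }
    sqlite3_finalize(stmt);
    return result;
}

// Step 3: escape the five HTML metacharacters before the string goes into markup
// that a UIWebView will render via -loadHTMLString:baseURL:.
static NSString *htmlEscape(NSString *s) {
    NSMutableString *out = [NSMutableString stringWithCapacity:s.length];
    for (NSUInteger i = 0; i < s.length; i++) {
        unichar c = [s characterAtIndex:i];
        switch (c) {
            case '&':  [out appendString:@"&amp;"];  break;
            case '<':  [out appendString:@"&lt;"];   break;
            case '>':  [out appendString:@"&gt;"];   break;
            case '"':  [out appendString:@"&quot;"]; break;
            case '\'': [out appendString:@"&#39;"];  break;
            default:   [out appendFormat:@"%C", c];  break;
        }
    }
    return out;
}

int main(void) {
    @autoreleasepool {
        // In the app this body would come from an https request; here it is the
        // constructed sample above.
        NSData *body = [kSampleJSON dataUsingEncoding:NSUTF8StringEncoding];
        NSDictionary *profile = validatedProfile(body);
        if (!profile) { NSLog(@"response rejected by validation"); return 1; }

        sqlite3 *db = NULL;
        if (sqlite3_open(":memory:", &db) != SQLITE_OK) return 1;
        sqlite3_exec(db, "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, bio TEXT)",
                     NULL, NULL, NULL);
        if (!insertProfile(db, profile)) { NSLog(@"insert failed: %s", sqlite3_errmsg(db)); return 1; }
        NSLog(@"stored name: %@", storedName(db, 42));  // the payload, as plain text; table intact

        NSString *html = [NSString stringWithFormat:@"<p>%@</p>", htmlEscape(profile[@"bio"])];
        NSLog(@"HTML for the web view: %@", html);      // <script> arrives as &lt;script&gt;
        sqlite3_close(db);
    }
    return 0;
}
```

On a Mac this builds and runs with `clang -fobjc-arc -framework Foundation -lsqlite3 validate.m -o validate && ./validate`; the same Foundation and libsqlite3 calls are available in an iOS target. The validation step is deliberately strict: a field of the wrong type, a JSON `null` (which arrives as NSNull), or an over-long string makes the whole response unusable rather than being patched up, which is the "don't trust data from the cloud" rule applied before any logic runs.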