[WEB SECURITY] json, iphone, objectivec

David Rajchenbach-Teller David.Teller at mlstate.com
Thu Mar 10 04:40:52 EST 2011

Still from a broad security perspective.

The fact that you're writing the application in Objective-C plays for you. Indeed, while JSON by itself is neither safe/secure nor unsafe/insecure, JSON-manipulation libraries in JavaScript often rely on an [eval()] as a fallback for compatibility with older browsers, and this is a very good place to attack an application. Many JSON-manipulation libraries in other dynamic languages rely on the same kind of tricks ([setattr()], etc.), providing the same kind of attack vector, but without the JavaScript sandbox, which makes them even better candidates for attacks.

Now, afaik, there is no such unsafe/insecure JSON-manipulation library in Objective-C. However, the usual precautions still apply: don't use [char*] (good candidate for attack), only [NSString] (much more robust, not to mention more convenient), etc. – and ensure that your JSON library does the same.

Hope this helps,

On Mar 10, 2011, at 2:45 AM, WebAppSec at CoreForm wrote:

> > Hello, I'm looking for best practices regarding consuming JSON via a
> > fat mobile application and especially iPhone/iPad applications
> > developed with Objective-C.
> >
> > thanks
> That's a rather broad question. Given you've posted on this mailing list, I'll answer purely from a security perspective and also only from the perspective of your App:

David Rajchenbach-Teller
Head of R&D
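To make the eval() point above concrete, here is an added example (not code from the thread or from any real JSON library) contrasting a legacy-style eval() fallback decoder with JSON.parse. Both decoders are illustrative stand-ins; the two sample documents are constructed here, and the "hostile" one is valid JavaScript but not valid JSON.

```javascript
// Added example: why an eval()-based JSON fallback is an attack surface
// while a grammar-bound parser such as JSON.parse is not.

// Flag that any evaluated code could flip; lets us detect code execution.
let decoderSideEffect = false;

// Legacy-style decoder (constructed for illustration): evaluates the text
// as a JavaScript expression, which is what old compatibility fallbacks did.
function legacyEvalDecode(text) {
  // Direct eval runs in this scope, so evaluated code can reach module state.
  return eval('(' + text + ')');
}

// Safe decoder: JSON.parse accepts only the JSON grammar and never runs code.
function safeDecode(text) {
  return JSON.parse(text);
}

// Constructed sample inputs.
const benignDoc = '{"user": "alice", "roles": ["viewer"]}';
// Valid JS expression, invalid JSON: an embedded comma expression with a side effect.
const hostileDoc = '{"user": (decoderSideEffect = true, "alice")}';

// Feed one document to both decoders and report whether each parsed it
// and whether decoding executed any code.
function compareDecoders(text) {
  const result = { evalParsed: false, evalRanCode: false,
                   safeParsed: false, safeRanCode: false };
  decoderSideEffect = false;
  try { legacyEvalDecode(text); result.evalParsed = true; } catch (e) { /* rejected */ }
  result.evalRanCode = decoderSideEffect;
  decoderSideEffect = false;
  try { safeDecode(text); result.safeParsed = true; } catch (e) { /* rejected */ }
  result.safeRanCode = decoderSideEffect;
  return result;
}

// Stand-alone run: the eval decoder "parses" the hostile document by executing
// it; JSON.parse throws a SyntaxError and runs nothing.
console.log('benign :', compareDecoders(benignDoc));
console.log('hostile:', compareDecoders(hostileDoc));
```

The same reasoning applies to the setattr()-style tricks mentioned above: any decoder that reaches for the host language's evaluator turns input validation into code execution, so the check to make on a JSON library is whether its parser is self-contained.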
