[WEB SECURITY] json, iphone, objectivec

Neaves, Tom tom.neaves at uk.verizonbusiness.com
Fri Mar 11 09:20:14 EST 2011


Linden,
 
I agree with everything you said except the comment you made about
mitigating mobile MiTM attacks by using SSL and the "iOS won't allow
connections using self-signed certificates, unless you add other
authorities" statement.  I have successfully MiTM'd a number of iOS
applications pulling JSON data over HTTPS simply by using a transparent
proxy (e.g. Mallory*).  If you want to stop this then you need to hard
code the certificate check into your iOS application, as a number of
banking iOS applications already do.
 
*<plug> http://blog.tomneaves.com/post/3523418896/using-mallory-and-airbase-ng-to-mitm-mobile </plug>
 
Cheers,
Tom

________________________________

From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of
WebAppSec at CoreForm
Sent: 10 March 2011 01:45
To: application.secure at gmail.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] json, iphone, objectivec

> Hello, I'm looking for best practices regarding consuming JSON via a
> fat mobile application, and especially iPhone/iPad applications
> developed with Objective-C.
>
> Thanks

That's a rather broad question. Given you've posted on this mailing
list, I'll answer purely from a security perspective and also only from
the perspective of your App:

Also assuming your App (the fat client) is running on a phone that is
not jailbroken and the App has been obtained via the App Store (and thus
has been analysed and allowed by Apple, so it "shouldn't" allow easter
eggs)...

To mitigate potential man-in-the-middle attacks, pull the JSON data over
a secure channel (HTTP + SSL/TLS = https). iOS won't allow connections
using self-signed certificates, unless you add other authorities.

The fat client should not trust data from the cloud, so it would be best
to validate data before using it within logic. That's to help prevent
logic attacks.

Then, depending on the context in which the data is to be used you may
need to ensure there's no chance of, say, SQL injection within a SQL
query or XSS in a UIWebView, for examples.

Beyond that, you certainly shouldn't store any sensitive data in
keychains as that data will persist beyond the lifetime of your App (if
your App is ever uninstalled).

Hope that helps,

Linden
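The "hard code the certificate check" that Tom describes, written out as an added example that is not part of this thread or of any of the applications it mentions. It assumes ARC, the iOS 5 NSURLConnection delegate method willSendRequestForAuthenticationChallenge:, and a hypothetical file server.cer in the app bundle holding the DER encoding of the expected server certificate; the same pinned data would back whatever JSON fetch the client then performs.

```objectivec
// Added example: pin the server's leaf certificate in an NSURLConnection
// delegate so a transparent MITM proxy, even one whose CA the user
// installed on the device, cannot complete the TLS handshake.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedJSONClient : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedJSONClient

// DER bytes of the expected server certificate, shipped inside the app
// bundle as "server.cer" (hypothetical file name, assumed here).
- (NSData *)pinnedCertificateData {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    return [NSData dataWithContentsOfFile:path];
}

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a server-trust challenge (e.g. HTTP auth): let the system handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    // Step 1: the ordinary chain checks (expiry, hostname, trusted root) must pass.
    BOOL chainOK = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    // Step 2: the leaf certificate must be byte-for-byte the one we shipped.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafData = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        pinOK = [leafData isEqualToData:[self pinnedCertificateData]];
    }
    if (pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
            forAuthenticationChallenge:challenge];
    } else {
        // Any mismatch aborts the request; the JSON body is never delivered.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Pinning the leaf means the bundled file must be updated when the server certificate is renewed; pinning the issuing CA's certificate instead trades that maintenance cost for a slightly wider trust set.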
