Which security parameters to consider before third party SDK integration - ios

Working towards security is critical for any project. Currently I am looking towards integration of a third-party SDK into my iOS App. However, before that I would like to thoroughly analyse and scrutinize the SDK.
Some of the checkpoints are:
Pasteboard analysis
Use of private APIs banned by Apple, e.g. CTTelephonyNetworkInfo
Database encryption (if any is created by the SDK)
What I am looking for as an answer here is how I can achieve the above, plus any other things that I should look for.
I know the question might sound off topic or rather like a discussion, but a checklist like this can turn out to be very important for all developers out there.

So I was able to put together a simple checklist for this. However, I believe this answer would get out of date rather soon. Still, I will share what I should.
Pasteboard analysis - This is to check if the SDK copies anything onto the public pasteboard. As this is shared across all apps, it could lead to a vulnerability.
Persistent Data - Add the SDK to the app and check if it creates any persistent storage like a .sqlite file. Check the contents of this file to understand what is being stored and whether this information is sensitive in any way.
UserPreferences - NSUserPreferences can be extensively used in any SDK; this can lead to data being stored in simple text format.
Private API usage - An SDK can use private iOS APIs with the help of methods like NSClassFromString and NSSelectorFromString. The usage of such APIs is banned by Apple and can lead to rejection in review.
One can closely follow the following post. It would help to understand how to take a class dump. Check for hardcoded strings. Especially the usage of Hopper Disassembler turned out to be helpful for me.
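A first pass over the checklist above can be automated with a strings-level scan of the SDK binary, before spending time in a class dump or a disassembler. The script below is an added example, not code from the answer's author: it extracts printable runs from a binary the way the `strings` tool does and reports those that match a watchlist grouped by checklist item. The watchlist, the category names and the sample bytes (`SAMPLE_SDK`) are constructed for illustration; CTTelephonyNetworkInfo is listed only because the question names it.

```python
import re
import sys
from collections import defaultdict

# Indicators grouped by the checklist item they relate to. The list is
# constructed for this example; extend it with what your own review cares about.
# CTTelephonyNetworkInfo is included only because the question names it.
WATCHLIST = {
    "pasteboard": ["UIPasteboard", "generalPasteboard"],
    "dynamic lookup": ["NSClassFromString", "NSSelectorFromString", "dlopen", "dlsym"],
    "persistent storage": [".sqlite", "NSUserDefaults", "standardUserDefaults"],
    "bsd sysctl": ["_sysctl", "_sysctlbyname"],
    "telephony": ["CTTelephonyNetworkInfo"],
}

# Printable ASCII runs of at least four bytes, which is what `strings` reports by default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> list:
    """Return every printable ASCII run in the blob, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def triage(data: bytes) -> dict:
    """Map each watchlist category to the sorted, de-duplicated strings that hit it.

    Categories with no hits are omitted, so an empty dict means a clean scan.
    """
    hits = defaultdict(set)
    for s in extract_strings(data):
        for category, needles in WATCHLIST.items():
            if any(needle in s for needle in needles):
                hits[category].add(s)
    return {category: sorted(strings) for category, strings in hits.items()}


def report(path: str) -> str:
    """Scan a file on disk (e.g. the SDK's Mach-O binary) and format the hits."""
    with open(path, "rb") as f:
        hits = triage(f.read())
    if not hits:
        return f"{path}: no watchlist indicators found"
    lines = [f"{path}:"]
    for category, strings in hits.items():
        lines.append(f"  [{category}]")
        lines.extend(f"    {s}" for s in strings)
    return "\n".join(lines)


# Constructed stand-in for an SDK binary: a fake magic number, padding and
# junk bytes around a few strings a suspicious SDK might carry.
SAMPLE_SDK = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"_NSClassFromString\x00"
    + b"\x01\x02generalPasteboard\x00"
    + b"\xff\xff\xffanalytics_cache.sqlite\x00"
    + b"_sysctlbyname\x00"
    + b"ab\x00"                      # too short to count as a string
    + b"standardUserDefaults\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report(sys.argv[1]))
    else:
        for category, strings in triage(SAMPLE_SDK).items():
            print(f"[{category}] {', '.join(strings)}")
```

Run it with the path to the SDK's binary (for a framework, the Mach-O file inside the `.framework` bundle; the file name is whatever the vendor ships) or with no arguments to scan the constructed sample. A hit only proves a string is present, not that the code path runs, and selectors assembled at runtime or obfuscated strings will not show up at all, so treat the output as a list of places to look next with a class dump and Hopper rather than as a verdict. Imported C functions such as `_sysctl` appear in the binary's symbol string table only when the code actually references them, which is why this kind of scan reflects what an SDK uses rather than which headers it included.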

Related

Adding a Framework on iOS in runtime

At first, I will describe my use-case on why I need to add the framework at runtime on iOS.
Let's say I have an app on an iOS device. The app requires some 3rd party frameworks to add some external features to it. Now, the features are many. So, the required number of frameworks will be many too. A user may not need lots of features, just a small set of features. Plus, lots of frameworks will require a lot of space. The application will be huge in size.
For example, a user needs only 1 feature. The application provides 100. So, all the other frameworks will definitely be unnecessary.
So, the solution would be to download the frameworks and the necessary files on demand from an online repository, link them at runtime and use them. This would mean the application size would be very small and not bulky with unnecessary stuff.
But does iOS provide that? I have to add an external framework and the necessary files that are not in the app and use them at runtime.
Is this possible? Can anyone provide me with some resources on how I can do that?
I have seen some resources on SO and some other sites. The results are not so helpful.
"But does iOS provide that?" - no
"Is this possible?" - partially
"Can anyone provide me with some resources on how I can do that" - unfortunately no
More details: That is certainly not possible out of the box. And it will firstly be a pain in the ass to achieve what you are trying and (far more important) secondly it will probably not be allowed by Apple. You are not allowed to load new "program code" into the app at runtime. For the simple reason that Apple cannot review what you are about to load. And it would be a huge security risk for your users if your backend gets compromised.
What you can do is load resources like images, videos etc. on demand.
You might even be able to come up with some scripting behavior of your app. The server could theoretically deliver code to your app and then your app interprets that code. But that code would not be Swift but some other language that you have to define first. You see where this is going? That is possible while not really doable. And still it might get you rejected anyway.
In particular, if you are talking about actual frameworks that include actual binary code, it is not possible.

CloudKit basics - what is held on the app vs cloud? (struct instances, specifically)

So I'm looking to create a niche market static yelp-style wine/dine restaurant finder. After asking around, I was suggested to look into cloud kit since apple provides asset storage and synchronization. I'm looking to provide misc. information in regards to restaurants: menu, location, open times, images; this information will be provided by myself.
With that in mind... here is the problem. It appears that cloud kit may be the perfect fit, unfortunately beginner-type tutorials are insufficient in explanation or outdated (obj-c - I only know swift). So for one, would you be able to recommend any tutorials?
Nonetheless, here is the meat of the question...
I am aware that a public database held in a container will be able to hold numerous bits of information: strings, integers, assets, date, etc.
However, would cloud kit (as in, off the device), hold the entirety of instances of a struct in the cloud or are only variables held? In other words, what is held on the device and what is held in the cloud when using cloud kit?
Also, should I create an iCloud ID just for development usage or should I use my existing iCloud ID?
Jon,
There are a lot of questions here.
1. CloudKit is very easy to get started with, but a little bit of a challenge to use in a real app.
2. You can store basic types + assets in CloudKit; an asset being an image for example or just a glob of data.
3. The https://www.raywenderlich.com/video-tutorials#cloudkit website has a number of good tutorials on the subject in SWIFT, although no, it's not free, you need to pay a small monthly charge; although it's worth it if you want to learn more about code development.

Does Apple allow the usage of sysctl.h within iOS applications?

Does Apple allow the usage of sysctl.h within iOS applications?
PS: App Scanner, a third party tool that checks code for possible private-API usage seems to think it's okay.
Note:
There is one more question like this: How can I know if I'm using private frameworks?
With the usual disclaimer that nobody can tell you what a reviewer will do, I can say for sure that there are apps in the store that use sysctl functions.
(Minor point: Simply including a header isn't a problem since symbols there shouldn't be visible in your app unless they're used...it's the things you use that might get flagged rather than what's included.)

Accessing data from HealthKit with Swift

I'm a complete noob at Swift (and Xcode); as a matter of fact, the only programming language I (somewhat) know is JavaScript.
I'm trying to make a Swift SpriteKit game, and I would like to access the number of calories burned in HealthKit.
The idea is that my game will provide more points the more calories you burn using other apps like Endomondo. My app does not actually track anything, I would just like to access other data left by other apps in the Health App.
Is this even possible? (I'm running the latest version of everything, from Mac OS X to Xcode)
Certainly. I don't think there is anything technically preventing you from making calls to the HealthKit APIs in your game. In fact, you're fairly free to mix and match the use of any public frameworks provided on iOS.
One thing to keep in mind is privacy and disclosure of the use of health data. The user will have to explicitly grant your app permission to see data.
HealthKit is a really rich API with lots of ways to access lots of different kinds of data, and you're really only interested in a small part right now, so a quick way to experiment is to create a new Swift SpriteKit game from the new project template in Xcode, do your research on HealthKit, and see if you can just log the number of calories burned since some time point while your app is running. If you can do that, the rest is details (as in, the entire app :-)).
Here are what I think might be some helpful links, good luck on your project!
https://itunes.apple.com/us/book/swift-programming-language/id881256329?mt=11
https://developer.apple.com/library/ios/documentation/HealthKit/Reference/HealthKit_Framework/index.html
You'll also find some good documentation on SpriteKit (references and guides) on the iOS Developer Library site.

Copying missing headers on iOS

OSX has functionality not available in the iOS SDK, and occasionally I'll find an answer like this one: no route.h on the iPhone SDK, that says "just copy the header file from the Simulator (or OSX) SDK and it'll work fine."
That seems suspect to me on multiple levels, including App Store approval, but then I read something like this from an Apple employee who says "if you're using sys/route.h declarations on iOS for an App Store app, please get in touch with me...", which sounds like tacit approval (or a ruse to catch misbehavior :)
Anyone know where the official line really is, and whether something like this is at all safe to do in production code? I'm particularly interested in lower-level BSD functions and whatnot for portability, as opposed to undocumented Objective-C methods.
I would not regard that comment on the Apple forums as tacit approval. It sounds like they're just trying to decide if some additional BSD APIs should be added for use in iOS apps.
In general, if there isn't an iOS header available for a function, then it's considered a Private API (for example, something under https://developer.apple.com/library/ios/). The official policy on Private APIs is that they're not to be used in apps distributed through the App Store.
Now, you can certainly use them for personal/hobby apps, or apps that you deploy in-house (Enterprise Distribution).
If the APIs you're talking about are APIs that are publicly documented for OS X, and you can get them to work for iOS by copying headers, then they're probably part of the Darwin source base. It's very likely that they'll continue to function in future versions of iOS, although that's not guaranteed. Of course, nothing is guaranteed (really), as public APIs get deprecated, too.
Then, there's the issue that not all review checks are automated (I don't work for Apple, but can deduce this from things I've seen get through review). It isn't that unusual for apps to be approved with Private API usage, although if they get popular, Apple frequently pulls those apps from the store within a couple weeks. The review process isn't perfect.
So, my answer is that if you're submitting to the app store, don't expect copying in headers to work.
P.S. If you can tell us specifically which BSD function you're referring to, we might be able to give you a better answer.
P.P.S. The answer you link to about Route.h is from Grant Paul, who writes quite a bit of non-App Store software.
Additional useful information on Private APIs and the App Store
Apple never knows what header files you use - the danger of course is the definition from the copied file is close to, but not exactly, what iOS uses. If this file is important, or a few select files, post a question on Apple's internal forums and you will surely get an answer to such a question. Failing that, burn a DTS incident (you get two a year, I almost never use mine).