Mobile App Security: CryptoKit Your Critical Kit

Here’s a set of posts that you should make some time to read if you’re any kind of mobile developer, not because there’s anything strikingly new here — in fact, hopefully there isn’t! — but just to be sure that you have a good basic grounding in 2020’s app security requirements, both for iOS and that other platform:

Mobile App Security: Best Practices on Android & iOS

Android App Security: Best Practices

iOS App Security: Best Practices

Smartphone apps are the center of most peoples’ technology usage. They deal with a lot of private and sensitive user data like your personal health information or banking information. Protecting this data as well as possible is heavily important and the topic of this article.

In this article, we focus on iOS App Security. We’ll show you concrete techniques for making your iOS apps more secure. Our best practices cover means for securely storing data as well as sending & receiving data over the network. You’ll see why it is so hard to get security right and how you can improve your app security by using services from Apple and other providers…

Most of this hasn’t changed much since the last time we did any posts about security here 8-10 years ago, so it should pretty much be a refresher for you, with the possible exception of what you might have overlooked with all that actually exciting stuff out of last year’s WWDC:

Apple’s CryptoKit is a new API that was introduced in iOS 13 and provides lower-level APIs to perform cryptographic operations or implement security protocols.

CryptoKit is based on top of more lower-level APIs. They were available before but introduced additional risk factors since developers often used them in a wrong way.

CryptoKit also allows you to use the SecureEnclave to get cryptographically safe functions that are performant and optimized for the device’s hardware…

So that’s pretty much a solid win all around there, isn’t it? Next time you’re touching crypto stuff, do yourself and the rest of the ecosystem a favor and adopt it! Isn’t a great deal of resources out there, but here’s what we’ve noticed:

WWDC session 709: Cryptography and Your Apps and associated playground

Discover the New Apple CryptoKit Framework

Common Cryptographic Operations With Cryptokit

When CryptoKit is not Enough

CryptoKit and the Secure Enclave

Particularly that last one, if you want really really secure:

For us developers, how the Secure Enclave deals with biometrics is not the most exciting part about it, because we cannot query it directly. Even our biometric APIs are constrained and they are fully handled by the system, so we cannot really do much work on top of that. The real exciting thing is that we as developers can leverage the Secure Enclave to encrypt and decrypt information with keys that are specific to a specific setup in a specific device…

And that’s about it for state of the art security. For your non-up-to-date users, their recommendation is

If you want to support older iOS versions you can use those lower-level APIs or use well known open-source third-party libraries like CryptoSwift.

That one does look pretty much the most comprehensive to us at the moment as well, yep; but there’s a wide variety of libaries in this space with varying focuses, so we’ll just point you at the currently best maintained curated lists with applicable sections — those links should stay relevant for another decade we trust!

Awesome iOS: Security

Awesome Swift: Security

UPDATES:

Introducing Swift Crypto

Swift Crypto is a new Swift package that brings the fantastic APIs of Apple CryptoKit to the wider Swift community. This will allow Swift developers, regardless of the platform on which they deploy their applications, to access these APIs for a common set of cryptographic operations…

Alex | January 28, 2020

Leave a Reply