Archive for the ‘Tools’ Category

# Update 1

After posting this on Hacker News, some developers / users feel my hypothesis is wrong and that one cannot repeat the steps below without having physical access to a user’s phone or locked device. I agree with this. I also need to check on which iOS version this is secure, because as far as I remember this is definitely doable in earlier versions of iOS. But the original problem still remains the same: these files are unencrypted and unprotected, and anyone who has access to your phone can copy your entire mail contents.

The File Protection API won’t be enough to protect data on unlocked phones, for which one might need to encrypt documents or files with a key, with the key being stored in some secure location.

I am building some concept apps to try out a few things. Stay tuned …

Last year I developed an immense interest in iOS app security and discovered many interesting facts and tools about it, which I presented in my talk at GeekCamp.sg.

I love iOS apps and developers, and it’s the apps I love that motivate me to write better code. However, Mailbox is an exception. I like the UX of this application, but I dislike its data protection approach more. As a matter of fact, there’s no data protection at all.

Apple discussed “Protecting the User’s Data” in WWDC session 714. There you can learn about all the data and file protection APIs a developer gets out of the box from the SDK.

Tools I used to extract the information

I used iExplorer, a tool that lets users transfer music, movies and playlists from any iDevice to a computer and iTunes. But wait, it gives you more: it gives you access to an application’s Documents and Library directories on your device. These are the usual places where iOS developers store their databases, plist files and other resource files, and they can be copied to a computer if the device is stolen. You don’t need to jailbreak the device; you do not even need to unlock it.

So if anyone else gets hold of your phone, they can access the files of any app whose data is not protected.

Information that I got from Mailbox app

At the top level of the Documents directory there’s a folder called ‘Attachments’. It contains all the attachments that I received or sent, be it the source code of some app, my bank statements or other confidential information. All these files are there unencrypted and unprotected, ready to be stolen if you lose your phone for some reason!

[Screenshot: attachment]

The same folder contains an SQLite file which holds your email contacts, the actual email contents and more.

[Screenshot: db]

One can just use any SQLite manager tool to open this file and see its contents. There’s a table called ‘ZORCONTACT’ that contains details of your contacts and another table called ‘ZORITEM’ that contains details of your emails. Depending on what you do with your emails, this can be pretty scary!

[Screenshot: email_body]

How Mailbox can improve

Now, for an app that I waited almost a month to get my hands on, I expect more. I do not know whether Mailbox is already working on adding these security features, but it is something they should do to retain their users. It’s all about adding a few extra lines of code to their iOS app to increase the security level. The iOS SDK gives a developer a list of data protection APIs (as displayed in the image below) for protecting documents, databases and other sensitive files that contain confidential information about your users. I would love to try my hands on a better, more secure Mailbox iOS app. Until then I have deleted my accounts from Mailbox.

[Screenshot: data_protection_api_list]
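As an added example (this is not Mailbox’s code and not code from the WWDC session), here is what those few extra lines look like in Objective-C: writing an attachment with NSFileProtectionComplete, retrofitting protection onto a file that already exists, opening a Core Data SQLite store with NSPersistentStoreFileProtectionKey, and keeping an app-level encryption key (the approach the Update at the top of this post mentions) in the Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. The service name com.example.mailclient, the function names and the file layout are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <CoreData/CoreData.h>
#import <Security/Security.h>

// Assumed identifier for the Keychain service; not from any real app.
static NSString * const kKeyService = @"com.example.mailclient";

// 1. Write a newly received attachment so the file is encrypted with a key that the
//    system only makes available while the device is unlocked (NSFileProtectionComplete).
BOOL writeProtectedAttachment(NSData *bytes, NSString *path, NSError **error)
{
    return [bytes writeToFile:path
                      options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                        error:error];
}

// 2. Retrofit protection onto a file that already exists on disk, e.g. an attachment
//    written by an older version of the app or a database created by a third-party library.
BOOL protectExistingFile(NSString *path, NSError **error)
{
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// 3. Ask Core Data to apply the same protection class to its SQLite store. Table names
//    such as ZORCONTACT / ZORITEM carry Core Data's Z prefix, so for a store like that
//    this option is the relevant one.
NSPersistentStoreCoordinator *openProtectedStore(NSManagedObjectModel *model,
                                                 NSURL *storeURL,
                                                 NSError **error)
{
    NSPersistentStoreCoordinator *psc =
        [[NSPersistentStoreCoordinator alloc] initWithManagedObjectModel:model];
    NSDictionary *options = @{
        NSPersistentStoreFileProtectionKey           : NSFileProtectionComplete,
        NSMigratePersistentStoresAutomaticallyOption : @YES,
        NSInferMappingModelAutomaticallyOption       : @YES
    };
    NSPersistentStore *store = [psc addPersistentStoreWithType:NSSQLiteStoreType
                                                 configuration:nil
                                                           URL:storeURL
                                                       options:options
                                                         error:error];
    return store ? psc : nil;
}

// 4. A random 256-bit key for app-level encryption of files the app wants to keep
//    encrypted independently of the system's file protection.
NSData *generateEncryptionKey(void)
{
    uint8_t raw[32];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(raw), raw) != 0) return nil;
    return [NSData dataWithBytes:raw length:sizeof(raw)];
}

// 5. Keep that key in the Keychain. ThisDeviceOnly keeps it out of backups and bound
//    to this device; WhenUnlocked means it is only readable while the device is unlocked.
BOOL storeEncryptionKey(NSData *key, NSString *account)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : kKeyService,
        (__bridge id)kSecAttrAccount : account
    };
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any previously stored key

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData]      = key;
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL) == errSecSuccess;
}

NSData *loadEncryptionKey(NSString *account)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : kKeyService,
        (__bridge id)kSecAttrAccount : account,
        (__bridge id)kSecReturnData  : @YES,
        (__bridge id)kSecMatchLimit  : (__bridge id)kSecMatchLimitOne
    };
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}
```

Two caveats worth knowing before copying this into an app. File protection only does anything once the user has set a passcode, and NSFileProtectionComplete makes the file unreadable while the device is locked, so anything the app must touch in the background (fetching mail after the screen locks) should use NSFileProtectionCompleteUnlessOpen or NSFileProtectionCompleteUntilFirstUserAuthentication for that particular file. The Keychain key closes the backup and device-transfer hole, but it does not protect anything once the device is unlocked, which is exactly the point the Update makes; what the app then encrypts with that key is up to the app.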

A couple of weeks back I spoke at GeekCampSG about iOS security, where I demonstrated how insecure some iOS apps are when it comes to protecting user data. Popular apps like WhatsApp, Evernote and Instagram also fall into that category.

During my talk I covered 3 things:

  • How data is insecure when stored unprotected in the filesystem
  • How data is insecure while the application communicates with a backend server
  • How insecure this data can be on a jailbroken device, where reverse engineering is possible from a GDB prompt

You can view the slides of my GeekCamp talk below. I have already covered part 2, “securing iOS apps through the File Protection API”, at the iOS Dev Scout September meetup. I will post those slides here as well.

  
There is so much talk about the inclusion of Near Field Communication in the iPhone 5. We can never know whether it’s going to be supported soon or not.

A few months back Apple filed a patent that revealed their upcoming product called iWallet. This makes similar initiatives by other providers or vendors look naive. It will arguably change the way mobile payments are done today and is definitely the one that will rule the world, as mentioned in the article linked below.

The creative engineers at Apple have given enough thought to iWallet to make it work both when making a transaction in person and remotely. This leads to another revolutionary step that might replace credit cards, debit cards and gift cards completely!

Instead of a traditional One Time Password (OTP) sent to a registered mobile device, or a security token generated by an external device, Apple is probably going to use an application running on iPhone / iPad / Mac to validate that the transaction is authorized. The simplest thing I can think of is validating authorization with the iTunes password.

Moreover, the card holder can enable/disable automatic authorization for certain merchants or below a certain value, and flag certain transactions as unauthorized, which will immediately notify the issuing bank or credit card association. The cardholder-not-present authorization functionality may also be combined with a distinctive gesture, for example drawing a character or reverse-swiping a certain control.

From the screens below it’s clear that third-party applications can be enabled for “MobilePay” to use the features of iWallet.

Reference Link: http://www.patentlyapple.com/patently-apple/2012/03/part-2-apples-iwallet-the-one-that-will-rule-the-world.html


Not very long ago Google announced “Digital Wallet”, leveraging Near Field Communication. Some retail stores are also figuring out how to use Augmented Reality and Face Recognition technology to auto-debit money from the customer’s account to enhance the shopping experience.

However, these technologies are still pretty unstable when you combine them with m-Commerce or e-Commerce. But one thing that’s unique about a user is his thumb impression or palm impression. So bringing it into mobile applications would not only solve the issue of payment in retail but also check-in at airports (which some airports have already tried).

Fujitsu has manufactured a system called PalmSecure that requires no hardware on the user side. The technology works just by waving your hand in front of the detector. It identifies the user and makes the payment on their behalf. Very useful for priority or gold customers in retail. The same thing can be applied to business class passengers in airlines, enriching their boarding experience.

PalmSecure is an identification / security scheme that falls under the umbrella of biometrics. Examples of other biometric identifiers are fingerprint, voice, SIRI, face recognition etc. PalmSecure is uniquely unobtrusive, as it requires the same gesture you use with an NFC phone wallet or to swipe a credit card, only you don’t have to have anything on your person to make it work.

A few organizations have adopted it already, as a trial, to replace Single Sign On for access to their enterprise systems. I am thinking of ordering some of these devices to see if I can connect one to an iPad, which could then control anything from opening the door of a car to giving me my medical history for the last 6 months.

Reference: http://www.fujitsu.com/us/services/biometrics/palm-vein/palmsecure/index.html

I would sound naive if I tried to emphasize how important testing is for building a high quality application, be it a consumer mobile or web app or a large-scale enterprise application. I have been playing with iOS ever since the first SDK was released, and hence have worked with many customers, clients and enterprises (from startups to Fortune 500 companies).

And I think about 80% of those customers or clients prefer to do their testing manually and track the test results in Excel or Bugzilla, which is always time-consuming and requires a significant number of man-hours every time we want to do proper testing. iOS apps now support automated unit testing by default. But unit testing only ensures that a unit of your code works properly; it doesn’t guarantee the application will run properly under all circumstances.

Cedar is a BDD-style testing tool for Objective-C, similar to RSpec in Ruby. The documentation available online is a bit old and doesn’t really work with iOS 5. Hence, I will jot down a few quick steps on how to use this tool.

1. Download the framework from GitHub: https://github.com/pivotal/cedar

2. Build the Cedar-iOS static framework. You might want to change the “Derived Data” directory from its default location to your project directory, so that you won’t have to look in the archive of your application folder to find the static library.

3. Add these flags under “Other Linker Flags” in your build settings: -ObjC, -all_load, -lstdc++

4. Add the Cedar-iOS static framework to your project.

5. Comment out the default code in main.m and add the lines below, which launch CedarApplicationDelegate instead of your application’s AppDelegate. Another way to do this is to select Unit Test while creating your project and modify the main.m under the test directory, so that whenever you test the application it will launch Cedar.

#import <UIKit/UIKit.h>
#import <Cedar-iOS/Cedar-iOS.h>

int main(int argc, char *argv[])
{
	@autoreleasepool {
		return UIApplicationMain(argc, argv, nil, @"CedarApplicationDelegate");
	}
}

6. Create a new Objective-C++ file called AdditionSpec.mm; you write your test specs in this file. You can use matchers, mocks and stubs; for these, refer to the GitHub project.

#import "SpecHelper.h"
using namespace Cedar::Matchers;

SPEC_BEGIN(AdditionSpec)

// describe() and it() take a name and a block as their two arguments,
// so the closing parenthesis comes after the block, not after the name.
describe(@"BehaviorSpec", ^{
	it(@"addition should work properly", ^{
		expect(1 + 2).to(equal(3));
	});
});

SPEC_END

7. Build and run. It will display all the test results in a table view.
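As an added example (not part of the original post, and not Cedar’s or any real app’s code), here is a less trivial spec that ties this post to the file protection issue discussed further up the page: it defines a hypothetical AttachmentStore class inside the .mm file and checks that a saved attachment actually carries NSFileProtectionComplete, so a refactor that drops the option fails the test run instead of shipping. The class, its method name and the temporary directory layout are assumptions.

```objective-c
#import "SpecHelper.h"
#import <Foundation/Foundation.h>

using namespace Cedar::Matchers;

// Hypothetical class under test (assumed for this example): saves an attachment under
// an Attachments directory with complete file protection.
@interface AttachmentStore : NSObject
- (NSString *)saveAttachment:(NSData *)bytes named:(NSString *)name error:(NSError **)error;
@end

@implementation AttachmentStore
- (NSString *)saveAttachment:(NSData *)bytes named:(NSString *)name error:(NSError **)error
{
    NSString *dir = [NSTemporaryDirectory() stringByAppendingPathComponent:@"Attachments"];
    [[NSFileManager defaultManager] createDirectoryAtPath:dir
                              withIntermediateDirectories:YES
                                               attributes:nil
                                                    error:nil];
    NSString *path = [dir stringByAppendingPathComponent:name];
    BOOL ok = [bytes writeToFile:path
                         options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                           error:error];
    return ok ? path : nil;
}
@end

SPEC_BEGIN(AttachmentStoreSpec)

describe(@"AttachmentStore", ^{
    __block AttachmentStore *store;
    __block NSString *path;

    beforeEach(^{
        store = [[AttachmentStore alloc] init];
        // Constructed sample input; stands in for a received attachment.
        NSData *sample = [@"constructed sample attachment" dataUsingEncoding:NSUTF8StringEncoding];
        path = [store saveAttachment:sample named:@"statement.pdf" error:nil];
    });

    afterEach(^{
        [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
    });

    it(@"writes the attachment to disk", ^{
        expect([[NSFileManager defaultManager] fileExistsAtPath:path]).to(be_truthy());
    });

    it(@"applies complete file protection so the file is unreadable while the device is locked", ^{
        NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil];
        expect([attrs objectForKey:NSFileProtectionKey]).to(equal(NSFileProtectionComplete));
    });
});

SPEC_END
```

beforeEach / afterEach, be_truthy and equal are Cedar’s hooks and matchers. The simulator does not enforce data protection, so run this spec on a device with a passcode set for a meaningful result.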

Let me know if you face any issues in building or running it. Happy Testing. 😉

# Omni Omnigraffle + iOS Stencil (Paid): http://www.omnigroup.com/products/omnigraffle/

Get Stencils from: http://graffletopia.com/

# Sketch-kit Keynote Template: (Free) http://www.extrathought.com/sketchkit/

# Photoshop PSD Files (Free)

iPhone PSD: http://www.teehanlax.com/blog/iphone-gui-psd-v4/
iPad PSD: http://www.teehanlax.com/blog/ipad-gui-psd/

Other Options (Around 21 Different Tools): http://goo.gl/SwU2b

Summary: Use the tool you are most comfortable with. For example, if you are familiar with Keynote then use Sketch-kit or other Keynote templates. I personally prefer OmniGraffle. The best way to judge is to check the sample screens or videos of these tools and choose the one you like the most. 🙂

Ever since I installed the iOS 5 beta firmware, I was curious to try out iCloud. It has so many amazing features, like the new notifications, over-the-air print, maps, camera grid and better photo editing options, to name a few. Everything else was working except iCloud. Every time I tried, it used to say “Your Apple ID is correct but the device is not registered/eligible for iCloud”. I thought maybe it had something to do with the hardware.

Earlier today my friend told me that the iCloud beta had been released, so I curiously tried again, and it worked, and worked like magic.

For those hearing about iCloud for the first time, it is a content integration platform which integrates all your content and makes it available on all your Apple devices, like iPhone, iPad, iPod Touch and Mac. Everything happens over the air (wirelessly). Not only that, it makes all your app purchases available on all your devices. Apart from synchronizing, it takes a backup of all the data (currently up to 5MB) and makes it available in the cloud. So if your device crashes, you never lose the data.

In this beta release it has the following features:

  • Mail: Synchronizes and backs up the mails in your inbox and makes them available on other devices
  • Contacts: Synchronizes and backs up your contacts
  • Calendar: Synchronizes and backs up your Calendar events
  • Find my iPhone: Locate your device, send a message, lock it and wipe data
  • iWork: Office suite, backs up all documents and presentations

The first look is amazing, with future scope to support photo, music, app and video synchronization. I won’t be surprised if they plan to store a snapshot of the system, like they do with Time Machine.