Generally, iOS is claimed to be secure. Each app must pass Apple's vetting process before being published to the App Store. Additionally, the iOS framework is strict: for instance, it does not allow the installation of unauthorized apps on the device or any modification of an app's files. This prevents malicious apps from reaching the iOS environment. However, it does not prevent security vulnerabilities that stem from a valid app's own code. The iOS Analyzer covers this gap by detecting these issues and supplying the information required to fix them.
Our solution relies on IBM's innovative Glass Box technology, extending it to the mobile space. The Mobile Analyzer for iOS (part of IBM Application Security on Cloud) installs the application and then performs automatic crawling to simulate the user's interaction with the app. While the application is active, the Glass Box monitors and logs specific system method calls, which are used to detect security vulnerabilities. Using Glass Box technology brings accurate and detailed results, such as the location of the security issue in the user code.
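To make the Glass Box idea concrete, here is an added illustration of the runtime-hooking mechanism such a monitoring library relies on. It is not IBM's code and does not reflect how the proprietary iOS Analyzer library is built; the `GlassBoxMonitor` category, the `gb_` selector prefix and the finding rule are assumptions made for this example. It swaps the implementation of the system method `-[NSData writeToFile:options:error:]` for one that logs the call, flags a write that explicitly disables data protection, and then forwards to the original method, so the app keeps working while every call is recorded with its arguments.

```objectivec
// Added example, not part of the original post or of IBM's library.
// Foundation and the Objective-C runtime APIs used here are standard;
// the category, selector names and finding rule are hypothetical.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

@interface NSData (GlassBoxMonitor)
- (BOOL)gb_writeToFile:(NSString *)path
               options:(NSDataWritingOptions)opts
                 error:(NSError **)err;
@end

@implementation NSData (GlassBoxMonitor)
// Replacement for the system method. After the swap below, calling
// gb_writeToFile:... from inside this body reaches the ORIGINAL
// implementation, so the app's behaviour is unchanged.
- (BOOL)gb_writeToFile:(NSString *)path
               options:(NSDataWritingOptions)opts
                 error:(NSError **)err {
    // Isolate the file-protection class requested by the caller.
    NSDataWritingOptions protection = opts & NSDataWritingFileProtectionMask;
    // A write that explicitly asks for no protection is the kind of call a
    // monitor would log as a finding (hypothetical rule for this example).
    BOOL finding = (protection == NSDataWritingFileProtectionNone);
    NSLog(@"[glassbox] NSData writeToFile:%@ protection=0x%lx%@",
          path, (unsigned long)protection,
          finding ? @" FINDING: file written with data protection disabled" : @"");
    return [self gb_writeToFile:path options:opts error:err];
}
@end

// Runs automatically when the library is loaded into the app process, so the
// hook is active before any of the app's own code executes.
__attribute__((constructor))
static void GlassBoxInstallHooks(void) {
    Class cls = [NSData class];
    Method original = class_getInstanceMethod(cls, @selector(writeToFile:options:error:));
    Method hook     = class_getInstanceMethod(cls, @selector(gb_writeToFile:options:error:));
    if (original && hook) {
        method_exchangeImplementations(original, hook);
    }
}
```

Linking a library like this into a build is what lets a crawler observe the app from the inside: each logged call carries the method, its arguments and (via a backtrace, omitted here) the point in user code that made it, which is the information a report needs to point at the exact location of an issue.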
Running the iOS Analyzer
The first step in using the iOS Analyzer is to generate the IPAX file. The IPAX file contains the user application after it has been linked with the proprietary iOS Analyzer library, which allows the iOS Analyzer to monitor the application code at runtime.
To generate the IPAX file, download the IPAX Generator utility from the iOS Analyzer. You can then run the IPAX Generator from the command line, supplying the path to your Xcode project or workspace. The IPAX Generator automatically downloads the latest version of the iOS Analyzer library and builds and packages the application with the library linked to it. The resulting IPAX file contains the built application and is strongly encrypted to protect your privacy.
To test your application, simply upload the IPAX file to the iOS Analyzer. You may supply additional information, such as user credentials, if the application requires it.
The iOS Analyzer then automatically crawls your app, detecting possible security vulnerabilities. Once the scan is done, a comprehensive report is generated, with details for each vulnerability: a description of the security issue, how and where it was found in the app code, and how to fix it.
This post submitted by:
AppScan Mobile Analyzer Team Lead
IBM Security Systems
IBM Security Team