
Added Security topic
shams-ahmed committed Mar 30, 2015
1 parent f9732b4 commit 761f571
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions README.md
Expand Up @@ -467,6 +467,25 @@ First you should make your app send crash logs onto a server somewhere so that y

Once you have this set up, ensure that you _save the Xcode archive (`.xcarchive`)_ of every build you release. The archive contains the built app binary and the debug symbols (`dSYM`) which you will need to symbolicate crash reports from that particular version of your app.

### Security
Sensitive data such as username/password, personal user details, OAuth token etc should always be kept securely in a private location where it not accessible outside of the application. See [Apple security documentation](https://www.apple.com/business/docs/iOS_Security_Guide.pdf) for full brief on how iOS handle this area.

##### Do's
* Store sensitive data in Keychain. if your uncomfortable implementing Keychain library use a wrapper like [UICKeyChainStore](https://github.com/kishikawakatsumi/UICKeyChainStore)
* Treat untrusted files and data with care, always use NSFileProtectionComplete
* Remove personal data from memory when it not needed (i.e. self.password = nil;)
* Protect data in transit (https over ssl)
* Use TextFields with Secure Option and disable Autocorrection
* Clear the pasteboard once the app enters in background
* UIWebView: set cache policy to ignore local as its stored in the bundle
* NSLog disable it for release
* Use [obfuscation technique](https://github.com/UrbanApps/UAObfuscatedString) for runtime protection
* Analysis open source dependency before integrating

##### Don'ts
* Do not store sensitive data you don't actually need, or for longer than you need.
* Never store sensitive data in NSUserDefault, plist or CoreData. it mostly used to basic app feature like is first launch etc…
* Never store sensitive data in user document directory

## Building

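Review bot: The "Treat untrusted files and data with care, always use NSFileProtectionComplete" bullet under Do's conflates two unrelated controls: handling untrusted input (validate and parse it defensively) and the Data Protection class applied to files the app writes at rest. Split it into two bullets, and add the caveat that `NSFileProtectionComplete` makes a file unreadable whenever the device is locked, so files a background task must read need `NSFileProtectionCompleteUnlessOpen` or `NSFileProtectionCompleteUntilFirstUserAuthentication` instead. In the same list, "Protect data in transit (https over ssl)" should read "HTTPS (HTTP over TLS)"; the memory bullet should say "e.g." rather than "i.e.", and it is worth noting that `self.password = nil;` only releases the object, it does not zero the bytes, so copies of an `NSString` password can linger until the pages are reused. The obfuscation bullet overstates what UAObfuscatedString does: it hides string literals from a `strings` pass over the binary, it is not "runtime protection", and it will not keep a secret from a debugger. The UIWebView bullet should state what is in the bundle and what the cache policy is meant to prevent, since the app bundle is read-only and the URL cache is written under Library/Caches, not the bundle. Smaller fixes: "if your uncomfortable" should be "if you're uncomfortable", "where it not accessible" should be "where it is not accessible", "NSUserDefault" should be "NSUserDefaults", "CoreData" should be "Core Data", "it mostly used to basic app feature" should be "they are meant for basic app state", and "Analysis open source dependency before integrating" should be "Audit open-source dependencies before integrating them".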
