Skip to content

MASTG-TEST-0079: Testing Object Persistence

Overview

Static Analysis

All different flavors of object persistence share the following concerns:

  • If you use object persistence to store sensitive information on the device, then make sure that the data is encrypted: either at the database level, or specifically at the value level.
  • Need to guarantee the integrity of the information? Use an HMAC mechanism or sign the information stored. Always verify the HMAC/signature before processing the actual information stored in the objects.
  • Make sure that keys used in the two notions above are safely stored in the KeyChain and well protected. See the chapter "Data Storage on iOS" for more details.
  • Ensure that the data within the deserialized object is carefully validated before it is actively used (e.g., no exploit of business/application logic is possible).
  • Do not use persistence mechanisms that use Runtime Reference to serialize/deserialize objects in high-risk applications, as the attacker might be able to manipulate the steps to execute business logic via this mechanism (see the chapter "iOS Anti-Reversing Defenses" for more details).
  • Note that in Swift 2 and beyond, a Mirror can be used to read parts of an object, but cannot be used to write against the object.

Dynamic Analysis

There are several ways to perform dynamic analysis:

  • For the actual persistence: Use the techniques described in the "Data Storage on iOS" chapter.
  • For the serialization itself: Use a debug build or use Frida / objection to see how the serialization methods are handled (e.g., whether the application crashes or extra information can be extracted by enriching the objects).