Platform

ios

MASVS v1 MSTG-PLATFORM-8

MASVS v2 MASVS-CODE-4

Last updated: May 08, 2023

Testing Object Persistence

Overview

Static Analysis

All different flavors of object persistence share the following concerns:

• If you use object persistence to store sensitive information on the device, then make sure that the data is encrypted: either at the database level, or specifically at the value level.
• Need to guarantee the integrity of the information? Use an HMAC mechanism or sign the information stored. Always verify the HMAC/signature before processing the actual information stored in the objects.
• Make sure that keys used in the two notions above are safely stored in the KeyChain and well protected. See the chapter "Data Storage on iOS" for more details.
• Ensure that the data within the deserialized object is carefully validated before it is actively used (e.g., no exploit of business/application logic is possible).
• Do not use persistence mechanisms that use Runtime Reference to serialize/deserialize objects in high-risk applications, as the attacker might be able to manipulate the steps to execute business logic via this mechanism (see the chapter "iOS Anti-Reversing Defenses" for more details).
• Note that in Swift 2 and beyond, a Mirror can be used to read parts of an object, but cannot be used to write against the object.

Dynamic Analysis

There are several ways to perform dynamic analysis:

• For the actual persistence: Use the techniques described in the "Data Storage on iOS" chapter.
• For the serialization itself: Use a debug build or use Frida / objection to see how the serialization methods are handled (e.g., whether the application crashes or extra information can be extracted by enriching the objects).

Resources

• Mirror
• Objective-C Runtime Reference