
A third-party pentest company reported their findings in our iOS app. In the report, the explanation for this vulnerability is:

Apple provides default encryption for applications; however, the encryption could easily be bypassed by using publicly available tools such as Clutch. This was verified by performing static analysis, which shows that the application code has not been encrypted using a strong encryption mechanism. This makes it easy for an attacker to reverse engineer the application and to explore and modify its functionality.

For the remediation they suggested:

The recommendation is to use a custom encryption solution for the iOS application.

Is it possible to build an iOS app with a custom encryption solution? Is that something that is a feature when compiling an iOS app?

Is there a way to use custom "encryption" for an iOS app?

At0mic
titus
  • Is it possible that their "recommendation" is actually "generic" text? – titus Jul 28 '20 at 12:13
  • This doesn't make any sense... The application's code is unencrypted? Just write your code securely; it won't matter if someone can read it. The only applications that want to encrypt their code are malware. – john doe Jul 29 '20 at 04:03
  • Whether an app is using Apple's default encryption or some custom encryption scheme, the code and keys necessary to decrypt it must be in the app bundle (otherwise it wouldn't be able to run), so an attacker has everything they need to reverse-engineer the application. Does the pen-test company also happen to sell a "custom encryption solution", one wonders? – TripeHound Jul 30 '20 at 12:54
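Added example, not part of the original question, the pentest report or any of the comments: the static check the report alludes to ("the application code has not been encrypted") is normally done by reading the cryptid field of the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command in the app's main Mach-O executable. The script below walks the load-command table with Python's struct module, handles thin and fat (universal) binaries, and reports the cryptid per architecture slice. The Mach-O images it builds in build_sample / build_fat are constructed stand-ins with only an LC_UUID and an encryption-info command, not real app binaries; all function names are mine.

```python
import struct
from typing import Dict, List

MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header magic (fields little-endian on iOS)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header magic
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary; fat header fields are big-endian
LC_ENCRYPTION_INFO = 0x21     # encryption_info_command (32-bit images)
LC_ENCRYPTION_INFO_64 = 0x2C  # encryption_info_command_64 (64-bit images)
LC_UUID = 0x1B                # used only to build the constructed sample images below

CPU_NAMES = {0x0000000C: "arm", 0x0100000C: "arm64", 0x01000007: "x86_64"}


def thin_cryptid(data: bytes) -> Dict[str, object]:
    """Walk the load commands of one thin Mach-O image and report its cryptid.

    cryptid is the last field of LC_ENCRYPTION_INFO(_64): 1 means the __TEXT
    segment is FairPlay-encrypted (an App Store download); 0 means the code is
    in the clear (Xcode/ad hoc/enterprise build, or a decrypted dump). None
    means the command is absent, which is also a plaintext image.
    """
    magic, cputype = struct.unpack_from("<II", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian Mach-O image: magic=0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # same offsets in both headers
    result: Dict[str, object] = {"arch": CPU_NAMES.get(cputype, "0x%08x" % cputype), "cryptid": None}
    off = header_size
    end = header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(data):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants begin: cmd, cmdsize, cryptoff, cryptsize, cryptid
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            result["cryptid"] = cryptid
            break
        off += cmdsize
    return result


def encryption_status(data: bytes) -> List[Dict[str, object]]:
    """Return one {arch, cryptid} entry per slice, for a thin image or a fat binary."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _ct, _cst, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append(thin_cryptid(data[offset:offset + size]))
        return slices
    return [thin_cryptid(data)]


def build_sample(cryptid: int, cputype: int = 0x0100000C) -> bytes:
    """Constructed minimal 64-bit Mach-O (not a real app): LC_UUID + LC_ENCRYPTION_INFO_64."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    # mach_header_64: magic, cputype, cpusubtype, filetype(MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


def build_fat(slices: List[bytes]) -> bytes:
    """Constructed fat wrapper around thin images (alignment padding omitted for brevity)."""
    header_len = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype, cpusubtype = struct.unpack_from("<II", s, 4)
        archs += struct.pack(">IIIII", cputype, cpusubtype, header_len + len(body), len(s), 0)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python3 cryptid.py Payload/MyApp.app/MyApp
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                     # no file given: inspect the constructed samples
        blob = build_fat([build_sample(1), build_sample(0, 0x01000007)])
    for entry in encryption_status(blob):
        print("%-8s cryptid=%s" % (entry["arch"], entry["cryptid"]))
```

Run it against the main executable inside the unzipped .ipa (Payload/<App>.app/<App>). cryptid 1 only ever appears on binaries delivered by the App Store; builds signed with a development, ad hoc or enterprise profile, which is what a pentest vendor is usually handed, always carry cryptid 0, so a "not encrypted" finding on such a build says nothing about the app itself. And because the loader decrypts an App Store binary into memory with keys held by the device, a dump of that memory (which is what Clutch produces) is plaintext again; any "custom" scheme whose key ships in the bundle is undone the same way.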

0 Answers