
Comprehensive guide for iOS app security testing and reverse engineering.
Developing for popular mobile OS
This article describes how to develop a real-time weather app in Flutter using the Tomorrow.io Weather API. The app consists of a single screen that displays the current weather and a 4-day daily forecast for a given location. We build it in Flutter because Flutter is an open-source UI toolkit that targets mobile and desktop platforms from a single codebase, so the same app can be shipped to several platforms without a rewrite.
Let’s talk about app architecture and the approach I have applied as an iOS software engineer at a few companies. My team and I were trying to build something solid without slipping into a swamp of rules, where following the architecture distracts you from the actual business domain code. The result is something that works for us and is, in my view, worth sharing.
UIKit first appeared in iPhone OS 2 (2008), and it is still here. Over time we got to know it well and learned how to work with it, and many architectural approaches grew up around it. MVVM, in my opinion the most popular, has strengthened its position with the release of SwiftUI, while other architectures seemed to fit SwiftUI awkwardly.
But what if I told you that Clean Swift, VIPER and other approaches can be adapted to SwiftUI? What if I told you that there are modern architectures which might be as good as MVVM, or even better?
We will talk about MVI.
Only after I had published a post detailing three iOS 0-day vulnerabilities and expressing my frustration with the Apple Security Bounty Program did I receive a reply from Apple:
We saw your blog post regarding this issue and your other reports.
We apologize for the delay in responding to you. We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.
Please let us know if you have any questions.
Indeed, I do have questions. The same ones that you have ignored. I'm going to repeat them. Why was the fix for the analyticsd vulnerability quietly included in the iOS 14.7 update but not mentioned on its security content list? Why did you promise to include it in the next update's list but break your word not once but thrice? Why do you keep ignoring these questions?
After my previous post, some people have expressed doubts that such code can make its way into the App Store. It's understandable why they think this way. That's because Apple makes people believe that the App Store is safe by repeating it over and over. Moreover, they claim that they disallow alternative stores and application sideloading to keep users safe, and that otherwise users would be in great danger. Android has alternative stores and unrestricted sideloading, and have you heard about any kind of security problems with Android recently? I haven't. But in the last few months alone there were so many reports about security and privacy issues on Apple platforms. And the real reason that Apple doesn't allow any alternatives to the App Store is that they receive a 30% commission on all purchases made inside any app, and it's a tremendously lucrative business for them. They also enact censorship by choosing to allow or disallow any app into the App Store based purely on the subjective opinions of their employees and managers.
So in this article I'm going to dispute the claim that the App Store is safe, voice my complaints about the App Store review process, and provide a detailed explanation (including source code) of how malicious apps on the App Store conceal their functionality from the App Store review team and are able to sneak into the App Store.
I want to share my frustrating experience participating in the Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4; as of now three of them are still present in the latest iOS version (15.0), and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There have been three releases since then, and they broke their promise each time.
Read on for the specifics of each vulnerability.
    import Foundation

    struct Test<T>: Codable where T: Codable {
        enum CodingKeys: String, CodingKey {
            case value
        }
        let value: T
        let info: String
    }

    // Unconstrained init(from:). This is the only candidate the compiler can
    // bind as the Decodable protocol witness, because a witness has to exist
    // for every Test<T>, not just Test<String>.
    extension Test {
        init(from decoder: Decoder) throws {
            let container = try decoder.container(keyedBy: CodingKeys.self)
            self.value = try container.decode(T.self, forKey: .value)
            self.info = "Default init(from decoder:)"
        }
    }

    // Constrained overload. It is chosen only when Test<String>(from:) is
    // called directly; JSONDecoder goes through the protocol witness above,
    // so this initializer is never reached when decoding.
    extension Test where T == String {
        init(from decoder: Decoder) throws {
            let container = try decoder.container(keyedBy: CodingKeys.self)
            self.value = try container.decode(T.self, forKey: .value)
            self.info = "Custom init(from decoder:)"
        }
    }

    let data = #"{"value":"Hello, World!"}"#.data(using: .utf8)!
    let object = try? JSONDecoder().decode(Test<String>.self, from: data)
    print(object.debugDescription)

Output (note that the constrained overload was not used, even though T is String):

    Optional(
        Test<String>(
            value: "Hello, World!",
            info: "Default init(from decoder:)"
        )
    )
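If the goal is a type-specific decoding path, the dispatch has to happen inside the single protocol witness rather than in a constrained overload the compiler never binds. The following is an added example and not part of the original snippet; the `SpecialDecodable` marker protocol and the `decodeInfo` helper are names introduced here for illustration.

```swift
import Foundation

// Marker protocol for types that should take the special decoding path.
// Introduced for this example; not part of the original snippet.
protocol SpecialDecodable {}
extension String: SpecialDecodable {}

struct Test<T>: Codable where T: Codable {
    enum CodingKeys: String, CodingKey {
        case value
    }
    let value: T
    let info: String

    // The one and only protocol witness. The branch on T happens at runtime
    // here, so JSONDecoder reaches it for every T, including String.
    init(from decoder: Decoder) throws {
        let container = try decoder.container(keyedBy: CodingKeys.self)
        self.value = try container.decode(T.self, forKey: .value)
        if T.self is SpecialDecodable.Type {
            self.info = "Custom init(from decoder:)"
        } else {
            self.info = "Default init(from decoder:)"
        }
    }
}

// Helper (name chosen for this example) that decodes a JSON object into
// Test<T> and returns which path was taken.
func decodeInfo<T: Codable>(_ json: String, as type: T.Type) throws -> String {
    let data = Data(json.utf8)
    return try JSONDecoder().decode(Test<T>.self, from: data).info
}

// Constructed sample inputs.
print(try decodeInfo(#"{"value":"Hello, World!"}"#, as: String.self))
// Custom init(from decoder:)
print(try decodeInfo(#"{"value":42}"#, as: Int.self))
// Default init(from decoder:)
```

The `is SpecialDecodable.Type` check is a metatype test, so any type that adopts the marker protocol gets the custom path without adding another constrained extension; the unconstrained overload in the original snippet is still the only witness, it just now contains the decision.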
Recently Epic Games’ Fortnite was removed from the Apple App Store and Google Play Store. The main reason was Epic’s bypassing of in-app purchases instead of using the officially sanctioned system on both platforms. While it is still possible to download Fortnite directly, this large-scale case brings to light the duopoly of Apple and Google in the mobile market.
For most developers, these two stores account for almost all of their revenue and user base. While Epic Games will be fine without them for the time being, what about the other 99% of developers who rely on these two stores for distributing and monetizing their apps? In this article, we’ll look at some of the alternative stores available to both developers and consumers for finding or distributing apps.
For one reason or another, you may have found yourself wondering, “Where are some other places I can go to find and download new apps and games for my mobile device?” or “Are there any other marketplaces where I can share my apps?”
Statista.com has tracked the surge in video conferencing app downloads from the App Store and Google Play; its figures by country are:
| Country | Hangouts Meet | Houseparty | Microsoft Teams | Zoom |
|---|---|---|---|---|
| USA | 30 | 8 | 11 | 4 |
| France | 23 | 30 | 16 | 2 |
| Germany | 15 | 26 | 11 | 17 |
| Spain | 64 | 2360 | 15 | 27 |
| Italy | 140 | 423 | 30 | 55 |
Despite the part number, this is the third article about reactive programming. Today we are going to talk about how to handle side effects while using unidirectional approaches.
Recently I wrote an article, What is Reactive Programming? iOS Edition, in which I described in a simple way how to build your own reactive framework and showed that no one should be scared of the reactive approach. That previous article could now be called How to cook reactive programming. Part 0, since this is a continuation. I would recommend reading it first if you are not familiar with reactive programming concepts.
There are many articles about reactive programming and its different implementations on the internet. However, most of them are about practical usage, and only a few concern what reactive programming is and how it actually works. In my opinion, it is more important to understand how the frameworks work deep inside (spoiler: nothing is actually complicated there) than to start using a number of traits and operators while shooting yourself in the foot.
So, what is reactive programming, whether you call it RxSwift, Combine, or something else?
Instruments, shipped with Apple's Xcode, is a tool for performance analysis of an iOS application. In 2018 Apple introduced Custom Instruments, a way to extend the standard set of instruments for application profiling. When the existing tools are not enough, you can create a new one yourself that collects, analyzes and displays the data the way you need.