# 課程:App資安規劃與實作 * [**課程網址**](http://wiki.softarts.cc/doku.php?id=%E5%85%AC%E9%96%8B:20180811_tibame_ios_app%E8%B3%87%E8%A8%8A%E5%AE%89%E5%85%A8) ``` NSExceptionAllowsInsecureHTTPLoads NSIncludesSubdomains ``` ## 資料安全 * 使用 [RNCryptor](https://cocoapods.org/pods/RNCryptor) 或 Keychain 做檔案加密 ## 網路安全 * 使用 [Trustkit](https://cocoapods.org/pods/TrustKit) 做 SSL Pining (OWASP推薦) * [SSL Labs](https://ssllabs.com) ``` 檢測網站憑證用,包含查看SSL pin SSL pin = Base64(SHA256(Public Key)) ``` * Home ![](https://1934061725-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4XrCDvjc3xNfiB-3eT%2F-M4Y-TstkTXMD9Y8W9l7%2F-M4Y03adOhVIvUpMfHq6%2FSSL_Labs_Home.jpg?alt=media\&token=49b57012-2bac-4df3-b83e-dd021e9f5a0e) * Hostname ![](https://1934061725-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4XrCDvjc3xNfiB-3eT%2F-M4Y-TstkTXMD9Y8W9l7%2F-M4Y03bbyT7_1cgvTF8S%2FSSL_Labs_hostname.png?alt=media\&token=477da810-8c70-4f2a-8a17-d857eb8e087a) * Report ![](https://1934061725-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4XrCDvjc3xNfiB-3eT%2F-M4Y-TstkTXMD9Y8W9l7%2F-M4Y03bcQx1B0qMH67YQ%2FSSL_Labs_Report.png?alt=media\&token=575e7a9f-96c6-4701-ad8b-e96d67e65577) * SSL Pin 1 ![](https://1934061725-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4XrCDvjc3xNfiB-3eT%2F-M4Y-TstkTXMD9Y8W9l7%2F-M4Y03aerX9hCQ3wk7Z0%2FSSL_Labs_SSL_Pin1.jpg?alt=media\&token=ca3be05c-3c58-4ffd-9c24-5b9fc4009216) * SSL Pin 2 ![](https://1934061725-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4XrCDvjc3xNfiB-3eT%2F-M4Y-TstkTXMD9Y8W9l7%2F-M4Y03afzw_0Zbu0dnFI%2FSSL_Labs_SSL_Pin2.jpg?alt=media\&token=f65b5c78-9697-44bb-84db-d97f0709f4fa) ## 程式碼安全 * Host domain 在程式碼中,應以密文形式存在 * 加密的 Key 可用 Computed property 來做,比直接寫一個值好 ```swift // Not good let key = "123456" // Not good, it will keep in memory when class initial let key: String = { return "12"+String(30+4)+String(7*8) }() // Good var key: String { return "12"+String(30+4)+String(7*8) } ``` * 做動態記憶體偵測反制 * 在AppDelegate,將 @UIApplicationMain 註解掉 * 新增 main.swift ```swift import Foundation import UIKit _ = autoreleasepool { UIApplicationMain( CommandLine.argc, UnsafeMutableRawPointer(CommandLine.unsafeArgv) .bindMemory( to: UnsafeMutablePointer.self, capacity: Int(CommandLine.argc)), nil, NSStringFromClass(AppDelegate.self) //Or your class name ) } ``` * 新增 DisableTrace.swift (停止 Debug mode) * 使用 macro,在 Release 模式時才反制 * 使用 @inline(\_\_always) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jacky-chen.gitbook.io/jackychen/security/ke-cheng-app-zi-an-gui-hua-yu-shi-zuo.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.