Securing Your iOS Apps in the Field
Suganya Baskaran

Services Security

ArcGIS

Local Data Security

App Security

Securing your app in the field

Concern: How can I protect my app?

Local Authentication

• Use device’s Touch ID - Two Models

1. Stand Alone Local Authentication
- Provides access to app
- Acts as a checkpoint
- Fall back – Custom authentication

2. Local Authentication Integration With Keychain
- Provides access to app + Authenticates Users
- Allows users to stay signed in
- Fall back – Device’s passcode

Demo – Local Authentication

Stand Alone Local Authentication

• Import Local Authentication framework
• Create an instance of LAContext
• Evaluate Policy for Biometrics
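
The three steps above in Swift, as an added example that is not from the original slides. The function name, the result enum and the fallback button label are assumptions, and the `biometry…` error cases require iOS 11 or later.

```swift
import Foundation
import LocalAuthentication

/// Outcome of the stand-alone biometric checkpoint (hypothetical type).
enum CheckpointResult {
    case unlocked            // biometric match: let the user into the app
    case useCustomFallback   // biometrics unusable or user asked for the fallback
    case denied(Error?)      // cancelled or failed: keep the app locked
}

/// Hypothetical helper: gates app access with Touch ID and reports when the
/// app's own custom authentication should be shown instead.
func runBiometricCheckpoint(reason: String,
                            completion: @escaping (CheckpointResult) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = "Use app password"  // constructed label

    // Check availability first: no sensor, nothing enrolled, or locked out.
    var policyError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &policyError) else {
        completion(.useCustomFallback)
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, error in
        // The reply arrives on a private queue; hop to main before touching UI.
        DispatchQueue.main.async {
            if success {
                completion(.unlocked)
                return
            }
            switch (error as? LAError)?.code {
            case .userFallback?, .biometryNotAvailable?,
                 .biometryNotEnrolled?, .biometryLockout?:
                completion(.useCustomFallback)
            default:
                completion(.denied(error))  // fail closed on anything else
            }
        }
    }
}
```

In this model the result is only a success flag inside the app process, which is why the slides call it a checkpoint; credentials that must stay protected belong in the Keychain, as in the second model.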

Securing your services in the field

Concern: Do the right people have access to the services?

Authentication

• Set up at Server / Portal
• Types of Authentication Mechanisms

- Token based
  - External users, username/password
  - OAuth

- Windows based
  - Enterprise users, username/password

- PKI based
  - Enterprise users, Client certificate

• Save Credential to Keychain

SDK supports all Auth Mechanisms!

You handle Client Code and UI!

Concern: Do people have the right access to the services?

Authorization

• Set up at Server / Portal
• Configured for each service
• Two methods

1. Ownership Based Access Control
- Owner has update / delete privileges
- Can limit non-owner privileges

2. Capabilities
- Can limit privileges for all users

Capabilities: Create,Query,Update

Capabilities: Create,Query

Popup Editing
• SDK - handles everything
• You – do nothing!

Manual Editing
• You – do the checking

canDeleteFeature, canUpdateFeature
canCreate, canDelete, canUpdate
canUpdateGeometry

Demo – Authentication & Authorization ArcGIS

Concern: Am I connecting to the right server in a secure way?

SSL

• Secure Socket Layer protocol
• Digital Certificate
- Verifies Identity of Server
- Creates encrypted link

• Types of Digital Certificate
- Certificate Authority signed certificate
- Domain certificate
- Self-signed certificate

• Set up at Server / Portal

You - use https

SDK
• redirects http to https
• warns user about self-signed certificate

Securing your local data in the field

Concern: How can I protect the data in my device?

Data Protection

• iOS provides Data Encryption
• Set up passcode to opt-in
• Data Protection Modes

- Complete
  - Available only when unlocked

- Protected Unless Open
  - Available when unlocked
  - Also available when file is open already

- Protected Until First User Authentication
  - Available after first unlock since reboot
  - Default

- No Protection
  - Always Available

Modifying Data Protection Mode

• App Level
- ‘Capabilities’ pane of settings

• File Level
- Use NSFileManager
- Set NSFileProtectionKey

Summary

Services Security
- Authentication
- Authorization: OBAC, Capabilities
- SSL

Local Data Security
- Data Protection

App Security
- Touch ID

Rate the session www.esri.com/RateMyDevSummitSession