In this post, I’ll discuss how Apple’s recent focus on mobile user privacy is upping the ante for mobile app makers to take more active measures that are intended to protect mobile user data. In recent iOS releases starting with iOS 14, Apple has introduced new privacy requirements that require mobile developers to be more transparent about who has access to mobile user’s data, how they access it, and what they can do with it. For any iOS app that uses advertising, tracks users, allows access to user data, or monitors user activity, Apple now requires explicit permission to track mobile users via the IDFA. In addition, the app developer must also identify each 3rd party provider, SDK, or 3rd party library that tracks mobile users inside the iOS application by including the provider’s unique identifier in an iOS properties list (ie: the provider’s SKAdNetwork ID). Apple’s new privacy requirements are mandatory. The changes have significant impacts both on iOS developers, advertisers, and ad networks that track mobile users. This blog will focus on the security implications introduced by Apple’s requirement to disclose advertising providers within Plists, and explain how iOS developers can meet Apple’s requirements and protect property lists and the data stored within them.
What Are Property Lists or Plists in iOS Apps?
In iOS apps, a plist (aka ‘property list’) is a structured text file that contains metadata about the app which are essential for the app to run. Plists are collections of key-value pairs (such as a dictionary list) that specify how the system should interpret the various data elements contained inside the app bundle. Some key-value pairs characterize the bundle itself, while others configure the app, frameworks, or other entity referenced in the bundle.
Every iOS app has at least one plist (info.plist is the default plist supplied by Xcode when you create a project). iOS apps can have multiple plists for specific functions, and the details of what to include in the property list vary by executable type and platform. With the introduction of Apple’s new privacy requirements, the information stored in plists has become more valuable, and thus plist encryption has become an important requirement in order to protect the sensitive data stored within them.
How Are Plists Used In iOS Apps?
Property list files are often used to store smaller data sets that require persistence across mobile app sessions. Plists are used to define user settings, device configuration info, screen orientation/displays/interfaces, localization, and information about bundles and the application itself. Properties files can also be used to store information about app permissions and resources requested and used by other applications. The data stored in a plist also needs to be externalized fairly often, so the data needs to be available when it is requested by the app or an external entity. Apple’s privacy initiatives require more sensitive information to be stored in plists than ever before.
What is an IDFA?
The Identifier for Advertisers (IDFA) is an anonymized unique identifier assigned by Apple to a user’s device that allows an installed mobile application to track user behavior across other companies’ apps, websites or offline properties for the purposes of ad targeting, personalization, tracking, measurement, and attribution. Much like a third-party cookie in a browser, IDFA enables advertisers to track a user’s interactions within mobile apps, such as downloads, clicks and purchases.
The first of Apple’s new privacy requirements is that developers must obtain permission from users before tracking them using the IDFA on an app-by-app basis.
The second important requirement is that in iOS 14.5, the app developer must make specific declarations within properties files (plist or info.plist) that identifies each 3rd party provider, SDK, or 3rd party library that tracks mobile users inside the iOS application by including the provider’s unique identifier in an iOS properties list (ie: the provider’s SKAdNetwork ID). As an example, let’s say you’re a developer who builds an app with the Google Admob mobile advertising SDK. Going forward, in order to meet Apple’s requirements, you’ll need to include the key/value pair in info.plist which identifies the Google ADMob SDK (GADApplicationIdentifier). And you’ll need to do the same for all other advertising or attribution SDKs/libraries or other entities that track mobile users.
How Apple’s IDFA Requirements Affect iOS Developers
This new requirement to disclose information about advertising SDKs and 3rd party libraries in the info.plist file has many mobile developers and mobile game makers on edge. Most mobile developers would rather not reveal the 3rd party ad SDKs and related libraries used in their app.
In addition, there are also some important security implications that arise from storing sensitive data in properties lists – especially if the information is not encrypted:
- Public disclosure about 3rd party libraries can introduce security challenges for developers. If fraudsters know the 3rd party SDKs and libraries in the app, they can discover vulnerabilities in those libraries using public sources (such as Mitre), and then target the apps that use those libraries to exploit the vulnerabilities.
- Property Lists (plists) can be altered easily.
- Plist hacking – Properties files are often targets for malicious reverse engineers and game cheaters because plists can be modified to alter game scores or other values, and also to disable mobile ads. Specifically, plists often contain important metadata about the app’s structure, configuration, and how it functions, as well as information about app permission and user preferences. In mobile games, plists are sometimes used to store game values, so game cheaters often engage in ‘plist hacking’ in order to modify game values. Here are some of the malicious actions that can be accomplished by hacking Plist files in iOS apps:
- Mobile game cheating – by changing the values of game properties such as coins, gems, lives, powers, game scores or any other values stored in plists
- Disable mobile advertising
- Change app bundle ID and build numbers
- Change app permissions
- Unauthorized access to private user data via app preferences
In order to maintain compliance with Apple’s new privacy requirements, protect their competitive advantage, and safeguard their mobile user’s information, protecting the information stored inside info.plist has become an important requirement for mobile app developers.
Appdome’s Solution: Plist Encryption
Appdome enables developers to meet Apple’s new privacy requirements AND protect their info.plist files using plist encryption. This encrypts the information stored in any property lists (including info.plist) of any iOS app without any code or coding required. This will protect any data and keys stored inside the plist from being accessed or altered by any unauthorized entity. And by doing so, this will help developers comply with Apple’s privacy requirements without alot of extra work.
If you want to learn more about any of these features or see them in action, feel free to request a demo to see how Appdome helps mobile developers automate mobile app security and protect mobile data in all iOS and Android apps – all app frameworks – No coding, No SDK required.