Researcher Proposes New iOS App Standard To Disclose Vulnerabilities Securely

Security researcher Ivan Rodriguez proposed a new iOS app security standard on his blog earlier this month. He dubbed it Security.plist, after the Security.txt standard that inspired it. The standard requires an app developer to create a property list file called security.plist and embed it in the root directory of an iOS application. The file will contain all the basic information to "define the process for security researchers to disclose security vulnerabilities securely."


Rodriguez said the idea for Security.plist comes from Security.txt, which is currently being standardized by the Internet Engineering Task Force (IETF) and has been widely adopted by the industry, including technology giants such as Google, GitHub, LinkedIn, and Facebook.

Rodriguez is a researcher who uses his spare time to find vulnerabilities in iOS applications. He says he spends most of his time "hanging around" in apps and therefore finds several flaws, but he has not yet found a convenient way to reach the responsible person and the appropriate disclosure channels. Often the common way is to communicate with unethical business or sales workers, who may not know how to deal with the risk and its severity. Here is how he describes the obstacle:

"As probably you know by now, I spend a lot of my free time reverse engineering iOS applications. But when I find a vulnerability in one of them, it's a very, very difficult process to figure out how to contact the company. More often than not, I have to write an email to a generic [email protected] or fill out a form on the company.com/contact website. Most of these channels are handled by people in marketing or sales, who might have no idea how to respond, what to do or even to identify if it's a real problem."

Rodriguez therefore advised that security personnel and developers leave a plist file in the root folder of the application and record in it the relevant contact information for communicating and resolving the issue. For now, he has only just come up with the system and wants to hear the thoughts of app developers.

The researcher has also created a website explicitly for security.plist, where every app developer can create a basic file and embed it in their own app.
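
As an added illustration (not code from Rodriguez or from the security.plist website), the following Python sketch shows how a researcher or a release pipeline could check whether an app archive ships a security.plist in the bundle root and read it. The article does not list the file's fields, so the `contact` key, the `Demo.app` name and the size limit are assumptions made for this example.

```python
import io
import plistlib
import re
import zipfile
from xml.parsers.expat import ExpatError

# Inside an .ipa archive the app bundle root is Payload/<Name>.app/, so the
# file the article describes must sit exactly one level below that folder.
ROOT_PLIST = re.compile(r"^Payload/[^/]+\.app/security\.plist$")
MAX_SIZE = 64 * 1024  # assumption: a contact file is tiny; refuse large entries


def read_security_plist(ipa_bytes):
    """Return the parsed security.plist dict from an IPA, or None."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if not ROOT_PLIST.match(info.filename):
                continue  # nested copies (Frameworks/, PlugIns/) do not count
            if info.file_size > MAX_SIZE:
                return None
            try:
                data = plistlib.loads(ipa.read(info))  # XML or binary plist
            except (ValueError, ExpatError):
                return None  # present but not a valid property list
            return data if isinstance(data, dict) else None
    return None


def build_sample_ipa(entry_path, entry_bytes):
    """Build a constructed, minimal IPA in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Demo.app/Info.plist",
                     plistlib.dumps({"CFBundleName": "Demo"}))
        ipa.writestr(entry_path, entry_bytes)
    return buf.getvalue()


# Constructed sample: the "contact" key is hypothetical, modelled on security.txt.
SAMPLE = {"contact": "mailto:security@example.com"}

if __name__ == "__main__":
    ipa = build_sample_ipa("Payload/Demo.app/security.plist",
                           plistlib.dumps(SAMPLE))
    print(read_security_plist(ipa))
```

A `None` result covers three cases a reviewer would want to tell apart in practice: the file is missing, it is only present in a nested bundle, or it is not a well-formed property list.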
