Security controls

Some of the security features implemented in the SDK would slow down application development if they could not be disabled during the development phase. For example, the root detection feature will not allow the application to run on the iOS simulator, since the simulator behaves as a rooted device. The Onegini SDK lets you turn off those features by implementing a SecurityController class within your application. This class, if present, will be picked up by the SDK and the configuration you specified will be applied.

It's strongly advised to release applications with all security controls enabled, and debug logs disabled. Security controls should only be turned off during development.

Debug detection

The iOS SDK can detect whether the app is running with a debugger attached. If debug detection is enabled and a debugger is detected, the SDK will not allow any of the flows to complete successfully. All flows will end in an error stating that the device is not suitable to communicate with the back-end. A special event will also be logged in the Token Server event log, indicating that a connection was made from a potentially unreliable device.

Root detection

The iOS SDK can detect whether the device running the application is jailbroken. If detection is enabled and the device is jailbroken, the SDK will not allow any of the flows to complete successfully. All flows will end in an error stating that the device is not suitable to communicate with the back-end. A special event will also be logged in the Token Server event log, indicating that a connection was made from a potentially unreliable device.

Tampering detection

The application's signature is used to detect whether the application has been tampered with. If it has, communication with the Token Server will fail.

Debug logs

The iOS SDK has an additional option to print debug logs to the console if needed. The SDK will log its network communication (HTTP request/response paths and status codes) and every method call to the public API.

How to configure security controls

You may want to disable root or debug detection (or both), for example during the development process. The SDK uses the NSClassFromString function to search for a class called SecurityController. The class should provide a static (class-level) BOOL method named debugDetection and/or rootDetection, for example:

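// SecurityController.h
#import <Foundation/Foundation.h>

#ifdef DEBUG
@interface SecurityController : NSObject

// Each method returns whether the corresponding feature is enabled.
+ (BOOL)rootDetection;
+ (BOOL)debugDetection;
+ (BOOL)debugLogs;

@end
#endif

// SecurityController.m
#import "SecurityController.h"

#ifdef DEBUG
@implementation SecurityController

// NO turns debug detection off.
+ (BOOL)debugDetection
{
    return NO;
}

// NO turns root detection off.
+ (BOOL)rootDetection
{
    return NO;
}

// YES turns debug logs on.
+ (BOOL)debugLogs
{
    return YES;
}

@end
#endif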

This way you can (temporarily) disable both security controls and turn debug logs on. To ensure that your application is not released with security controls disabled, it's advised to add the SecurityController class only for debug builds. This can be accomplished by wrapping the class in an #ifdef DEBUG block, as shown above.
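
A release-gate check for the advice above, as an added example that is not part of the Onegini SDK or its documentation: the Python function below scans Objective-C source text and reports every SecurityController declaration or implementation that is not inside a DEBUG-only preprocessor branch. The function name and the sample sources are constructed for illustration, and it assumes the DEBUG macro is defined only in debug build configurations.

```python
import re

DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b(.*)$")
DEBUG_EXPR = re.compile(r"^(DEBUG|defined\s*\(\s*DEBUG\s*\)|defined\s+DEBUG)$")
DECL = re.compile(r"^\s*@(interface|implementation)\s+SecurityController\b")

def unguarded_declarations(source):
    """Return 1-based line numbers where SecurityController is declared or
    implemented outside a DEBUG-only preprocessor branch."""
    stack = []  # per open conditional: [this branch DEBUG-only?, #else branch DEBUG-only?]
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            kind = m.group(1)
            is_debug = bool(DEBUG_EXPR.match(m.group(2).split("//")[0].strip()))
            if kind in ("ifdef", "if"):
                stack.append([is_debug, False])
            elif kind == "ifndef":
                stack.append([False, is_debug])  # only the #else branch is DEBUG-only
            elif kind == "elif" and stack:
                stack[-1] = [False, False]  # conservative: unknown condition
            elif kind == "else" and stack:
                stack[-1] = [stack[-1][1], False]
            elif kind == "endif" and stack:
                stack.pop()
        elif DECL.match(line) and not any(frame[0] for frame in stack):
            hits.append(lineno)
    return hits

# Constructed sample sources, not taken from a real project.
GUARDED = """#ifdef DEBUG
@implementation SecurityController
+ (BOOL)rootDetection { return NO; }
@end
#endif
"""
UNGUARDED = """#import "SecurityController.h"
@implementation SecurityController
+ (BOOL)rootDetection { return NO; }
@end
"""
ELSE_BRANCH = """#ifdef DEBUG
#else
@implementation SecurityController
@end
#endif
"""
if __name__ == "__main__":
    print([unguarded_declarations(s) for s in (GUARDED, UNGUARDED, ELSE_BRANCH)])
```

Run over every .h and .m file in a release pipeline, a non-empty result means the class would be compiled into the release build, where the SDK would find it by name and apply its settings.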