What do you mean how? The app has a secure token only the app has, any traffic without that token is invalid. IOS already sandboxes all apps so the token would be impossible to extract. This is basic app security, I can't believe this is even discussed
People extract tokens from apps all the time. Jailbreaks for modern versions of iOS do exist and if they become too hard to pull off, that'll just create a market for pre-jailbroken devices.
Tokens embedded into your app can and will be extracted. You can make life harder for criminals by rapidly updating tokens and invalidating all but the last X updates, but I doubt your users are going to like that, and I doubt criminals will be stopped for long with the amount of money at stake.
There are ways to make it incredibly difficult for hacked apps but if the file ends up at a user's device, you lose control.
I'm not following. So we have to keep to the locked app store-only model because if we allowed sideloading....people could jailbreak their devices and apps could extract secrets? I don't follow.
>>that'll just create a market for pre-jailbroken devices.
I don't understand - people will get pre-jailbroken devices so they can be hacked easier? The whole idea with forcing apple to allow sideloading is that you can be on the very latest, most secure iOS version and sideload apps.
I think you misunderstand. The secure token you mention isn't secure if it's part of your app, like any other API key or password. Fake apps will just extract that token from the real app and insert it into their own code.
And how exactly will they do that on a non-jailbroken fully updated iOS installation?
Not to mention that iOS apps keep those kinds of secrets in the Secure Enclave and you can't get anything out of it unless you are the app that put the secret in there in the first place - that doesn't change whether apple allows sideloading or not. If you need a jailbreak to break that protection then this isn't something that will affect your "normal" user like many here are worried about. Normal iOS protections will be more than enough.
> And how exactly will they do that on a non-jailbroken fully updated iOS installation?
This is irrelevant because banks need to support people using older versions of iOS as well.
> Not to mention that iOS apps keep those kinds of secrets in the Secure Enclave
iOS doesn’t store tokens in the Secure Enclave. It can generate keys and use them to sign things, but keys and tokens are different things. The Secure Enclave isn’t a generic secret store, it has very specific, limited functionality. Are you perhaps mixing it up with the keychain?
Also, you didn’t answer the question:
> What kind of token? How does it obtain it?
It’s still unclear whether you are thinking of a static token bundled with the application or a per-user token obtained during first use. In the former case attackers can just download the IPA and extract it themselves without even thinking about attacking a user’s device. In the latter case, you need a mechanism to distribute tokens to untrusted devices, so that is the most likely entry point for an attack, not trying to obtain an existing token after the fact.
This is how I think it roughly works where I live: You get a per-user token directly at the bank or via mail (not email, but a physical envelope). Your banking app can use this token once to get a secret key. Secret key + user name + password allows you to use the banking app.
Any way to circumvent this requires app isolation to be broken somehow.
Sadly, there’s a far more straightforward way. The phisher says “Sorry, your token has expired! You will need to get a new one…” Plenty of people will fall for it.
Also, I wouldn’t personally describe an out-of-band token delivery / exchange mechanism like that as “actually trivial” for apps to do.
How?