Defense for your iOS App

iMAS helps developers encrypt app data, prompt for passwords, prevent app tampering, and enforce enterprise policies on iOS devices.

Download, compile in, and secure more.

Open Source on GitHub

Security at the app level.

Currently, iOS has limited app-level security controls. iMAS gives you common components to authenticate users, encrypt your app SQLite data, and use a secure keychain—all at the app level.

AppPassword demo

iOS Jailbreak

Safeguard your app runtime.

Whether you need to check for jailbreaks or debuggers, mitigate binary patching, or secure sensitive information in memory, iMAS helps your app protect itself in a hostile environment.


Enterprise-ready, Startup fast.

Mobile apps are increasingly being trusted with sensitive data, so it's important to keep them secure. iMAS has been used to secure healthcare data and has demonstrated a cost-effective way to add security controls to existing apps.



Security Components

With lots of stars and many forks, iMAS thanks GitHub developers for helping spread the word!

Encrypted Core Data

Encrypt your app's Core Data persistence store using SQLCipher.

App Password

Prevent unauthorized users with a password or scrambled keypad prompt.

Security Check

Register callbacks if the device is jailbroken or if a debugger is attached.

Secure Foundation

Secure components that add application authentication, secure file storage, and an app-level file-based keychain to your app. Added File Shred, which removes an app data file after shredding its contents.

Passcode Check

Ensure that the device passcode is set and is sufficiently complex.

Forced Inlining

Mitigate against memory editing by forcing functions to be inlined instead of referenced.

Memory Security

Run-time memory encryption, an encrypted memory manager, an anti-tamper checksum, and scrub on exit. Updated to include address range checks for advanced anti-tamper mitigation.

Single Sign On

Simple MDM Single Sign On solution for application level logins.

Encrypted Code Modules

Mitigates static attacks: allows sections of source code to be encrypted into a .dylib at build time and decrypted at run-time. Includes an Application Integrity Checker example app.

Coming Soon...

  • iRASP – iOS Runtime Application Self-Protection - Application instrumentation enabling security detection and prevention
  • iLAD – iOS Leak Analysis and Detection - Extend PiOS research, static call graph and data loss analysis for iOS
  • Dynamic App Bundling research - App repackaging techniques

Stretch Goals ...

  • Off device trust - iOS Lightning Connector and trusted smart charger research

Outreach

OWASP AppSec USA 2014, Sept 2014, Denver, Colorado, Defender Track

BlackHat USA 2014, August 2014, Las Vegas, NV, Arsenal Talk