Image: Ivan Rodriguez
Earlier this month, security researcher Ivan Rodriguez proposed a new security standard for iOS apps, which he named Security.plist.
The idea is simple. App makers would create a property list file (plist) named security.plist that they would embed inside the root of their iOS apps.
The file would contain all the basic contact details for reporting a security flaw to the app’s creator. Security researchers analyzing an app would have an easy way to get in contact with the app’s creators.
Inspired by security.txt and its great success
Rodriguez said the idea for Security.plist came from Security.txt, a similar standard for websites, that was proposed in late 2017.
Security.txt is currently going through an official standardization process at the Internet Engineering Task Force (IETF), but it has been widely adopted already, and companies like Google, GitHub, LinkedIn, and Facebook, all have a security.txt file hosted on their sites, so bug hunters can get in touch with their respective security teams.
Rodriguez, who is an amateur bug hunter in iOS apps, said he decided to propose a similar thing for iOS apps because getting in touch with an app’s dev or security team has been a problem in the past.
“I spend most of my free time poking mobile applications which has lead me to find many vulnerabilities and I have yet to find one that has an easy way to find the correct channel to responsibly disclose these issues,”Rodriguez told ZDNet in an email this week.
“More often than not, I have to write an email to a generic [email protected] or fill out a form on the company.com/contact website. Most of these channels are handled by people in marketing or sales, who might have no idea how to respond, what to do or even to identify if it’s a real problem,” the researcher said.
He argues that this would be much easier if the appropriate contacts would be listed in a plist file hosted in the app’s root.
No plans to reach out to Apple, yet
For now, Rodriguez has only put forward the idea. He wants to see how app makers feel about the idea.
“So far, I’ve gotten great reactions but might be because most of the people I follow or follow me are pro ‘application security’,” Rodriguez told ZDNet. “It might be a bit too early to tell, but I really hope either security.plist or any other way to deploy contact information on mobile apps catches on.”
The security researcher has not yet reached out to Apple, the only entity that could make security.txt mandatory for all iOS apps.
“I think it’s too early,” Rodriguez said. “Even though Apple does a great job when it comes to security practices, mandatory security asks are hard to enforce, as we’ve seen with App Transport Security (ATS).”
A website to help iOS app makers get started
To help move things along, Rodriguez published a website for security.plist where app makers can generate a basic file to include inside their apps.
“I hope mobile developers see security.plist as an initial step to work closely with the security community,” Rodriguez said.
