    // Fetch the server's response synchronously (blocks the calling thread).
    NSString *stko = @"https://myserver.com/getstring.php";
    NSData *dataf = [NSData dataWithContentsOfURL:[NSURL URLWithString:stko]];

    NSString *serverOutputg = [[NSString alloc] initWithData:dataf
                                                    encoding:NSASCIIStringEncoding];

    // The expected value is a string literal stored in the compiled binary.
    if ([serverOutputg isEqualToString:@"teststring"]) {
        [Flurry logEvent:@"ifentered"];
    }

How is it possible for someone to get inside the if after the app is compiled? What happened to me is this: someone using the app managed to get inside the if, but the server never sent the string needed, and according to my analytics, at the moment the if was performed I didn't receive any call on the PHP. So to do that, someone must have seen what string they need to make the server return to be able to perform the method. Also, the code always worked great with this exception, and it was connected to the internet, as I received the logevent call. Please help me out; I've been trying to work on this for 4 days and haven't found any logical solution. Thanks

The other thing is that to enter the if it must match the string, but how did they know what the string was, since the string isn't even in the PHP? Is there some way to see the code of compiled iOS apps? As far as I know it is not possible, and I can't find any docs about that.

Edit: According to @matt's answer, literal strings can be easily found, and I agree with that. So what could I do in the method to perform the operation? The if just turns a bool to true, so what method of connecting to my server to get a yes or no, one that would be harder to hack, should be used?

  • How is it possible to get into the if condition while using the app? Someone must know about the API path and might be trying it by running it in Postman or something. Not sure if I understand your question properly, or do you want to elaborate more? – Bhavin Kansagara Aug 07 '18 at 19:07
  • Hi, that's what I'm trying to understand, how it could even be possible. The worst part is that to enter the if it must match the string, but how did they know what the string was, since the string isn't even in the PHP? – My name is jeff Aug 07 '18 at 19:11
  • If someone was really motivated enough, they could potentially have a rooted phone and install something like Charles Proxy, perform a MiTM attack on themselves and forge their own requests coming from the server. They would also need to know specifically what to forge, which would require some bit of reverse engineering of your binary. This seems like a lot of work for someone, so unless you are a bank or something I don't see why someone would go through the trouble. – Asleepace Aug 07 '18 at 19:19
  • Okay, so it is possible? So what could I do to prevent that from happening? – My name is jeff Aug 07 '18 at 19:22
  • Someone could just be reverse-proxying the calls on your app. Did you pin your SSL certificate? – Andy Ibanez Aug 07 '18 at 19:33
  • A small correction to @Asleepace's comment: MITMing an iOS app is really simple, and unless you pin the SSL certificate, you don't even need to jailbreak. Just install Charles or another tool, install the tool's certificate on the device, and then point the proxy server to the computer running the proxy. You will be able to view all HTTPS calls that way (except for the ones that do SSL pinning, unless you jailbreak and follow other steps). – Andy Ibanez Aug 07 '18 at 19:38
  • @Mynameisjeff take a look at this thread: https://stackoverflow.com/questions/17919304/decompilation-possibilities-in-ios-and-how-to-prevent-them – Asleepace Aug 07 '18 at 19:38

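The certificate pinning raised in the comments, as an added example that is not code from the question or from any commenter: an NSURLSession delegate that accepts the server only if the SHA-256 of its leaf certificate matches a value shipped in the app. The names PinnedSessionDelegate, PinnedSession and kPinnedCertSHA256 are assumptions made for this example, and the pin value is a placeholder.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Placeholder (assumption): base64 of SHA-256 over the server's leaf certificate in DER form.
static NSString *const kPinnedCertSHA256 = @"REPLACE_WITH_BASE64_SHA256_OF_SERVER_CERT";

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate
- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    // Normal chain validation comes first; the pin is an extra check, not a replacement.
    if (trust == NULL || !SecTrustEvaluateWithError(trust, NULL) ||
        SecTrustGetCertificateCount(trust) == 0) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Index 0 is the leaf. (Deprecated since iOS 15 in favour of SecTrustCopyCertificateChain.)
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSString *seen = [[NSData dataWithBytes:digest length:sizeof(digest)]
                         base64EncodedStringWithOptions:0];
    if ([seen isEqualToString:kPinnedCertSHA256]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // A proxy's certificate ends up here even when its CA is trusted on the device.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end

// Use this session's dataTaskWithURL: instead of dataWithContentsOfURL:,
// which offers no hook for the check above.
static NSURLSession *PinnedSession(void) {
    return [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration]
                                         delegate:[PinnedSessionDelegate new]
                                    delegateQueue:nil];
}
```

As the comments point out, this covers the proxy-with-installed-certificate case but not a jailbroken device, so anything of value gated by the response is better decided on the server than by a comparison inside the app.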