Earlier this month, security researcher Ivan Rodriguez proposed a new security standard for iOS apps and named it Security.plist. It was inspired by the already popular Security.txt standard. The idea is that app makers create a property list file called security.plist and embed it in the root directory of the iOS application. The file will contain all the basic information needed to report security vulnerabilities to the developers.
Rodriguez says the idea for Security.plist actually comes from Security.txt, a similar standard for websites that was first proposed in 2017.
Security.txt is currently going through standardization at the Internet Engineering Task Force (IETF), but it has already been widely adopted by the industry and is supported by tech giants such as Google, GitHub, LinkedIn and Facebook.
It makes it easy for researchers who analyze website security to get in touch with the site's operators.
In fact, Rodriguez is himself a researcher who uses his spare time to find vulnerabilities in iOS applications. His decision to propose a similar initiative to iOS app developers has a lot to do with his previous experience.
“I spend most of my time loitering around the app and discovering a lot of vulnerabilities. But so far, I haven’t found an easy way to find the right person and the correct disclosure channel.
“Typically, I have to write an email, send it to a corporate mailbox like email@example.com, or fill out a form on the official contact page.
“Unfortunately, most of these channels are connected to unprofessional business or marketing people. They may not know how to deal with it, or even the extent of the problem.”
To address this pain point, Rodriguez suggests that developers place a plist file in the application root and record the appropriate contact information in it, so that problems can be reported and resolved easily and efficiently.
For now, though, he has only put the idea forward and wants to hear from app developers, rather than urging Apple to make it mandatory right away.
“I’ve heard a lot of feedback so far, and maybe a lot of people resonate with me,” Rodriguez told ZDNet. “Although it may be too early to implement the security.plist standard, I hope it becomes popular in the deployment of mobile applications.”
Given how much work Apple puts into security practices, Rodriguez didn’t immediately ask Apple to make security.plist a mandatory standard, which is a problem when it comes to actual execution.
But to promote adoption, he also built a website specifically for security.plist. App developers can create a basic file there and then include it in their app.
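As an added illustration (not code from Rodriguez's proposal or his website), this Python example shows how a researcher's tooling could look for security.plist in the app bundle root of an IPA archive and read the disclosure contact. The key names `contact` and `policy` are assumptions modeled on security.txt fields, since the article does not define a schema, and the sample IPA is constructed in memory.

```python
import io
import plistlib
import re
import zipfile

# Constructed sample data. Key names are hypothetical, borrowed from security.txt.
SAMPLE_DISCLOSURE_INFO = {
    "contact": "mailto:security@example.com",
    "policy": "https://example.com/security-policy",
}

# An IPA is a zip archive; the app bundle root is Payload/<Name>.app/
BUNDLE_ROOT_FILE = re.compile(r"^Payload/[^/]+\.app/security\.plist$")


def build_sample_ipa(info):
    """Build a minimal, constructed IPA-like zip; omit security.plist if info is None."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Example.app/Info.plist",
                     plistlib.dumps({"CFBundleIdentifier": "com.example.app"}))
        if info is not None:
            ipa.writestr("Payload/Example.app/security.plist",
                         plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        # Same file name in a nested framework: not the app root, must be ignored.
        ipa.writestr("Payload/Example.app/Frameworks/Lib.framework/security.plist",
                     plistlib.dumps({"contact": "mailto:other@example.org"}))
    return buf.getvalue()


def read_security_plist(ipa_bytes, max_size=64 * 1024):
    """Return the dict stored in the bundle-root security.plist, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for entry in ipa.infolist():
            if not BUNDLE_ROOT_FILE.match(entry.filename):
                continue
            if entry.file_size > max_size:  # the app is untrusted input
                raise ValueError("security.plist is unexpectedly large")
            data = plistlib.loads(ipa.read(entry))  # accepts XML or binary plists
            if not isinstance(data, dict):
                raise ValueError("security.plist top level is not a dictionary")
            return data
    return None


def contact_is_usable(info):
    """Only trust contact values that are mailto: or https: URIs."""
    contact = info.get("contact", "") if info else ""
    return isinstance(contact, str) and contact.startswith(("mailto:", "https://"))
```
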