As you probably know by now, I spend a lot of my free time reverse engineering iOS applications. But when I find a vulnerability in one of them, it's a very difficult process to figure out how to contact the company. More often than not, I have to write an email to a generic email@example.com address or fill out a form on the company.com/contact website. Most of these channels are handled by people in marketing or sales, who might have no idea how to respond, what to do, or even how to tell whether it's a real problem.
This is a common problem not just for mobile security researchers, but for all security researchers. This is why some very smart people created security.txt for websites.
security.txt solves this problem with a text file, served by the website, that holds all the information a security researcher needs to contact a company about a potential vulnerability found in their system.
What I'm proposing is exactly the same, but for iOS applications. We could technically use the same approach as security.txt and embed a text file with all this information in the app bundle. But to keep this file very iOS-like, I thought: why not use a property list for this purpose?
Most (if not all) iOS developers are familiar with property list files, and Xcode includes a great viewer and editor for .plist files. This makes security.plist a great candidate for transmitting this information.
security.txt's website is open source; I forked it and modified it for security.plist, so you can use it to generate your own security.plist files and add them to your Xcode projects.
You can access the website at https://securityplist.ivrodriguez.com, here's an example of a
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Contact</key>
    <string>https://ivRodriguezCA</string>
    <key>Encryption</key>
    <string>https://ivrodriguez.com/pgp-key</string>
    <key>Acknowledgments</key>
    <string>https://ivrodriguez.com/security-thanks</string>
    <key>Preferred-Languages</key>
    <string>en, es</string>
    <key>Policy</key>
    <string>https://ivrodriguez.com/security-policy</string>
    <key>Hiring</key>
    <string>https://ivrodriguez.com/hiring</string>
</dict>
</plist>
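As an added example (not code from the post or from the security.plist generator), here is a small Python validator for a file in the format shown above, the kind of check a researcher would run on a security.plist pulled out of an app bundle, or a developer would run before shipping one. It uses the standard library's plistlib, treats the keys as having the same meaning as their security.txt counterparts (an assumption; the post does not define them), and requires only Contact, which is the one field a reporter cannot do without. The sample plist embedded in the block is constructed for the example.

```python
import plistlib
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Field set taken from the example above. Only "Contact" is treated as
# required (assumption: same semantics as the security.txt fields).
REQUIRED_KEYS = {"Contact"}
OPTIONAL_KEYS = {"Encryption", "Acknowledgments", "Preferred-Languages", "Policy", "Hiring"}
HTTPS_KEYS = {"Encryption", "Acknowledgments", "Policy", "Hiring"}

# Constructed sample, modelled on the example in the post (not a real contact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Contact</key>
    <string>mailto:security@example.com</string>
    <key>Encryption</key>
    <string>https://example.com/pgp-key</string>
    <key>Preferred-Languages</key>
    <string>en, es</string>
    <key>Policy</key>
    <string>https://example.com/security-policy</string>
</dict>
</plist>
"""


def is_https_url(value):
    """True for an https URL with a host part."""
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def is_acceptable_contact(value):
    """Contact should be an https URL, a mailto: or a tel: URI, as in security.txt."""
    parsed = urlparse(value)
    if parsed.scheme in ("mailto", "tel"):
        return bool(parsed.path)
    return is_https_url(value)


def parse_security_plist(data):
    """Parse security.plist bytes and return (fields, problems).

    fields maps each recognised key to its cleaned value; Preferred-Languages
    is split into a list. problems is a list of human-readable findings and
    is empty when the file is usable.
    """
    problems = []
    try:
        root = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return {}, [f"not a valid property list: {exc}"]
    if not isinstance(root, dict):
        return {}, ["top-level object must be a dict"]

    fields = {}
    for key, value in root.items():
        if key not in REQUIRED_KEYS | OPTIONAL_KEYS:
            problems.append(f"unknown key {key!r}")
            continue
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} must be a non-empty string")
            continue
        fields[key] = value.strip()

    for key in sorted(REQUIRED_KEYS - fields.keys()):
        problems.append(f"missing required key {key!r}")
    if "Contact" in fields and not is_acceptable_contact(fields["Contact"]):
        problems.append("Contact is not an https URL, mailto: or tel: URI")
    for key in sorted(HTTPS_KEYS & fields.keys()):
        if not is_https_url(fields[key]):
            problems.append(f"{key} should be an https URL")
    if "Preferred-Languages" in fields:
        fields["Preferred-Languages"] = [
            lang.strip() for lang in fields["Preferred-Languages"].split(",") if lang.strip()
        ]
    return fields, problems


def build_security_plist(**fields):
    """Serialise the given fields as an XML plist, e.g. for inclusion in an Xcode project."""
    return plistlib.dumps(fields, fmt=plistlib.FMT_XML, sort_keys=False)


if __name__ == "__main__":
    parsed_fields, findings = parse_security_plist(SAMPLE_PLIST)
    print(parsed_fields)
    print(findings or "no problems found")
```

Because plistlib reads both XML and binary plists, the same function works on a security.plist that Xcode has converted to binary form during the build, which is what you will usually find inside a shipped .ipa.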