Wichita Programmer, Paul Peloquin, Reviews Project Catalyst Security

With the release of macOS
Catalina, Apple brings the ability for Mac computers to run properly configured
iPad applications. Called Mac Catalyst, Apple is beginning to truly bridge the
gap between standard computers and smart devices. Since its announcement, iOS
developers expressed excitement and concerns about moving forward with the
project. After the release of Catalina, many iOS developers have checked the
box in Xcode to enable compiling for Mac and gave it a try. The most
significant area of concern for developers after doing so seems to be in the
user experience area. But, as software developer Paul Peloquin of Wichita,
Kansas will show, one area must also be addressed if a developer is to bring its
iPad app to Mac effectively — security.

Below, Paul Peloquin reviews
project catalyst security as it pertains to iPad applications on the Mac.

Certain applications,
particularly those that store or process personally identifiable information
(PII), require more information security than others. Apple has done a good job
providing tools to developers to help secure such information in modern iPhones
and iPads. Biometric authentication is one of these tools.

Certain applications utilize
biometric entry for authentication at app entry. But with Mac Catalyst here is the rub — while biometric authentication is
available on most of the latest Mac computers, people replace their Mac
computers far less often than they replace their iPhones or iPads. This means
that this security feature will not be available on many of the computers that
now will be using the former iPad application. 

According to Apple’s
documentation, the LocalAuthentication framework is available in Mac Catalyst.
In testing, it was found that in multiple use cases, iOS local authentication
code performs adequately on both Mac computers with and without biometric
options. However, because the older computers do not have biometric
authentication, the user is asked to reenter their password for their computing
device. Is this an ok fallback? The answer to that question really depends on
the user experience meant to be achieved, and the security goals of the subject
application.

 Having an app quickly open or process a
request based on a simple fingerprint or face scan is a great, simple way to
authenticate on the client-side. Having to re-enter a passphrase over and over
is a markedly different experience. Because of this, an iOS app for the Mac may
want to consider moving the place where biometric authentication is sought —
perhaps moving it to later in the user experience. If the application only
contains a sensitive area in specific navigation points within it, it may be
worthwhile to consider applying the authentication to only those sensitive
areas.

Many secure iOS applications
also utilize multi-factor authorization. In such applications, the user’s
mobile device is likely engaged at some point in this multi-step process;
either to retrieve a code from an application like Google Authenticator or to
receive a texted code to the phone. While many people have their phones with them,
if the application is utilized within a secure work environment, the user may
not have easy access to their cell phone or may not have the privileges to
access iMessage in their work computer.

One way developers may choose to
overcome these problems is to consider two-factor authentication with email and
making that option easy to select in the application. And making it just as
easy to flip back to a mobile method when desired. Another option, depending on
the method used for the multi-factor authorization, is to educate the user
about available plugins to their browser. Google Authenticator has one such
plugin. In such situations, user education can be a developer’s best friend.

These are just a few of the many
security considerations a developer considering porting an iPad app to Mac will
have to consider. So long a well thought out approach is considered, Mac
Catalyst should prove helpful in providing iOS developers a whole new platform
to release to.

About Paul Peloquin:

Paul Peloquin of Wichita, Kansas is a
results-driven programmer with over 20 years of experience in software
development. Over the course of his diverse career, Mr. Peloquin has built a
reputation as both an innovator and tactical developer, helping entrepreneurs
and fortune 500 companies alike accelerate their businesses and workflows into
the 21st century.

Leave a Reply

Your email address will not be published. Required fields are marked *