Wichita Programmer, Paul Peloquin, Reviews Project Catalyst Security

With the release of macOS Catalina, Apple brings the ability for Mac computers to run properly configured iPad applications. Called Mac Catalyst, Apple is beginning to truly bridge the gap between standard computers and smart devices. Since its announcement, iOS developers expressed excitement and concerns about moving forward with the project. After the release of Catalina, many iOS developers have checked the box in Xcode to enable compiling for Mac and gave it a try. The most significant area of concern for developers after doing so seems to be in the user experience area. But, as software developer Paul Peloquin of Wichita, Kansas will show, one area must also be addressed if a developer is to bring its iPad app to Mac effectively — security.

Below, Paul Peloquin reviews project catalyst security as it pertains to iPad applications on the Mac.

Certain applications, particularly those that store or process personally identifiable information (PII), require more information security than others. Apple has done a good job providing tools to developers to help secure such information in modern iPhones and iPads. Biometric authentication is one of these tools.

Certain applications utilize biometric entry for authentication at app entry. But with Mac Catalyst here is the rub — while biometric authentication is available on most of the latest Mac computers, people replace their Mac computers far less often than they replace their iPhones or iPads. This means that this security feature will not be available on many of the computers that now will be using the former iPad application. 

According to Apple’s documentation, the LocalAuthentication framework is available in Mac Catalyst. In testing, it was found that in multiple use cases, iOS local authentication code performs adequately on both Mac computers with and without biometric options. However, because the older computers do not have biometric authentication, the user is asked to reenter their password for their computing device. Is this an ok fallback? The answer to that question really depends on the user experience meant to be achieved, and the security goals of the subject application.

 Having an app quickly open or process a request based on a simple fingerprint or face scan is a great, simple way to authenticate on the client-side. Having to re-enter a passphrase over and over is a markedly different experience. Because of this, an iOS app for the Mac may want to consider moving the place where biometric authentication is sought — perhaps moving it to later in the user experience. If the application only contains a sensitive area in specific navigation points within it, it may be worthwhile to consider applying the authentication to only those sensitive areas.

Many secure iOS applications also utilize multi-factor authorization. In such applications, the user’s mobile device is likely engaged at some point in this multi-step process; either to retrieve a code from an application like Google Authenticator or to receive a texted code to the phone. While many people have their phones with them, if the application is utilized within a secure work environment, the user may not have easy access to their cell phone or may not have the privileges to access iMessage in their work computer.

One way developers may choose to overcome these problems is to consider two-factor authentication with email and making that option easy to select in the application. And making it just as easy to flip back to a mobile method when desired. Another option, depending on the method used for the multi-factor authorization, is to educate the user about available plugins to their browser. Google Authenticator has one such plugin. In such situations, user education can be a developer’s best friend.

These are just a few of the many security considerations a developer considering porting an iPad app to Mac will have to consider. So long a well thought out approach is considered, Mac Catalyst should prove helpful in providing iOS developers a whole new platform to release to.

About Paul Peloquin:

Paul Peloquin of Wichita, Kansas is a results-driven programmer with over 20 years of experience in software development. Over the course of his diverse career, Mr. Peloquin has built a reputation as both an innovator and tactical developer, helping entrepreneurs and fortune 500 companies alike accelerate their businesses and workflows into the 21st century.