iOS Security - Hacking iOS Apps
Bruno Rocha
June 11, 2017
TDC 2017
Transcript
iOS Security
Bruno Rocha, iOS Developer @ Movile

Bad people

• Crypto keys in NSUserDefaults/Keychain
• Secret API Keys in the Info.plist or hardcoded
• CoreData/SQLite with sensitive data
• var isSubscribed: Bool

• NSUserDefaults - Documents folder, not encrypted
• CoreData - Documents folder, not encrypted
• Info.plist - Exposed in your .ipa/.app
• Keychain - Encrypted, but exploitable
• NSKeyedArchiver - A plist in hex format
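
    // Original getter: the app decides on-device from the stored subscription.
    var isSubscribed: Bool {
        let subscription = getSubscription()
        return subscription.isExpired == false
    }

    // Replacement swapped in at runtime: always reports an active subscription.
    var swizzled__isSubscribed: Bool {
        return true
    }
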
Demo 1: Insecure Data Storages
Protecting apps from Storage Attacks
• Encrypt/Encode data before saving/hardcoding (Careful! This will not prevent attacks, only slow them down.)
• Treat critical data (like secret API keys) server-side if possible
• Open Source "String obfuscation" libs: Hackers have Google too.
Demo 2: Runtime Manipulation
Protecting apps from Runtime Manipulation
Important logic should be treated/checked server-side! (e.g.: API Tokens)
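
A sketch of the server-side check this slide calls for, added here as an example and not taken from the talk: the backend decides entitlement from its own records keyed by the API token, so a client whose `isSubscribed` getter has been replaced gains nothing. The `SubscriptionServer` class, the request shape, the tokens and the timestamps are all assumptions constructed for illustration.

```python
import hashlib
import time


def _token_digest(token: str) -> str:
    # Store and look up only a hash of the API token, never the raw value.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SubscriptionServer:
    """Hypothetical backend: entitlement comes from server records only."""

    def __init__(self):
        self._expiry_by_token = {}  # sha256(token) -> expiry (epoch seconds)

    def register(self, token: str, expires_at: float) -> None:
        self._expiry_by_token[_token_digest(token)] = expires_at

    def is_subscribed(self, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._expiry_by_token.get(_token_digest(token))
        return expiry is not None and expiry > now

    def premium_content(self, request: dict, now: float = None):
        # The client-supplied "isSubscribed" field is deliberately never read:
        # it reflects on-device state, which runtime manipulation can change.
        token = request.get("token", "")
        if not self.is_subscribed(token, now):
            return 403, "subscription required"
        return 200, "premium payload"


# Constructed sample data: one active and one expired subscription.
NOW = 1_500_000_000
server = SubscriptionServer()
server.register("token-active", NOW + 86_400)
server.register("token-expired", NOW - 86_400)


def demo():
    """Return the server's answers to three constructed client requests."""
    honest = server.premium_content({"token": "token-active", "isSubscribed": True}, NOW)
    # Manipulated app: the local flag says True, but the server record is expired.
    tampered = server.premium_content({"token": "token-expired", "isSubscribed": True}, NOW)
    unknown = server.premium_content({"token": "made-up", "isSubscribed": True}, NOW)
    return honest, tampered, unknown


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```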
What about the real world?