iOS Security - Hacking iOS Apps
Bruno Rocha
June 11, 2017
TDC 2017
Transcript
iOS Security
Bruno Rocha, iOS Developer @ Movile
Bad people
Crypto keys in NSUserDefaults/Keychain
Secret API keys in the Info.plist or hardcoded
CoreData/SQLite with sensitive data
var isSubscribed: Bool

NSUserDefaults - Documents folder, not encrypted
CoreData - Documents folder, not encrypted
Info.plist - Exposed in your .ipa/.app
Keychain - Encrypted, but exploitable
NSKeyedArchiver - A plist in hex format
// The app's own check: entitlement derived from the subscription object.
var isSubscribed: Bool {
    let subscription = getSubscription()
    return subscription.isExpired == false
}

// A runtime-patched replacement that is swizzled in for the getter above:
// it ignores the subscription entirely and always reports an active one.
var swizzled__isSubscribed: Bool {
    return true
}
Demo 1: Insecure Data Storages
Protecting apps from Storage Attacks
• Encrypt/Encode data before saving/hardcoding (Careful! This will not prevent attacks, only slow them down.)
• Treat critical data (like secret API keys) server-side if possible
• Open Source "String obfuscation" libs: Hackers have Google too.
Demo 2: Runtime Manipulation
Protecting apps from Runtime Manipulation
Important logic should be treated/checked server-side! (eg: API Tokens)
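The swizzled `isSubscribed` getter on the earlier slide shows why the slide above says important logic must be checked server-side: any client-side Bool can be patched to return true. The Python simulation below is an added example, not code from the deck or from Movile; it models both sides of the exchange. A naive endpoint trusts the flag the client reports (the design the swizzle defeats), while the hardened endpoint decides from its own subscription records and an authenticated session token. The users, the in-memory subscription table, the HMAC token format and the request shape are all constructed for the example.

```python
"""Server-side entitlement check versus a swizzled client flag.

Added example (not from the deck). The client's `is_subscribed` can be
patched at runtime; the server must therefore ignore it and use its own
state. Users, tokens and the subscription "database" are constructed.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real server loads this from a KMS
SUBSCRIPTIONS = {                        # constructed server-side records
    "user-1": {"expired": False},
    "user-2": {"expired": True},
}


def issue_session_token(user_id):
    """Server issues an HMAC-signed session token after the user authenticates."""
    tag = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_session_token(token):
    """Return the user id if the token is authentic, else None."""
    user_id, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if user_id and hmac.compare_digest(tag, expected) else None


def naive_handle(request):
    """Vulnerable design: trusts the isSubscribed flag the client sends."""
    if request.get("isSubscribed"):
        return {"status": 200, "content": "premium article"}
    return {"status": 403, "reason": "client reports no subscription"}


def handle(request):
    """Hardened design: authenticate the caller, then consult server records only."""
    user_id = verify_session_token(request.get("token", ""))
    if user_id is None:
        return {"status": 401, "reason": "bad session token"}
    sub = SUBSCRIPTIONS.get(user_id)
    if sub is None or sub["expired"]:
        return {"status": 403, "reason": "no active subscription"}
    return {"status": 200, "content": "premium article"}


class Client:
    """App client holding a session token and a locally cached subscription flag."""

    def __init__(self, token, local_flag):
        self.token = token
        self._local_flag = local_flag

    @property
    def is_subscribed(self):
        return self._local_flag


class SwizzledClient(Client):
    """Stands in for the runtime-patched getter on the slide: always reports true."""

    @property
    def is_subscribed(self):
        return True


def request_from(client):
    """The request an app would send: its token plus the (untrustworthy) local flag."""
    return {"token": client.token, "isSubscribed": client.is_subscribed}


if __name__ == "__main__":
    expired_patched = SwizzledClient(issue_session_token("user-2"), local_flag=False)
    print("naive   :", naive_handle(request_from(expired_patched)))  # bypassed
    print("hardened:", handle(request_from(expired_patched)))        # refused
```

The same principle applies to API keys: the client never holds the upstream secret; it holds a session token the server can verify and revoke, and the server performs the privileged call on its behalf.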
What about the real world?