iOS Security - Hacking iOS Apps
Bruno Rocha
June 11, 2017
TDC 2017
Transcript
iOS Security
Bruno Rocha, iOS Developer @ Movile
Bad people
• Crypto keys in NSUserDefaults/Keychain
• Secret API Keys in the Info.plist or hardcoded
• CoreData/SQLite with sensitive data
• var isSubscribed: Bool
• NSUserDefaults - Documents folder, not encrypted
• CoreData - Documents folder, not encrypted
• Info.plist - Exposed in your .ipa/.app
• Keychain - Encrypted, but exploitable
• NSKeyedArchiver - A plist in hex format
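var isSubscribed: Bool {
    // Original getter: subscribed only while the subscription has not expired
    let subscription = getSubscription()
    return subscription.isExpired == false
}

// Swizzled replacement: always reports an active subscription
var swizzled__isSubscribed: Bool {
    return true
}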
Demo 1: Insecure Data Storages
Protecting apps from Storage Attacks
• Encrypt/Encode data before saving/hardcoding (Careful! This will not prevent attacks, only slow them down.)
• Treat critical data (like secret API keys) server-side if possible
• Open Source "String obfuscation" libs: Hackers have Google too.
Demo 2: Runtime Manipulation
Protecting apps from Runtime Manipulation
Important logic should be treated/checked server-side! (eg: API Tokens)
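A server-side version of the isSubscribed check, as an added example that is not from the talk: the server decides entitlement from its own records and ignores any flag the app sends. The key, user table, token format and function names are all constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: held only on the server, never shipped in the app.
SERVER_KEY = b"constructed-demo-key"                      # hypothetical secret
SUBSCRIPTIONS = {"alice": 4102444800, "bob": 1000000000}  # user -> expiry (Unix time)


def _tag(user: str) -> str:
    """HMAC-SHA256 over the user name, keyed with the server-only secret."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Session token = user name + HMAC tag (assumed format for this example)."""
    return f"{user}.{_tag(user)}"


def authenticate(token: str):
    """Return the user name if the tag verifies, otherwise None."""
    user, _, tag = token.rpartition(".")
    if hmac.compare_digest(tag.encode(), _tag(user).encode()):
        return user
    return None


def handle_premium_request(request: dict, now=None) -> dict:
    """Gate premium content on the server's own subscription record.

    A client-supplied entitlement field such as request["isSubscribed"] is
    never read: the app's getter can be replaced at runtime, the server's
    table cannot be changed from the device.
    """
    now = time.time() if now is None else now
    user = authenticate(request.get("token", ""))
    if user is None:
        return {"status": 401, "body": "invalid token"}
    if SUBSCRIPTIONS.get(user, 0) <= now:
        return {"status": 403, "body": "subscription expired"}
    return {"status": 200, "body": "premium content"}
```

With this split, the app's isSubscribed property only decides what the UI shows; a patched getter changes the screen but not what the server returns.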
What about the real world?