Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

iOS Security - Hacking iOS Apps

Avatar for Bruno Rocha Bruno Rocha
June 11, 2017
Technology
0
18

iOS Security - Hacking iOS Apps

TDC 2017

Avatar for Bruno Rocha

Bruno Rocha

June 11, 2017
Tweet

More Decks by Bruno Rocha

See All by Bruno Rocha
BuckOutsideValley.pdf
Avatar for Bruno Rocha rockbruno
1
100
Avoiding Release Anxiety
Avatar for Bruno Rocha rockbruno
0
22
Creating Scalable iOS Apps
Avatar for Bruno Rocha rockbruno
0
12

Other Decks in Technology

See All in Technology
文字列の並び順 / Unicode Collation
Avatar for とみたまさひろ tmtms
3
550
Ruby で作る大規模イベントネットワーク構築・運用支援システム TTDB
Avatar for Taketo Takashima taketo1113
1
260
チーリンについて
Avatar for ぐっち hirotomotaguchi
6
1.9k
【AWS re:Invent 2025速報】AIビルダー向けアップデートをまとめて解説!
Avatar for みのるん minorun365
4
510
非CUDAの悲哀 〜Claude Code と挑んだ image to 3D “Hunyuan3D”を EVO-X2(Ryzen AI Max+395)で動作させるチャレンジ〜
Avatar for hawky the miscellaneous hawkymisc
1
170
技術以外の世界に『越境』しエンジニアとして進化を遂げる 〜Kotlinへの愛とDevHRとしての挑戦を添えて〜
Avatar for subroh_0508 subroh0508
1
430
re:Invent 2025 ~何をする者であり、どこへいくのか~
Avatar for tetutetu214 tetutetu214
0
210
re:Inventで気になったサービスを10分でいけるところまでお話しします
Avatar for Yuuki Yamashita yama3133
1
120
多様なデジタルアイデンティティを攻撃からどうやって守るのか / 20251212
Avatar for Ayokura ayokura
0
430
AWS Security Agentの紹介/introducing-aws-security-agent
Avatar for tomoki10 tomoki10
0
140
意外とあった SQL Server 関連アップデート + Database Savings Plans
Avatar for Takuya Shibata stknohg
PRO
0
310
Uncertainty in the LLM era - Science, more than scale
Avatar for Gael Varoquaux gaelvaroquaux
0
840

Featured

See All Featured
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
140k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
253
22k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
303
21k
Navigating Team Friction
Avatar for Lara Hogan lara
191
16k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
196
70k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
47
7.9k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
54k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
48
9.8k

Transcript

  1. iOS Security Bruno Rocha iOS Developer @ Movile

  2. Bad people

  3. Crypto keys in NSUserDefaults/Keychain Secret API Keys in the Info.plist

    or hardcoded CoreData/SQLite with sensitive data var isSubscribed: Bool

  4. NSUserDefaults - Documents folder, not encrypted CoreData - Documents folder,

    not encrypted Info.plist - Exposed in your .ipa/.app Keychain - Encrypted, but exploitable NSKeyedArchiver - A plist in hex format
  5. None
  6. None

  7. var isSubscribed: Bool { let subscription = getSubscription() return subscription.isExpired

    == false } var swizzled__isSubscribed: Bool { return true }
  8. None

  9. Demo 1: Insecure Data Storages

  10. Protecting apps from Storage Attacks • Encrypt/Encode data before saving/

    hardcoding (Careful! This will not prevent attacks, only slow them down.) • Treat critical data (like secret API keys) server-side if possible • Open Source “String obfuscation" libs: Hackers have Google too.

  11. Demo 2: Runtime Manipulation

  12. Protecting apps from Runtime Manipulation Important logic should be treated/

    checked server-side! (eg: API Tokens)

  13. Protecting apps from Runtime Manipulation

  14. Protecting apps from Runtime Manipulation

  15. What about the real world?