Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iOS Security - Hacking iOS Apps

Bruno Rocha
June 11, 2017
Technology
0
16

iOS Security - Hacking iOS Apps

TDC 2017

Bruno Rocha

June 11, 2017
Tweet

More Decks by Bruno Rocha

See All by Bruno Rocha
BuckOutsideValley.pdf
rockbruno
1
99
Avoiding Release Anxiety
rockbruno
0
18
Creating Scalable iOS Apps
rockbruno
0
11

Other Decks in Technology

See All in Technology
組織貢献をするフリーランスエンジニアという生き方
n_takehata
1
1k
関東Kaggler会LT: 人狼コンペとLLM量子化について
nejumi
3
460
FastConnect の冗長性
ocise
1
9.6k
テストアーキテクチャ設計で実現する高品質で高スピードな開発の実践 / Test Architecture Design in Practice
ropqa
3
710
20250208_OpenAIDeepResearchがやばいという話
doradora09
PRO
0
170
Kubernetes x k6 で負荷試験基盤を開発して 負荷試験を民主化した話 / Kubernetes x k6
sansan_randd
2
730
「海外登壇」という 選択肢を与えるために 〜Gophers EX
logica0419
0
500
依存関係があるコンポーネントは Barrel ファイルでまとめよう
azukiazusa1
3
530
第13回 Data-Centric AI勉強会, 画像認識におけるData-centric AI
ksaito_osx
0
360
現場で役立つAPIデザイン
nagix
29
10k
日経電子版 x AIエージェントの可能性とAgentic RAGによって提案書生成を行う技術
masahiro_nishimi
1
290
PL900試験から学ぶ Power Platform 基礎知識講座
kumikeyy
0
110

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
BBQ
matthewcrist
86
9.5k
For a Future-Friendly Web
brad_frost
176
9.5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Cult of Friendly URLs
andyhume
78
6.2k

Transcript

  1. iOS Security Bruno Rocha iOS Developer @ Movile

  2. Bad people

  3. Crypto keys in NSUserDefaults/Keychain Secret API Keys in the Info.plist

    or hardcoded CoreData/SQLite with sensitive data var isSubscribed: Bool

  4. NSUserDefaults - Documents folder, not encrypted CoreData - Documents folder,

    not encrypted Info.plist - Exposed in your .ipa/.app Keychain - Encrypted, but exploitable NSKeyedArchiver - A plist in hex format
  5. None
  6. None

  7. var isSubscribed: Bool { let subscription = getSubscription() return subscription.isExpired

    == false } var swizzled__isSubscribed: Bool { return true }
  8. None

  9. Demo 1: Insecure Data Storages

  10. Protecting apps from Storage Attacks • Encrypt/Encode data before saving/

    hardcoding (Careful! This will not prevent attacks, only slow them down.) • Treat critical data (like secret API keys) server-side if possible • Open Source “String obfuscation" libs: Hackers have Google too.

  11. Demo 2: Runtime Manipulation

  12. Protecting apps from Runtime Manipulation Important logic should be treated/

    checked server-side! (eg: API Tokens)

  13. Protecting apps from Runtime Manipulation

  14. Protecting apps from Runtime Manipulation

  15. What about the real world?