Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
iOS Security - Hacking iOS Apps
Search
Bruno Rocha
June 11, 2017
Technology
0
18
iOS Security - Hacking iOS Apps
TDC 2017
Bruno Rocha
June 11, 2017
Tweet
Share
More Decks by Bruno Rocha
See All by Bruno Rocha
BuckOutsideValley.pdf
rockbruno
1
100
Avoiding Release Anxiety
rockbruno
0
22
Creating Scalable iOS Apps
rockbruno
0
12
Other Decks in Technology
See All in Technology
serverless team topology
_kensh
3
240
AIプロダクトのプロンプト実践テクニック / Practical Techniques for AI Product Prompts
saka2jp
0
120
Oracle Database@Google Cloud:サービス概要のご紹介
oracle4engineer
PRO
0
390
IBC 2025 動画技術関連レポート / IBC 2025 Report
cyberagentdevelopers
PRO
2
220
Observability — Extending Into Incident Response
nari_ex
1
580
20251024_TROCCO/COMETAアップデート紹介といくつかデモもやります!_#p_UG 東京:データ活用が進む組織の作り方
soysoysoyb
0
130
AIでデータ活用を加速させる取り組み / Leveraging AI to accelerate data utilization
okiyuki99
6
1.4k
データとAIで明らかになる、私たちの課題 ~Snowflake MCP,Salesforce MCPに触れて~ / Data and AI Insights
kaonavi
0
130
OTEPsで知るOpenTelemetryの未来 / Observability Conference Tokyo 2025
arthur1
0
320
ゼロコード計装導入後のカスタム計装でさらに可観測性を高めよう
sansantech
PRO
1
540
進化する大規模言語モデル評価: Swallowプロジェクトにおける実践と知見
chokkan
PRO
0
130
JSConf JPのwebsiteをGatsbyからNext.jsに移行した話 - Next.jsの多言語静的サイトと課題
leko
2
190
Featured
See All Featured
The Cult of Friendly URLs
andyhume
79
6.6k
Java REST API Framework Comparison - PWX 2021
mraible
34
8.9k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
22k
Building a Scalable Design System with Sketch
lauravandoore
463
33k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
640
Practical Orchestrator
shlominoach
190
11k
Balancing Empowerment & Direction
lara
5
700
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.1k
Mobile First: as difficult as doing things right
swwweet
225
10k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
34
2.3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
Transcript
iOS Security Bruno Rocha iOS Developer @ Movile
Bad people
Crypto keys in NSUserDefaults/Keychain Secret API Keys in the Info.plist
or hardcoded CoreData/SQLite with sensitive data var isSubscribed: Bool
NSUserDefaults - Documents folder, not encrypted CoreData - Documents folder,
not encrypted Info.plist - Exposed in your .ipa/.app Keychain - Encrypted, but exploitable NSKeyedArchiver - A plist in hex format
None
None
var isSubscribed: Bool { let subscription = getSubscription() return subscription.isExpired
== false } var swizzled__isSubscribed: Bool { return true }
None
Demo 1: Insecure Data Storages
Protecting apps from Storage Attacks • Encrypt/Encode data before saving/
hardcoding (Careful! This will not prevent attacks, only slow them down.) • Treat critical data (like secret API keys) server-side if possible • Open Source “String obfuscation" libs: Hackers have Google too.
Demo 2: Runtime Manipulation
Protecting apps from Runtime Manipulation Important logic should be treated/
checked server-side! (eg: API Tokens)
Protecting apps from Runtime Manipulation
Protecting apps from Runtime Manipulation
What about the real world?
rockbruno
_kensh
saka2jp
oracle4engineer
cyberagentdevelopers
nari_ex
soysoysoyb
okiyuki99
kaonavi
.jpeg){kind=avatar}
arthur1
sansantech
chokkan
leko
andyhume
mraible
caitiem20
danielanewman
lauravandoore
bluesmoon
shlominoach
lara
eileencodes
swwweet
marcduiker
