$30 off During Our Annual Pro Sale. View Details »

iOS Security - Hacking iOS Apps

Avatar for Bruno Rocha Bruno Rocha
June 11, 2017
Technology
0
19

iOS Security - Hacking iOS Apps

TDC 2017

Avatar for Bruno Rocha

Bruno Rocha

June 11, 2017
Tweet

More Decks by Bruno Rocha

See All by Bruno Rocha
BuckOutsideValley.pdf
Avatar for Bruno Rocha rockbruno
1
100
Avoiding Release Anxiety
Avatar for Bruno Rocha rockbruno
0
23
Creating Scalable iOS Apps
Avatar for Bruno Rocha rockbruno
0
12

Other Decks in Technology

See All in Technology
Agent Skillsがハーネスの垣根を超える日
Avatar for Gota gotalab555
6
4.4k
ESXi のAIOps だ!2025冬
Avatar for Unno Wataru unnowataru
0
370
アラフォーおじさん、はじめてre:Inventに行く / A 40-Something Guy’s First re:Invent Adventure
Avatar for 株式会社カミナシ kaminashi
0
160
AI with TiDD
Avatar for Shiraji shiraji
1
300
松尾研LLM講座2025 応用編Day3「軽量化」 講義資料
Avatar for Aratako aratako
7
3.9k
AWSの新機能をフル活用した「re:Inventエージェント」開発秘話
Avatar for みのるん minorun365
2
460
マイクロサービスへの5年間 ぶっちゃけ何をしてどうなったか
Avatar for Tomohiro Hashidate joker1007
21
8.2k
意外と知らない状態遷移テストの世界
Avatar for nihonbuson nihonbuson
PRO
1
270
ハッカソンから社内プロダクトへ AIエージェント ko☆shi 開発で学んだ4つの重要要素
Avatar for Tech Leverages leveragestech
0
210
まだ間に合う! Agentic AI on AWSの現在地をやさしく一挙おさらい
Avatar for みのるん minorun365
17
2.8k
Amazon Quick Suite で始める手軽な AI エージェント
Avatar for shimy shimy
1
1.9k
たまに起きる外部サービスの障害に備えたり備えなかったりする話
Avatar for Sohei Iwahori egmc
0
420

Featured

See All Featured
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
51
46k
Marketing Yourself as an Engineer | Alaka | Gurzu
Avatar for Gurzu gurzu
0
91
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
31
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
7.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.3k
Navigating Team Friction
Avatar for Lara Hogan lara
191
16k
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
160
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
230
Paper Plane
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
44k
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
24
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
132
19k

Transcript

  1. iOS Security Bruno Rocha iOS Developer @ Movile

  2. Bad people

  3. Crypto keys in NSUserDefaults/Keychain Secret API Keys in the Info.plist

    or hardcoded CoreData/SQLite with sensitive data var isSubscribed: Bool

  4. NSUserDefaults - Documents folder, not encrypted CoreData - Documents folder,

    not encrypted Info.plist - Exposed in your .ipa/.app Keychain - Encrypted, but exploitable NSKeyedArchiver - A plist in hex format
  5. None
  6. None

  7. var isSubscribed: Bool { let subscription = getSubscription() return subscription.isExpired

    == false } var swizzled__isSubscribed: Bool { return true }
  8. None

  9. Demo 1: Insecure Data Storages

  10. Protecting apps from Storage Attacks • Encrypt/Encode data before saving/

    hardcoding (Careful! This will not prevent attacks, only slow them down.) • Treat critical data (like secret API keys) server-side if possible • Open Source “String obfuscation" libs: Hackers have Google too.

  11. Demo 2: Runtime Manipulation

  12. Protecting apps from Runtime Manipulation Important logic should be treated/

    checked server-side! (eg: API Tokens)

  13. Protecting apps from Runtime Manipulation

  14. Protecting apps from Runtime Manipulation

  15. What about the real world?