iOS Security - Hacking iOS Apps
TDC 2017
Bruno Rocha
June 11, 2017
Technology
Transcript
iOS Security
Bruno Rocha, iOS Developer @ Movile
Bad people
Where sensitive data usually ends up:
• Crypto keys in NSUserDefaults/Keychain
• Secret API keys in the Info.plist or hardcoded
• CoreData/SQLite with sensitive data
• var isSubscribed: Bool

What each storage really gives you:
• NSUserDefaults - Documents folder, not encrypted
• CoreData - Documents folder, not encrypted
• Info.plist - Exposed in your .ipa/.app
• Keychain - Encrypted, but exploitable
• NSKeyedArchiver - A plist in hex format
    var isSubscribed: Bool {
        let subscription = getSubscription()
        return subscription.isExpired == false
    }

    var swizzled__isSubscribed: Bool {
        return true
    }
Demo 1: Insecure Data Storages
Protecting apps from Storage Attacks
• Encrypt/Encode data before saving/hardcoding (Careful! This will not prevent attacks, only slow them down.)
• Treat critical data (like secret API keys) server-side if possible
• Open Source "String obfuscation" libs: Hackers have Google too.
Demo 2: Runtime Manipulation
Protecting apps from Runtime Manipulation
Important logic should be treated/checked server-side! (eg: API Tokens)
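The swizzled `isSubscribed` earlier in the deck works because the subscription decision lives in the binary. The following Swift client is an added example, not from the deck, of the server-side check this slide recommends: the app forwards its receipt and fetches premium content with its session token, and the server decides on every request. The endpoints (`entitlements`, `premium/content`), the JSON shape and the 403 convention are hypothetical stand-ins for "your server".

```swift
import Foundation

// Hypothetical backend contract assumed by this example:
//   POST {baseURL}/entitlements  body {"receipt": "<base64 App Store receipt>"}
//        -> 200 {"premium": true|false} after the server validates the receipt with Apple
//   GET  {baseURL}/premium/content  with Authorization: Bearer <session token>
//        -> 200 with the content, or 403 when the server's records say "not subscribed"

struct Entitlements: Decodable {
    let premium: Bool
}

enum EntitlementError: Error {
    case transport(Error)
    case badResponse
    case notEntitled   // the server said 403; the client has no say in this decision
}

final class EntitlementClient {
    private let baseURL: URL
    private let sessionToken: String
    private let session: URLSession

    init(baseURL: URL, sessionToken: String, session: URLSession = .shared) {
        self.baseURL = baseURL
        self.sessionToken = sessionToken
        self.session = session
    }

    private func request(path: String, method: String) -> URLRequest {
        var request = URLRequest(url: baseURL.appendingPathComponent(path))
        request.httpMethod = method
        request.setValue("Bearer \(sessionToken)", forHTTPHeaderField: "Authorization")
        return request
    }

    // The client only forwards the receipt; the server validates it and decides.
    // A swizzled local `isSubscribed` does not change what comes back here.
    func refreshEntitlements(receipt: Data,
                             completion: @escaping (Result<Entitlements, EntitlementError>) -> Void) {
        var req = request(path: "entitlements", method: "POST")
        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
        req.httpBody = try? JSONEncoder().encode(["receipt": receipt.base64EncodedString()])
        session.dataTask(with: req) { data, response, error in
            if let error = error { return completion(.failure(.transport(error))) }
            guard let http = response as? HTTPURLResponse, http.statusCode == 200,
                  let data = data,
                  let entitlements = try? JSONDecoder().decode(Entitlements.self, from: data)
            else { return completion(.failure(.badResponse)) }
            completion(.success(entitlements))
        }.resume()
    }

    // Premium content is fetched, never unlocked locally: the server enforces the check
    // on every request, so flipping a Bool in the binary gains nothing.
    func fetchPremiumContent(completion: @escaping (Result<Data, EntitlementError>) -> Void) {
        let req = request(path: "premium/content", method: "GET")
        session.dataTask(with: req) { data, response, error in
            if let error = error { return completion(.failure(.transport(error))) }
            guard let http = response as? HTTPURLResponse else {
                return completion(.failure(.badResponse))
            }
            switch http.statusCode {
            case 200:
                if let data = data { completion(.success(data)) } else { completion(.failure(.badResponse)) }
            case 403:
                completion(.failure(.notEntitled))
            default:
                completion(.failure(.badResponse))
            }
        }.resume()
    }
}
```

The `Entitlements.premium` flag is only for rendering (show or hide a button); anything that actually costs you money is behind `fetchPremiumContent`, where the server's 403 is the real gate. The same split applies to the slide's API-token example: keep the token on the server and hand the app a short-lived session token instead.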
What about the real world?