Mobile Security Guide: How to start
A lot of people write mobile applications, but far fewer try to find and fix privacy leaks and security issues. This talk is an overview of various penetration testing techniques as well as some theory on iOS security.
What is this talk about?
A starting point for iOS security: the theory behind the platform's defences, an overview of common penetration testing techniques, and where to begin if you've never tested your own app.
What does the mobile security stack look like?
The talk breaks it into layers - application, OS (version and root access), hardware (device and firmware), and infrastructure (GSM, GPS, SMS) - and what can go wrong at each one.
What does it say about protecting app data?
App Transport Security and why NSURLConnection and NSURLSession require it, transport-layer protection, and the everyday mistakes that leave user data exposed on the wire.
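As an added illustration (not a slide or code from the talk), the Info.plist fragment below shows the "everyday mistake" the talk refers to beside a narrower alternative. The domain `legacy.example.com` is a constructed placeholder; the keys are Apple's documented App Transport Security keys.

```xml
<!-- WEAK: disables ATS for every connection the app makes through
     NSURLSession / NSURLConnection, so plaintext HTTP and downgraded
     TLS are accepted everywhere. A frequent "make the warning go away" fix. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- NARROWER: ATS stays on by default; only the one host that cannot yet
     serve TLS (constructed example: legacy.example.com) gets an exception,
     and it does not extend to subdomains. The exception is a temporary
     carve-out to be removed once that host is migrated to HTTPS. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

A quick check before shipping: `NSAllowsArbitraryLoads` set to true in the final plist is the thing to look for during review, and on macOS `nscurl --ats-diagnostics --verbose https://<host>` reports which ATS configurations a given server already satisfies, which tells you whether an exception is needed at all.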
Where can I watch it?
The recording is embedded at the top of this page, and the slides are linked in the resources section.
I run audits like this against client apps: MASVS-aligned, with reproduction steps and code-level fixes.
iOS Security Audit
Similar Talks
Modern devices are far too powerful for users to notice a difference between bubble sort and merge sort. Or are they? Should everyone know how to implement Ukkonen's algorithm if they develop a weather app? What's the "Big O" of your average app, and how do you determine it?
The second part of a thorough introduction to iOS security, from various pentesting techniques to possible flaws, use cases and tools.
Debunked the "iOS is secure by default" myth in 90 minutes. Walked through real pentesting techniques, tools, and war stories from the security trenches.
What teaching iOS at a Russian university taught me about learning. Turns out developers and nomads have more in common than you'd think — we both carry only what we need.