iOS Security 101-ish
As you probably know, iOS apps are isolated from each other via the Apple sandbox ("Seatbelt"). However, that doesn't mean developers shouldn't pay attention to their users' safety.
In this talk we will briefly cover all layers of the iOS security architecture, delve into the secrets of the Secure Enclave and discuss the most common mistakes and vulnerabilities to prevent them from happening in the future, as well as have a sneak peek into penetration testing done right.
I will share a few examples of security flaws I found during the last few years and show how to use various tools to spot and fix them.
What does this talk cover?
The layers of the iOS security architecture, how the sandbox ('Seatbelt') isolates apps, what the Secure Enclave does, and the most common vulnerabilities in iOS apps - with examples of real security flaws found in production apps and the tools penetration testers use to spot them.
What kind of data is at risk in a typical iOS app?
The talk goes through the categories attackers go after - credentials, location data, facial and advertising data, address book entries, payment information - and which parts of the platform are supposed to protect each.
How does the iOS sandbox ('Seatbelt') work?
Its whole history is in the deck: it arrived on Mac OS X Leopard in 2007, became automatic with App Store signing, and now isolates every iOS app's containers. The talk covers where its protection ends.
Which tools does the talk use for security testing?
The testing environment is built around Frida, and the talk shows how to set it up - plus where the OWASP mobile guidelines fit when you decide what to test first.
Where can I watch the talk or get the slides?
The full recording is embedded on this page via SlidesLive, and the slide deck (PDF) is in the resources section below it.
I run audits like this against client apps: MASVS-aligned, with reproduction steps and code-level fixes.
iOS Security Audit
Similar Talks
Modern devices are way too powerful for users to notice a difference between bubble sort and merge sort. Or not? Should everyone know how to implement Ukkonen's algorithm if they develop a weather app? What's the "Big O" of your average app and how to determine it?
The second part of a thorough introduction to iOS security, from various pentesting techniques to possible flaws, use cases and tools.
Debunked the "iOS is secure by default" myth in 90 minutes. Walked through real pentesting techniques, tools, and war stories from the security trenches.
What teaching iOS at a Russian university taught me about learning. Turns out developers and nomads have more in common than you'd think — we both carry only what we need.