iOS Security: Deep Dive II

🇨🇿 mDevCamp on 11 Jun 2020
iOS security pentesting jailbreak

This is the second part of iOS Security Deep Dive. You can watch the first part here.

In 90 minutes we'll debunk the myth of iOS being secure-by-default, walk through the various techniques of penetration testing, try out a plethora of tools for security testing and learn how to make our systems as robust as possible.

About this talk

What does this talk cover?

The second half of the iOS security deep dive from mDevCamp 2020: more penetration testing techniques, jailbreak-related flaws, and the tooling for security testing iOS apps. Part one is linked above.

Can Face ID or Touch ID authentication be bypassed?

The talk covers LocalAuthentication's two policies, why a positive evaluatePolicy result is weaker than it looks, and when the Keychain through Security.framework is the stronger choice - with a working bypass demo referenced for the sceptics.
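As an added illustration of the point above (example code written for this page, not from the talk or its slides), the weak pattern and the stronger one side by side: a bare `evaluatePolicy` that hands the app a `Bool` to branch on, versus a Keychain item whose access control is enforced by securityd and the Secure Enclave, so that no in-process hook can conjure the secret. The service name `com.example.demo` and the account name are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Weak pattern: the app decides based on a Bool delivered to its own process.
// Anything that can patch or hook the process can flip that Bool; no secret
// is actually protected by the biometric check.
func weakBiometricGate(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var authError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &authError) else {
        completion(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock") { success, _ in
        completion(success)   // the only thing guarding the feature is this value
    }
}

// Stronger pattern: store the secret in the Keychain with an access-control
// object. The item is only released after biometry succeeds, and that check is
// performed outside the app process. .biometryCurrentSet also invalidates the
// item if fingerprints/faces are added or removed.
private let keychainService = "com.example.demo"   // assumption, not from the page

func storeSecret(_ secret: Data, account: String) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError) else {
        return errSecParam
    }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account
    ]
    // Replace any previous item for this account.
    SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecAttrAccessControl as String] = access   // do not also set kSecAttrAccessible
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

func readSecret(account: String) -> Data? {
    let context = LAContext()
    context.localizedReason = "Unlock your token"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context
    ]
    var item: CFTypeRef?
    // The biometric prompt is driven by the system here; on failure or user
    // cancel the call returns an error status and no data ever enters the app.
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { return nil }
    return item as? Data
}
```

The design point is where the decision is made: in the weak version the app trusts a boolean it received; in the stronger version the app never holds the secret until the system has enforced the policy, so a tampered `evaluatePolicy` result gives an attacker nothing. Note that the item is bound to this device and is lost if the passcode is removed, which is the intended behaviour for a session token but must be handled in the UI.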

What does the talk say about ATS and SSL pinning?

What App Transport Security enforces (TLS 1.2 or newer, no plain HTTP, public hostnames), the circumstances under which disabling it is defensible, and where SSL pinning fits - including the classic mistake of hardcoding the password.
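To make the ATS-plus-pinning layering concrete, here is an added example (written for this page, not taken from the talk) of a `URLSessionDelegate` that first lets the system perform normal chain validation and then pins the SHA-256 of the leaf or intermediate certificate's DER encoding. The host `api.example.com` and the pin value are placeholders; the ATS keys in the comment are the standard `Info.plist` keys.

```swift
import Foundation
import Security
import CryptoKit

// ATS itself is configured in Info.plist, not in code. The defaults already
// require TLS 1.2+ and forward secrecy and block plain HTTP; the keys below are
// the ones that weaken it and should be justified in review:
//   NSAppTransportSecurity / NSAllowsArbitraryLoads   -> disables ATS globally (avoid)
//   NSAppTransportSecurity / NSExceptionDomains / <host> / NSExceptionAllowsInsecureHTTPLoads
//     -> per-host exception, the narrower choice if one is truly needed
// Pinning adds a second check on top of the chain validation ATS already performs.

final class PinningSessionDelegate: NSObject, URLSessionDelegate {

    // Base64 SHA-256 over the DER-encoded certificate. Placeholder values; in a
    // real app compute them from the deployed certificate and ship a backup pin
    // so rotation does not lock users out.
    private let pins: [String: Set<String>] = [
        "api.example.com": ["PLACEHOLDER_PRIMARY_PIN==", "PLACEHOLDER_BACKUP_PIN=="]
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              let expectedPins = pins[space.host] else {
            // Unknown host or a non-server-trust challenge: fail closed.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 1: standard validation (hostname, expiry, trusted root).
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: at least one certificate in the presented chain must match a pin.
        // SecTrustCopyCertificateChain is available from iOS 15; older targets can
        // iterate SecTrustGetCertificateAtIndex instead.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let matched = chain.contains { cert in
            let der = SecCertificateCopyData(cert) as Data
            let digest = Data(SHA256.hash(data: der)).base64EncodedString()
            return expectedPins.contains(digest)
        }

        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: one session for all pinned traffic.
let pinnedSession = URLSession(configuration: .default,
                               delegate: PinningSessionDelegate(),
                               delegateQueue: nil)
```

Two caveats worth stating for reviewers: pinning the whole certificate (as here) is simpler than pinning the SubjectPublicKeyInfo but ties the app to each certificate renewal, so a backup pin and a rotation plan are mandatory; and pinning only protects what goes through this delegate, so third-party SDKs and `WKWebView` traffic still fall back to plain ATS validation.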

What else does part two get into?

Universal Links, WebView pitfalls, a set of unusual attack vectors, and jailbreak detection - plus where to go after the talk.

Where can I watch the talk or get the slides?

The recording is embedded at the top of this page, starting where part one ends, and the part-two slide deck (PDF) is in the resources section.

Related consulting

I run audits like this against client apps: MASVS-aligned, with reproduction steps and code-level fixes.

iOS Security Audit