iOS Apps security
Dušan Klinec,
Faculty of Informatics, Masaryk University
About me
• Security enthusiast
• Mgr. in IT security, FI MU
• Senior Software Engineer & Consultant
@ EnigmaBridge.com
• Co-author of the PhoneX app.
2 I
Outline
• File System security
– Encryption
– Secure data storage
• IPC
• Certificate Pinning
3 I
Sandboxing recap.
4 I
Sandboxing
• MAC, Historically Seatbelt
• Based on FreeBSD’s TrustedBSD framework
• Sandboxing profile defines what an app can/cannot access
– Files, OS services, network, memory
• Unlike Android’s UID-based segregation, apps run
as one user, “mobile”
• Application contained in own directory
5 I
Anatomy of the AppDir
6 I
● /Documents – Persistent store for application data; this data will be synced and
backed up to iTunes. Can be shared via iTunes.
● /Library/Application Support – Additional app files (config files, purchased content)
● /Library/Caches – Caches, not in backup
● /Library/Caches/Snapshots – Application screenshots taken when the app is
backgrounded
● /Library/Cookies – Cookie plists
● /Library/Preferences – Preference plists, NSUserDefaults.
● /Library/WebKit – Webkit local storage
● /xxxxxx.app – App resources (binary, graphics, nibs, Info.plist, localisation resources
etc.)
● /tmp – temporary, can be erased between app starts
Data Encryption
7 I
Secure Enclave
• Cryptographic co-processor (not Secure Element)
– Apple A7+ processor (ARMv8, 64b, ARM + Apple design)
– iPhone 5S+ (Required for Touch ID)
• Implemented via TrustZone in Processor.
• Separate trusted boot, separate software updates
– Jailbreak does not compromise Secure Enclave
8 I
Secure Enclave
[Diagram, slide 9: Normal World (User Mode), Monitor, Secure World]
Secure Enclave
[Diagram, slides 10-11: Oscillator based random number generator; AES-256 Engine with UID; AES-256 Engine with GID; Memory Key]
Secure Enclave
[Images, slide 12. Sources:]
http://arstechnica.com/apple/2014/09/chipworks-digs-up-more-information-on-apples-new-a8-chip/
https://www.guru3d.com/articles-pages/core-i5-750-core-i7-860-870-processor-review-test,6.html
http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/
FileSystem encryption
• All files are encrypted
– w/ or w/o passcode set
– easy data wipe
• Data need to be decrypted on the device (SEnc)
– no Flash chip desoldering.
– no parallelization with cloud, FPGAs, ASICs, ...
– hard passcode bruteforcing, 80ms derivation delay
– 5 second delay on wrong passcode entry by SEnc
13 I
NSFileProtectionComplete
[Diagram, built up over slides 14-19. Labels: File contents, AES-256 Encrypt, File key, AES-256 Wrap, Protection class key, UID, Passcode key, File metadata, File System key]
NSFileProtectionCompleteUntilFirstUserAuthentication
[Diagram, slide 20. Labels: same as for NSFileProtectionComplete]
NSFileProtectionNone
[Diagram, slide 21. Labels: File contents, AES-256 Encrypt, File key, AES-256 Wrap, Protection class key, UID, File metadata, File System key (no Passcode key)]
NSFileProtectionCompleteUnlessOpen
[Diagram, File Create, slides 22-25. Labels: File contents, AES-256 Encrypt, File key, AES-256 Wrap, fPubK, fPrvK, class ECC public key, ECC key agreement, UID, File metadata, File System key]
[Diagram, File Open, slides 26-28. Labels: File contents, AES-256 Encrypt, File key, AES-256 Wrap, fPubK, class ECC private key, ECC key agreement, UID, Passcode key, File metadata, File System key]
Data protection classes
• NSFileProtectionComplete
– e.g., password manager data container
• NSFileProtectionCompleteUntilFirstUserAuthentication
– e.g., contacts database, notes, messages, photos,...
• NSFileProtectionCompleteUnlessOpen
– e.g., background downloads, HealthKit journal
• NSFileProtectionNone
– device without passcode, do not use.
29 I
Protected data availability
• App Delegates
– applicationProtectedDataWillBecomeUnavailable:
– applicationProtectedDataDidBecomeAvailable:
• NSNotificationCenter
– UIApplicationProtectedDataWillBecomeUnavailable
– UIApplicationProtectedDataDidBecomeAvailable
• On demand check
– [[UIApplication sharedApplication] isProtectedDataAvailable]
30 I
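Added example (not from the original slides): writing a file with an explicit protection class, auditing a directory for files below NSFileProtectionComplete, and registering for the lock notification listed above. The DPAudit class and its method names are hypothetical.

```objective-c
// Added example: audit and raise the Data Protection class of files in a directory.
// DPAudit and its method names are hypothetical; the Foundation/UIKit calls are real.
#import <UIKit/UIKit.h>

@interface DPAudit : NSObject
+ (BOOL)writeProtected:(NSData *)data toPath:(NSString *)path;
+ (NSArray<NSString *> *)upgradeFilesUnder:(NSString *)root;
+ (id)observeLockWithHandler:(void (^)(void))handler;
@end

@implementation DPAudit

// New files: request the class at creation time instead of relying on the default.
+ (BOOL)writeProtected:(NSData *)data toPath:(NSString *)path {
    NSError *err = nil;
    BOOL ok = [data writeToFile:path
                        options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                          error:&err];
    if (!ok) NSLog(@"write failed: %@", err.localizedDescription);
    return ok;
}

// Existing files: returns the paths found below NSFileProtectionComplete,
// after trying to upgrade each one in place.
+ (NSArray<NSString *> *)upgradeFilesUnder:(NSString *)root {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSMutableArray<NSString *> *weak = [NSMutableArray array];
    for (NSString *rel in [fm enumeratorAtPath:root]) {
        NSString *path = [root stringByAppendingPathComponent:rel];
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:NULL];
        if (![attrs[NSFileType] isEqualToString:NSFileTypeRegular]) continue;

        // The key can be absent where Data Protection is not active (e.g. Simulator);
        // a missing value is treated as weak.
        NSString *cls = attrs[NSFileProtectionKey];
        if ([cls isEqualToString:NSFileProtectionComplete]) continue;

        [weak addObject:path];
        NSError *err = nil;
        if (![fm setAttributes:@{NSFileProtectionKey : NSFileProtectionComplete}
                  ofItemAtPath:path
                         error:&err]) {
            NSLog(@"cannot upgrade %@: %@", rel, err.localizedDescription);
        }
    }
    return weak;
}

// Complete-class files become unreadable after the device locks: close handles and
// drop decrypted copies in the handler. Keep the returned token to unregister later.
+ (id)observeLockWithHandler:(void (^)(void))handler {
    return [[NSNotificationCenter defaultCenter]
        addObserverForName:UIApplicationProtectedDataWillBecomeUnavailable
                    object:nil
                     queue:[NSOperationQueue mainQueue]
                usingBlock:^(NSNotification *note) { handler(); }];
}

@end
```

Run the audit only while `[UIApplication sharedApplication].protectedDataAvailable` is YES, for example from applicationProtectedDataDidBecomeAvailable:.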
KeyChain
31 I
https://materialdesignicons.com/
KeyChain
• Place to store small sensitive data
– usernames, passwords, tokens, certificates,
– private keys, symmetric keys
• /var/Keychains/keychain-2.db
• All entries encrypted with entry-key
– Protection classes. Potential Passcode dependency
– *ThisDeviceOnly
32 I
KeyChain Usage
• Original API ugly/complicated (C-style, ARC bridging)
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
NSData *passwordData = [@"mypassword" dataUsingEncoding:NSUTF8StringEncoding];
dict[(__bridge id) kSecClass] = (__bridge id) kSecClassGenericPassword;
dict[(__bridge id) kSecAttrLabel] = @"Conglomco login";
dict[(__bridge id) kSecAttrDescription] = @"This is your password for the x service.";
dict[(__bridge id) kSecAttrAccount] = @"dthiel";
dict[(__bridge id) kSecAttrService] = @"com.isecpartners.SampleKeychain";
dict[(__bridge id) kSecValueData] = passwordData;
dict[(__bridge id) kSecAttrAccessible] = (__bridge id) kSecAttrAccessibleWhenUnlocked;
OSStatus error = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
if (error == errSecSuccess) { NSLog(@"Yay"); }
33 I
KeyChain Usage
• Wrappers
– github.com/carlbrown/PDKeychainBindingsController
– github.com/granoff/Lockbox
• NSUserDefaults-like API
Get:
PDKeychainBindings *bindings = [PDKeychainBindings sharedKeychainBindings];
[[[Model sharedModel] currentUser] setAuthToken:[bindings objectForKey:@"authToken"]];
Set:
PDKeychainBindings *bindings = [PDKeychainBindings sharedKeychainBindings];
[bindings setObject:@"XYZ" forKey:@"authToken"];
34 I
KeyChain & Secure Enclave
• iOS 9.0+
• SecKeyGeneratePair()
– Elliptic Curve P256 KeyPair
– attribute kSecAttrTokenIDSecureEnclave
• Public key returned
• Private key stored in Keychain, protected by SEnc ACLs
• Can perform SIGN operation
• Private key cannot be extracted
35 I
KeyChain & Backup
• Unencrypted backup
– Keychain items not re-encrypted
– Recoverable only on the source device
– Backup contains other files in plaintext
• Encrypted backup
– Keychain items re-encrypted (except *ThisDeviceOnly)
– Recoverable on different devices
– All files encrypted as well, protected backup
36 I
KeyChain & Jailbreak
• After Jailbreak, all KeyChain entries are readable
– Keychain Viewer by Sogeti, Keychain_Dumper
• Jailbreaking of lost/stolen passcode-protected phone:
– With Secure Enclave (Apple A7+ processor, iOS 7+) not
probable
– Exploit might require restart (recovery mode) →
NSFileProtectionCompleteUntilFirstUserAuthentication
• User can jailbreak his own phone - cannot be avoided
37 I
KeyChain & Jailbreak
• Non-standard, multilayer precautions
– Deter script kiddies, complicate automated attacks mnt.
• Ideas:
– Add another layer of encryption / Obfuscation
– Jailbreak detection, tamper detection
– User authentication (e.g., PIN lock screen, enc)
– Secret sharing, server assisted encryption
– Hardware security module - accessory, BT comm
38 I
Local storage
39 I
Local storage methods
• Plists
• NSUserDefaults
• CoreData
• SQLite
40 I
Local storage methods
• NSFileProtectionCompleteUntilFirstUserAuthentication
• Unencrypted backups → plaintext
41 I
42 I
http://www.slideshare.net/xfempx/ios-app-security-common?qid=d11914b4-0a3e-4d1b-a005-3d404064eace&v=&b=&from_search=15
43 I
http://www.slideshare.net/xfempx/ios-app-security-common?qid=d11914b4-0a3e-4d1b-a005-3d404064eace&v=&b=&from_search=15
44 I
• https://github.com/sqlcipher/sqlcipher
45 I
Core data protection
• https://github.com/project-imas/encrypted-core-data/
46 I
Wiping data from SQLite
• DELETE FROM … may not delete data physically
• Data still present in the DB file / Write Ahead Log
• → Rewrite record before removal (same length)
• → From time to time, call VACUUM (warning: VACUUM
rebuilds DB)
47 I
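Added example (not from the original slides) of the rewrite-then-delete procedure above, using the SQLite C API from Objective-C. It assumes the `users` table with `uid` and `username` columns from the injection slide; the function names are hypothetical.

```objective-c
// Added example: overwrite a row with same-length zero bytes, delete it,
// then flush the Write Ahead Log so the old page image is replaced on disk.
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// Runs one statement with a single bound text parameter.
static int ExecWithUid(sqlite3 *db, const char *sql, NSString *uid) {
    sqlite3_stmt *stmt = NULL;
    int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
    if (rc != SQLITE_OK) return rc;
    sqlite3_bind_text(stmt, 1, [uid UTF8String], -1, SQLITE_TRANSIENT);
    rc = sqlite3_step(stmt);
    sqlite3_finalize(stmt);
    return rc == SQLITE_DONE ? SQLITE_OK : rc;
}

BOOL WipeUser(sqlite3 *db, NSString *uid) {
    // 1. Rewrite the record with zero bytes of the same byte length.
    //    CAST(... AS BLOB) makes length() count bytes, not UTF-8 characters.
    int rc = ExecWithUid(db,
        "UPDATE users SET username = zeroblob(length(CAST(username AS BLOB))) "
        "WHERE uid = ?", uid);

    // 2. Remove the now blank row.
    if (rc == SQLITE_OK) {
        rc = ExecWithUid(db, "DELETE FROM users WHERE uid = ?", uid);
    }

    // 3. In WAL mode the rewritten page sits in the -wal file while the main DB
    //    file still holds the old content; checkpoint and truncate the log.
    //    On a database that is not in WAL mode this call is a no-op.
    if (rc == SQLITE_OK) {
        rc = sqlite3_wal_checkpoint_v2(db, NULL, SQLITE_CHECKPOINT_TRUNCATE, NULL, NULL);
    }
    return rc == SQLITE_OK;
}

// Call from time to time, outside any transaction: VACUUM rebuilds the whole DB file,
// which drops free pages that may still contain deleted records.
BOOL CompactDatabase(sqlite3 *db) {
    return sqlite3_exec(db, "VACUUM", NULL, NULL, NULL) == SQLITE_OK;
}
```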
Injection attacks - SQL
NSString *uid = [myHTTPConnection getUID];
NSString *statement = [NSString stringWithFormat:
@"SELECT username FROM users where uid = '%@'",uid];
const char *sql = [statement UTF8String];
• Use prepared statements & parameter binding:
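const char *sql = "SELECT username FROM users where uid = ?";
sqlite3_stmt *selectUid = NULL;
sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL);
// uid is an NSString: bind it as text so it is never parsed as SQL.
sqlite3_bind_text(selectUid, 1, [uid UTF8String], -1, SQLITE_TRANSIENT);
int status = sqlite3_step(selectUid);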
48 I
IPC
49 I
IPC - URL
50 I
[Diagram: MyApp, OtherApp, myApp:// URL scheme]
NSURL *url = [NSURL URLWithString:@"myApp://user/passwd"];
[[UIApplication sharedApplication] openURL:url];
• Apps can register to custom URL Schemes
• Multiple registered apps to the same scheme? Undefined.
IPC - URL
51 I
• Do not pass sensitive information via URLs
• Validate incoming URLs carefully (injections)
• Take URL Hijacking into account
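Added example (not from the original slides) of validating an incoming custom-scheme URL against one exact, allow-listed shape. The "contact" action, its "user" parameter and the "ShowContact" notification name are assumptions.

```objective-c
// Added example: strict validation of an incoming custom-scheme URL.
// Assumed (not from the slides): the action "contact" and its "user" parameter.
#import <UIKit/UIKit.h>

// Returns the validated user name, or nil unless the URL is exactly
// myapp://contact?user=<1-32 characters of [A-Za-z0-9._-]>.
static NSString *ValidatedContactUser(NSURL *url) {
    NSURLComponents *c = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    if (c == nil) return nil;
    if (![c.scheme.lowercaseString isEqualToString:@"myapp"]) return nil;
    if (![c.host isEqualToString:@"contact"]) return nil;

    // Credentials, port, path and fragment are not part of the expected format.
    if (c.user || c.password || c.port || c.fragment || c.path.length > 0) return nil;

    NSArray<NSURLQueryItem *> *items = c.queryItems;
    if (items.count != 1 || ![items[0].name isEqualToString:@"user"]) return nil;

    NSString *user = items[0].value;
    if (user.length < 1 || user.length > 32) return nil;

    NSCharacterSet *allowed = [NSCharacterSet characterSetWithCharactersInString:
        @"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-"];
    if ([user rangeOfCharacterFromSet:allowed.invertedSet].location != NSNotFound) return nil;
    return user;
}

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@end

@implementation AppDelegate

- (BOOL)application:(UIApplication *)app
            openURL:(NSURL *)url
            options:(NSDictionary<NSString *, id> *)options {
    NSString *user = ValidatedContactUser(url);
    if (user == nil) return NO;   // reject; do not try to repair a malformed URL

    // Any installed app can send this URL: treat it as a navigation hint only,
    // never as authorization for a state-changing action, and accept no secrets.
    [[NSNotificationCenter defaultCenter] postNotificationName:@"ShowContact"
                                                        object:nil
                                                      userInfo:@{@"user" : user}];
    return YES;
}

@end
```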
IPC - Universal links - iOS 9+
52 I
• App can register to listen to web links
– https://www.phone-x.net/contact-me/dusan
• Entitlement is required
IPC - Universal links - iOS 9+
53 I
• https://www.phone-x.net/apple-app-site-association
{ "applinks": {
"apps": [],
"details": [
{
"appID": "TBEJCS6FFP.com.domain.App",
"paths":[ "*" ]
}
]
}}
IPC - Universal links - iOS 9+
54 I
• App delegate method: application:continueUserActivity:restorationHandler:
• Pros:
– Not subject to URL hijacking
– If app not installed, web page is shown
• Android knew it years ago… (as with copy-paste)
Crypto
55 I
Broken/weak algorithms
56 I
• Kind of broken:
– RC4, MD4
• Not suitable anymore:
– MD5, SHA1, DES
• Weak:
– RSA-1024, DH-1024, ECC 128
• Do not use:
– ECB mode, no padding, custom crypto!
Broken/weak algorithms
57 I
http://www.slideshare.net/xfempx/ios-app-security-common?qid=d11914b4-0a3e-4d1b-a005-3d404064eace&v=&b=&from_search=15
Minimal key lengths
58 I
• https://www.keylength.com/
Generating random numbers
59 I
const int rndBuffSize = 32;
NSMutableData * rnd = [NSMutableData dataWithLength:rndBuffSize];
uint8_t * rndBuff = (uint8_t*) [rnd mutableBytes];
int result = SecRandomCopyBytes(kSecRandomDefault, rndBuffSize, rndBuff);
• Simulator issues
• rand(), random(), arc4random() are not for crypto!
rand() patterns
60 I
http://programmers.stackexchange.com/questions/121568/php-rand-function-or-not-so-rand
http://www.scsitoolbox.com/products/cpam.asp
rand() patterns
61 I
Generating random numbers
62 I
• Generate high-quality random numbers for:
– IV, nonces, salts
• Do not use user provided passwords as encryption keys
– PBKDF2(password, salt, iterations, keyLength), use
kCCPRFHmacAlgSHA256 derivation.
Crypto in a good way
63 I
• AES-128, AES-256
– CBC, but with random IV + HMAC. ENC then MAC.
– or GCM = authenticated encryption (preferred)
• RSA-2048, OAEP padding
• ECDSA, ECDHE
• SHA-256
• PBKDF2
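Added example (not from the original slides) combining the two slides above: random salts and IV from SecRandomCopyBytes, PBKDF2 with kCCPRFHmacAlgSHA256, and the AES-256-CBC + HMAC (ENC then MAC) option, using CommonCrypto. The function names, the output layout and the iteration count are assumptions of this example.

```objective-c
// Added example: password-based encrypt-then-MAC with CommonCrypto.
// Layout (an assumption of this example): encSalt | macSalt | IV | ciphertext | HMAC
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/Security.h>

enum { kSaltLen = 16, kIVLen = kCCBlockSizeAES128, kMacLen = CC_SHA256_DIGEST_LENGTH,
       kHeaderLen = 2 * kSaltLen + kIVLen, kRounds = 100000 /* assumed work factor */ };

static NSData *RandomBytes(size_t n) {
    NSMutableData *d = [NSMutableData dataWithLength:n];
    return SecRandomCopyBytes(kSecRandomDefault, n, d.mutableBytes) == errSecSuccess ? d : nil;
}

// PBKDF2-HMAC-SHA256: the password itself is never used as a key.
static NSMutableData *DeriveKey(NSString *password, NSData *salt) {
    NSData *pw = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *key = [NSMutableData dataWithLength:kCCKeySizeAES256];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, pw.bytes, pw.length, salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256, kRounds, key.mutableBytes, key.length);
    return rc == kCCSuccess ? key : nil;
}

// Overwrite key material once it is no longer needed.
static void Wipe(NSMutableData *d) { [d resetBytesInRange:NSMakeRange(0, d.length)]; }

NSData *EncryptWithPassword(NSData *plain, NSString *password) {
    NSData *encSalt = RandomBytes(kSaltLen), *macSalt = RandomBytes(kSaltLen);
    NSData *iv = RandomBytes(kIVLen);
    if (!encSalt || !macSalt || !iv) return nil;
    NSMutableData *encKey = DeriveKey(password, encSalt);
    NSMutableData *macKey = DeriveKey(password, macSalt);
    if (!encKey || !macKey) return nil;

    NSMutableData *ct = [NSMutableData dataWithLength:plain.length + kCCBlockSizeAES128];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 encKey.bytes, encKey.length, iv.bytes,
                                 plain.bytes, plain.length, ct.mutableBytes, ct.length, &moved);
    NSMutableData *out = nil;
    if (st == kCCSuccess) {
        ct.length = moved;
        out = [NSMutableData dataWithData:encSalt];
        [out appendData:macSalt];
        [out appendData:iv];
        [out appendData:ct];
        uint8_t mac[kMacLen];   // the MAC covers salts, IV and ciphertext
        CCHmac(kCCHmacAlgSHA256, macKey.bytes, macKey.length, out.bytes, out.length, mac);
        [out appendBytes:mac length:kMacLen];
    }
    Wipe(encKey);
    Wipe(macKey);
    return out;
}

NSData *DecryptWithPassword(NSData *blob, NSString *password) {
    if (blob.length < kHeaderLen + kCCBlockSizeAES128 + kMacLen) return nil;
    const uint8_t *p = blob.bytes;
    NSUInteger bodyLen = blob.length - kMacLen;
    NSMutableData *encKey = DeriveKey(password, [NSData dataWithBytes:p length:kSaltLen]);
    NSMutableData *macKey = DeriveKey(password, [NSData dataWithBytes:p + kSaltLen
                                                               length:kSaltLen]);
    if (!encKey || !macKey) return nil;

    // Verify the MAC first, in constant time; decrypt only authentic data.
    uint8_t mac[kMacLen], diff = 0;
    CCHmac(kCCHmacAlgSHA256, macKey.bytes, macKey.length, p, bodyLen, mac);
    for (size_t i = 0; i < kMacLen; i++) diff |= mac[i] ^ p[bodyLen + i];

    NSMutableData *plain = nil;
    if (diff == 0) {
        size_t ctLen = bodyLen - kHeaderLen, moved = 0;
        plain = [NSMutableData dataWithLength:ctLen];
        CCCryptorStatus st = CCCrypt(kCCDecrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                     encKey.bytes, encKey.length, p + 2 * kSaltLen,
                                     p + kHeaderLen, ctLen, plain.mutableBytes, ctLen, &moved);
        if (st == kCCSuccess) plain.length = moved; else plain = nil;
    }
    Wipe(encKey);
    Wipe(macKey);
    return plain;
}
```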
Library
64 I
• https://github.com/RNCryptor/RNCryptor
NSString *password = @"Secret password";
RNEncryptor *encryptor = [[RNEncryptor alloc] initWithPassword:password];
NSMutableData *ciphertext = [NSMutableData new];
// ... Each time data comes in, update the encryptor and accumulate some ciphertext ...
[ciphertext appendData:[encryptor updateWithData:data]];
// ... When data is done, finish up ...
[ciphertext appendData:[encryptor finalData]];
Memory considerations
65 I
• For sensitive data, use your own allocated memory
• iVars are easy to find & read in runtime analysis
• Wipe the memory after use, rewrite
• https://github.com/project-imas/memory-security
http://www.slideshare.net/mgianarakis/yow-connected-developing-secure-i-os-applications?qid=6663e884-0bc0-4c89-92a1-e3ccbe1d2aa3&v=&b=&from_search=1
Data leakage
67 I
Screenshots cache
68 I
http://www.slideshare.net/mgianarakis/yow-connected-developing-secure-i-os-applications?qid=6663e884-0bc0-4c89-92a1-e3ccbe1d2aa3&v=&b=&from_search=1
Screenshots cache
69 I
• Taken when switching to background, for the task manager
• /var/mobile/Applications/<app-code>/Library/Caches/Snapshots
• Prevention:
– Clean form contents before transition
– Set window to hidden on transition
– Show splash screen before transition
Screenshots cache
70 I
http://www.slideshare.net/mgianarakis/yow-connected-developing-secure-i-os-applications?qid=6663e884-0bc0-4c89-92a1-e3ccbe1d2aa3&v=&b=&from_search=1
Keyboard cache
71 I
http://www.slideshare.net/mgianarakis/yow-connected-developing-secure-i-os-applications?qid=6663e884-0bc0-4c89-92a1-e3ccbe1d2aa3&v=&b=&from_search=1
Keyboard cache
72 I
• Auto-correct caching
– /private/var/mobile/Library/Keyboard/dynamic-text.dat
• For sensitive fields, disable:
– textField.autocorrectionType = UITextAutocorrectionTypeNo;
– textField.secureTextEntry = YES;
Logging
73 I
• https://github.com/CocoaLumberjack/CocoaLumberjack
• Do not log sensitive data
• In production, disable logs at compile time
– Occupies less memory, logging messages not included
– Do not document the app's behavior for an attacker
• If you have to log in production, log only Errors / Warnings
Jailbreak cont.
74 I
Jailbreak detection
75 I
• https://github.com/project-imas/security-check
• Detection not 100% reliable
• Avoid simple logic: -(BOOL) isJailbroken;
• Check multiple times during execution.
• Use method inlining
– __attribute__((always_inline))
Method inlining
76 I
Transport Security
77 I
Certificate pinning
78 I
http://sierraware.com/blog/wp-content/uploads/2015/04/certificate_pinning.png
https://www.cigital.com/wp-content/uploads/2016/03/Certificate-Chain-Visuals-1-1_750.png
Certificate pinning - preface
79 I
• Use secure protocols (https, smtps, imaps, ssh, …)
• Never disable certificate verification, not even in debug
– setAllowsAnyHTTPSCertificate
– continueWithoutCredentialForAuthenticationChallenge
• Use https://letsencrypt.org/ - a free CA
• Some scenarios where you cannot use a CA
– Want intermediate signing certificate (e.g., server signs)
• Do pinning on self-signed certificate with true CA flag
Certificate pinning - manual way
• Implemented by handling events in
NSURLConnectionDelegate (old API)
– connection:canAuthenticateAgainstProtectionSpace:
– connection:didReceiveAuthenticationChallenge:
• NSURLSessionTaskDelegate (new API)
– URLSession:task:didReceiveChallenge:completionHandler:
• Example app: https://www.owasp.org/index.php/Pinning_Cheat_Sheet
80 I
Certificate pinning - manual way
• Devel phase:
– Add trust anchors as DER encoded certificates to the
application (e.g., resources, binary, obfuscation, …)
• Verification phase:
– Load anchors, create NSArray<SecCertificateRef>
– Process challenge, get SecTrustRef
– Update trust, set anchors, allow only anchors
– Evaluate trust SecTrustEvaluate. OK? Return credential
81 I
Certificate pinning - manual way
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition
disposition, NSURLCredential *credential))completionHandler
{
if ([[challenge protectionSpace].authenticationMethod isEqualToString:
NSURLAuthenticationMethodServerTrust]){
// 1. verify trust
// 2. if OK, create valid credential
}
}
82 I
Certificate pinning - manual way
const SecTrustRef trust = [[challenge protectionSpace] serverTrust];
// Obtain trust root CA anchors.
NSArray * anchors = [PEXSecurityCenter getServerTrustAnchors];
SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef) anchors);
SecTrustSetAnchorCertificatesOnly(trust, YES);
// Validate certificate & trust zone against given trust anchors.
SecTrustResultType res = kSecTrustResultInvalid;
OSStatus sanityCheck = SecTrustEvaluate(trust, &res);
return sanityCheck == noErr && [self validateResult:res];
83 I
Certificate pinning - manual way
NSURLCredential * const newCredential = [NSURLCredential
credentialForTrust:trust];
[[challenge sender] useCredential:newCredential forAuthenticationChallenge:
challenge];
84 I
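Added example (not from the original slides) assembling the verification-phase steps above into one NSURLSession delegate that answers through the completion handler and fails closed. The PinningDelegate class name and the convention of shipping anchors as .der files in the app bundle are assumptions.

```objective-c
// Added example: complete pinning delegate for NSURLSession.
// PinningDelegate and the bundled *.der anchor files are assumptions of this example.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinningDelegate : NSObject <NSURLSessionTaskDelegate>
@end

@implementation PinningDelegate

// Load the DER-encoded trust anchors shipped with the application.
- (NSArray *)trustAnchors {
    NSMutableArray *anchors = [NSMutableArray array];
    NSArray<NSString *> *paths = [[NSBundle mainBundle] pathsForResourcesOfType:@"der"
                                                                    inDirectory:nil];
    for (NSString *path in paths) {
        NSData *der = [NSData dataWithContentsOfFile:path];
        SecCertificateRef cert =
            der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
        if (cert != NULL) [anchors addObject:CFBridgingRelease(cert)];
    }
    return anchors;
}

- (BOOL)isPinnedTrust:(SecTrustRef)trust host:(NSString *)host {
    NSArray *anchors = [self trustAnchors];
    if (trust == NULL || host == nil || anchors.count == 0) return NO;   // fail closed

    // Keep hostname verification: apply the SSL server policy for this host.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    OSStatus st = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    if (st != errSecSuccess) return NO;

    // Set anchors and allow only these anchors (system CA list is ignored).
    if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) != errSecSuccess)
        return NO;
    if (SecTrustSetAnchorCertificatesOnly(trust, true) != errSecSuccess) return NO;

    SecTrustResultType res = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &res) != errSecSuccess) return NO;

    // Only these two results mean the chain validated against the anchors.
    return res == kSecTrustResultUnspecified || res == kSecTrustResultProceed;
}

// Called for server trust challenges when the session delegate does not implement
// the session-level URLSession:didReceiveChallenge:completionHandler: method.
- (void)URLSession:(NSURLSession *)session
                task:(NSURLSessionTask *)task
 didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
   completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                               NSURLCredential *credential))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    if ([self isPinnedTrust:space.serverTrust host:space.host]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        // Cancel instead of falling back to default handling.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```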
Certificate pinning - library
• https://github.com/iSECPartners/ssl-conservatory
– +(BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates;
– +(BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain;
• Convenience delegates
– ISPPinnedNSURLConnectionDelegate
– ISPPinnedNSURLSessionDelegate
85 I
Certificate pinning - library
• https://github.com/AFNetworking
let securityPolicy = AFSecurityPolicy(pinningMode: AFSSLPinningMode.Certificate)
let certificatePath = NSBundle.mainBundle().pathForResource("pinned-certificate", ofType: "cer")!
let certificateData = NSData(contentsOfFile: certificatePath)!
securityPolicy.pinnedCertificates = [certificateData];
securityPolicy.validatesCertificateChain = false
self.securityPolicy = securityPolicy
86 I
Certificate pinning - system CA?
• Include or not to include system CA list.
• Trust OK ⇔ systemTrustOK && PinningOK
• Good if:
– your certificates are CA signed (not self-signed, $$$)
– can provide you a revocation (to some extent)
• Bad if:
– your root certificate is self signed
87 I
Certificate pinning - defeating
• On Jailbroken devices, certificate verification can be
completely disabled
• https://github.com/iSECPartners/ios-ssl-kill-switch
– Hooks verification calls at runtime,
– patches methods to always return YES;
88 I
TLS security - iOS 9.0+
• App Transport Security - default conn requirements
• NSURLConnection, CFURL, or NSURLSession APIs.
– min TLS 1.2
– forward secrecy cipher suites
– certificates must be valid and signed using SHA-256 +
– min 2048-bit RSA key or 256-bit elliptic curve key
• If req fail → connection fails. By default ON, can override
90 I
Resources
91 I
Resources
• http://damnvulnerableiosapp.com/
92 I
Resources
• http://highaltitudehacks.com/2013/10/26/ios-application-security-part-20-local-data-storage-nsuserdefaults/
93 I
Resources
• https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
94 I
Recommended reading
95 I
Thank you for your attention!
Q & A
96 I

iOS secure app development