iOS Application Security Testing
Presented by: Hans Weisheimer
This hands-on session is aimed at mobile app developers, QA testers, aspiring security testers, and other suspicious persons.
Modern mobile app development abstracts away most low-level interaction with the operating system. It is common to rely on third-party modules to handle sensitive data or perform critical tasks. What really happens when an application’s state is updated? Or biometric authentication requested? What are the analytics packages talking about behind your back? Mobile platforms (and iOS in particular) tend to make introspection difficult.
You will learn how to look under the hood of a running application, using open source tools and unmodified devices. Topics include:
- Packaging and instrumenting an application with Frida
- Monitoring and manipulating HTTP traffic
- Browsing the application’s files, databases, and Keychain entries
- Lying to the application with hooked functions
- Easy mode w/ virtualization
- Occasional Android comparisons
- Thoughts on automation
Students must bring a laptop, with MacBooks being strongly recommended. Windows instructions will be provided, with some limitations. Please arrive with the following tools installed: Xcode w/ command line tools, iTunes, Node.js 10.x, Python 3.x (plus virtualenv), an OpenVPN client, and an intercepting proxy of your choice (OWASP ZAP, Burp Suite, Charles Proxy, etc.). Students will be provided access to virtualized iOS devices.
After completing this workshop, students will be able to inspect their iOS applications for common security flaws. This includes the ability to inspect and manipulate an application’s network traffic, files, and function calls.