June 10 - 11, 2015, Rome, Italy
This class takes a deep dive into techniques for testing the security of iOS apps. Students will learn how to statically and dynamically analyze iOS apps for implementation and architectural security defects. After a brief description of the iOS hardware and software security architecture, the class steps through a myriad of security pitfalls that many developers fall into. Each weakness is described in detail and explored in hands-on labs so that students fully understand and internalize the details. The pitfalls covered start with simple problems and escalate steadily to more advanced ones, culminating in the use of “Man in the App” (MitA) attacks against running apps. Using MitA techniques, the app's architecture is actively probed and explored via weaknesses in the underlying Objective-C runtime environment to look for exploitable weaknesses in client-side security controls. This range of static and dynamic app analysis allows the tester to perform a broad range of security tests on any iOS app target.

Requirements: To participate in the hands-on exercises, each student will need a laptop computer with a complete iOS development environment (Xcode, available for free from Apple Computer, Inc.) installed. To perform all exercises, including the MitA attacks, a jailbroken iOS device is needed. We recommend using a dedicated test device for the testing.

Venue

Location: Visconti Palace Hotel
Contact: Via Federico Cesi, 37, 00193 Roma (RM), Rome, Italy

Organizer

Technology Transfer S.r.l.
Piazza Cavour 3, 00193 Roma - Italy
+39 06 6871102

Related events

Penetration Testing iOS Apps June 10 - 11, 2015