Day 1
Introduction to iOS Security
• Mobile application threat model - What makes mobile application security so different?
• What is iOS
• iOS device architecture
• iOS security model
• Application file system isolation
• iOS Sandbox
• iOS Simulator
• The iOS Simulator vs. physical device
• Why Jailbreak
• LAB: Exploring the iOS security mechanisms
Coffee break
Traffic Analysis and Manipulation
• Intro to server side attacks - SQL injection, XSS
• Insecure remote Authentication - UUID, IMEI, etc.
• Insecure session management
• Authorization vulnerabilities
• Traffic interception
• Using proxies and sniffers
• Importing SSL certificates & trusted CA's configuration profile
• Sensitive information transmission
• Bypassing server certificate validations
• Exposing insecure traffic
• LAB: HTTP/HTTPS Sniffing and Proxying
• LAB: Parameter Manipulation
Meal break (lunch)
Insecure data storage
• Exploring deployed application files and directories
• The file system security model and public directories
• Insecure file system storage
• The SQLite Database storage
• Using sqlite browser
• Secrets inside Code
• Storage of sensitive data at the server side
• Insecure log exposure
• Bad cryptography
Coffee break
• LAB: Exposing insecure data storage
• LAB: Insecure Configuration
Day 2
iOS Application Static Analysis
• The ipa file package
• ipa extraction - Investigating layout, preferences, permissions and binaries
• Jailbreak benefits
• Cydia installation and configuration
• Installing decrypted ipa using Installous
• ViewController Enumeration
• property list files and plutil
• application Info.plist file
• cfurl and urlScheme invocations
• harvesting binary for strings
• binary SQL statements
• binary URI peers
• binary parameters usage
• binary entitlements
• the Mach-O file format
• class prototype Enumeration
• otool to the rescue
• LAB: Binary decryption
• LAB: Binary Analysis
Coffee break
iOS application security testing toolkit
• Cydia repository and packages configuration
• cycript introduction
• cycript basic usage
• cycript attachment
• cycript functions
• cycript methods overwrite
• cycript iVars
• cycript as a hacking tool
• cycript ssl modifications
• iOS ipa encryption
• iOS ipa decryption - manual
• iOS ipa decryption - automatic
• iOS ipa patching and resigning
• class-dump-z revisited
• cycript ViewControllers
• LAB: Cycript as a hacking tool
Meal break (lunch)
Runtime Analysis with iNalyzer
• Monitoring process activity
• why use iNalyzer?
• iNalyzer key features
• iNalyzer components
• iNalyzer installation and usage
• iNalyzer Dashboard
• Application Decryption
• Application File system snapshot
• Application peer Enumeration
• Application SQL vulnerabilities
• Application URI vulnerabilities
• Application handleOpenURL: vulnerabilities
• Application Object enumeration
• Application Methods Enumerations
• Application Variables Enumerations
• Application Strings Analysis
• Application Objects and Analysis
• Cycript and iNalyzer integration
• Harnessing Web Scanners to iNalyzer
• No more black box iOS analysis
Coffee break
• LAB: iNalyzer Vs. a running application
Members of the security / software development team:
• Security penetration testers
• iOS developers
Before attending this course, students should be familiar with:
• Common security concepts
At least 2GB of RAM (4GB is highly recommended)
• 15GB of free HD space
• Jailbroken iOS device
• VMware Player installed
• Slides (pdf)
• Labs (pdf)
• iOS iNalyzer (DVD) containing all tools, runtime, target apps, scripts, etc.
• Certificate of completion
• Access to AppSec Labs' LMS (learning management system), at https://appsec-labs.com/education/
Chilik Tamir is an experienced security trainer and speaker (Black Hat USA 2013, HITB Amsterdam 2013, OWASP Israel 2011-2012-2013, Intel, HP, Cisco, Amdocs, Verint, RedBend and others). He is known for his security expertise, with over two decades of experience in training, research, development, testing and consulting in the field of application information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer - is an open-source iOS application penetration testing dashboard. Among his previous publications you will find AppUse - a testing environment for Android applications developed together with Erez Metula; Belch - an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; as well as his lectures at conferences. He is the Chief Scientist at AppSec-Labs, responsible for innovating and leading security development and research of tools, exploits and vulnerabilities in web applications. Chilik holds a B.Sc. degree in Biomedical Engineering.