iOS Application Security

Book Description

iOS Application Security covers everything you need to know to design secure iOS apps from the ground up and keep users' data safe.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Technical Reviewer
  6. Brief Contents
  7. Contents in Detail
  8. Foreword
  9. Acknowledgments
  10. Introduction
    1. Who This Book Is For
    2. What’s in This Book
      1. How This Book Is Structured
      2. Conventions This Book Follows
      3. A Note on Swift
    3. Mobile Security Promises and Threats
      1. What Mobile Apps Shouldn’t Be Able to Do
      2. Classifying Mobile Security Threats in This Book
    4. Some Notes for iOS Security Testers
  11. Part I: iOS Fundamentals
    1. Chapter 1: The iOS Security Model
      1. Secure Boot
      2. Limiting Access with the App Sandbox
      3. Data Protection and Full-Disk Encryption
        1. The Encryption Key Hierarchy
        2. The Keychain API
        3. The Data Protection API
      4. Native Code Exploit Mitigations: ASLR, XN, and Friends
      5. Jailbreak Detection
      6. How Effective Is App Store Review?
        1. Bridging from WebKit
        2. Dynamic Patching
        3. Intentionally Vulnerable Code
        4. Embedded Interpreters
      7. Closing Thoughts
    2. Chapter 2: Objective-C for the Lazy
      1. Key iOS Programming Terminology
      2. Passing Messages
      3. Dissecting an Objective-C Program
        1. Declaring an Interface
        2. Inside an Implementation File
      4. Specifying Callbacks with Blocks
      5. How Objective-C Manages Memory
      6. Automatic Reference Counting
      7. Delegates and Protocols
        1. Should Messages
        2. Will Messages
        3. Did Messages
        4. Declaring and Conforming to Protocols
      8. The Dangers of Categories
      9. Method Swizzling
      10. Closing Thoughts
    3. Chapter 3: iOS Application Anatomy
      1. Dealing with plist Files
      2. Device Directories
      3. The Bundle Directory
      4. The Data Directory
        1. The Documents and Inbox Directories
        2. The Library Directory
        3. The tmp Directory
      5. The Shared Directory
      6. Closing Thoughts
  12. Part II: Security Testing
    1. Chapter 4: Building Your Test Platform
      1. Taking Off the Training Wheels
      2. Suggested Testing Devices
      3. Testing with a Device vs. Using a Simulator
      4. Network and Proxy Setup
        1. Bypassing TLS Validation
        2. Bypassing SSL with stunnel
        3. Certificate Management on a Device
        4. Proxy Setup on a Device
      5. Xcode and Build Setup
        1. Make Life Difficult
        2. Enabling Full ASLR
        3. Clang and Static Analysis
        4. Address Sanitizer and Dynamic Analysis
      6. Monitoring Programs with Instruments
        1. Activating Instruments
        2. Watching Filesystem Activity with Watchdog
      7. Closing Thoughts
    2. Chapter 5: Debugging with lldb and Friends
      1. Useful Features in lldb
        1. Working with Breakpoints
        2. Navigating Frames and Variables
        3. Visually Inspecting Objects
        4. Manipulating Variables and Properties
        5. Breakpoint Actions
      2. Using lldb for Security Analysis
        1. Fault Injection
        2. Tracing Data
        3. Examining Core Frameworks
      3. Closing Thoughts
    3. Chapter 6: Black-Box Testing
      1. Installing Third-Party Apps
        1. Using a .app Directory
        2. Using a .ipa Package File
      2. Decrypting Binaries
        1. Launching the debugserver on the Device
        2. Locating the Encrypted Segment
        3. Dumping Application Memory
      3. Reverse Engineering from Decrypted Binaries
        1. Inspecting Binaries with otool
        2. Obtaining Class Information with class-dump
        3. Extracting Data from Running Programs with Cycript
        4. Disassembly with Hopper
      4. Defeating Certificate Pinning
      5. Hooking with Cydia Substrate
      6. Automating Hooking with Introspy
      7. Closing Thoughts
  13. Part III: Security Quirks of the Cocoa API
    1. Chapter 7: iOS Networking
      1. Using the iOS URL Loading System
        1. Using Transport Layer Security Correctly
        2. Basic Authentication with NSURLConnection
        3. Implementing TLS Mutual Authentication with NSURLConnection
        4. Modifying Redirect Behavior
        5. TLS Certificate Pinning
      2. Using NSURLSession
        1. NSURLSession Configuration
        2. Performing NSURLSession Tasks
        3. Spotting NSURLSession TLS Bypasses
        4. Basic Authentication with NSURLSession
        5. Managing Stored URL Credentials
      3. Risks of Third-Party Networking APIs
        1. Bad and Good Uses of AFNetworking
        2. Unsafe Uses of ASIHTTPRequest
      4. Multipeer Connectivity
      5. Lower-Level Networking with NSStream
      6. Even Lower-Level Networking with CFStream
      7. Closing Thoughts
    2. Chapter 8: Interprocess Communication
      1. URL Schemes and the openURL Method
        1. Defining URL Schemes
        2. Sending and Receiving URL/IPC Requests
        3. Validating URLs and Authenticating the Sender
        4. URL Scheme Hijacking
      2. Universal Links
      3. Sharing Data with UIActivity
      4. Application Extensions
        1. Checking Whether an App Implements Extensions
        2. Restricting and Validating Shareable Data
        3. Preventing Apps from Interacting with Extensions
      5. A Failed IPC Hack: The Pasteboard
      6. Closing Thoughts
    3. Chapter 9: iOS-Targeted Web Apps
      1. Using (and Abusing) UIWebViews
        1. Working with UIWebViews
        2. Executing JavaScript in UIWebViews
      2. Rewards and Risks of JavaScript-Cocoa Bridges
        1. Interfacing Apps with JavaScriptCore
        2. Executing JavaScript with Cordova
      3. Enter WKWebView
        1. Working with WKWebViews
        2. Security Benefits of WKWebViews
      4. Closing Thoughts
    4. Chapter 10: Data Leakage
      1. The Truth About NSLog and the Apple System Log
        1. Disabling NSLog in Release Builds
        2. Logging with Breakpoint Actions Instead
      2. How Sensitive Data Leaks Through Pasteboards
        1. Restriction-Free System Pasteboards
        2. The Risks of Custom-Named Pasteboards
        3. Pasteboard Data Protection Strategies
      3. Finding and Plugging HTTP Cache Leaks
        1. Cache Management
        2. Solutions for Removing Cached Data
        3. Data Leakage from HTTP Local Storage and Databases
      4. Keylogging and the Autocorrection Database
      5. Misusing User Preferences
      6. Dealing with Sensitive Data in Snapshots
        1. Screen Sanitization Strategies
        2. Why Do Those Screen Sanitization Strategies Work?
        3. Common Sanitization Mistakes
        4. Avoiding Snapshots by Preventing Suspension
      7. Leaks Due to State Preservation
      8. Secure State Preservation
      9. Getting Off iCloud to Avoid Leaks
      10. Closing Thoughts
    5. Chapter 11: Legacy Issues and Baggage from C
      1. Format Strings
        1. Preventing Classic C Format String Attacks
        2. Preventing Objective-C Format String Attacks
      2. Buffer Overflows and the Stack
        1. A strcpy Buffer Overflow
        2. Preventing Buffer Overflows
      3. Integer Overflows and the Heap
        1. A malloc Integer Overflow
        2. Preventing Integer Overflows
      4. Closing Thoughts
    6. Chapter 12: Injection Attacks
      1. Client-Side Cross-Site Scripting
        1. Input Sanitization
        2. Output Encoding
      2. SQL Injection
      3. Predicate Injection
      4. XML Injection
        1. Injection Through XML External Entities
        2. Issues with Alternative XML Libraries
      5. Closing Thoughts
  14. Part IV: Keeping Data Safe
    1. Chapter 13: Encryption and Authentication
      1. Using the Keychain
        1. The Keychain in User Backups
        2. Keychain Protection Attributes
        3. Basic Keychain Usage
        4. Keychain Wrappers
        5. Shared Keychains
        6. iCloud Synchronization
      2. The Data Protection API
        1. Protection Levels
        2. The DataProtectionClass Entitlement
        3. Checking for Protected Data Availability
      3. Encryption with CommonCrypto
        1. Broken Algorithms to Avoid
        2. Broken Initialization Vectors
        3. Broken Entropy
        4. Poor Quality Keys
      4. Performing Hashing Operations
      5. Ensuring Message Authenticity with HMACs
      6. Wrapping CommonCrypto with RNCryptor
      7. Local Authentication: Using the TouchID
        1. How Safe Are Fingerprints?
      8. Closing Thoughts
    2. Chapter 14: Mobile Privacy Concerns
      1. Dangers of Unique Device Identifiers
        1. Solutions from Apple
        2. Rules for Working with Unique Identifiers
      2. Mobile Safari and the Do Not Track Header
      3. Cookie Acceptance Policy
      4. Monitoring Location and Movement
        1. How Geolocation Works
        2. The Risks of Storing Location Data
        3. Restricting Location Accuracy
        4. Requesting Location Data
      5. Managing Health and Motion Information
        1. Reading and Writing Data from HealthKit
        2. The M7 Motion Processor
      6. Requesting Permission to Collect Data
      7. Proximity Tracking with iBeacons
        1. Monitoring for iBeacons
        2. Turning an iOS Device into an iBeacon
        3. iBeacon Considerations
      8. Establishing Privacy Policies
      9. Closing Thoughts
  15. Index
  16. Updates
  17. Support the Electronic Freedom Foundation
  18. Footnotes
    1. Chapter 1: The iOS Security Model
    2. Chapter 2: Objective-C for the Lazy
    3. Chapter 3: iOS Application Anatomy
    4. Chapter 4: Building Your Test Platform
    5. Chapter 5: Debugging with lldb and Friends
    6. Chapter 6: Black-Box Testing
    7. Chapter 7: iOS Networking
    8. Chapter 8: Interprocess Communication
    9. Chapter 9: iOS-Targeted Web Apps
    10. Chapter 10: Data Leakage
    11. Chapter 11: Legacy Issues and Baggage from C
    12. Chapter 12: Injection Attacks
    13. Chapter 13: Encryption and Authentication
    14. Chapter 14: Mobile Privacy Concerns