iOS Application Security

iOS Application Security
The Definitive Guide for Hackers and Developers
by 
David Thiel
February 2016, 296 pp.
ISBN-13: 
978-1-59327-601-0

"The most thorough and thoughtful treatment of iOS security that you can find today."
—Alex Stamos, Chief Security Officer at Facebook

"David Thiel is the most skilled and knowledgeable iOS security researcher that I've worked with. David's advice for developing secure iOS applications has been indispensable to my organization."
—Brandon Sterne, Director of Security Engineering, Workday, Inc.

Eliminating security holes in iOS apps is critical for any developer who wants to protect their users from the bad guys. In iOS Application Security, mobile security expert David Thiel reveals common iOS coding mistakes that create serious security problems and shows you how to find and fix them.

After a crash course on iOS application structure and Objective-C design patterns, you’ll move on to spotting bad code and plugging the holes. You’ll learn about:

  • The iOS security model and the limits of its built-in protections
  • The myriad ways sensitive data can leak into places it shouldn’t, such as through the pasteboard
  • How to implement encryption with the Keychain, the Data Protection API, and CommonCrypto
  • Legacy flaws from C that still cause problems in modern iOS applications
  • Privacy issues related to gathering user data and how to mitigate potential pitfalls

Don’t let your app’s security leak become another headline. Whether you’re looking to bolster your app’s defenses or hunting bugs in other people’s code, iOS Application Security will help you get the job done well.

Author Bio 

David Thiel has nearly 20 years of computer security experience. His research and book Mobile Application Security (McGraw-Hill) helped launch the field of iOS application security, and he has presented his work at security conferences like Black Hat and DEF CON. An application security consultant for years at iSEC Partners, Thiel now works for the Internet.org Connectivity Lab.

Table of contents 

Introduction

PART I: IOS FUNDAMENTALS
Chapter 1: The iOS Security Model
Chapter 2: Objective-C for the Lazy
Chapter 3: iOS Application Anatomy

PART II: SECURITY TESTING
Chapter 4: Building Your Test Platform

Chapter 5: Debugging with lldb and Friends
Chapter 6: Black-Box Testing

PART III: SECURITY QUIRKS OF THE COCOA API
Chapter 7: iOS Networking
Chapter 8: Interprocess Communication
Chapter 9: iOS-Targeted Web Apps
Chapter 10: Data Leakage
Chapter 11: Legacy Issues and Baggage from C
Chapter 12: Injection Attacks

PART IV: KEEPING DATA SAFE
Chapter 13: Encryption and Authentication
Chapter 14: Mobile Privacy Concerns

View the detailed Table of Contents (PDF)
View the Index (PDF)

Reviews 

“The book is strongly recommended for all iOS app developers, especially for those who use the Objective-C programming language.”
Computing Reviews

“In summary, this is a book that every iOS developer needs to read and then act on. The next time you see an app that leaks private data everywhere, is vulnerable to a whole host of injection attacks, and uses crypto like it’s 1995, ask them why they didn’t consult this book before shipping.”
;login:

iOS Application Security offers an excellent foundation for anyone interested in ethical hacking on mobile platforms. This is going to be a growing sector of the penetration testing industry, as mobile devices assume an ever-greater importance in corporate IT estates."
Network Security Newsletter

"Worthy read and covers a lot of ground in 200ish pages. Well recommended."
Michael Howard, author of Writing Secure Code

"A major asset to any iOS developer who wants to ensure his app's ability to protect a user's data. I would highly recommend anyone interested in the field of iOS app security to take a close look at iOS Application Security."
MacTrast

Updates 

Page 9: In the last paragraph,

In the absence of this API, developers have implemented a number of tricks to try detect jailbreaking themselves.

should instead be

In the absence of this API, developers have implemented a number of tricks to try to detect jailbreaking themselves.

Page 16: Listing 2-2 should include @end at the end of the listing.

Page 21: Listing 2-4, should include @end before
@implementation and again at the end of the listing.

Page 27: In the second paragraph,

The quickest way find out what data your application stores locally on an iOS device is to check out...

should instead be

The quickest way to find out what data your application stores locally on an iOS device is to check out...

Page 27:
~Library/Developer/CoreSimulator/Devices

should instead be

~/Library/Developer/CoreSimulator/Devices

Page 27:
~/data/Containers/Data/Application/

should instead be

/data/Containers/Data/Application/

Page 66: Under Listing 5-1, it reads,

To examine the variables of the current frame, you can use the frame
variable command, as shown in Listing ??.

but it should instead read

To examine the variables of the current frame, you can use the frame
variable command, as shown in Listing 5-2.

Page 83: port 666 should actually be port 1234

Page 86: In the last paragraph,

These values are in hexadecimal, though―a quick way to obtain the hex values is to execute the following in the Terminal…

should instead read

These values are in decimal, though―a quick way to obtain the hex values is to execute the following in the Terminal…

Page 93: "de.vi.c.e" should be “de.vi.ce.ip”

Page 96: “192.168.1.107” should be “de.vi.ce.ip”

Page 100: In the last line, “Intropsy” should be “Introspy”

Page 101: In the second line, “Cydia Substratey” should be “Cydia Substrate”

Page 112: In Table 7-1, NSURLCredentialPersistencePermanent is incorrectly listed twice. Please refer to the second entry.

Page 121:
In Listing 7-9, NSRULSessionConfiguration should be NSURLSessionConfiguration

Page 153: In the second paragraph,

(This is a bug in iOS that, as of iOS 8, has yet to be resolved.)

should instead read

(This is a bug in iOS that, as of iOS 9, has yet to be resolved.)

Page 185: In the last paragraph

I discuss encryption in more detail in Chapter 13), but here’s how you’d encrypt this particular sort of data.

should instead read

I discuss encryption in more detail in Chapter 13, but here’s how you’d encrypt this particular sort of data.

Page 241: In the last paragraph,

While HealthKit shows how to record steps, but there are more detailed
ways to get motion data to help guess exactly what kind of activity the user is
engaged in.

should instead read

While HealthKit shows how to record steps, there are more detailed
ways to get motion data to help guess exactly what kind of activity the user is
engaged in.