Uncovering OWASP's Mobile Risks in iOS Apps - AppSec California 2015
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore the process of reverse-engineering iOS applications to uncover mobile security risks in this conference talk from OWASP AppSec California 2015. Delve into the challenges of iOS app analysis, including App Store binary encryption, the dynamic-dispatch nature of Objective-C, and the proprietary nature of the operating system. Learn techniques for obtaining a decrypted copy of an App Store binary, reading ARM disassembly, and identifying common mobile-specific vulnerabilities. Gain insights from real-world examples of security flaws found in App Store applications. Discover tools and methods for automated app grabbing, removing encryption, and performing both static and dynamic analysis. Understand the ARM architecture powering mobile processors and its implications for iOS devices. Follow along as the speaker demonstrates how to spot vulnerabilities through disassembly and examination of the app's user defaults plist, providing a comprehensive look at iOS app security auditing.
Syllabus
Intro
AN OUTLINE - THE TALK TODAY WILL COVER A SOLID AMOUNT OF MATERIAL
IOS IS DERIVED FROM OS X
REVERSING IS SOMEWHAT NON-TRIVIAL - because Objective-C is an object-oriented language with dynamic message dispatch, static analysis can be challenging
ARM POWERS MOBILE PROCESSORS EVERYWHERE - IOS DEVICES RUN ON PROCESSORS BASED ON THE ARM ARCHITECTURE
ARM ARCHITECTURE ON (MODERN) 32-BIT CPUS
ARM ARCHITECTURE ON 64-BIT CPUS
AUTOMATED APP GRABBING
REMOVING ENCRYPTION
OTOOL - OBJECT FILE DISPLAYING TOOL
CLASS-DUMP
IDA PRO - IDA IS THE DE-FACTO REVERSING TOOL
DYNAMIC ANALYSIS OF IOS APPS
SPOTTING A VULNERABILITY STATICALLY
SPOTTING A VULNERABILITY DYNAMICALLY
SPOTTING A VULNERABILITY - scope out the disassembly or dump the user defaults plist
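Two of the checks listed above (confirming that a grabbed binary actually has its encryption removed before it goes into otool or IDA, and dumping the user defaults plist to look for stored credentials) can be scripted. The example below is added here and is not code from the talk or from the OWASP Foundation. The Mach-O and fat-header layouts and the LC_ENCRYPTION_INFO command codes follow Apple's mach-o/loader.h and mach-o/fat.h; the sample binaries and the sample NSUserDefaults plist are constructed inline, and the list of credential-looking key names is an assumption for the demo.

```python
import plistlib
import struct
from typing import Dict, List, Optional

# Constants from Apple's mach-o/loader.h and mach-o/fat.h
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def mach_o_slices(data: bytes) -> List[bytes]:
    """Split a fat (universal) binary into its per-architecture slices; a thin file is one slice."""
    (magic,) = struct.unpack_from(">I", data, 0)          # fat header fields are big-endian
    if magic != FAT_MAGIC:
        return [data]
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        _cpu, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append(data[off:off + size])
    return slices


def encryption_info(slice_: bytes) -> Optional[Dict[str, int]]:
    """Walk the load commands of one thin Mach-O and return the LC_ENCRYPTION_INFO(_64)
    fields (what `otool -l` prints as cryptoff/cryptsize/cryptid), or None if absent."""
    (magic,) = struct.unpack_from("<I", slice_, 0)        # iOS slices are little-endian
    if magic == MH_MAGIC_64:
        off = 32                                          # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                                          # sizeof(mach_header)
    else:
        raise ValueError("not a Mach-O slice: 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", slice_, 16)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", slice_, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", slice_, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def is_encrypted(data: bytes) -> bool:
    """True if any slice still carries cryptid != 0, i.e. the FairPlay wrapper was not removed."""
    for s in mach_o_slices(data):
        info = encryption_info(s)
        if info is not None and info["cryptid"] != 0:
            return True
    return False


# Key names that, in a dumped NSUserDefaults plist, usually deserve a manual look (assumed list).
SECRET_KEY_HINTS = ("password", "passwd", "token", "secret", "apikey", "api_key", "credential")


def suspicious_defaults(plist_bytes: bytes) -> List[str]:
    """Return dotted paths of keys in a user defaults plist whose names suggest stored credentials."""
    hits: List[str] = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}" if path else str(k)
                if any(h in str(k).lower() for h in SECRET_KEY_HINTS):
                    hits.append(p)
                walk(v, p)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(plistlib.loads(plist_bytes), "")
    return hits


# ---- constructed sample data (not real apps) ----------------------------------------------
def build_slice(bits: int, cryptid: int) -> bytes:
    """Minimal Mach-O slice: one empty segment command plus an encryption-info command."""
    if bits == 64:
        seg = struct.pack("<II", LC_SEGMENT_64, 72) + b"\0" * 64
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(seg + enc), 0, 0)
    else:
        seg = struct.pack("<II", LC_SEGMENT, 56) + b"\0" * 48
        enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x8000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 2, len(seg + enc), 0)
    return hdr + seg + enc


def build_fat(slices: List[bytes]) -> bytes:
    """Wrap slices in a fat header (offsets are not page-aligned here; real linkers align them)."""
    off, archs, body = 8 + 20 * len(slices), b"", b""
    for s in slices:
        cputype, cpusub = struct.unpack_from("<II", s, 4)
        archs += struct.pack(">IIIII", cputype, cpusub, off, len(s), 0)
        body += s
        off += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


SAMPLE_DEFAULTS = plistlib.dumps({
    "AppleLanguages": ["en"],
    "lastLogin": "jdoe@example.com",
    "userPassword": "hunter2",                      # cleartext credential in NSUserDefaults
    "session": {"authToken": "constructed-token"},
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    grabbed = build_fat([build_slice(32, 0), build_slice(64, 1)])  # arm64 slice still encrypted
    print("still encrypted:", is_encrypted(grabbed))
    print("suspicious keys:", suspicious_defaults(SAMPLE_DEFAULTS))
```

On a real device the inputs are the app's main executable (after dumping it from memory) and the plist under Library/Preferences in the app's data container; a non-zero cryptid in any slice means the disassembler will see FairPlay ciphertext rather than ARM code, so the encryption step has to be redone before static analysis.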
Taught by
OWASP Foundation
Related Courses
Ethical Hacking: Mobile Devices and Platforms (LinkedIn Learning)
Learning Mobile Device Security (LinkedIn Learning)
Supporting Face ID and Touch ID Authentication in iOS Using Swift 5 (Pluralsight)
CNIT 128: Hacking Mobile Devices (CNIT - City College of San Francisco via Independent)
Ethical Hacking: Hacking Mobile Platforms (Pluralsight)