iOS APPLICATION SECURITY
The Definitive Guide for Hackers and Developers
David Thiel
San Francisco
iOS APPLICATION SECURITY. Copyright 2016 by David Thiel.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
Printed in USA
First printing
20 19 18 17 16 1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-601-X
ISBN-13: 978-1-59327-601-0
Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Garry Booth
Interior Design: Octopod Studios
Developmental Editor: Jennifer Griffith-Delgado
Technical Reviewer: Alban Diquet
Copyeditor: Kim Wimpsett
Compositor: Alison Law
Proofreader: James Fraleigh
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900;
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Thiel, David, 1980- author.
Title: iOS application security : the definitive guide for hackers and
developers / by David Thiel.
Description: San Francisco : No Starch Press, [2016] | Includes index.
Identifiers: LCCN 2015035297| ISBN 9781593276010 | ISBN 159327601X
Subjects: LCSH: Mobile computing--Security measures. | iPhone
(Smartphone)--Mobile apps--Security measures. | iPad (Computer)--Security
measures. | iOS (Electronic resource) | Application software--Development.
| Objective-C (Computer program language)
Classification: LCC QA76.9.A25 T474 2016 | DDC 004--dc23
LC record available at http://lccn.loc.gov/2015035297
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
To whomever I happen to be dating right now.
And to my parents, for attempting to restrict my computer access as a child.
Also cats. They're pretty great.
About the Author
David Thiel has nearly 20 years of computer security experience. Thiel's research and book Mobile Application Security (McGraw-Hill) helped launch the field of iOS application security, and he has presented his work at security conferences like Black Hat and DEF CON. An application security consultant for years at iSEC Partners, Thiel now works for the Internet.org Connectivity Lab.
About the Technical Reviewer
Alban Diquet is a software engineer and security researcher who specializes in security protocols, data privacy, and mobile security, with a focus on iOS. Diquet has released several open source security tools, such as SSLyze, iOS SSL Kill Switch, and TrustKit. Diquet has also presented at various security conferences, including Black Hat, Hack in the Box, and Ruxcon.
CONTENTS IN DETAIL
PART I
IOS FUNDAMENTALS
THE IOS SECURITY MODEL
OBJECTIVE-C FOR THE LAZY
IOS APPLICATION ANATOMY
PART II
SECURITY TESTING
BUILDING YOUR TEST PLATFORM
DEBUGGING WITH LLDB AND FRIENDS
BLACK-BOX TESTING
PART III
SECURITY QUIRKS OF THE COCOA API
IOS NETWORKING
INTERPROCESS COMMUNICATION
IOS-TARGETED WEB APPS
DATA LEAKAGE
LEGACY ISSUES AND BAGGAGE FROM C
INJECTION ATTACKS
PART IV
KEEPING DATA SAFE
ENCRYPTION AND AUTHENTICATION
MOBILE PRIVACY CONCERNS
FOREWORD
Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cell phone, with all that it contains, who is the exception....
Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans the privacies of life.... The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.
Chief Justice John Roberts, Riley v. California (2014)
Few would argue that the smartphone has been, by far, the most impactful technological advance of the 21st century. Since the release of the iPhone in 2007, the number of active smartphones has skyrocketed. As I write this at the end of 2015, there are nearly 3.4 billion in use; that's one for just about half the human population (somewhere over 7.3 billion). Globally, phones have easily eclipsed all other types of computers used to access the Internet, and an entire book could be filled with examples of how near-ubiquitous access is shaping human civilization. Mobile is changing the world, and it has enriched countless lives by bringing widespread access to educational resources, entertainment, and unprecedented economic opportunities. In some parts of the world, mobile connectivity and social networking have even led to the downfall of autocratic regimes and the realignment of societies.
Even the septuagenarians on the US Supreme Court have recognized the power of modern mobile computing, setting new legal precedents with judgments, like Riley v. California quoted above, that recognize that a smartphone is more than just a device: it is a portal into the private aspects of everyone's lives.
Like all technological revolutions, the mobile revolution has its downsides. Our ability to connect with the far side of the world does nothing to improve the way we communicate with those in front of our faces, and mobile has done nothing to eliminate the world's long-established economic disparities. At the same time, as with the enterprise computing, personal computing, and networking revolutions, smartphones have introduced new kinds of potential security flaws, and introduced or reinvented all kinds of security and safety issues.
While the proto-smartphones released prior to 2007 brought us several important technological innovations, it was the subsequent publishing of rich SDKs and the opening of centralized app stores that turned the new mobile computers into platforms for third-party innovation. They also created a whole new generation of developers who now need to adapt the security lessons of the past to a new, uncertain threat landscape.