Sebastien Andrivet
Learn the secrets of the iOS platform, how to attack iOS applications and how to correctly implement secure iPhone and iPad apps.
This training starts with a short introduction about security concepts and iOS. It is then highly practical: you will learn how to take the control of your iOS device, how to intercept communications, how to reverse engineer applications and find security defects. Then in the second part of the training, you will learn how to correctly implement secure iOS applications: what are the most common security mistakes and the corresponding solutions. The training concludes with some advanced hacking techniques.
Win an iPad!
All participants will have a chance to win an iPad by participating to a small contest at the end of this training
Requirements
No requirement, except some understanding of computers. In particular, as the training is based on exercises and applications already prepared, no previous knowledge of iOS development is necessary. This training is both for novices and experimented people. Each person will have to bring her or his own laptop under Windows, Mac OS X or Linux. If the participant wants to install the tools on her or his own laptop, Mac OS X 10.7 (Lion) is required. But as most of the training will be done in a virtual environment, it is not mandatory. We will also provide a limited number of iOS devices for participants. You can also choose to bring your own.
Program
Day 1 Morning – Fundamentals
- Key security concepts
- Introduction to OWASP and OWASP for Mobiles
- Overview of some network protocols
- Introduction to cryptography
- Presentation of iPhone and iPad
- Introduction to iOS operating system
- iOS Security Services
- Presentation of development tools
- Anatomy of an iOS native application
- Introduction to the training virtual environment
Day 1 Afternoon – Local Attacks
- Overview of pentesting methodology
- Extraction and decryption of an application from AppStore
- Disassembling, decompilation and reverse engineering
- Studying and attacking artifacts (files, databases, keychains ...)
Days 2 Morning – Remote Attacks
- Interception of communication
- Man-In-The-Middle attacks
- SSL certificates injection
- Web services attacks
- Authentication, authorization, ... attacks
Day 2 Afternoon & Day 3 Morning – Defense
- Introduction to Objective-C, C and C++
- Introduction to CocoaTouch
- Examples of vulnerable applications and development of solution by the students:
* Unsecure file storage
* Databases (SQLite)
* Property lists
* Keychain
* Encryption and protection classes
* ASLR
* Sandboxing
* Embedded navigator
* Memory management
Day 3 Afternoon – Challenge and advanced hacking techniques
- Examples of vulnerable applications and development of solution by the students:
* SSL/TLS
* IPC
* Web services
- Advanced hacking techniques (crack passcodes, keychains, defeat wiping, etc.)
- Challenge: Be the first with a correct answer and win an iPad (iPad wifi black with 64 Go RAM)