AppSec California 2015

Mobile apps are ever more ubiquitous, but their widespread adoption comes at a cost. Seemingly every week, a new vulnerability is discovered that jeopardizes the security and privacy of mobile users. Examples include the popular dating app Tinder (leaked the exact location of its users), the photo messaging app SnapChat (exposed connections between phone numbers and users’ accounts) and CitiMobile (stored sensitive account information without encryption). These vulnerabilities (and many more) were not found by the developers of the applications, but rather by reverse-engineers who took it upon themselves to dissect said applications. 

Unfortunately, at least for iOS applications, reverse-engineering is still viewed by many as somewhat of a black art. This is due to a myriad of reasons; iOS apps are encrypted, written in a difficult-to-reverse-engineer language (Objective-C), and run on a mostly closed-sourced proprietary OS.  

This talk will detail the process of reverse-engineering iOS apps in order to perform security audits and identify common mobile-specific vulnerabilities (e.g. OWASP Mobile Risks). Specifically, the talk will describe how to extract an application’s unencrypted binary code, analyze the ARM disassembly, and identify vulnerabilities that commonly affect iOS apps. Real-life cases from iOS applications in the App Store will be presented to provide a more 'hands-on' feel to the reversing procedure and to show some actual security vulnerabilities.