Archive for the ‘Apple’ Category

iSecPartners – Auditing high-value applications cheat-sheet

July 22, 2014

iSecPartners has released on GitHub a “cheat-sheet” for auditing high-value applications. It’s well worth a read.

This list is intended to be a list of additional or more technical things to look for when auditing extremely high value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a Stock Trading Application), societal issues that could open users to physical harassment (such as a Gay Dating Application), or technologies designed to be used by journalists operating inside repressive countries.

It is an advanced list – meaning entry level issues such as application logic bypasses, common web vulnerabilities such as XSS and SQLi, or lower level vulnerabilities such as memory corruption are explicitly not covered. It is assumed that the reader is aware of these and similar vulnerabilities and is well trained in their search, exploitation, and remediation.

A good example of the type of analysis to strive for can be shown in Jacob Appelbaum’s analysis of UltraSurf: https://media.torproject.org/misc/2012-04-16-ultrasurf-analysis.pdf

Free Online CTF and Penetration Testing Course

June 14, 2014

Trail of Bits is offering a free online CTF and penetration testing course. Lots of great material from a well-respected organization.

[link] “iOS Assembly Tutorial: Understanding ARM”

January 8, 2014

Here’s a very well written post by Matt Galloway…this one is about ARM assembly.

When you write Objective-C code, it eventually turns into machine code – the raw 1s and 0s that the ARM CPU understands. In between Objective-C code and machine code, though, is the still human-readable assembly language.

Understanding assembly gives you insight into your code for debugging and optimizing, helps you decipher the Objective-C runtime, and also satisfies that inner nerd curiosity.

In this iOS assembly tutorial, you’ll learn:

  • What assembly is – and why you should care about it.
  • How to read assembly – in particular, the assembly generated for Objective-C methods.
  • How to use the assembly view while debugging – useful to see what is going on and why a bug or crash has occurred.

Categories: Apple, Disassembly, Tech

[link] “iOS App Security and Analysis”

January 6, 2014

A well written article/tutorial on performing iOS application and security analysis by Ray Wenderlich.

In this two-part tutorial, you will be taking on the role of a penetration tester, evaluating your iOS app security to identify vulnerabilities. The goal of this tutorial’s unique teaching perspective is not to turn you into a hacker – it is rather to make you more security-conscious by showing common methods attackers use to circumvent your application’s logic and retrieve important user data.

Categories: Apple, Tech

[video] Securing a Large Global Mac Fleet

November 24, 2013

https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet

OS X security is evolving: defenses are improving with each OS release but the days of “Macs don’t get malware” are gone. Recent attacks against the Java Web plugin have kindled a lot of interest in hardening and managing Macs. So how does Google go about defending a large global Mac fleet? Greg will discuss various hardening tweaks and a range of OS X defensive technologies including XProtect, Gatekeeper, FileVault 2, sandboxing, auditd, and mitigations for Java and Flash vulns.

A former pentester, incident responder, and forensic analyst, Greg Castle has been responsible for the security of Google’s OS X fleet for a couple of years, working closely with the Google MacOps team to harden and protect Google’s global Mac fleet. He is now working in Google’s incident response team on the GRR Rapid Response project: Google’s open source incident response framework.

Categories: Apple, Tech

CompTIA Mobile App Security+

October 19, 2013

Well, I passed the CompTIA Mobile App Security+ certification exam! I found the test to be challenging and comprehensive in its coverage of iOS mobile security.

If you are planning on taking the iOS version of the exam, I’d highly suggest reviewing Jonathan Zdziarski’s Hacking and Securing iOS Applications. Note that this book focuses on iOS5, but much of the material directly applies to iOS6 and iOS7 as well.

The Mobile App Security+ exams will test a candidate’s knowledge and skill regarding:

  • Security principles, secure development life cycles, and threat models
  • Security features of software development kits and APIs
  • Service and network security
  • Data security and implementing encryption
  • Application hardening and reverse engineering
  • Secure coding practices

Categories: Apple, Tech

Secure Coding Guide from Apple

September 13, 2013

[PDF] Secure Coding Guide

Secure coding is the practice of writing programs that are resistant to attack by malicious or mischievous people or programs. Secure coding helps protect a user’s data from theft or corruption. In addition, an insecure program can provide access for an attacker to take control of a server or a user’s computer, resulting in anything from a denial of service to a single user to the compromise of secrets, loss of service, or damage to the systems of thousands of users.

Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you should be familiar with the information in this document.

Categories: Apple, Linux, Programming, Tech

Monitor a folder for filesystem changes on iOS

August 10, 2013

iOS developers can use GCD (Grand Central Dispatch) to monitor a folder for changes.

There is no notification to be gotten if the user adds or removes files to your app’s documents folder. The only way to update your list of files in that case is to monitor the folder for changes. There are several different approaches to achieve this, the traditional one being the File System Events API.

But since iOS 4 – together with GCD – Apple added a simpler method for monitoring a vnode, dispatch sources.

If you’re on a jailbroken device and want to monitor all filesystem changes, check out filemon for iOS.

Categories: Apple, Tech

NSHipster

July 2, 2013

NSHipster is a great resource for learning Objective-C.

NSHipster is a journal of the overlooked bits in Objective-C and Cocoa. Updated weekly.

Categories: Apple, Tech

iGoat

June 18, 2013

https://www.owasp.org/index.php/OWASP_iGoat_Project

This is pretty cool. Requires access to OS X and Xcode to use.

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don’t know how to fix a specific problem.

iGoat is free software, released under the GPLv3 license.

iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/

Categories: Apple, Obj-C, Programming, Tech