BASHing iOS Applications: dirty, s*xy, cmdline tools for mobile auditors

Presented at AppSec USA 2013, Nov. 20, 2013, noon (50 minutes)

Video of session: https://www.youtube.com/watch?v=Ef_YeULnw1k&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=8

The toolchain for (binary) iOS application assessment is weak BUT, like an island of misfit toys, there can be strength in numbers. Join us as we explore what actually needs to be done in a mobile assessment and how we can do it right from our SSH prompt on our iOS device. Our tool is simple yet effective, and as you learn to do mobile assessments you'll also teach yourself the fundamentals of the OWASP Mobile Top 10. Topics explored will be binary analysis, app decryption, data storage, endpoint parsing, class inspection, file monitoring, and more! Heck, we might even release some sort of ghetto BASH Obj-C source parser!

Presenters:

  • Dawn Isabel - HP ShadowLabs
    Dawn Isabel is currently a Mobile Security Consultant at HP ShadowLabs, where she tests iOS and Android applications and develops in-house tools for static and dynamic analysis of mobile apps. Prior to that, she designed and ran a penetration testing service at the University of Michigan, and developed Python automation for vulnerability management with Nessus. Dawn was team lead of the Computer Incident Response Team (CIRT) at Ford Motor Company and developed global standards for incident response while there, as well as performing penetration tests of internal applications. As an experienced security analyst, Dawn has a background in incident response, penetration testing, and vulnerability management. Her work focuses on mobile and web application penetration testing and developing tools for test automation.
  • Jason Haddix - Head of Penetration Testing - Fortify
    I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website (www.securityaegis.com) that reviews industry training, interviews security professionals, and provides anecdotal/practical advice related to offensive security. I also write articles for security publications and speak at security conferences whenever possible. I am a semi-regular player on the capture the flag team Shellphish, an academic hacking group based out of the University of California, Santa Barbara.
