Introducing idb - Simplified Blackbox iOS App Pentesting

Presented at ShmooCon X (2014), Jan. 19, 2014, noon (60 minutes)

More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this talk, we review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling, as seen in real-world applications. To assist the community in assessing the security risks of mobile apps, we introduce a new tool called 'idb' and show how it can be used to efficiently test for the range of iOS app flaws listed above.

During our presentation, we will explore a number of vulnerability classes. Each class will first be introduced and discussed before we demonstrate how idb improves testing for instances of it. With this we illustrate how apps commonly fail at safeguarding sensitive data, and we show how idb arms security professionals and developers with the means to uncover these flaws from a black-box perspective. Furthermore, we will illustrate how to mitigate each flaw. At the conclusion of this ShmooCon talk, idb will be made open source and released to the public.


Presenters:

  • Daniel Mayer as Daniel A. Mayer
    Daniel is a consultant with Matasano Security. His experience includes penetration testing, cryptographic protocol analysis and design, security research, and system and network administration.
