Knock Knock: A Survey of iOS Authentication Methods

Presented at ShmooCon XI (2015), Jan. 17, 2015, 11 a.m. (60 minutes).

Almost all "interesting" mobile applications don't exist in a vacuum. They rely on external systems for much of their data, and as such, frequently need a method for identifying and authenticating the application's user to the server. How this happens varies widely.

As part of my day job, I frequently review mobile applications on iOS and so have seen many ways for applications to authenticate to the server -- some good, some great, some OMG awful. In this talk, I'll review some of the common (and not-so-common) techniques I've observed both on apps I've seen at work and just what's running on my own iStuff. I'll talk about what's good and what's bad, and most importantly, why. And finally, I'll try to suggest some general advice that you can follow when designing your own mobile apps, or when reviewing them for your own organization.


Presenters:

  • David Schuetz / Darth Null as David Schuetz (Darth Null)
    David (@DarthNull) is a Senior Consultant with Intrepidus Group (now part of NCC Group), where he performs web and iOS application security testing, iOS research, MDM reverse engineering, and other such fun. He's honored to have spoken at multiple security conferences on topics from rainbow tables to iOS and MDM to puzzle contests.

Similar Presentations: