Data is stolen; this is no uncommon occurrence. The electronic information age has made the theft of data a very lucrative occupation. Whether it’s phishing scams or large-scale data breaches, criminals stand to benefit greatly from electronic crimes, making their investment well worth the risk. When I say that this occurrence is not uncommon, my goal isn’t to be dismissive, but rather to alarm you. The chances that your company’s applications will be vulnerable to attack are very high. Hackers of the criminal variety have an arsenal of tools at their disposal to reverse engineer, trace, and even manipulate applications in ways that most programmers aren’t aware of. Even many encryption implementations are weak, and a good hacker can penetrate these and other layers that, so many times, present only a false sense of security to the application’s developers.
Take everything hackers collectively know about security vulnerabilities and apply it to a device that is constantly connected to a public network, wrapped up in a form factor that can fit in your pocket and is frequently left at bars. Your company’s applications, and the data they protect, are now subject to simpler forms of theft such as pickpocketing, file copies that can take as little as a few minutes alone with a device, or malicious injection of spyware and rootkits, all of which can be performed as the device’s owner reaches for another drink. One way or another, software on a mobile platform can be easily stolen and later attacked at the criminal’s leisure, sometimes without the device’s owner even knowing, and sometimes without physical access to the device.
This book is designed to demonstrate many of the techniques black hats use to steal data and manipulate software, in an attempt to show you, the developer, how to avoid many all-too-common mistakes that leave your applications exposed to easy attacks. These attacks are not necessarily limited to the theft of data from the device, but can sometimes lead to much more nefarious attacks. In this book, you’ll see an example of how some credit card payment processing applications can be breached, allowing a criminal not only to expose the credit card data stored on the device, but also to manipulate the application to grant him huge credit card refunds for purchases that he didn’t make, paid straight from the merchant’s stolen account. You’ll see many more examples, too, of exploits that have made mobile applications not just a data risk, but downright dangerous to those using them. The reader will also gain an understanding of how these attacks are executed, along with many examples and demonstrations of how to code more securely in ways that won’t leave applications exposed to such attacks.
This book is geared toward iOS developers looking to design secure applications. This is not necessarily limited to government or financial applications, but may also pertain to applications with assets or other features that the developer is looking to protect. You’ll need a solid foundation of Objective-C coding on iOS to understand a majority of this book. A further understanding of C or assembly language will also help, but is not required.
While this book primarily focuses on iOS, much of the material can also be applied directly to the Mac OS X desktop. Given that both platforms share the Objective-C runtime and many of the same tools, you’ll find much of this book can be used to expose vulnerabilities in your company’s desktop applications as well.
This book is split into two halves. The first half discusses hacking and exposes the many vulnerabilities in iOS and iOS applications, while the second half covers techniques to better secure applications.
Chapter 1 explains the core problem with mobile security, and outlines common myths, misconceptions, and overall flaws in many developers’ ways of thinking about security.
Chapter 2 introduces the reader to many techniques of compromising an iOS device, including jailbreaking. The reader will learn how to build and inject custom code into an iOS device using popular jailbreaking techniques and custom RAM disks.
Chapter 3 demonstrates how the filesystem of an iOS device can be stolen in minutes, and how developers can’t rely solely on a manufacturer’s disk encryption. You’ll also learn about some common social engineering practices that secure access to a device without the owner’s knowledge.
Chapter 4 covers the forensic data left by the operating system, and what kind of information one can steal from a device.
Chapter 5 explains how iOS’s keychain encryption and data protection encryption can be defeated, and the inherent problems of each.
Chapter 6 demonstrates how the HFS journal can be scraped for deleted files, and provides examples of how to securely delete files so they cannot be recovered.
Chapter 7 introduces you to tools for spying on and manipulating the runtime environment, and demonstrates how black hat hackers can manipulate your application’s objects, variables, and methods to bypass many layers of security.
Chapter 8 introduces you to tools and approaches for disassembling and debugging your application, injecting malicious code, and performing low-level attacks using a number of techniques.
Chapter 9 illustrates some of the tools used to hijack SSL sessions, and how to protect your application from falling victim to these attacks.
Chapter 10 elaborates on security and describes additional methods to protect your data with proper encryption techniques.
Chapter 11 explains how to help prevent forensic data leakage by designing your application to leave fewer traces of information.
Chapter 12 explains many best practices to increase the complexity needed for an attack on your applications.
Chapter 13 explains techniques used to detect when an application is running on a device jailbroken with some of the popular jailbreaking tools available.
Chapter 14 wraps up the book and explains how important it is to understand and strategize like your adversary.
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
Tip:
This icon signifies a tip, suggestion, or general note.
Warning:
This icon indicates a warning or caution.
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Hacking and Securing iOS Applications by Jonathan Zdziarski. Copyright 2012 Jonathan Zdziarski, (ISBN 9781449318741).”
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.
The technologies discussed in this publication, the limitations on these technologies that the technology and content owners seek to impose, and the laws actually limiting the use of these technologies are constantly changing. Thus, some of the hacks described in this publication may not work, may cause unintended harm to equipment or systems on which they are used, or may be inconsistent with applicable law or user agreements. Your use of these projects is at your own risk, and O’Reilly Media, Inc. disclaims responsibility for any damage or expense resulting from their use. In any event, you should take care that your use of these projects does not violate any applicable laws, including copyright laws.
Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly.
With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features.
O’Reilly Media has uploaded this book to the Safari Books Online service. To have full digital access to this book and others on similar topics from O’Reilly and other publishers, sign up for free at http://my.safaribooksonline.com.
Please address comments and questions concerning this book to the publisher:
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:
To comment or ask technical questions about this book, send email to:
For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.
Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://www.youtube.com/oreillymedia