The document discusses iOS security best practices. It warns against storing sensitive data like crypto keys or API keys in insecure locations like NSUserDefaults, the Info.plist file, or hardcoded in code. Instead, it recommends storing critical data in the keychain which is encrypted or handling it server-side if possible. It also cautions that simply encrypting or encoding data locally may not prevent attacks and that important logic should be checked server-side rather than in the app alone.

1. iOS Security
Bruno Rocha
iOS Developer @ Movile

2. 🙂
😡 😡 😡 😡 😡
Bad people

3. Crypto keys in
NSUserDefaults/Keychain
Secret API Keys in the
Info.plist or hardcoded
CoreData/SQLite with
sensitive data
var isSubscribed: Bool

4. NSUserDefaults - Documents folder, not encrypted
CoreData - Documents folder, not encrypted
Info.plist - Exposed in your .ipa/.app
Keychain - Encrypted, but exploitable
NSKeyedArchiver - A plist in hex format

7. var isSubscribed: Bool {
let subscription = getSubscription()
return subscription.isExpired == false
}
var swizzled__isSubscribed: Bool {
return true
}

9. Demo 1: Insecure Data Storages

10. Protecting apps from Storage Attacks
• Encrypt/Encode data before saving/
hardcoding (Careful! This will not
prevent attacks, only slow them down.)
• Treat critical data (like secret API keys)
server-side if possible
• Open Source “String obfuscation" libs:
Hackers have Google too.

11. Demo 2: Runtime Manipulation

12. Protecting apps from Runtime Manipulation
Important logic should be treated/
checked server-side! (eg: API Tokens)

13. Protecting apps from Runtime Manipulation

14. Protecting apps from Runtime Manipulation

15. What about the real world?