Swift apps present some challenges for reverse engineering compared to Objective-C apps. The main challenges are that Swift is less dynamic and there is limited tooling available. To analyze Swift apps, one can disassemble the binary and demangle Swift function names using the swift-demangle utility. For apps with Objective-C code as well, the class-dump tool can provide some class information. Runtime inspection using debuggers is also possible but less straightforward than with Objective-C. Overall, while more difficult, many typical reverse engineering tasks can still be performed on Swift apps.
iPhone, the next generation mobile platform has revolutionized the way one uses phones as it's a combination of a phone, an iPod and an internet device. The iPhone is a richer platform for application delivery due to an exponential growth and wide spread usage.
The critical factor, for a successful mobile application is the end user experience: application usability, reliability, and performance which the iPhone delivers in style. There are thousands of applications created by hundreds of developers for the iPhone. This kind of innovation helps you start developing the next generation of innovative mobile applications now.
Topics Covered
* Current State of iPhone Development
* Fast Track to Objective C
* Fast Track to XCode and Interface Builder
* Getting Productive using OR-Framework, Testing, Serialization
Munjal Budhabhatti is a senior solution developer at ThoughtWorks. He possesses over 10 years of experience in designing large-scale enterprise applications and has implemented innovative solutions for some of the largest microfinance, insurance and financial organizations. He loves writing well-designed enterprise applications using Agile processes. His article on "Test-Driven Development and Continuous Integration for Mobile Applications" was recently published in the Microsoft Architecture Journal.
The Basic Over of Swift as a new programming language.
This presentation is general look at Swift, please disregard the fact and references to the Swift scripting language which at the time thought to similar or same.
One of the main reasons Titanium Mobile has been so successful is that the technology has significantly lowered the barrier to entry for native mobile development. A major force behind this is JavaScript, Titanium's primary programming language. The JavaScript programming language is small enough where the basics can be learned in a matter of hours, which has enabled developers from many different backgrounds to become productive using Titanium. But there's much more to JavaScript than just control structures and a handful of primitive data types - JavaScript is a beautiful functional programming language with great features you might not be using.
Most developers working on the web today have had some exposure to JavaScript, but there's a difference between using jQuery for DOM manipulation on a web page and writing an entire application in JavaScript. This talk, intended for beginner or intermediate JavaScript developers, will focus on the essential language features you will need to write professional JavaScript applications, including but not limited to:
Object Oriented Programming in JavaScript
The Good Parts and Bad Parts of JavaScript
Useful JavaScript Patterns, Tricks, and Style Guidelines
The JavaScript runtime in Titanium Mobile
Further Reading and ways to stay up to date on JavaScript
Practices and Tools for Building Better APIsPeter Hendriks
The most important part of well-designed Java code is a nice API. A good API helps developers be more productive and write high-quality code quickly. API design matters for any developer, especially in building larger systems with a team. Modern coding tools such as Eclipse and FindBugs contain advanced tooling to help with designing an API and checking for bad usage. This session demonstrates the latest innovations, including new capabilities in Java 8, by presenting realistic examples based on real experiences in large codebases. They show that just a few Java tricks and simple annotations can make all the difference for building a great API.
iPhone, the next generation mobile platform has revolutionized the way one uses phones as it's a combination of a phone, an iPod and an internet device. The iPhone is a richer platform for application delivery due to an exponential growth and wide spread usage.
The critical factor, for a successful mobile application is the end user experience: application usability, reliability, and performance which the iPhone delivers in style. There are thousands of applications created by hundreds of developers for the iPhone. This kind of innovation helps you start developing the next generation of innovative mobile applications now.
Topics Covered
* Current State of iPhone Development
* Fast Track to Objective C
* Fast Track to XCode and Interface Builder
* Getting Productive using OR-Framework, Testing, Serialization
Munjal Budhabhatti is a senior solution developer at ThoughtWorks. He possesses over 10 years of experience in designing large-scale enterprise applications and has implemented innovative solutions for some of the largest microfinance, insurance and financial organizations. He loves writing well-designed enterprise applications using Agile processes. His article on "Test-Driven Development and Continuous Integration for Mobile Applications" was recently published in the Microsoft Architecture Journal.
The Basic Over of Swift as a new programming language.
This presentation is general look at Swift, please disregard the fact and references to the Swift scripting language which at the time thought to similar or same.
One of the main reasons Titanium Mobile has been so successful is that the technology has significantly lowered the barrier to entry for native mobile development. A major force behind this is JavaScript, Titanium's primary programming language. The JavaScript programming language is small enough where the basics can be learned in a matter of hours, which has enabled developers from many different backgrounds to become productive using Titanium. But there's much more to JavaScript than just control structures and a handful of primitive data types - JavaScript is a beautiful functional programming language with great features you might not be using.
Most developers working on the web today have had some exposure to JavaScript, but there's a difference between using jQuery for DOM manipulation on a web page and writing an entire application in JavaScript. This talk, intended for beginner or intermediate JavaScript developers, will focus on the essential language features you will need to write professional JavaScript applications, including but not limited to:
Object Oriented Programming in JavaScript
The Good Parts and Bad Parts of JavaScript
Useful JavaScript Patterns, Tricks, and Style Guidelines
The JavaScript runtime in Titanium Mobile
Further Reading and ways to stay up to date on JavaScript
Practices and Tools for Building Better APIsPeter Hendriks
The most important part of well-designed Java code is a nice API. A good API helps developers be more productive and write high-quality code quickly. API design matters for any developer, especially in building larger systems with a team. Modern coding tools such as Eclipse and FindBugs contain advanced tooling to help with designing an API and checking for bad usage. This session demonstrates the latest innovations, including new capabilities in Java 8, by presenting realistic examples based on real experiences in large codebases. They show that just a few Java tricks and simple annotations can make all the difference for building a great API.
We've all seen the big "macro" features in .NET, this presentation is to give praise to the "Little Wonders" of .NET -- those little items in the framework that make life as a developer that much easier!
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...Tom Johnson
This is a presentation I gave to the Southwestern Ontario STC chapter on API documentation on Feb 2, 2015. For more details, see my blog at http://idratherbewriting.com. You can listen to the recorded presentation here: http://youtu.be/I8rGe2w1sAo.
API Workshop: Deep dive into code samplesTom Johnson
See http://idratherbewriting.com for more details. This was the third slidedeck I used in my presentation. Most of these slides repeat what I presented as a soap! conference webinar in Poland.
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Joxean Koret
Often, when doing reverse engineering projects, one needs to import symbols from Open Source or "leaked" code bases into IDA databases. What everybody does is to compile to binary, diff and import the matches. However, it's often problematic due to compiler optimizations, flags used, etc... It can be even impossible because old source codes do not compile with newer compilers or, simply, because there is no full source, just partial source code. During the talk, I will discuss algorithms for importing symbols *directly* from C source codes into IDA databases and release a tool (that will run, most likely, on top of Diaphora) for doing so.
API Documentation Workshop tcworld India 2015Tom Johnson
This is a workshop I gave on API documentation at tcworld India 2015. The workshop covers 3 main areas:
- General overview of API documentation
- Deep dive into REST API documentation
- Deep dive into Javadoc documentation
Introduction to the Scala probramming language. The lecture was delivered in Hebrew. You can watch it at http://youtu.be/XBMbRZs7uFE.
More information about the Scala course I deliver can be found at scala.course.lifemichael.com
More information about the Java course I deliver can be found at java.course.lifemichael.com
More information about the PHP course I deliver can be found at php.course.lifemichael.com
More information about the Front End Development course I deliver can be found at fed.course.lifemichael.com
These slides focus on documentation for REST APIs. See http://idratherbewriting.com for more detail. For the video recording, see http://youtu.be/0yfNd7tzH2Q. This deep dive is the second slide deck I used in the presentation.
Showing the best features of C# 9 and 10, including the changes for nullable reference types since C# 8, records with classes and structs, top level statements with the enhancements for file-scoped namespaces, global using directives, and implicit usings, as well as source code generators including the JSON serializer source generator that comes with .NET 6
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)Aniruddha Chakrabarti
Swift has gained widespread popularity in just an year. So much so that Swift have emerged as the de-facto standard programming language for all Apple platforms including iOS, watchOS, tvOS and OS X. Apple also open sources Swift and soon after IBM ported Swift to Linux. Swift incorporates the language innovations that have happened in the last two decades. Swift is a compiled programming language and belongs to the ‘C’ family of languages similar to C++, Java, C#, Objective-C and D. Swift is influenced by dynamic programming languages like Python, Ruby and functional programming languages like Haskell.
Better Swift from the Foundation up #tryswiftnyc17 09-06Carl Brown
Highlights of some useful Swift coding patterns and ways to avoid common sources of bugs and performance issues. These lessons learned are based on examination of Swift CoreLibs Foundation and other Open Source Swift libraries and projects, as he has contributed to helping bring Swift to the Server.
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"Fwdays
It’s easy to underestimate a front-end project's complexity, which leads to shallow and thus incorrect implementation. Attempts to fix this problem result in uncontrolled complexity growth and undefined behavior in corner cases.
We'll discuss ways of revealing the inherent complexity of a problem and dealing with it both on theoretical and practical levels.
We've all seen the big "macro" features in .NET, this presentation is to give praise to the "Little Wonders" of .NET -- those little items in the framework that make life as a developer that much easier!
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...Tom Johnson
This is a presentation I gave to the Southwestern Ontario STC chapter on API documentation on Feb 2, 2015. For more details, see my blog at http://idratherbewriting.com. You can listen to the recorded presentation here: http://youtu.be/I8rGe2w1sAo.
API Workshop: Deep dive into code samplesTom Johnson
See http://idratherbewriting.com for more details. This was the third slidedeck I used in my presentation. Most of these slides repeat what I presented as a soap! conference webinar in Poland.
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Joxean Koret
Often, when doing reverse engineering projects, one needs to import symbols from Open Source or "leaked" code bases into IDA databases. What everybody does is to compile to binary, diff and import the matches. However, it's often problematic due to compiler optimizations, flags used, etc... It can be even impossible because old source codes do not compile with newer compilers or, simply, because there is no full source, just partial source code. During the talk, I will discuss algorithms for importing symbols *directly* from C source codes into IDA databases and release a tool (that will run, most likely, on top of Diaphora) for doing so.
API Documentation Workshop tcworld India 2015Tom Johnson
This is a workshop I gave on API documentation at tcworld India 2015. The workshop covers 3 main areas:
- General overview of API documentation
- Deep dive into REST API documentation
- Deep dive into Javadoc documentation
Introduction to the Scala probramming language. The lecture was delivered in Hebrew. You can watch it at http://youtu.be/XBMbRZs7uFE.
More information about the Scala course I deliver can be found at scala.course.lifemichael.com
More information about the Java course I deliver can be found at java.course.lifemichael.com
More information about the PHP course I deliver can be found at php.course.lifemichael.com
More information about the Front End Development course I deliver can be found at fed.course.lifemichael.com
These slides focus on documentation for REST APIs. See http://idratherbewriting.com for more detail. For the video recording, see http://youtu.be/0yfNd7tzH2Q. This deep dive is the second slide deck I used in the presentation.
Showing the best features of C# 9 and 10, including the changes for nullable reference types since C# 8, records with classes and structs, top level statements with the enhancements for file-scoped namespaces, global using directives, and implicit usings, as well as source code generators including the JSON serializer source generator that comes with .NET 6
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)Aniruddha Chakrabarti
Swift has gained widespread popularity in just an year. So much so that Swift have emerged as the de-facto standard programming language for all Apple platforms including iOS, watchOS, tvOS and OS X. Apple also open sources Swift and soon after IBM ported Swift to Linux. Swift incorporates the language innovations that have happened in the last two decades. Swift is a compiled programming language and belongs to the ‘C’ family of languages similar to C++, Java, C#, Objective-C and D. Swift is influenced by dynamic programming languages like Python, Ruby and functional programming languages like Haskell.
Better Swift from the Foundation up #tryswiftnyc17 09-06Carl Brown
Highlights of some useful Swift coding patterns and ways to avoid common sources of bugs and performance issues. These lessons learned are based on examination of Swift CoreLibs Foundation and other Open Source Swift libraries and projects, as he has contributed to helping bring Swift to the Server.
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"Fwdays
It’s easy to underestimate a front-end project's complexity, which leads to shallow and thus incorrect implementation. Attempts to fix this problem result in uncontrolled complexity growth and undefined behavior in corner cases.
We'll discuss ways of revealing the inherent complexity of a problem and dealing with it both on theoretical and practical levels.
Exploring the power of Gradle in android studio - Basics & BeyondKaushal Dhruw
In this presentation we will explore the official build system of android studio. Gradle. We will discuss about Gradle basics, Gradle Wrapper and its usage in android studio. We will explore the possibilities with gradle by covering beginner and advanced level topics.
What you can expect:
1. Just enough gradle to get started.
2. Creating simple and custom gradle tasks.
3. Gradle in android studio
4. Exploring product flavors
5. Using product flavors to our advantage.
6. facebook's stetho debug bridge and configuration via flavors.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
3. Motivation
• Seeing more and more Swift being used in apps that we test (fan
boys like me tend to adopt new Apple technology quickly)
• Google is even considering using Swift as a first class language
on Android… (http://thenextweb.com/dd/2016/04/07/google-
facebook-uber-swift/)
• Wanted to dive into some of the key differences with Swift and
look at the challenges with respect to Swift app pen testing
• Focus is on “black box” app pen testing - for a deeper dive into
Swift language RE I recommend Ryan Stortz’s talk at Infiltrate
(http://infiltratecon.com/archives/swift_Ryan_Stortz.pdf)
4. How Does Swift Affect Testing?
• Will dive into the detail in the presentation but the
reality is not much in most areas, quite a bit in others?
• Most issues in iOS and OS X apps are due to poor
design decisions or misconfiguration and incorrect
implementation of Apple and third party frameworks
and libraries.
• The main thing that has changed is how you reverse
engineer the application
6. What is Swift?
• Compiled language created by Apple
• Released publicly in 2014 at WWDC and has seen
multiple revisions since.
• Open source with official implementations for iOS,
OS X and Linux.
• Intended to replace Objective-C eventually
11. Types
• All basic C and Objective-C types -> String, Bool,
Int , Float etc.
• Collection Types -> Array, Set, Dictionary
• Optional Types -> works with all types, no more nil
pointers like Objective-C
• Swift is a type safe language
12. Objective-C Compatibility
• Objective-C compatibility and interoperability
• Uses the same runtime environment
• Still supports C and C++ in the same app but
can’t be called from Swift like Objective-C
• Can allow for some dynamic features and
runtime manipulation
13. Other Language Features
• Barely scratched the surface
• Structs, Protocols, Extensions, Closures,
Enumerations, Optionals, Generics, Type Casting,
Access Control, Error Handling, Assertions….
• Automatic Reference Counting
• Unicode…
• var 💩 = 💩 💩 💩 💩 💩 ()
16. Challenges
• Less dynamic than Objective-C
• Less flexible than Objective-C in some areas
• Can make it harder to do some of the standard tasks you
would do on a standard app pen test
• Less of an issue now because most Swift apps will include
be mixed with Objective-C
• Limited tooling
• We will explore this in more detail
17. Challenges
• Rapidly evolving syntax, APIs and features and Apple doesn’t care
too much about breaking changes.
• v1.0 - September 2014
• v1.1 - October 2014
• v1.2 - April 2015
• v2.0 - September 2015 (Open Sourced, Linux)
• v2.2 - March 2016
• v3.0 - Late 2016
18. Reversing Swift Apps
• Two primary reverse engineering activities when
conducting a “black box” pen test
• Dumping and analysing class information
from the binary
• Retrieving information at runtime using
debuggers, function hooking, tracing etc.
20. Class Dump?
• The most common and easiest way to retrieve
class data from an Objective-C binary is the class-
dump utility
• class-dump retrieves class information and formats
to look like the equivalent of an Objective-C
header file
• Usually one of the first things you do when looking
at an app
26. Name Mangling
• Looks promising but it’s a far cry from the output
of class-dump and is kind of hard to make out
• Swift stores metadata about a function in it’s
symbols in the process “mangling” the name.
37. Return Types
a Array
b Boolean
c Unicode Scalar
d Double
f Float
i Integer
u Unsigned Integer
Q Implicitly Unwrapped Optional
S String
38. swift-demangle
• So now we know roughly the way the names are
mangle you could use this to create a script that
“de-mangles” the names
• Apple has already thought of that and includes a
utility called swift-demangle to do just that
40. swift-demangle
• With nm and swift-demangle and some shell
scripting you should be able to easily grab the
function signatures from an app
• Should be all you need to get basically the same
information you would from class-dump to start
assessing the app
41. class-dump-s
• Hacked together script that demangles names and
formats the output to approximate the output of
class-dump
• Written in Swift
• Demo
42. Stripped Binaries
• CAVEAT: If the developer stripped symbols from
the binary then these techniques obviously won’t
work.
• Reverse engineering stripped binaries is a bit
more complicated
43. Objective-C Compatibility
• Part of the reason it’s much easier to get class
information from Objective-C binaries is because
it’s necessary for the Objective-C runtime to have
that info
• So what happens when you import Objective-C
frameworks or use Objective-C in your app?
44. Revisiting Class Dump
• The latest branch of class-dump by Steven Nygard
(the original class-dump utility) has limited support
for Swift.
• Need to download and build from source (no
binary release yet)
• https://github.com/nygard/class-dump
49. Other Options
• Disassemblers (i.e. Hopper, IDA Pro)
• Necessary for lower level insight into the app
• To demangle Swift function names https://
github.com/Januzellij/hopperscripts
55. Hooking Swift Methods
• Certain functions in Swift are inlined and the class
constructor is one of them (which is directly setting
the instance variable)
• So in this case the setter will only be called again
by the top level code.
• If you call from there it works.
56. Hooking Swift Methods
• Changing the instance variable directly (works but
not a good idea probably)
58. Wrap Up
• So not all hope is lost when it comes to your
standard pen test workflows with Swift apps
• A bit more of a pain in the arse if you don’t get
access to the source code
• Most issues in iOS and OS X apps are due to poor
design decisions or misconfiguration and incorrect
implementation of Apple and third party
frameworks and libraries.
59. Next Steps
• Improve the class-dump-s script :)
• Runtime inspection (was going to demo this but ran
out of time :( )
• cycript works but not as straightforward as with
Objective-C
• LLDB works well if you are familiar with it
• Will hopefully write a blog post soon