Uploaded byit-tour
PPTX, PDF357 views

iOS Development - Tips & Tricks

This document summarizes an iOS development tips and tricks presentation. It discusses why iOS development is challenging due to hardware limitations and usability requirements. It also covers iOS security best practices, including encrypting local storage, using SSL for server communication, and checking for debuggers to prevent runtime manipulation. The presentation provides code examples for implementing these security techniques.

Embed presentation

Download to read offline
iOS Development - Tips & Tricks iOS Development - Tips & Tricks Software Development Lead - iOS Galin Kardzhilov Software Development Manager - iOS Stefan Tsvyatkov
iOS Development - Tips & Tricks Agenda Why iOS Some challenges iOS Security
iOS Development - Tips & Tricks About Me Started with
iOS Development - Tips & Tricks About Me
iOS Development - Tips & Tricks Why iOS? -(NSString *)generateReasonsWhyiOS { NSMutableString *reasons = [[NSMutableString alloc] init]; [reasons appendString:@"It's new"]; [reasons appendString:@"It's challenging"]; [reasons appendString:@"It compiles to native"]; [reasons appendString:@"You have to deal with hardware limitations"]; [reasons appendString:@"You have to provide responsiveness"]; [reasons appendString:@"You have to provide usability"]; [reasons appendString:@"You have to provide security"]; [reasons appendString:@"0ften craftsmanship is required"]; [reasons appendString:@"Your code runs into people's pockets"]; return reasons; }
iOS Development - Tips & Tricks Table view Background image Custom drawn cells … flipped
iOS Development - Tips & Tricks
iOS Development - Tips & Tricks Scroll View Custom View
iOS Development - Tips & Tricks
iOS Development - Tips & Tricks Security in iOS Local Storage Communication with the server Binary analysis and manipulation
iOS Development - Tips & Tricks Local Storage Security NSUserDefaults Convenient Not encrypted by default Keeps the data in a plist file CoreData Not encrypted by default Keeps the data in sqlite db
iOS Development - Tips & Tricks Local Storage Security Keychain Access Encrypted by default A bit more complex for use Insecure on jailbroken devices Data encryption Crypto API Obfuscate the encryption key Use unique device information String constant [[UIDevice currentDevice] identifierForVendor] Custom algorithm Secure encryption key
iOS Development - Tips & Tricks Server Communication Security Use SSL Don’t accept self-signed certificates Client and server side data validation
iOS Development - Tips & Tricks Runtime Manipulation #import "AppDelegate.h" #import "ptrace.h" int main(int argc, char * argv[]) { #ifndef DEBUG ptrace(PT_DENY_ATTACH, 0, 0, 0); #endif @autoreleasepool { return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); } } ptrace Deny a debugger to attach Can be patched from binary Put it in multiple places
iOS Development - Tips & Tricks SEC_IS_BEING_DEBUGGED_RETURN_NIL () Check if a debugger is attached Hard to be patched from binary Make the check regularly and in critical parts Doesn’t work against Cycript Runtime Manipulation #ifndef DEBUG SEC_IS_BEING_DEBUGGED_RETURN_NIL(); #endif
iOS Development - Tips & Tricks Conclusion Keychain Access for storing SSL for transporting Check for debuggers 100% security does not exist
iOS Development - Tips & Tricks Thank you! Galin Kardzhilov @gravera Stefan Tsvyatkov @stsvyatkov

More Related Content

PDF
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
byAkeyless
 
PDF
iOS development - tips & tricks
byStefan Tsvyatkov
 
PDF
Streamline CI/CD with Just-in-Time Access
byAkeyless
 
PPTX
Moby and kubernetes entitlements
byMoby Project
 
PDF
Storage Visibility for Operations - A Ceph Story
byDebojyoti Dutta
 
PDF
Building Automated Infrastructure Policy and Trust Systems
byAndres Vega
 
PPT
Wordpress Security Tips
byLalit Nama
 
PDF
No, wait, not that way! - Real-world lessons from an OBIA 11g implementation
byjpiwowar
 
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
byAkeyless
 
iOS development - tips & tricks
byStefan Tsvyatkov
 
Streamline CI/CD with Just-in-Time Access
byAkeyless
 
Moby and kubernetes entitlements
byMoby Project
 
Storage Visibility for Operations - A Ceph Story
byDebojyoti Dutta
 
Building Automated Infrastructure Policy and Trust Systems
byAndres Vega
 
Wordpress Security Tips
byLalit Nama
 
No, wait, not that way! - Real-world lessons from an OBIA 11g implementation
byjpiwowar
 

Viewers also liked

PDF
10 good reasons to invest your time in FP
byJoel Corrêa
 
PPTX
Simple past tense
byNur Ashikin Mohd Sa'ay
 
PPTX
PRESENTATION
byบีเวอร์ อยากมียูเอฟโอ
 
PDF
Do lidar bulletin_2070
bySam Ranjit
 
PDF
Humrich shane ignite_slideshow
byShane Humrich
 
PDF
Evolucion de la empresa en colombia (1)
byRuben Castellanos Sanchez
 
PDF
Lift web framework
byJoel Corrêa
 
PPTX
Ooad presentation
byJoel Corrêa
 
PPTX
Social class dialects
byNur Ashikin Mohd Sa'ay
 
PPT
Book review To Kill A Mockingbird
byNur Ashikin Mohd Sa'ay
 
PDF
Real world Python+django
byJoel Corrêa
 
PPTX
Concurrent paradigms - Paralelism approaches
byJoel Corrêa
 
PDF
The pragmatic programmer
byJoel Corrêa
 
PDF
Zippers presentation
byJoel Corrêa
 
PDF
LXC outline
byJoel Corrêa
 
PDF
GraphQL
byJoel Corrêa
 
PPT
Task based language teaching
byNur Ashikin Mohd Sa'ay
 
PPTX
The grammar translation method
byNur Ashikin Mohd Sa'ay
 
10 good reasons to invest your time in FP
byJoel Corrêa
 
Simple past tense
byNur Ashikin Mohd Sa'ay
 
PRESENTATION
byบีเวอร์ อยากมียูเอฟโอ
 
Do lidar bulletin_2070
bySam Ranjit
 
Humrich shane ignite_slideshow
byShane Humrich
 
Evolucion de la empresa en colombia (1)
byRuben Castellanos Sanchez
 
Lift web framework
byJoel Corrêa
 
Ooad presentation
byJoel Corrêa
 
Social class dialects
byNur Ashikin Mohd Sa'ay
 
Book review To Kill A Mockingbird
byNur Ashikin Mohd Sa'ay
 
Real world Python+django
byJoel Corrêa
 
Concurrent paradigms - Paralelism approaches
byJoel Corrêa
 
The pragmatic programmer
byJoel Corrêa
 
Zippers presentation
byJoel Corrêa
 
LXC outline
byJoel Corrêa
 
GraphQL
byJoel Corrêa
 
Task based language teaching
byNur Ashikin Mohd Sa'ay
 
The grammar translation method
byNur Ashikin Mohd Sa'ay
 

Similar to iOS Development - Tips & Tricks

PDF
CocoaConf Austin 2014 | Demystifying Security Best Practices
byMutual Mobile
 
PDF
iOS (Vulner)ability
bySubho Halder
 
PPT
iOS Application Penetration Testing for Beginners
byRyanISI
 
PPTX
Hacking & Securing of iOS Apps by Saurabh Mishra
byOWASP Delhi
 
PDF
iOS Application Security
byEgor Tolstoy
 
PDF
iOS Application Penetation Test
byJongWon Kim
 
PPT
iOS Application Pentesting
byn|u - The Open Security Community
 
PPTX
iOS Application Exploitation
byPositive Hack Days
 
PDF
Hacking and Securing iOS Applications
byn|u - The Open Security Community
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
PPTX
Pentesting iOS Applications
byjasonhaddix
 
PDF
Ios 4 Programming Cookbook Solutions Examples For Iphone Ipad And Ipod Touch ...
byheddaraduson
 
PPTX
iPhone Workshop Mobile Monday Ahmedabad
bymomoahmedabad
 
PDF
Learning the iPhone SDK for JavaScript Programmers Create Native Apps with Ob...
bymatbarnargis59
 
PPTX
iOS Beginners Lesson 3
byCalvin Cheng
 
PDF
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
PDF
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
bySeth Law
 
PDF
Programming iOS 5 2nd Edition Matt Neuburg
bysaertahai
 
PDF
Learning the iOS 4 SDK for JavaScript Programmers Create Native Apps with Obj...
bythoramenzab0
 
CocoaConf Austin 2014 | Demystifying Security Best Practices
byMutual Mobile
 
iOS (Vulner)ability
bySubho Halder
 
iOS Application Penetration Testing for Beginners
byRyanISI
 
Hacking & Securing of iOS Apps by Saurabh Mishra
byOWASP Delhi
 
iOS Application Security
byEgor Tolstoy
 
iOS Application Penetation Test
byJongWon Kim
 
iOS Application Pentesting
byn|u - The Open Security Community
 
iOS Application Exploitation
byPositive Hack Days
 
Hacking and Securing iOS Applications
byn|u - The Open Security Community
 
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
Pentesting iOS Applications
byjasonhaddix
 
Ios 4 Programming Cookbook Solutions Examples For Iphone Ipad And Ipod Touch ...
byheddaraduson
 
iPhone Workshop Mobile Monday Ahmedabad
bymomoahmedabad
 
Learning the iPhone SDK for JavaScript Programmers Create Native Apps with Ob...
bymatbarnargis59
 
iOS Beginners Lesson 3
byCalvin Cheng
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
bySeth Law
 
Programming iOS 5 2nd Edition Matt Neuburg
bysaertahai
 
Learning the iOS 4 SDK for JavaScript Programmers Create Native Apps with Obj...
bythoramenzab0
 

Recently uploaded

PDF
final.pdf
byomarbishtawi04
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
final.pdf
byomarbishtawi04
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
apidays New York 2025 | AI in Application Security
byapidays
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 

iOS Development - Tips & Tricks

  • 1.
    iOS Development -Tips & Tricks iOS Development - Tips & Tricks Software Development Lead - iOS Galin Kardzhilov Software Development Manager - iOS Stefan Tsvyatkov
  • 2.
    iOS Development -Tips & Tricks Agenda Why iOS Some challenges iOS Security
  • 3.
    iOS Development -Tips & Tricks About Me Started with
  • 4.
    iOS Development -Tips & Tricks About Me
  • 5.
    iOS Development -Tips & Tricks Why iOS? -(NSString *)generateReasonsWhyiOS { NSMutableString *reasons = [[NSMutableString alloc] init]; [reasons appendString:@"It's new"]; [reasons appendString:@"It's challenging"]; [reasons appendString:@"It compiles to native"]; [reasons appendString:@"You have to deal with hardware limitations"]; [reasons appendString:@"You have to provide responsiveness"]; [reasons appendString:@"You have to provide usability"]; [reasons appendString:@"You have to provide security"]; [reasons appendString:@"0ften craftsmanship is required"]; [reasons appendString:@"Your code runs into people's pockets"]; return reasons; }
  • 6.
    iOS Development -Tips & Tricks Table view Background image Custom drawn cells … flipped
  • 7.
    iOS Development -Tips & Tricks
  • 8.
    iOS Development -Tips & Tricks Scroll View Custom View
  • 9.
    iOS Development -Tips & Tricks
  • 10.
    iOS Development -Tips & Tricks Security in iOS Local Storage Communication with the server Binary analysis and manipulation
  • 11.
    iOS Development -Tips & Tricks Local Storage Security NSUserDefaults Convenient Not encrypted by default Keeps the data in a plist file CoreData Not encrypted by default Keeps the data in sqlite db
  • 12.
    iOS Development -Tips & Tricks Local Storage Security Keychain Access Encrypted by default A bit more complex for use Insecure on jailbroken devices Data encryption Crypto API Obfuscate the encryption key Use unique device information String constant [[UIDevice currentDevice] identifierForVendor] Custom algorithm Secure encryption key
  • 13.
    iOS Development -Tips & Tricks Server Communication Security Use SSL Don’t accept self-signed certificates Client and server side data validation
  • 14.
    iOS Development -Tips & Tricks Runtime Manipulation #import "AppDelegate.h" #import "ptrace.h" int main(int argc, char * argv[]) { #ifndef DEBUG ptrace(PT_DENY_ATTACH, 0, 0, 0); #endif @autoreleasepool { return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); } } ptrace Deny a debugger to attach Can be patched from binary Put it in multiple places
  • 15.
    iOS Development -Tips & Tricks SEC_IS_BEING_DEBUGGED_RETURN_NIL () Check if a debugger is attached Hard to be patched from binary Make the check regularly and in critical parts Doesn’t work against Cycript Runtime Manipulation #ifndef DEBUG SEC_IS_BEING_DEBUGGED_RETURN_NIL(); #endif
  • 16.
    iOS Development -Tips & Tricks Conclusion Keychain Access for storing SSL for transporting Check for debuggers 100% security does not exist
  • 17.
    iOS Development -Tips & Tricks Thank you! Galin Kardzhilov @gravera Stefan Tsvyatkov @stsvyatkov

Editor's Notes

  • #11 Здравейте. Аз съм Стефан Цвятков - iOS Development Manager в МенторМейт. Ще продължа темата с няколко съвета как да подобрим сигурността в iOS приложенията. Тъй като това е твърде обширна тема дори и за часове, а ние имаме минути, днес ще засегна само основите. Най-уязвимите места в едно приложение са мястото, където съхраняваме данните, комуникацията със сървъра и самото байнъри. Това и са нещата, чиято защита ще разгледаме.
  • #12 Започваме със съхранението на данни в мобилното устройство. Често ни се налага да записваме потребителски имена, сешън токъни и дори пароли локално в приложението. Например когато имплементираме офлайн логин за различни потребили в едно устройство. Най-удобният начин за записване на информация е NSUserDefaults. Използва се лесно - съхраняваме и четем данни с един ред код. Нека видим обаче колко сигурен е този подход. NSUserDefaults съхранява данните в plist файл, който съдържа плйейн текст списък от кий-велю записи. В интернет има голям избор от приложения, които инсталирани на компютър със свързано мобилно устройство, показват данните от всяко инсталирано приложение. Аз например използвам DiskAid. Тук съм отворил съдържанието на едно от приложенията, които разработваме и както виждате имам списък с файловете в него. Дори съм отворил плист файла, който съхранява данните на NSUserDefaults. Понеже приложението е написано качествено, тук не виждаме данни, които изглеждат важни. Нека разглеждаме друго популярно място за съхранение на данни - CoreData. Обикновено тук се съхраняват данни, които имат по-сложна структура и по-голям обем. Използването е малко по-трудоемко понеже трябва да си създадем дейта модел и да си имплементираме основните методи, нужни за CoreData имплементацията. Но нас пак ни интересува по-скоро колко сигурен е този метод. CoreData, подобно на NSUserDefaults, съхранява инфорамацията във файл в бъндъла на приложението. Това файл преставлява sqllite database. За да видя данните, аз просто трябва да намеря програма, която отваря sqlite файлове - такива колкото искаш в интернет. Дори файърфокс може да го направи. До какъв извод стигаме - най-популярните места за съхранение на данни са с много ниска степен на сигурност.
  • #13 И сега правилния начин за съхранение -