DescriptionThis class takes a deep dive into techniques for testing the security of iOS apps. Students will learn how to statically and dynamically analyze iOS apps for implementation as well as architectural security defects. After a brief description of the iOS hardware and software security architecture, the class steps through a myriad of security pitfalls made by many developers. Each weakness is described in detail and explored in hands-on labs to enable students to fully understand and internalize the details. The pitfalls covered start with simple problems and escalate steadily to more and more advanced problems, culminating in the use of “Man in the App” attacks against running apps. Using MitA techniques, the apps’ architecture is actively probed and explored via weaknesses in the underlying Objective C run-time environment to look for exploitable weaknesses in client-side security controls. This range of static and dynamic app analysis allows the tester to perform a broad range of security tests on any iOS app target. Requirements: In order to be able to participate in the hands-on exercises, each student will need a laptop computer with a complete iOS development environment (XCode) installed. (Available for free from Apple Computer, Inc.) To perform all exercises including the MitA attacks, a jailbroken iOS device is needed. We recommend using a dedicated test device for the testing.What you will learnA detailed working knowledge of Apple's iOS operating system's security architectureA detailed working knowledge of common iOS app security defectsHow to conduct static analysis of an iOS app to find common security defectsHow to conduct dynamic analysis of an iOS app to find architectural and communications security defectsA fundamental knowledge of how security remediations can be implemented to prevent common security defects in iOS appsMain TopicsIntroduction to the problemPlatform security architectureApplication architectureJailbreakingDynamic analysis of the run-timeBringing it all together