
Presentation: Exploiting Common iOS Apps’ Vulnerabilities

Track: Trust, Safety & Security

Location: Seacliff ABC

Duration: 10:35am - 11:25am

Day of week: Wednesday

This presentation is now available to view on InfoQ.com

What You’ll Learn

  1. Hear about some of the security vulnerabilities that are exploited in mobile apps.
  2. Learn how to address those vulnerabilities to make the application more secure.

Abstract

Many mobile developers still believe that it is not possible to extract information embedded inside the application bundle. It is.

My area of interest is the reverse engineering of mobile apps. In this talk, I'll walk through some of the most common vulnerabilities in iOS apps and show how to exploit them. All of these vulnerabilities have been found in real production apps of companies that have (or don't have) a bug bounty program. This talk is useful for anyone connected with mobile app development, or anyone who uses mobile apps to work with sensitive data.

Question: 

Tell me a bit about your background.

Answer: 

I started about 10 years ago. One day, when I was working for a company that was hired by other companies to develop their apps, we were working on a very secret project for which we had to sign separate NDAs, and it was supposed to be super secret. And then we shipped it. At that time there was no other way to send it to the client; we were in a different state. We published the app and put it behind a log-in screen. Someone managed to download it, reverse engineered the app, and put in a blog some of the things that were happening in the app, some of the secrets, and we had no idea how they did that. How did they reverse engineer it? How do you extract information from a compiled app? And that's when I moved into security and I changed my role into the security side of things, specifically application security. And then I was hired by a company called Shopify as the lead of a team, to lead mobile security engineering. And from there I started doing anything that had to do with security.

Question: 

How are you going to address this talk?

Answer: 

I developed my own app that is vulnerable to these four or five vulnerabilities. We're gonna see how to attack that specific app. It's not a public app; I developed that one to showcase real world vulnerabilities. On the side, I work on bug bounty programs. For those that do not know, there are white hat hackers, hacking on someone else's systems, apps or something. If you find a vulnerability, you report it to them, and they pay you money. I want to show real vulnerabilities that I found on real world apps.

Question: 

When you show these vulnerabilities, you also show the fix?

Answer: 

Yeah, and with each of them, it's going to be an advice on how to prevent these.

Question: 

Is it specific to iOS or Android too?

Answer: 

I do this specifically on iOS apps because that's what I've focused on the most. It's been easier for me to focus on that.

Question: 

Can you give me an example of one of the vulnerabilities?

Answer: 

The easiest one would be certificates that have private keys. I've found that there is a very common vulnerability around a mobile app where you have a web server that has a public API and might be a third party vendor. And they provide a certificate with private keys so they can SSH into their servers. And some developer would not put this on their server; they would put it directly in their app and connect directly to the third party. That's a problem. We're gonna see how that certificate can be extracted.
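The embedded-key mistake described in that answer is cheap to catch before a build ships. The following pre-release check is an added example, not code from the talk or the speaker: it walks an unpacked .app directory, flags any file that contains a PEM private-key block or carries a key-store extension, and builds its own constructed sample bundle with placeholder files (no real key material) so it runs offline. The marker list and extension set are assumptions about the formats a developer is most likely to drop into a bundle; extend them for your own build.

```python
"""Pre-release scan of an app bundle for embedded private-key material.

Added example for the QCon talk page; not the speaker's code.  Run it against
the unpacked .app produced by your build (e.g. the Payload/ directory of an IPA).
"""
import re
import tempfile
from pathlib import Path

# PEM private-key block headers: PKCS#1, PKCS#8, EC, DSA, OpenSSH, encrypted.
# Assumption: these cover the common formats that end up in bundles by mistake.
PEM_KEY_MARKERS = re.compile(
    rb"-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# Binary key stores are recognised by extension only; .pem is deliberately not
# listed because a PEM file may legitimately hold only a public CA certificate
# (e.g. for pinning), so PEM files are judged by their content instead.
KEYSTORE_EXTENSIONS = {".p12", ".pfx", ".jks", ".key"}


def scan_bundle(root):
    """Walk `root` and return a sorted list of (relative_posix_path, reason)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEYSTORE_EXTENSIONS:
            findings.append((rel, "key-store extension"))
            continue
        try:
            data = path.read_bytes()
        except OSError:
            # Unreadable file: skip rather than abort the whole scan.
            continue
        if PEM_KEY_MARKERS.search(data):
            findings.append((rel, "PEM private key block"))
    return sorted(findings)


def build_sample_bundle(base):
    """Constructed bundle layout for demonstration; contents are placeholders."""
    app = Path(base) / "Example.app"
    (app / "Frameworks").mkdir(parents=True)
    (app / "Info.plist").write_text("<plist/>")
    # Fake PEM block: header and footer only, body is placeholder text.
    (app / "Frameworks" / "vendor_config.txt").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"PLACEHOLDER_NOT_A_REAL_KEY\n"
        b"-----END RSA PRIVATE KEY-----\n"
    )
    # Fake PKCS#12 container, flagged by extension alone.
    (app / "client.p12").write_bytes(b"\x30\x82PLACEHOLDER")
    # Ordinary asset that must not be flagged.
    (app / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return app


def demo():
    """Build the constructed bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    results = demo()
    for rel, reason in results:
        print(f"{rel}: {reason}")
    raise SystemExit(1 if results else 0)
```

Wired into CI as a post-build step, a non-zero exit blocks the release when a key slips into the bundle; the real fix, as the talk says, is to keep the credential on a server the app talks to rather than in the app at all.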

Question: 

Are you looking specifically for mobile developers or is it a broader audience that you want to reach?

Answer: 

The idea would be mobile developers, but anyone that could learn something out of this will definitely be welcome. Anyone that is involved in system architecture or design, or at least the mobile app that is part of that system, might be interested.

Question: 

Will some of the things target the API itself that the mobile app uses, not just the actual code on the device?

Answer: 

The only one that exploits the API is the embedded certificate.

Question: 

What do you want this mobile developer to walk away from your talk with?

Answer: 

Having more ideas on how other people can use their apps to do something that they don't intend to. That's almost the definition of hacking because in the mobile space, at least from my perspective, on the app layer, there are two ways to hack. Someone can gain something out of your app for free. Let's say you have content that is behind a paywall or something. And I can bypass that and just get content free. Or someone can use your app to attack a broader audience, maybe your customers. I want people to understand how they can prevent many of these.

Speaker: Ivan Rodriguez

Software Engineer @Google

Ivan is an application security researcher with a focus on mobile applications. He worked for many years as a mobile developer before changing his career and focusing on application security. Ivan is a Software Engineer at Google by day and a security researcher at night. He has found many vulnerabilities in different mobile applications and reported them through the popular bug bounty platforms HackerOne and Bugcrowd. Ivan tries to give back to the community by sharing most of his findings through blog posts at ivrodriguez.com and open-source tools on his GitHub account.
