Presentation: Exploiting Common iOS Apps’ Vulnerabilities
This presentation is now available to view on InfoQ.com
What You’ll Learn
- Hear about some of the security vulnerabilities that are exploited in mobile apps.
- Learn how to address those vulnerabilities to make the application more secure.
Abstract
Many mobile developers still believe that it’s not possible to extract information embedded inside the application bundle. However, that is not true.
My area of interest is the reverse engineering of mobile apps. In this talk, I'll walk through some of the most common vulnerabilities on iOS apps and show how to exploit them. All these vulnerabilities have been found on real production apps of companies that have (or don't have) bug bounty program. This talk is useful for those connected with mobile app development or those who do use mobile apps to work with sensitive data.
Tell me a bit about your background.
I started about 10 years ago. One day, when I was working for a company that was hired by other companies to develop their apps, we were working on a very secret project for which we had to sign separate NDAs, and it was supposed to be super secret. And then we shipped it. At that time there was no other way to send it to the client; we were in a different state. We published the app and put it behind a log-in screen. Someone managed to download it, reverse engineered the app, and put in a blog some of the things that were happening in the app, some of the secrets, and we had no idea how they did that. How did they reverse engineer it? How do you extract information from a compiled app? That's when I moved into security and changed my role to the security side of things, specifically application security. Then I was hired by a company called Shopify as the lead of a mobile security engineering team. From there I started doing anything that had to do with security.
How are you going to address this talk?
I developed my own app that is vulnerable to these four or five vulnerabilities. We're gonna see how to attack that specific app. It's not a public app. I developed that one to showcase real world vulnerabilities. On the side, I work on bug bounty programs. For those that do not know, there are white hat hackers, hacking on someone else's systems, apps or something. If you find a vulnerability, you report it to them, and they pay you money. I want to show real vulnerabilities that I found on real world apps.
When you show these vulnerabilities, you also show the fix?
Yeah, and with each of them, there's going to be advice on how to prevent these.
Is it specific to iOS or Android too?
I do this specifically on iOS apps because that's what I’ve focused on the most. It's been easier for me to focus on that.
Can you give me an example of one of the vulnerabilities?
The easiest one would be certificates that have private keys. I've found that there is a very common vulnerability around a mobile app where you have a web server that has a public API and might be a third party vendor. And they provide a certificate with private keys so they can SSH into their servers. And some developer would not put this on their server, they would put it directly in their app and connect directly to the third party. That's a problem. We're gonna see how that certificate can be extracted.
Are you looking specifically for mobile developers or is it a broader audience that you want to reach?
The idea would be mobile developers, but anyone that could learn something out of this will definitely be welcome. Anyone that is involved in systems architecture or design, or at least the mobile app that is part of that system, might be interested.
Will some of the things target the API itself that the mobile app uses, not just the actual code on the device?
The only one that exploits the API is the embedded certificate.
What do you want this mobile developer to walk away from your talk with?
Having more ideas on how other people can use their apps to do something that they don't intend. That's almost the definition of hacking, because in the mobile space, at least from my perspective, on the app layer, there are two ways to hack. Someone can gain something out of your app for free. Let's say you have content that is behind a paywall or something, and I can bypass that and just get the content for free. Or someone can use your app to attack a broader audience, maybe your customers. I want people to understand how they can prevent many of these.
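The first vulnerability the speaker describes is a third-party certificate shipped together with its private key inside the app bundle. As an added illustration (not code from the talk or the speaker), here is a build-time check a defender can run against a compiled .app directory before it is submitted; the Demo.app name, file names and key contents are constructed placeholders.

```python
"""Scan a built iOS .app bundle for embedded credential material.

Added example, not from the talk: walks a bundle directory and flags
PEM private-key blocks, PEM certificates and DER/PKCS#12 files, so a
server-side credential never ships inside an App Store build.
"""
import os
import re
import tempfile

# Markers for private key material and bundled credential files.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----")
PEM_CERTIFICATE = re.compile(rb"-----BEGIN CERTIFICATE-----")
CREDENTIAL_EXTENSIONS = {".p12", ".pfx", ".pem", ".key", ".der", ".cer", ".crt"}
DER_SEQUENCE_MAGIC = b"\x30\x82"  # DER SEQUENCE with 2-byte length, typical of .p12/.der


def scan_bundle(bundle_dir):
    """Return a sorted list of (relative_path, reason) for suspicious files."""
    findings = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir)
            with open(path, "rb") as fh:
                data = fh.read()
            ext = os.path.splitext(name)[1].lower()
            if PEM_PRIVATE_KEY.search(data):
                findings.append((rel, "PEM private key block"))
            elif PEM_CERTIFICATE.search(data):
                findings.append((rel, "PEM certificate"))
            elif ext in CREDENTIAL_EXTENSIONS and data.startswith(DER_SEQUENCE_MAGIC):
                findings.append((rel, "DER/PKCS#12 credential file"))
            elif ext in CREDENTIAL_EXTENSIONS:
                findings.append((rel, "credential-type file extension"))
    return sorted(findings)


def build_sample_bundle():
    """Construct a fake Demo.app with placeholder credentials and a clean plist."""
    app = os.path.join(tempfile.mkdtemp(), "Demo.app")
    os.makedirs(os.path.join(app, "Resources"))
    with open(os.path.join(app, "Resources", "vendor.pem"), "wb") as fh:
        # Constructed placeholder text, not a real key.
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(app, "Resources", "partner.p12"), "wb") as fh:
        fh.write(b"\x30\x82\x01\x00" + b"\x00" * 16)  # constructed DER-like header
    with open(os.path.join(app, "Info.plist"), "wb") as fh:
        fh.write(b'<plist version="1.0"><dict/></plist>\n')
    return app


if __name__ == "__main__":
    for rel, reason in scan_bundle(build_sample_bundle()):
        print(f"{reason}: {rel}")
```

Pointing `scan_bundle` at the real `.app` directory produced by `xcodebuild` and failing the CI job on any finding is the intended use.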