Presentation: Exploiting Common iOS Apps’ Vulnerabilities

Track: Trust, Safety & Security

Location: Seacliff ABC

Duration: 10:35am - 11:25am

What You’ll Learn

  1. Hear about some of the security vulnerabilities that are exploited in mobile apps.
  2. Learn how to address those vulnerabilities to make the application more secure.

Abstract

Many mobile developers still believe that it's not possible to extract information embedded inside the application bundle. This is not true.

My area of interest is the reverse engineering of mobile apps. In this talk, I'll walk through some of the most common vulnerabilities in iOS apps and show how to exploit them. All of these vulnerabilities have been found in real production apps of companies that have (or don't have) a bug bounty program. This talk is useful for those connected with mobile app development or those who use mobile apps to work with sensitive data.

Question: 

Tell me a bit about your background.

Answer: 

I started about 10 years ago. One day, when I was working for a company that was hired by other companies to develop their apps, we were working on a very secret project for which we had to sign separate NDAs, and it was supposed to be super secret. And then we shipped it. At that time there was no other way to send it to the client; we were in a different state. We published the app and put it behind a log-in screen. Someone managed to download it, reverse engineered the app, and put in a blog some of the things that were happening in the app, some of the secrets, and we had no idea how they did that. How did they reverse engineer it? How do you extract information from a compiled app? And that's when I moved into security and I changed my role into the security side of things, specifically application security. And then I was hired by a company called Shopify as the lead of a team to lead mobile security engineering. And from there I started doing anything that had to do with security.

Question: 

How are you going to address this talk?

Answer: 

I developed my own app that is vulnerable to these four or five vulnerabilities. We're going to see how to attack that specific app. It's not a public app; I developed that one to showcase real-world vulnerabilities. On the side, I work on bug bounty programs. For those that do not know, there are white hat hackers hacking on someone else's systems, apps or something. If you find a vulnerability, you report it to them, and they pay you money. I want to show real vulnerabilities that I found on real-world apps.

Question: 

When you show these vulnerabilities, you also show the fix?

Answer: 

Yeah, and with each of them, there's going to be advice on how to prevent these.

Question: 

Is it specific to iOS or Android too?

Answer: 

I do this specifically on iOS apps because that's what I've focused on the most. It's been easier for me to focus on that.

Question: 

Can you give me an example of one of the vulnerabilities?

Answer: 

The easiest one would be certificates that have private keys. I've found that there is a very common vulnerability around a mobile app where you have a web server that has a public API and might be a third-party vendor. And they provide a certificate with private keys so they can SSH into their servers. And some developer would not put this on their server; they would put it directly in their app and connect directly to the third party. That's a problem. We're going to see how that certificate can be extracted.
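The embedded-certificate problem described in this answer, and the abstract's point that anything inside the bundle can be extracted, are easy to catch on the defender's side before a build ships. The following is an added example, not code from the talk, its slides, or the speaker's tools: a pre-release check that walks an unpacked .ipa (the Payload/<App>.app directory you get after unzipping it) and flags files that carry private key material, whether as a PEM string baked into the executable or as a PKCS#12 keystore shipped as a resource. The bundle it builds for its own demo, including the file names Demo, vendor.p12 and their contents, is constructed here for illustration.

```python
import tempfile
from pathlib import Path

# PEM markers for private keys. Searching file contents, not just names, is
# what catches a key that a developer pasted into source as a string constant.
PEM_PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)

# Extensions that conventionally hold key stores; flagged by name because
# PKCS#12 and Java keystores are binary and carry no PEM text.
KEYSTORE_EXTENSIONS = {".p12", ".pfx", ".pem", ".key", ".jks", ".keystore"}


def parse_der_length(data: bytes, offset: int):
    """Decode a DER length field at offset; return (length, next_offset) or None."""
    if offset >= len(data):
        return None
    first = data[offset]
    if first < 0x80:                      # short form: the byte is the length
        return first, offset + 1
    num_bytes = first & 0x7F              # long form: next num_bytes hold the length
    if num_bytes == 0 or offset + 1 + num_bytes > len(data):
        return None
    length = int.from_bytes(data[offset + 1:offset + 1 + num_bytes], "big")
    return length, offset + 1 + num_bytes


def looks_like_pkcs12(data: bytes) -> bool:
    """Content check for a DER PKCS#12 file: PFX ::= SEQUENCE { version INTEGER 3, ... }."""
    if len(data) < 4 or data[0] != 0x30:  # 0x30 = ASN.1 SEQUENCE tag
        return False
    parsed = parse_der_length(data, 1)
    if parsed is None:
        return False
    _, body = parsed
    return data[body:body + 3] == b"\x02\x01\x03"  # INTEGER, length 1, value 3


def inspect_file(path: Path) -> list:
    """Return the reasons this file looks like key material (empty list if clean)."""
    reasons = []
    if path.suffix.lower() in KEYSTORE_EXTENSIONS:
        reasons.append(f"keystore extension {path.suffix}")
    data = path.read_bytes()  # whole-file read; a real Mach-O would be chunked
    for marker in PEM_PRIVATE_KEY_MARKERS:
        if marker in data:
            reasons.append(marker.decode())
            break
    if looks_like_pkcs12(data):
        reasons.append("PKCS#12 DER structure")
    return reasons


def scan_bundle(root) -> dict:
    """Walk an unpacked bundle; map each suspicious relative path to its reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = inspect_file(path)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_demo_bundle(base) -> Path:
    """Construct a fake unpacked bundle (names and bytes invented for the demo):
    a clean Info.plist, a PEM key baked into the main executable, and a
    PKCS#12 keystore dropped in as a resource."""
    app = Path(base) / "Payload" / "Demo.app"
    app.mkdir(parents=True)
    (app / "Info.plist").write_bytes(b'<plist version="1.0"><dict/></plist>')
    # Fake Mach-O: magic bytes, padding, then the embedded key string.
    (app / "Demo").write_bytes(
        b"\xcf\xfa\xed\xfe" + b"\x00" * 64
        + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
        b"-----END RSA PRIVATE KEY-----\n" + b"\x00" * 16)
    # Minimal PKCS#12 prefix: SEQUENCE (long-form length) { INTEGER 3, ... }.
    (app / "vendor.p12").write_bytes(b"\x30\x82\x10\x00\x02\x01\x03" + b"\x00" * 32)
    return app


def demo() -> dict:
    """Build the constructed bundle in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_demo_bundle(tmp))


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the real Payload/<App>.app directory in a CI step and fail the build on any finding. A .pem that holds only a certificate will be flagged by extension but not by the PEM marker or PKCS#12 check, so the reasons list tells you which hits need a closer look; the fix for a genuine hit is the one the talk points to, keep the private key on a server you control and have the app talk to that server instead of the third party directly.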

Question: 

Are you looking specifically for mobile developers or is it a broader audience that you want to reach?

Answer: 

The idea would be mobile developers, but anyone that could learn something out of this will definitely be welcome. Anyone that is involved in systems architecture or design, or at least the mobile app that is part of that system, might be interested.

Question: 

Will some of the things target the API itself that the mobile app uses, not just the actual code on the device?

Answer: 

The only one that exploits the API is the embedded certificate.

Question: 

What do you want this mobile developer to walk away from your talk with?

Answer: 

Having more ideas on how other people can use their apps to do something that they don't intend to. That's almost the definition of hacking because in the mobile space, at least from my perspective, on the app layer, there are two ways to hack. Someone can gain something out of your app for free. Let's say you have content that is behind a paywall or something. And I can bypass that and just get content free. Or someone can use your app to attack a broader audience, maybe your customers. I want people to understand how they can prevent many of these.

Speaker: Ivan Rodriguez

Software Engineer @Google

Ivan is an application security researcher with a focus on mobile applications. He worked for many years as a mobile developer before changing his career and focusing on application security. Ivan is a Software Engineer at Google by day and a security researcher at night; he has found many vulnerabilities in different mobile applications and reported them through the popular bug bounty platforms HackerOne and Bugcrowd. Ivan tries to give back to the community by sharing most of his findings through blog posts at ivrodriguez.com and open-source tools on his GitHub account.
