This talk demonstrates how modern financial applications, password and credit card managers, and other applications handling sensitive data are attacked on the iOS platform, and how they are sometimes breached all too easily, in a matter of seconds. Attendees will learn how iOS applications are infected, how low-level classes and objects are manipulated and abused, how logic checks are bypassed, and other dark techniques used to steal data.
The electronic information age has made the theft of data a very lucrative occupation. Criminals stand to benefit greatly from electronic crimes, making their investment well worth the risk. The chances that your applications will be vulnerable to attack are very high. Due to a number of common vulnerabilities in the iOS monoculture, attackers can easily reverse engineer, trace, and manipulate applications in ways that even most iOS developers aren't aware of. Many encryption implementations are weak as well, and a skilled attacker can penetrate these and other layers that too often provide only a false sense of security to the application's developers.
This talk is designed to demonstrate many of the techniques black hats use to steal data and manipulate software, so that developers better understand the fight they're up against, and hopefully learn how to avoid the all-too-common mistakes that leave applications exposed to easy attacks. These attacks are not necessarily limited to the theft of data from the device, but can sometimes lead to much more nefarious attacks. The audience will also learn about some techniques to better secure applications, such as anti-debugging techniques, attack response, implementing better encryption, etc.
In this talk, the audience will see an example of how some credit card payment processing applications have been breached, allowing a criminal not only to expose the credit card data stored on the device, but also to manipulate the application into granting him large credit card refunds for purchases he didn't make, paid straight from the merchant's stolen account. You'll also see many more examples of exploits that put data at risk, in password and credit card managers and other applications. Attendees will gain a basic understanding of how these attacks are executed, and see many examples and demonstrations of how to code more securely in ways that won't leave applications exposed to such attacks.
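As an added illustration of the "anti-debugging techniques" the abstract lists among the defences, the following is example code written for this page; it is not the speaker's code, nor viaForensics' code. On iOS and macOS the kernel sets P_TRACED in the process's kinfo_proc while a debugger is attached, which the process can read back through sysctl(KERN_PROC); the Linux equivalent is the TracerPid field of /proc/self/status, and that parser is exercised here against constructed status text so the logic can be checked without a debugger attached. The function names and sample text are assumptions made for this example.

```c
/*
 * Added example of debugger detection (not the speaker's code).
 * - iOS/macOS: sysctl(KERN_PROC) and the P_TRACED flag.
 * - Linux: TracerPid in /proc/self/status, parsed from constructed text.
 * Function names and the sample status text are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>

/* Ask the kernel for our own kinfo_proc and test P_TRACED.
 * Returns 1 if a debugger is attached, 0 if not, -1 if sysctl failed. */
int debugger_attached_sysctl(void)
{
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, (int)getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);

    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}
#endif

/* Linux: TracerPid in /proc/<pid>/status is the pid of the tracing process,
 * or 0 when nothing is attached. Split out so it runs on constructed text.
 * Returns the tracer pid, or -1 if the field is missing. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL)
        return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t')
        p++;
    return strtol(p, NULL, 10);
}

/* Read the live /proc/self/status. Returns 1/0/-1 like the sysctl variant. */
int debugger_attached_procfs(void)
{
    char buf[4096];
    size_t n;
    long tracer;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    tracer = tracer_pid_from_status(buf);
    if (tracer < 0)
        return -1;
    return tracer > 0;
}

/* Constructed sample of /proc/<pid>/status with a debugger (pid 4242) attached. */
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tpayments\n"
    "State:\tt (tracing stop)\n"
    "Pid:\t1337\n"
    "TracerPid:\t4242\n"
    "Uid:\t501\t501\t501\t501\n";

/* Constructed sample of the same process with no debugger. */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tpayments\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1337\n"
    "TracerPid:\t0\n"
    "Uid:\t501\t501\t501\t501\n";

/* Combine whatever checks this platform offers. Returns 1 if any check
 * reports a debugger, 0 if a check ran and found none, -1 if none could run. */
int debugger_attached(void)
{
    int result = -1;
    int procfs;
#ifdef __APPLE__
    result = debugger_attached_sysctl();
    if (result == 1)
        return 1;
#endif
    procfs = debugger_attached_procfs();
    if (procfs == 1)
        return 1;
    if (procfs == 0 || result == 0)
        return 0;
    return -1;
}

int main(void)
{
    printf("constructed traced sample -> tracer pid %ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    printf("constructed clean sample  -> tracer pid %ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_CLEAN));
    printf("this process              -> %d\n", debugger_attached());
    return 0;
}
```

Two caveats a practitioner would want: on a jailbroken device the attacker controls the process and can hook sysctl or patch the comparison out of the binary, so a check like this is one layer that raises the cost of analysis rather than a guarantee; and the response to a positive result should be quiet (degrade, refuse to decrypt, report home) rather than an obvious crash that hands the attacker a breakpoint to look for.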
Jonathan is Sr. Forensic Scientist for viaForensics, a Chicago-based consulting firm where, among other things, he performs research and development and penetration testing of iOS applications for corporate clients. Jonathan gets paid, in part, to hack things for a living. Jonathan Zdziarski is better known as the hacker "NerveGas" in the iPhone development community. His work in cracking the iPhone helped lead the effort to port the first open source applications, and his first iOS-related book, iPhone Open Application Development, taught developers how to write applications for the popular device long before Apple introduced its own SDK. Jonathan has since written several books on iOS, including iPhone Forensics, iPhone SDK Application Development, and his latest book, Hacking and Securing iOS Applications. Jonathan frequently trains and consults for law enforcement agencies to assist forensic examiners in high profile criminal cases.