TrustKit: Code Injection on iOS 8 for the Greater Good

With the release of iOS 8, Apple has relaxed the rules regarding how code can be packaged within an iOS App when submitting to the App Store. While in the pre-iOS 8 world all code had to be statically linked into the App's binary, Apple now allows third-party frameworks and libraries to be embedded in an App's package and dynamically loaded at runtime, as needed by the App.

We will describe what has changed exactly and why, and the new opportunities it provides to mobile and security engineers. While doing so, we will also provide a quick overview of the library loading mechanism on iOS as well as how to perform function hooking in a non-jailbroken environment, and how developers can take advantage of this functionality.

We will then present a new open-source library for iOS that leverages these mechanisms: TrustKit. TrustKit provides universal SSL public key pinning (NSURLSession, NSURLConnection, UIWebView, Cordova, etc.) and can be deployed within an App in a matter of minutes, without having to modify the App's source code. This work is a collaboration between Data Theorem and Yahoo's mobile engineers, and offers a novel and easy-to-use implementation; we call it drag & drop SSL pinning.

Throughout the presentation, attendees will have the opportunity to understand how the rules regarding dynamic linking have changed in iOS 8 and how this change can be leveraged to solve security issues in a novel way. Additionally, as TrustKit will be released as an open-source library, attendees will also be able to discover and deploy this library in their own iOS Apps.

Presented by