More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this talk, we review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications. To assist the community in assessing security risks of mobile apps, we introduce a new tool called 'idb' and show how it can be used to efficiently test for a range of iOS app flaws indicated above. During our presentation, we will explore a number of vulnerability classes. Each class will first be introduced and discussed before demonstrating how idb can enhance the testing for instances of it. With this we illustrate how apps commonly fail at safeguarding sensitive data and demonstrate how idb can arm security professionals and developers with the means necessary to uncover these flaws from a black-box perspective. Furthermore, we will provide illustration of how to mitigate each flaw. idb will be made open source and released to the public.
Daniel is a consultant with Matasano Security. His experience includes penetration testing, cryptographic protocol analysis and design, security research, and system and network administration. Prior to joining Matasano, Daniel was a researcher at the Stevens Institute of Technology working on applied cryptography and privacy. He presented his research at several international security conferences. Daniel holds a Ph.D. degree in Computer Science from Stevens and a Masters degree in Physics from Rutgers.