Workshop

Seasides 2025 Edition

iOS Hacking Workshop

Understanding iOS Security

Architecture: Overview of the core security features, including secure boot, application signing, and sandboxing.

iOS Application Signing: Explanation of the code signing process that ensures app integrity.

Sandboxing: Discussion on how apps are isolated to minimize potential damage from vulnerabilities.

Penetration Testing

Techniques: The workshop will cover both static and dynamic analysis techniques for identifying vulnerabilities in iOS applications.

Hands-On Practice: Attendees will engage in practical exercises using a state-of-the-art training lab that simulates real-world scenarios.

iOS Security Workshop Agenda

1. iOS Security Architecture

  • Understanding iOS Security Architecture
  • iOS Application Signing
  • Understanding iOS Sandboxing

2. Introduction to Objective-C & Swift

  • Application Structure and Format
  • IPA Format
  • Application Components

3. Setting Up a Testing Environment

  • iOS Pentesting Tools
  • Setting up Mobexler
  • Using Linux/Windows for Pentesting iOS Apps
  • Setting up Frida with Jailbroken iOS Device

4. Jailbreaking

  • What is Jailbreaking?
  • How Jailbreaking Works!
  • Let’s Jailbreak Your Device
  • Finding a Jailbreak App for Every Device

5. Extracting and Analyzing IPA Files

  • Ways of Extracting IPA
  • Statically Analyzing the App
  • Exploring the IPA
  • Encrypted and Unencrypted IPAs
  • In & Out of an Application Package

6. Reverse Engineering iOS Apps

  • Reversing the IPA
  • Finding Hardcoded Information Inside the App
  • Reversing App with Hopper | IDA Pro

7. Dynamic Analysis

  • Capturing & Analyzing Application Traffic
  • Understanding Need for SSL
  • SSL Pinning Implementation
  • Ways to Bypass SSL Pinning
  • SSL Kill Switch
  • Frida Scripts
  • Objection
  • Jailbreak Detection & Bypass (Using Frida & Objection)

8. Analyzing & Exploring iOS Local Storage

  • Different Ways of Storing Data Inside iOS Apps
  • Handling Sensitive Application Data
  • Secure and Insecure Storage
  • Unintentional Data Leakage
  • Dumping App Storage
  • iOS Pasteboard
  • Dumping Keychain Data
  • Dumping Pasteboard

9. Logging in iOS Applications

  • Deeplinking in iOS Apps
  • URI Schemes in iOS Applications
  • Security Issues with URI Schemes
  • Webviews and Vulnerabilities
  • Deeplink Implementations and Misconfigurations
  • Analyzing JavaScript Injection Vulnerabilities

10. Advanced Frida Usage

  • Using Frida
  • Writing Your First Frida Script
  • Finding Classes
  • Finding Methods
  • PIN Code Brute Forcing Using Frida
  • Using Frida to Trace Method Calls During Runtime
  • Extracting Unencrypted IPA Using Frida
  • Using Frida to Instrument an iOS Application
  • Identifying Cryptography API Usage with Frida
  • Heap Memory Dump with Frida
  • Doing More Than Just Class Dump

11. Using Objection

  • Local Storage Exploration Using Objection
  • Finding and Exploiting Security Controls Using Objection
  • Hacking Touch ID Local Authentication
  • Injecting Frida Inside an IPA

12. Other Common Security Issues in iOS Applications

  • Challenges in Real-World Penetration Testing and Bypassing the Challenges

Beginners interested in mobile application security.

Mobile application developers seeking to enhance their security knowledge.

Security researchers looking to expand their expertise in iOS penetration testing.