Blackbox iOS App Assessments Using idb
Daniel Mayer
Presented at Black Hat Mobile Security Summit, 2015
Abstract
More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this paper, we review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications. To assist the community in assessing security risks of mobile apps, we introduce our recent tool called idb and show how it can be used to efficiently test for a range of iOS app flaws. We will explore a number of vulnerability classes. Each class will first be introduced and discussed before demonstrating how idb can enhance the testing for instances of it. With this we illustrate how apps commonly fail at safeguarding sensitive data and demonstrate how idb can arm security professionals and developers with the means necessary to uncover these flaws from a black-box perspective. Furthermore, we will provide illustration of how to mitigate each flaw. idb is open source and available to the public.
