About the course

Work in progress

title: iOS security design and secure coding

audience: XOX

duration: 1 XL day (7hrs education time)

developed by: Zsombor Kovács


We assume that the developers attending the iOS secdev course:

  • are familiar with the mobile app development process and technologies

  • have a suitable IDE installed on their laptop (labs desktop)

    • a physical Apple computer

    • the latest Xcode with the corresponding SDKs

    • Apple Developer Account with a distribution profile

    • test devices that are included in the installed distribution profile



  • 'Into the middle of things' demo: "Bugs and flaws in your app help bad guys"

  • Security mechanisms in iOS

  • Application signing in iOS

Application design in iOS

  • Common design patterns

  • Architecture of an iOS app

  • Secure API design

  • Designing a reasonable communication flow

Secure data storage

  • iOS storage encryption

  • Protection classes, storage formats and security implications

  • Data storage and backups

  • Logging

  • Hands-on: (in)secure storage in applications

Network security

  • App Transport Security

  • Certificate pinning

  • Hands-on: certificate pinning implementation and bypass

Inter-process communication

  • Custom protocol handlers

  • Hands-on: attacking and securing an insecure custom protocol handler

Secure crypto implementation

  • Hands-on: insecure crypto examples and hardcoded encryption key extraction

Secure implementation in

  • Swift

  • Objective C

  • Non-native/hybrid app development: Flutter, React, etc.

Tampering detection

  • Jailbreaking, implications of running on a jailbroken device

  • Dynamic hooking and method swizzling

  • Hands-on: bypassing jailbreak detection in several ways