Based on unique and previously undocumented research, this book by noted forensic expert Jonathan Zdziarski shows the numerous weaknesses that exist in typical iPhone and iPad apps. Zdziarski shows finance companies, large institutions and others where the exploitable flaws lie in their code, and in this book he will show you as well, in a clear, direct, and immediately applicable style.

If you're an app developer with a solid foundation in Objective-C, this book is an absolute must - chances are very high that your company's iOS applications are vulnerable to attack. That's because malicious attackers now use an arsenal of tools to reverse-engineer, trace, and manipulate applications in ways that most programmers aren't aware of.

This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You'll learn best practices to help protect your applications, and discover how important it is to understand and strategize like your adversary.

- Examine subtle vulnerabilities in real-world applications - and avoid the same problems in your apps
- Learn how attackers infect apps with malware through code injection
- Discover how attackers defeat iOS keychain and data-protection encryption
- Use a debugger and custom code injection to manipulate the runtime Objective-C environment
- Prevent attackers from hijacking SSL sessions and stealing traffic
- Securely delete files and design your apps to prevent forensic data leakage
- Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace
Jonathan Zdziarski is better known as the hacker "NerveGas" in the iOS development community. His work in cracking the iPhone helped lead the effort to port the first open source applications to it, and his book iPhone Open Application Development taught developers how to write applications for the popular device long before Apple introduced its own SDK. Jonathan is also the author of many other books, including iPhone SDK Application Development and iPhone Forensics. Jonathan presently supports over 2,000 law enforcement agencies worldwide and distributes a suite of iOS forensic imaging tools to obtain evidence from iOS devices for criminal cases. He frequently consults and trains law enforcement agencies and assists forensic examiners in their investigations. Jonathan is also a full-time Sr. Forensic Scientist, where, among other things, he performs penetration testing of iOS applications for corporate clients.
Table of Contents
Dedication
Preface
  Audience of This Book
  Organization of the Material
  Conventions Used in This Book
  Using Code Examples
  Legal Disclaimer
  Safari® Books Online
  How to Contact Us
Chapter 1: Everything You Know Is Wrong
  1.1 The Myth of a Monoculture
  1.2 The iOS Security Model
  1.3 Storing the Key with the Lock
  1.4 Passcodes Equate to Weak Security
  1.5 Forensic Data Trumps Encryption
  1.6 External Data Is at Risk, Too
  1.7 Hijacking Traffic
  1.8 Trust No One, Not Even Your Application
  1.9 Physical Access Is Optional
  1.10 Summary

Hacking

Chapter 2: The Basics of Compromising iOS
  2.1 Why It's Important to Learn How to Break Into a Device
  2.2 Jailbreaking Explained
  2.3 End User Jailbreaks
  2.4 Compromising Devices and Injecting Code
  2.5 Exercises
  2.6 Summary
Chapter 3: Stealing the Filesystem
  3.1 Full Disk Encryption
  3.2 Copying the Live Filesystem
  3.3 Copying the Raw Filesystem
  3.4 Exercises
  3.5 The Role of Social Engineering
  3.6 Summary
Chapter 4: Forensic Trace and Data Leakage
  4.1 Extracting Image Geotags
  4.2 SQLite Databases
  4.3 Reverse Engineering Remnant Database Fields
  4.4 SMS Drafts
  4.5 Property Lists
  4.6 Other Important Files
  4.7 Summary
Chapter 5: Defeating Encryption
  5.1 Sogeti's Data Protection Tools
  5.2 Extracting Encryption Keys
  5.3 Decrypting the Keychain
  5.4 Decrypting Raw Disk
  5.5 Decrypting iTunes Backups
  5.6 Defeating Encryption Through Spyware
  5.7 Exercises
  5.8 Summary
Chapter 6: Unobliterating Files
  6.1 Scraping the HFS Journal
  6.2 Carving Empty Space
  6.3 Commonly Recovered Data
  6.4 Summary
Chapter 7: Manipulating the Runtime
  7.1 Analyzing Binaries
  7.2 Encrypted Binaries
  7.3 Abusing the Runtime with Cycript
  7.4 Exercises
  7.5 Summary
Chapter 8: Abusing the Runtime Library
  8.1 Breaking Objective-C Down
  8.2 Disassembling and Debugging
  8.3 Malicious Code Injection
  8.4 Injection Using Dynamic Linker Attack
  8.5 Summary
Chapter 9: Hijacking Traffic
  9.1 APN Hijacking
  9.2 Simple Proxy Setup
  9.3 Attacking SSL
  9.4 Attacking Application-Level SSL Validation
  9.5 Hijacking Foundation HTTP Classes
  9.6 Analyzing Data
  9.7 Driftnet
  9.8 Exercises
  9.9 Summary

Securing

Chapter 10: Implementing Encryption
  10.1 Password Strength
  10.2 Introduction to Common Crypto
  10.3 Master Key Encryption
  10.4 Geo-Encryption
  10.5 Split Server-Side Keys
  10.6 Securing Memory
  10.7 Public Key Cryptography
  10.8 Exercises
Chapter 11: Counter Forensics
  11.1 Secure File Wiping
  11.2 Wiping SQLite Records
  11.3 Keyboard Cache
  11.4 Randomizing PIN Digits
  11.5 Application Screenshots
Chapter 12: Securing the Runtime
  12.1 Tamper Response
  12.2 Process Trace Checking
  12.3 Blocking Debuggers
  12.4 Runtime Class Integrity Checks
  12.5 Inline Functions
  12.6 Complicating Disassembly
  12.7 Exercises
Chapter 13: Jailbreak Detection
  13.1 Sandbox Integrity Check
  13.2 Filesystem Tests
  13.3 Page Execution Check
Chapter 14: Next Steps
  14.1 Thinking Like an Attacker
  14.2 Other Reverse Engineering Tools
  14.3 Security Versus Code Management
  14.4 A Flexible Approach to Security
  14.5 Other Great Books