Book Review: Hacking and Securing iOS Applications
About the Book
Hacking and Securing iOS Applications is a recently released book by Jonathan Zdziarski. This book is aimed to teach you how to
- Compromise an iOS device
- Steal the filesystem of an iOS device
- Abuse the Objective-C runtime
- Defeat iOS built in encryption
- Protect your own applications
and much, much, more! The book comes in at just shy of 400 pages. Each chapter is broken into a specific topic and builds on previous chapters. However, there are a few chapters which are self contained and could be read without prior knowledge (e.g. Chapter 13 – Jailbreak Detection).
Audience, Skill Level, & Prereqs
This book is targeted at app developers and the how-does-ios-work-and-how-can-I-manipulate-it type person (I try not to use the term “Hacker”). Jonathan also uses the term tinkers – I like that one too!
The book mentions that a solid foundation in Objective-C is necessary, however, personally I think that knowledge of the syntax and some basic Foundation Kit API usage is sufficient. An understanding of standard C, some assembly language, using a debugger, and a comfortable ability to use a shell is needed. A very thin knowledge of Operating Systems is needed to know what syscalls are but you should be able to Google that.
What did I think about the book?
Well, let’s start with the cover: a weasel (definition: weasel – a sneaky and cunning person). Let’s just say it’s definitely a fitting title. It made me laugh.
Past the cover, you’re in for a real good time. I had an absolute blast reading this book. What I liked most about the book is that it got down to the knitty-gritty details really fast. By the end of Chapter 2, you’ve already jailbroken your device and wrote a custom C program to steal your address book. Come Chapter 3, you’ve stolen the whole file system of your device.
With the exception of a few very obvious typos, the book is clear and concise and walks you step-by-step through each exercise. In addition to the numerous hands-on exercises, there’s a wealth of knowledge scattered throughout this book. I personally learned a lot about the internals of iOS. First, the numerous caches in iOS are really working against application security. Let’s just say they leak like a sieve. Another interesting weakness is due to the HFS journal filesystem. Journaling file systems kind of work like version control. They keep a previous copy of the file and the edits made on it. Because of this, deleting an encrypted file’s encryption key is not enough to remove a file (the default when a file is deleted) since old copies in the journal will retain the key.
If I had one criticism for the book, I’d say that overall the material in securing applications is somewhat lacking. The book really focuses on hacking. There are 9 chapters on hacking and 5 chapters on securing. Realistically though, learning to hack is an important part of learning to secure. I just would have liked to have seen more concrete securing exercises.
If you’re curious with tinkering around with the internals of iOS or if you’re an application developer looking to secure your application, you’ll definitely find this book useful. All in all, I highly recommend this book to any developer or security professional.
Thanks to Regina Wilkinson at O’Reilly for the review copy!
Comments are closed.