The iPhone: A Case For Software Security: Dwayne Bates
Software Security
Dwayne Bates
Acknowledgements
Graham Cluley's Blog: http://www.sophos.com/blogs/gc/g/2009/11/03/hacked-iphones-held-hostage-5-euros/
Nicolas Seriot (SpyPhone): http://seriot.ch/blog.php?article=20100203
Apple's Developer Site: developer.apple.com
Overview
What is the iPhone?
History of Privacy Issues for the iPhone
Spyware and the iPhone
iPhone Applications
How did this information affect the development process?
Closing Remarks
References
What is the iPhone?
Features:
iPod
Phone
Internet
Security Overview
History of Security and Privacy Issues:
Root exploits and Personal Data Harvesting
Jailbreaking and Worms
Security Overview (cont'd)
Spyware and the iPhone: SpyPhone
Files SpyPhone read from inside an App Store application's sandbox:
/var/mobile/Library/Keyboard/
/var/mobile/Library/Preferences/com.apple.accountsettings.plist
/var/mobile/Library/Preferences/com.apple.commcenter.plist
/var/mobile/Library/Preferences/com.apple.mobilephone.settings.plist
/var/mobile/Library/Preferences/com.apple.mobilephone.plist
/var/mobile/Library/Preferences/com.apple.mobilesafari.plist
/var/mobile/Library/Preferences/com.apple.preferences.datetime.plist
/var/mobile/Library/Preferences/com.apple.weather.plist
/var/mobile/Library/Preferences/com.apple.youtub
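The slide lists the files but not how an ordinary, sandboxed application got at them. The following is an added example, written for this page and not taken from the slides or from SpyPhone itself: a Foundation program that walks the paths above, checks which ones the current process can read, lists the entries of the Keyboard directory (the typed-word dictionary) and the top-level keys of each readable preference plist. The helper name `harvestReadableFiles` is assumed; the truncated last entry on the slide is left out. Run inside an app on the firmware SpyPhone targeted, the count at the end is the point of the slide: none of these files lived in the app's own container, yet they were readable.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper (not part of the slides): for each path, report whether
// this process can read it. Directories yield their entry names; plist files
// yield their top-level keys. Unreadable paths and files that do not parse as
// a dictionary plist are left out of the result.
NSDictionary *harvestReadableFiles(NSArray *paths) {
    NSMutableDictionary *found = [NSMutableDictionary dictionary];
    NSFileManager *fm = [NSFileManager defaultManager];
    for (NSString *path in paths) {
        BOOL isDir = NO;
        if (![fm fileExistsAtPath:path isDirectory:&isDir] ||
            ![fm isReadableFileAtPath:path]) {
            continue;   // the sandbox (or file mode) blocks this one
        }
        if (isDir) {
            // /var/mobile/Library/Keyboard/ holds the dynamic dictionary of words the user typed.
            NSArray *entries = [fm contentsOfDirectoryAtPath:path error:NULL];
            if (entries != nil) [found setObject:entries forKey:path];
            continue;
        }
        // Returns nil unless the file is a dictionary-rooted plist the process can open.
        NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:path];
        if (plist != nil) [found setObject:[plist allKeys] forKey:path];
    }
    return found;
}

int main(int argc, const char *argv[]) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    // The paths from the slide (constructed list; last, truncated entry omitted).
    NSArray *targets = [NSArray arrayWithObjects:
        @"/var/mobile/Library/Keyboard/",
        @"/var/mobile/Library/Preferences/com.apple.accountsettings.plist",
        @"/var/mobile/Library/Preferences/com.apple.commcenter.plist",
        @"/var/mobile/Library/Preferences/com.apple.mobilephone.settings.plist",
        @"/var/mobile/Library/Preferences/com.apple.mobilephone.plist",
        @"/var/mobile/Library/Preferences/com.apple.mobilesafari.plist",
        @"/var/mobile/Library/Preferences/com.apple.preferences.datetime.plist",
        @"/var/mobile/Library/Preferences/com.apple.weather.plist",
        nil];
    NSDictionary *found = harvestReadableFiles(targets);
    for (NSString *path in found) {
        NSLog(@"readable: %@ -> %@", path, [found objectForKey:path]);
    }
    NSLog(@"%lu of %lu targets readable from this process",
          (unsigned long)[found count], (unsigned long)[targets count]);
    [pool drain];
    return 0;
}
```

On a desktop Mac the paths do not exist and the program reports 0 of 8; the number only means something when run from within an app on the device. The check a practitioner wants from this is the negative one: a sandbox claim is only as good as the file permissions outside the container, so verify what a sandboxed process can open rather than assuming the container boundary is the whole story.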
iPhone Applications
Development Process
Enroll in iPhone Developer Program
Download iPhone SDK
Gain working knowledge of Objective-C
iPhone Applications (cont'd)
Development Tools
Xcode- Development Environment
iPhone Simulator- Simulation of the application in its environment
Interface Builder- Used to build the user interface
Buffer Overflow
Input Validation
// Reconstructed from the slide fragment. Assumed context: myCharSet holds the
// characters that are not allowed in a user name; the helper name and the shape
// of the calling code are assumed.
- (BOOL)userNameIsAcceptable:(NSString *)name {
    for (NSUInteger i = 0; i < [name length]; i++) {
        unichar c = [name characterAtIndex:i];
        if ([myCharSet characterIsMember:c]) { return NO; }
    }
    return YES;
}
// Caller: only a validated name is stored and passed on; otherwise an error message is shown.
if ([self userNameIsAcceptable:textField.text]) { acceptable = textField.text; }
else { [self getUserNameErrorMSG:YES]; }
if (acceptable != nil) { [self stringForHS:YES]; }
File Modification
// As shown on the slide. Two defects: the path points into the application
// bundle, which is read-only and code-signed, so nothing can be saved there;
// and both objects are autoreleased (neither was obtained with alloc, new,
// copy or retain), so the explicit release calls over-release them.
-(void) saveSettings{
    NSString * path = [[NSBundle mainBundle] bundlePath];
    NSString * file = [path stringByAppendingPathComponent:@"settings.plist"];
    [path release];
    [file release];
}
-(void) saveHighScores{
    NSString * path = [[NSBundle mainBundle] bundlePath];
    NSString * file = [path stringByAppendingPathComponent:@"highscores.plist"];
    [path release];
    [file release];
}
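The conclusion of the deck lists the fixes that came out of the analysis: file paths, file validation and an improved file read. The block below is an added example written for this page, not the author's code, showing what those three fixes look like together for the high-score file: the file lives in the app's Documents directory instead of the bundle, nothing is released that the code does not own, and a loaded file is validated (dictionary root, string keys, numeric values within bounds, bounded entry count) before it is trusted. The function names and the limits passed to `loadHighScores` are assumptions.

```objc
#import <Foundation/Foundation.h>

// Path inside the app's Documents directory (assumed helper). The bundle path
// used on the slide is read-only and code-signed; Documents is the app-private,
// writable location for data the app creates.
static NSString *documentsPathFor(NSString *fileName) {
    NSArray *dirs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                        NSUserDomainMask, YES);
    return [[dirs objectAtIndex:0] stringByAppendingPathComponent:fileName];
}

// Writes the scores atomically, so a crash mid-write cannot leave a truncated
// file behind. Every object here is autoreleased, so there is nothing to
// release; the explicit releases on the slide were over-releases.
BOOL saveHighScores(NSDictionary *scores) {
    return [scores writeToFile:documentsPathFor(@"highscores.plist") atomically:YES];
}

// Loads and validates the file. A plist in the Documents directory can be
// edited by anyone with file access (a jailbroken device, a backup), so its
// contents are treated as untrusted input: the root must be a dictionary,
// keys must be non-empty strings of bounded length, values must be numbers
// within [0, maxScore], and there may be at most maxEntries entries.
// Returns nil for anything else, which callers treat as "no saved scores".
NSDictionary *loadHighScores(NSString *path, NSUInteger maxEntries, double maxScore) {
    NSDictionary *raw = [NSDictionary dictionaryWithContentsOfFile:path];
    if (raw == nil || [raw count] > maxEntries) return nil;
    for (id key in raw) {
        if (![key isKindOfClass:[NSString class]]) return nil;
        NSString *name = (NSString *)key;
        if ([name length] == 0 || [name length] > 32) return nil;
        id value = [raw objectForKey:name];
        if (![value isKindOfClass:[NSNumber class]]) return nil;
        double score = [(NSNumber *)value doubleValue];
        if (score < 0 || score > maxScore) return nil;
    }
    return raw;
}

int main(int argc, const char *argv[]) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    // Constructed sample data.
    NSDictionary *scores = [NSDictionary dictionaryWithObjectsAndKeys:
        [NSNumber numberWithInt:1200], @"alice",
        [NSNumber numberWithInt:950],  @"bob",
        nil];
    if (!saveHighScores(scores)) NSLog(@"save failed");
    NSDictionary *loaded = loadHighScores(documentsPathFor(@"highscores.plist"), 10, 1000000.0);
    NSLog(@"loaded: %@", loaded);   // nil if the file is missing, malformed or out of bounds
    [pool drain];
    return 0;
}
```

The validation is deliberately a whitelist of what the file is allowed to contain rather than a search for known-bad content: a tampered file that passes still cannot hand the rest of the program an unexpected type, an oversized table or a negative score. `writeToFile:atomically:` itself refuses any value that is not a property-list type, so the writer and the reader enforce the same shape.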
CLANG Static Analysis Results: Memory Leaks
Conclusion
CLANG
Security Related Bugs
File Validation
File Paths
File Read function enhancement