With the extensive use of iOS devices all over the world, threats become more harmful. Think of a monoculture in food production: natural plagues become real menaces to subsistence when larger and larger tracts of land are dedicated to one single crop.
In the past, OS X has been shown to have serious security gaps. As time has passed and Apple has gained more experience and further developed its iOS mobile platform, many of these gaps have been closed, although new ones have been created. This book shows how iOS devices have acquired more effective mechanisms to avoid security attacks. In each chapter, the authors first describe a security building block in detail, and then detail the flaws found and ways a hacker could use each one to cause the most damage.
The book starts with a quick overview of the approaches Apple has taken to counteract the most important weaknesses of its security architecture. The authors go on to describe how iOS is deployed to access sensitive enterprise data, and make some specific recommendations to information technology (IT) administrators on how to manage remote access from personally owned devices and from company-provided devices.
The next chapter shows how the encryption application programming interface (API) works and how developers can make the most out of this interface to provide secure apps. It also gives some tips on how to mess up with four-digit codes. Code signing is the topic of the next chapter. Chapter 5 explains how sandboxing works and discusses alternatives to extract profiles to examine their permissions.
In chapter 6, the authors describe how to “fuzz” with default iOS applications to find vulnerabilities, which involves sending slightly erroneous data to an app to test its reactions. The next four chapters build on the subject, showing how to take advantage of the vulnerabilities discovered to build successful exploits while bypassing security mechanisms such as address space layout randomization, for example.
The book is based on iOS 5 and one can only assume and hope that the strategies, vulnerabilities, and tricks provided in the book will have limited success in newer versions of this platform. The authors give readers the ability to test every piece of code and every configuration. There is one major drawback: any test devices must be jailbroken.
The authors contend that if readers know the areas of weakness, they will eventually learn from them and find strategies to deal with them. For those interested in improving the security of the environment, this is a must read, but one does wonder about the logic of publicizing ways to take advantage of these vulnerabilities.
