Chilik Tamir (Chief Scientist, AppSec Labs)

PRESENTATION TITLE:  iNalyzer: An End to Blackbox iOS Analysis

PRESENTATION ABSTRACT:

Performing security analysis of iOS applications is a tedious task – there is no source code and there is no true emulation available. Moreover, communication is usually signed or encrypted by the application, leaving the standard tampering and injection attacks worthless. Needless to say, time spent on testing such applications increases substantially due to the fact that not every automatic tool can be used on the captured signed-traffic, including the conventional scanners (such as Burp, Accunetix, Webinspect and AppScan).

In this presentation I will cover a new approach to performing security assessments of iOS applications utilizing iNalyzer – a free open-source framework for security assessment of iOS Applications.

iNalyzer collects all data from the iOS device application file and generates a Command & Control interface for Cycript, giving the pen-tester a full testing environment to the application. iNalyzer enables penetration testers to attack server side functionality by utilizing the application itself as a testing tool.

Instead of using a proxy to perform server side attacks like in regular web-based systems, iNalyzer turns the application into a spearhead in the testing process against the server.

ABOUT CHILIK TAMIR

Chilik Tamir is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. He has over two decades of experience in training, research, development, testing and consulting. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; as well as his lectures in conferences in Israel such as OWASP IL 2011 and OWASP IL 2012. Chilik holds a Biomedical Engineering B.Sc. degree.