IOS Hacker's Handbook

ISBN-10: 1118204123

ISBN-13: 9781118204122

Edition: 2012

Authors: Dion Blazakis, Dino Dai Zovi, Stefan Esser, Vincenzo Iozzo, Charlie Miller



This book discusses the internals of iOS. It explains how the operating system works, the security risks associated with it, how it can be used in the enterprise, and the overall security architecture of the operating system. It explains how vulnerabilities can be found in it, how exploits are developed for it, and how rootkits and other payloads are developed for it. There is no other book that comes close to covering iOS on this level, and the book is written by a panel of some of the world's leading experts in iOS.

Overview:
iOS Security Architecture
iOS vulnerability hunting and exploit writing
iOS enterprise and encryption
How iOS jailbreaks work

Specifically, the book will cover: iOS in the Enterprise, Encryption, Code signing and memory protections, Sandboxing, iPhone Fuzzing, Exploitation, ROP payloads, Rootkits, Kernel Debugging and Exploitation, Jailbreaking, Baseband attacks

Book details

List price: $35.99
Copyright year: 2012
Publisher: John Wiley & Sons, Limited
Publication date: 5/4/2012
Binding: Paperback
Pages: 408
Size: 7.25" wide x 9.00" long x 1.25" tall
Weight: 1.298
Language: English

Charlie Miller won the second CanSecWest Pwn2Own contest in 2008 and was named one of the Top 10 Computer Hackers of 2008 by Popular Mechanics.

Dino Dai Zovi won the first CanSecWest Pwn2Own contest in 2007 and was named one of the 15 Most Influential People in Security by eWEEK.

iOS Security Basics
iOS Hardware/Device Types
How Apple Protects the App Store
Understanding Security Threats
Understanding iOS Security Architecture
The Reduced Attack Surface
The Stripped-Down iOS
Privilege Separation
Code Signing
Data Execution Prevention
Address Space Layout Randomization
A Brief History of iOS Attacks
Fun with SMS
The Ikee Worm
Pwn2Own 2010
JailbreakMe 2 ("Star")
JailbreakMe 3 ("Saffron")
iOS in the Enterprise
iOS Configuration Management
Mobile Configuration Profiles
iPhone Configuration Utility
Creating a Configuration Profile
Installing the Configuration Profile
Updating Profiles
Removing Profiles
Applications and Provisioning Profiles
Mobile Device Management
MDM Network Communication
Lion Server Profile Manager
Setting Up Profile Manager
Creating Settings
Enrolling Devices
Data Protection
Data Protection API
Attacking Data Protection
Attacking User Passcodes
iPhone Data Protection Tools
Installation Prerequisites
Building the Ramdisk
Booting Ramdisk
Brute-Force Attacking Four-Digit Passcodes
Dumping Keychain
Dumping Data Partition
Decrypting Data Partition
Code Signing and Memory Protections
Understanding Mandatory Access Control
AMFI Hooks
AMFI and execv
How Provisioning Works
Understanding the Provisioning Profile
How the Provisioning File Is Validated
Understanding Application Signing
Inside Entitlements
How Code Signing Enforcement Works
Collecting and Verifying Signing Information
How Signatures Are Enforced on Processes
How the iOS Ensures No Changes Are Made to Signed Pages
Discovering Dynamic Code Signing
Why MobileSafari Is So Special
How the Kernel Handles JIT
Attacking Inside MobileSafari
Breaking Code Signing
Altering iOS Shellcode
Using Meterpreter on iOS
Gaining App Store Approval
Understanding the Sandbox
Sandboxing Your Apps
Understanding the Sandbox Implementation
Understanding User Space Library Implementation
Into the Kernel
Implementing TrustedBSD
Handling Configuration from User Space
Policy Enforcement
How Profile Bytecode Works
How Sandboxing Impacts App Store versus Platform Applications
Fuzzing iOS Applications
How Fuzzing Works
The Recipe for Fuzzing
Mutation-Based ("Dumb") Fuzzing
Generation-Based ("Smart") Fuzzing
Submitting and Monitoring the Test Cases
Fuzzing Safari
Choosing an Interface
Generating Test Cases
Testing and Monitoring the Application
Adventures in PDF Fuzzing
Quick Look Fuzzing
Fuzzing with the Simulator
Fuzzing MobileSafari
Selecting the Interface to Fuzz
Generating the Test Case
Fuzzing and Monitoring MobileSafari
PPT Fuzzing Fun
SMS Fuzzing
SMS Basics
Focusing on the Protocol Data Unit Mode
Using PDUspy
Using User Data Header Information
Working with Concatenated Messages
Using Other Types of UDH Data
Generation-Based Fuzzing with Sulley
SMS iOS Injection
Monitoring SMS
SMS Bugs
Exploiting Bug Classes
Object Lifetime Vulnerabilities
Understanding the iOS System Allocator
Taming the iOS Allocator
Tools of the Trade
Learning Alloc/Dealloc Basics
Exploiting Arithmetic Vulnerabilities
Exploiting Object Lifetime Issues
Understanding TCMalloc
Large Object Allocation and Deallocation
Small Object Allocation
Small Object Deallocation
Taming TCMalloc
Obtaining a Predictable Heap Layout
Tools for Debugging Heap Manipulation Code
Exploiting Arithmetic Vulnerabilities with TCMalloc - Heap Feng Shui
Exploiting Object Lifetime Issues with TCMalloc
ASLR Challenges
Case Study: Pwn2Own 2010
Testing Infrastructure
Return-Oriented Programming
ARM Basics
iOS Calling Convention
System Calls Calling Convention
ROP Introduction
ROP and Heap Bugs
Manually Constructing a ROP Payload
Automating ROP Payload Construction
What Can You Do with ROP on iOS?
Testing ROP Payloads
Examples of ROP Shellcode on iOS
Exfiltrate File Content Payload
Using ROP to Chain Two Exploits (JailBreakMe v3)
Kernel Debugging and Exploitation
Kernel Structure
Kernel Debugging
Kernel Extensions and IOKit Drivers
Reversing the IOKit Driver Object Tree
Finding Vulnerabilities in Kernel Extensions
Finding Vulnerabilities in IOKit Drivers
Attacking through Device Properties
Attacking through External Traps and Methods
Kernel Exploitation
Arbitrary Memory Overwrite
Patching a Vulnerability into the Kernel
Choosing a Target to Overwrite
Locating the System Call Table
Constructing the Exploit
Uninitialized Kernel Variables
Kernel Stack Buffer Overflows
Kernel Heap Buffer Overflows
Kernel Heap Zone Allocator
Kernel Heap Feng Shui
Detecting the State of the Kernel Heap
Exploiting the Kernel Heap Buffer Overflow
Why Jailbreak?
Jailbreak Types
Jailbreak Persistence
Tethered Jailbreaks
Untethered Jailbreaks
Exploit Type
Bootrom Level
iBoot Level
Userland Level
Understanding the Jailbreaking Process
Exploiting the Bootrom
Booting the Ramdisk
Jailbreaking the Filesystem
Installing the Untethering Exploit
Installing the AFC2 Service
Installing Base Utilities
Application Stashing
Bundle Installation
Post-Installation Process
Executing Kernel Payloads and Patches
Kernel State Reparation
Privilege Escalation
Kernel Patching
cs_enforcement_disable (kernel)
cs_enforcement_disable (AMFI)
AMFI Binary Trust Cache
Task_for_pid 0
Sandbox Patches
Clearing the Caches
Clean Return
Baseband Attacks
GSM Basics
Setting up OpenBTS
Hardware Required
OpenBTS Installation and Configuration
Closed Configuration and Asterisk Dialing Rules
RTOSes Underneath the Stacks
Nucleus PLUS
Heap Implementations
Dynamic Memory in Nucleus PLUS
Byte Pools in ThreadX
The Qualcomm Modem Heap
Vulnerability Analysis
Obtaining and Extracting Baseband Firmware
Loading Firmware Images into IDA Pro
Application/Baseband Processor Interface
Stack Traces and Baseband Core Dumps
Attack Surface
Static Analysis on Binary Code Like it's 1999
Specification-Guided Fuzz Testing
Exploiting the Baseband
A Local Stack Buffer Overflow: AT+XAPP
The ultrasn0w Unlock
An Overflow Exploitable Over the Air
Appendix References