Security - Ivan R Blog

Why embedding secrets in mobile apps is not a good idea

This is a somewhat complicated topic to cover, but I'll try to go into detail on why, generally, this is not a good idea and you should avoid embedding secrets in your mobile applications as much as possible. tl;dr Anyone motivated enough will get these secrets and impersonate your

Privacy

OPSEC tips for the general public

It's always a good idea to properly configure your computer and smartphone, know how to securely communicate with others and how to read, write and share content while protecting your personal information. These practices are more relevant than ever. OPSEC stands for operations security, taken from wikipedia: "Operations security

iOS

Introducing security.plist

tl;dr It's like security.txt but for iOS applications. As probably you know by now, I spend a lot of my free time reverse engineering iOS applications. But when I find a vulnerability in one of them, it's a very, very difficult process to figure out how to contact

Privacy

What checkm8 means for stalkerware on iOS

On Friday, September 27th 2019 many of us on the mobile security community were surprised with the news of a SecureROM vulnerability disclosed on Twitter by @axi0mX. axi0mX described it as "a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices" and called it checkm8 (read 'checkmate'). Here

Privacy

Analyzing iOS Stalkerware Applications

Stalkerware (a.k.a. Spouseware) applications are invasive applications that an individual installs on a target's device (usually their partner) to spy on them, snooping in as much data as they can. They aim to collect phone calls history, private messages, location data, browsing patterns, and many other private aspects

Reverse Engineering

Investigating some subscription scam iOS apps

For some reason Apple allows "subscription scam" apps on the App Store. These are apps that are free to download and then ask you to subscribe right on launch. It's called the freemium business model, except these apps ask you to subscribe for "X" feature(s) immediately when you launch

Cryptography

Created an "age" mobile client

A few days ago Filippo Valsorda twitted about a simple, secure and modern encryption tool that will hopefully substitute gpg. Filippo, along with Ben Cox, published a document detailing the output file and key formats as well as some examples. They are calling it age (which might be an acronym

Android

Mobile App Sec Assemble

One of the reasons why I write blog posts about mobile app sec is for future me. I don't have a good memory so these posts help me refresh techniques and steps I need to perform to RE mobile applications, and more than once when I've shared one of my

Mobile

Who's collecting analytics data from mobile apps?

I have the absolute pleasure and honour of being one of the beta testers of the GuardianApp. In an upcoming post I'll be explaining in more detail how it helps protect your privacy. For now, tl;dr: the GuardianApp creates a VPN connection between your device and their servers and

iOS

Announcing my very own course: "Reverse Engineer iOS Applications" 📱

Big news! (or at least for me 😬) I've decided to create my own take on an online course to show beginner and intermediate researchers how to reverse engineer iOS applications. This course is 100% free and open source! Everything that I've accomplished so far in my professional career, since I