Security - Ivan R Blog

Security

A collection of 10 posts

Why embedding secrets in mobile apps is not a good idea

Why embedding secrets in mobile apps is not a good idea

This is a somewhat complicated topic to cover, but I'll try to go into detail on why, generally, this is not a good idea and you should avoid embedding secrets in your mobile applications as much as possible. tl;dr Anyone motivated enough will get these secrets and impersonate your

OPSEC tips for the general public

OPSEC tips for the general public

It's always a good idea to properly configure your computer and smartphone, know how to securely communicate with others and how to read, write and share content while protecting your personal information. These practices are more relevant than ever. OPSEC stands for operations security [https://en.wikipedia.org/wiki/Operations_

Introducing security.plist

Introducing security.plist

tl;dr It's like security.txt [https://securitytxt.org/] but for iOS applications [https://securityplist.ivrodriguez.com/]. As probably you know by now, I spend a lot of my free time reverse engineering iOS applications. But when I find a vulnerability in one of them, it's a very, very difficult

What checkm8 means for stalkerware on iOS

What checkm8 means for stalkerware on iOS

On Friday, September 27th 2019 many of us on the mobile security community were surprised with the news of a SecureROM [https://www.theiphonewiki.com/wiki/Bootrom] vulnerability disclosed on Twitter [https://twitter.com/axi0mX/status/1177542201670168576] by @axi0mX [https://twitter.com/axi0mX]. axi0mX described it as "a permanent unpatchable

Analyzing iOS Stalkerware Applications

Analyzing iOS Stalkerware Applications

Stalkerware (a.k.a. Spouseware) applications are invasive applications that an individual installs on a target's device (usually their partner) to spy on them, snooping in as much data as they can. They aim to collect phone calls history, private messages, location data, browsing patterns, and many other private aspects

Investigating some subscription scam iOS apps

Reverse Engineering

Investigating some subscription scam iOS apps

For some reason Apple allows "subscription scam" apps on the App Store. These are apps that are free to download and then ask you to subscribe right on launch. It's called the freemium business model [https://developer.apple.com/app-store/freemium-business-model/], except these apps ask you to subscribe for "X"

Created an "age" mobile client

Created an "age" mobile client

A few days ago Filippo Valsorda [https://twitter.com/FiloSottile] twitted about a simple, secure and modern encryption tool that will hopefully substitute gpg [https://gnupg.org/]. Filippo, along with Ben Cox [https://twitter.com/Benjojo12], published a document detailing the output file and key formats as well as some

Mobile App Sec Assemble

Mobile App Sec Assemble

One of the reasons why I write blog posts about mobile app sec is for future me. I don't have a good memory so these posts help me refresh techniques and steps I need to perform to RE mobile applications, and more than once when I've shared one of my

Who's collecting analytics data from mobile apps?

Who's collecting analytics data from mobile apps?

I have the absolute pleasure and honour of being one of the beta testers of the GuardianApp [https://guardianapp.com/]. In an upcoming post I'll be explaining in more detail how it helps protect your privacy. For now, tl;dr: the GuardianApp creates a VPN connection between your device and

Announcing my very own course: "Reverse Engineer iOS Applications" 📱

Announcing my very own course: "Reverse Engineer iOS Applications" 📱

Big news! (or at least for me 😬) I've decided to create my own take on an online course to show beginner and intermediate researchers how to reverse engineer iOS applications. This course is 100% free and open source! Everything that I've accomplished so far in my professional career, since I