iOS security, attack and defense. If your English is good, just read it straight through; if it isn't, treat it as English practice.

Hacking and Securing iOS Applications (photographic reprint edition)
Jonathan Zdziarski
O'Reilly
Beijing · Cambridge · Farnham · Köln · Sebastopol · Tokyo
Published by Southeast University Press under license from O'Reilly Media, Inc.

Cataloguing in Publication (CIP) data
Hacking and Securing iOS Applications, in English / by J. Zdziarski (USA). Photographic reprint. Nanjing: Southeast University Press, June 2012.
Original title: Hacking and Securing iOS Applications
ISBN 978-7-5641-3446-4
I. ① i… II. ① Zd… III. ① C language, programming, in English ② Computer networks, security technology, in English IV. ① TP312 ② TP393.08
National Library of China CIP data record no. (2012) 089056
Jiangsu Provincial Copyright Bureau copyright contract registration no. 10-2012-157

© 2012 by O'Reilly Media, Inc.
Reprint of the English edition, jointly published by O'Reilly Media, Inc. and Southeast University Press, 2012. Authorized reprint of the original English edition, 2012 O'Reilly Media, Inc., the owner of all rights. All rights reserved, including the rights of reproduction in whole or in part in any form.
The original English edition was published by O'Reilly Media, Inc. in 2012. This English-language photographic reprint was published by Southeast University Press in 2012. Publication and sale of this reprint are licensed by O'Reilly Media, Inc., the owner of the publication and sales rights. All rights reserved; no part of this book may be reproduced in any form without written permission.

Publication details
Hacking and Securing iOS Applications (photographic reprint edition)
Publisher: Southeast University Press, 2 Sipailou, Nanjing 210096
Publisher's representative: Jiang Jianzhong
Email: press@seupress.com
Printer: Yangzhong Printing Co., Ltd.
Format: 787 mm × 980 mm, 16mo
Printed sheets: 22.25
Word count: 436,000 characters
Edition: first edition, June 2012
Printing: first printing, June 2012
ISBN 978-7-5641-3446-4
For printing or binding quality problems, contact the marketing department directly. Telephone (fax): 025-83791830

About O'Reilly Media, Inc.

O'Reilly Media spreads the knowledge of innovators through books, magazines, online services, research, and conferences. Since 1978, O'Reilly has been a witness to and a driver of leading-edge developments. Alpha geeks are creating the future, and we watch the technology trends that really matter, amplifying those "faint signals" to stimulate society's adoption of new technology. As an active participant in the technology community, O'Reilly's history is one of advocating, creating, and spreading innovation. O'Reilly brought software developers the revolutionary "animal books"; built the first commercial website (GNN); organized the influential Open Source Summit, after which the open source software movement was named; founded Make magazine and so became a leading pioneer of the DIY revolution; and has, as always, connected information with people in many forms. O'Reilly's conferences and summits bring together alpha geeks and far-sighted business leaders to sketch out the revolutionary ideas that create new industries. As the information source of choice for technologists, O'Reilly now also passes the knowledge of pioneering experts on to ordinary computer users. Whether in book publishing, online services, or classroom training, every O'Reilly product reflects the company's unshakable belief: information is the force that sparks innovation.

Industry comment

"The O'Reilly Radar blog is universally acclaimed." - Wired

"O'Reilly has built a multimillion-dollar business out of a series of (I wish I had thought of that) remarkable ideas."

"O'Reilly Conference is the absolute model for gathering key thought leaders." - CRN

"An O'Reilly book stands for a subject that is useful, promising, and worth learning." - Irish Times

"Tim is a maverick businessman who not only takes the longest and broadest view, but actually follows Yogi Berra's advice: 'If you come to a fork in the road, take the side path.' Looking back, Tim seems to have chosen the side path every time, and several of those were fleeting opportunities, even though the main road would have been fine too."

Steve: The coolest cat. We loved the chase!
Hackers and tinkerers everywhere

Preface

Data is stolen; this is no uncommon occurrence.
The electronic information age has made the theft of data a very lucrative occupation. Whether it's phishing scams or large-scale data breaches, criminals stand to greatly benefit from electronic crimes, making their investment well worth the risk. When I say that this occurrence is not uncommon, my goal isn't to be dismissive, but rather to alarm you. The chances that your company's applications will be vulnerable to attack are very high. Hackers of the criminal variety have an arsenal of tools at their disposal to reverse engineer, trace, and even manipulate applications in ways that most programmers aren't aware of. Even many encryption implementations are weak, and a good hacker can penetrate these and other layers that, so many times, present only a false sense of security to the application's developer.

Take everything hackers collectively know about security vulnerabilities and apply it to a device that can fit in your pocket and is frequently left at bars. Your company's applications, and the data they protect, are now subject to simpler forms of theft such as pickpocketing, file copies that can take as little as a few minutes alone with a device, or malicious injection of spyware and rootkits, all of which can be performed as the device's owner reaches for another drink. One way or another, software on a mobile platform can be easily stolen and later attacked at the criminal's leisure, sometimes without the device's owner even knowing, and sometimes without physical access to the device.

This book is designed to demonstrate many of the techniques black hats use to steal data and manipulate software, in an attempt to show you, the developer, how to avoid the many all too common mistakes that leave your applications exposed to attack. These attacks are not necessarily limited to just the theft of data from the device, but can sometimes even lead to much more nefarious attacks.
In this book, you'll see an example of how some credit card payment processing applications can be breached, allowing a criminal not only to expose the credit card data stored on the device, but also to manipulate the application into granting him huge credit card refunds for purchases he didn't make, paid straight from the merchant's stolen account. You'll see many more examples, too, of exploits that have made mobile applications not just a data risk, but downright dangerous to those using them. The reader will also gain an understanding of how these attacks are executed, along with many examples and demonstrations of how to code more securely in ways that won't leave applications exposed to such attacks.

Audience of This Book

This book is geared toward iOS developers looking to design secure applications. This is not necessarily limited to government or financial applications, but may also pertain to applications with assets or other features that the developer is looking to protect. You'll need a solid foundation of Objective-C coding on iOS to understand a majority of this book. A further understanding of C or assembly language will also help, but is not required.

While this book primarily focuses on iOS, much of the material can also be applied directly to the Mac OS X desktop. Given that both environments run an Objective-C environment and share many of the same tools, you'll find much of this book can be used to expose vulnerabilities in your company's desktop applications as well.

Organization of the Material

This book is split into two halves. The first half discusses hacking and exposes the many vulnerabilities in iOS and iOS applications, while the second half gives developers techniques for securing their applications.

Chapter 1 explains the core problem with mobile security, and outlines common myths, misconceptions, and overall flaws in many developers' ways of thinking about security.

Chapter 2 introduces the reader to many techniques of compromising an iOS device, including jailbreaking.
The reader will learn how to build and inject custom code into an iOS device using popular jailbreaking techniques and custom RAM disks.

Chapter 3 demonstrates how the filesystem of an iOS device can be stolen in minutes, and why developers can't rely solely on a manufacturer's disk encryption. You'll also find out about some common social engineering practices that secure access to a device without the owner's knowledge.

Chapter 4 covers the forensic data left by the operating system, and what kind of information ...

Chapter 5 explains how iOS's keychain encryption and data protection encryption can be defeated, and the inherent problems of each.

Chapter 6 demonstrates how the HFS journal can be scraped for deleted files, and provides examples of how to securely delete files so they cannot be recovered.

Chapter 7 covers the runtime environment and demonstrates how black hat hackers can manipulate your application's objects, variables, and methods to bypass many layers of security.

Chapter 8 introduces you to tools and approaches for disassembling and debugging your application, injecting malicious code, and performing low-level attacks using a number of techniques.

Chapter 9 illustrates some of the tools used to hijack SSL sessions, and how to protect your application from falling victim to these attacks.

Chapter 10 elaborates on security and describes additional methods to protect your data with proper encryption techniques.

Chapter 11 explains how to help prevent forensic data leakage by designing your application to leave fewer traces of information.

Chapter 12 explains many best practices to increase the complexity needed for an attack on your applications.

Chapter 13 explains techniques used to detect when an application is running on a device jailbroken with some of the popular jailbreaking tools available.

Chapter 14 wraps up the book and explains how important it is to understand and strategize like your adversary.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
    Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
    Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, and environment variables.

Constant width bold
    Shows commands or other text that should be typed literally by the user.

Constant width italic
    Shows text that should be replaced with user-supplied values or by values determined by context.

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: "Hacking and Securing iOS Applications by Jonathan Zdziarski. Copyright 2012 Jonathan Zdziarski (ISBN 9781449318741)."

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.

Legal Disclaimer

The technologies discussed in this publication, the limitations on these technologies that the technology and content owners seek to impose, and the laws actually limiting the use of these technologies are constantly changing. Thus, some of the hacks described in this publication may not work, may cause unintended harm to equipment, or may not be consistent with applicable user agreements. Your use of these projects is at your own risk, and O'Reilly Media, Inc. disclaims responsibility for any damage or expense resulting from their use.
In any event, you should take care that your use of these projects does not violate any applicable laws.

Safari Books Online

Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly.

With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features.