iOS Hacker's Handbook.
Title:
iOS Hacker's Handbook.
Author:
Miller, Charlie.
ISBN:
9781118228432
Edition:
1st ed.
Physical Description:
1 online resource (410 pages)
Contents:
iOS Hacker's Handbook -- Contents

Chapter 1 iOS Security Basics -- iOS Hardware/Device Types -- How Apple Protects the App Store -- Understanding Security Threats -- Understanding iOS Security Architecture -- The Reduced Attack Surface -- The Stripped-Down iOS -- Privilege Separation -- Code Signing -- Data Execution Prevention -- Address Space Layout Randomization -- Sandboxing -- A Brief History of iOS Attacks -- Libtiff -- Fun with SMS -- The Ikee Worm -- Storm8 -- SpyPhone -- Pwn2Own 2010 -- Jailbreakme.com 2 ("Star") -- Jailbreakme.com 3 ("Saffron") -- Summary

Chapter 2 iOS in the Enterprise -- iOS Configuration Management -- Mobile Configuration Profiles -- iPhone Configuration Utility -- Creating a Configuration Profile -- Installing the Configuration Profile -- Updating Profiles -- Removing Profiles -- Applications and Provisioning Profiles -- Mobile Device Management -- MDM Network Communication -- Lion Server Profile Manager -- Setting Up Profile Manager -- Creating Settings -- Enrolling Devices -- Summary

Chapter 3 Encryption -- Data Protection -- Data Protection API -- Attacking Data Protection -- Attacking User Passcodes -- iPhone Data Protection Tools -- Installation Prerequisites -- Building the Ramdisk -- Booting Ramdisk -- Brute-Force Attacking Four-Digit Passcodes -- Dumping Keychain -- Dumping Data Partition -- Decrypting Data Partition -- Summary

Chapter 4 Code Signing and Memory Protections -- Understanding Mandatory Access Control -- AMFI Hooks -- AMFI and execv -- How Provisioning Works -- Understanding the Provisioning Profile -- How the Provisioning File Is Validated -- Understanding Application Signing -- Inside Entitlements -- How Code Signing Enforcement Works -- Collecting and Verifying Signing Information -- How Signatures Are Enforced on Processes -- How the iOS Ensures No Changes Are Made to Signed Pages -- Discovering Dynamic Code Signing -- Why MobileSafari Is So Special -- How the Kernel Handles JIT -- Attacking Inside MobileSafari -- Breaking Code Signing -- Altering iOS Shellcode -- Using Meterpreter on iOS -- Gaining App Store Approval -- Summary

Chapter 5 Sandboxing -- Understanding the Sandbox -- Sandboxing Your Apps -- Understanding the Sandbox Implementation -- Understanding User Space Library Implementation -- Into the Kernel -- Implementing TrustedBSD -- Handling Configuration from User Space -- Policy Enforcement -- How Profile Bytecode Works -- How Sandboxing Impacts App Store versus Platform Applications -- Summary

Chapter 6 Fuzzing iOS Applications -- How Fuzzing Works -- The Recipe for Fuzzing -- Mutation-Based ("Dumb") Fuzzing -- Generation-Based ("Smart") Fuzzing -- Submitting and Monitoring the Test Cases -- Fuzzing Safari -- Choosing an Interface -- Generating Test Cases -- Testing and Monitoring the Application -- Adventures in PDF Fuzzing -- Quick Look Fuzzing -- Fuzzing with the Simulator -- Fuzzing MobileSafari -- Selecting the Interface to Fuzz -- Generating the Test Case -- Fuzzing and Monitoring MobileSafari -- PPT Fuzzing Fun -- SMS Fuzzing -- SMS Basics -- Focusing on the Protocol Data Unit Mode -- Using PDUspy -- Using User Data Header Information -- Working with Concatenated Messages -- Using Other Types of UDH Data -- Generation-Based Fuzzing with Sulley -- SMS iOS Injection -- Monitoring SMS -- SMS Bugs -- Summary

Chapter 7 Exploitation -- Exploiting Bug Classes -- Object Lifetime Vulnerabilities -- Understanding the iOS System Allocator -- Regions -- Allocation -- Deallocation -- Taming the iOS Allocator -- Tools of the Trade -- Learning Alloc/Dealloc Basics -- Exploiting Arithmetic Vulnerabilities -- Exploiting Object Lifetime Issues -- Understanding TCMalloc -- Large Object Allocation and Deallocation -- Small Object Allocation -- Small Object Deallocation -- Taming TCMalloc -- Obtaining a Predictable Heap Layout -- Tools for Debugging Heap Manipulation Code -- Exploiting Arithmetic Vulnerabilities with TCMalloc: Heap Feng Shui -- Exploiting Object Lifetime Issues with TCMalloc -- ASLR Challenges -- Case Study: Pwn2Own 2010 -- Testing Infrastructure -- Summary

Chapter 8 Return-Oriented Programming -- ARM Basics -- iOS Calling Convention -- System Calls Calling Convention -- ROP Introduction -- ROP and Heap Bugs -- Manually Constructing a ROP Payload -- Automating ROP Payload Construction -- What Can You Do with ROP on iOS? -- Testing ROP Payloads -- Examples of ROP Shellcode on iOS -- Exfiltrate File Content Payload -- Using ROP to Chain Two Exploits (JailBreakMe v3) -- Summary

Chapter 9 Kernel Debugging and Exploitation -- Kernel Structure -- Kernel Debugging -- Kernel Extensions and IOKit Drivers -- Reversing the IOKit Driver Object Tree -- Finding Vulnerabilities in Kernel Extensions -- Finding Vulnerabilities in IOKit Drivers -- Attacking through Device Properties -- Attacking through External Traps and Methods -- Kernel Exploitation -- Arbitrary Memory Overwrite -- Patching a Vulnerability into the Kernel -- Choosing a Target to Overwrite -- Locating the System Call Table -- Constructing the Exploit -- Uninitialized Kernel Variables -- Kernel Stack Buffer Overflows -- Kernel Heap Buffer Overflows -- Kernel Heap Zone Allocator -- Kernel Heap Feng Shui -- Detecting the State of the Kernel Heap -- Exploiting the Kernel Heap Buffer Overflow -- Summary

Chapter 10 Jailbreaking -- Why Jailbreak? -- Jailbreak Types -- Jailbreak Persistence -- Tethered Jailbreaks -- Untethered Jailbreaks -- Exploit Type -- Bootrom Level -- iBoot Level -- Userland Level -- Understanding the Jailbreaking Process -- Exploiting the Bootrom -- Booting the Ramdisk -- Jailbreaking the Filesystem -- Installing the Untethering Exploit -- Installing the AFC2 Service -- Installing Base Utilities -- Application Stashing -- Bundle Installation -- Post-Installation Process -- Executing Kernel Payloads and Patches -- Kernel State Reparation -- Privilege Escalation -- Kernel Patching -- security.mac.proc_enforce -- cs_enforcement_disable (kernel) -- cs_enforcement_disable (AMFI) -- PE_i_can_has_debugger -- vm_map_enter -- vm_map_protect -- AMFI Binary Trust Cache -- Task_for_pid 0 -- Sandbox Patches -- Clearing the Caches -- Clean Return -- Summary

Chapter 11 Baseband Attacks -- GSM Basics -- Setting up OpenBTS -- Hardware Required -- OpenBTS Installation and Configuration -- Closed Configuration and Asterisk Dialing Rules -- RTOSes Underneath the Stacks -- Nucleus PLUS -- ThreadX -- REX/OKL4/Iguana -- Heap Implementations -- Dynamic Memory in Nucleus PLUS -- Byte Pools in ThreadX -- The Qualcomm Modem Heap -- Vulnerability Analysis -- Obtaining and Extracting Baseband Firmware -- Loading Firmware Images into IDA Pro -- Application/Baseband Processor Interface -- Stack Traces and Baseband Core Dumps -- Attack Surface -- Static Analysis on Binary Code Like it's 1999 -- Specification-Guided Fuzz Testing -- Exploiting the Baseband -- A Local Stack Buffer Overflow: AT+XAPP -- The ultrasn0w Unlock -- An Overflow Exploitable Over the Air -- Summary

Appendix References -- Index.
Abstract:
Discover all the security risks and exploits that can threaten iOS-based mobile devices. iOS is Apple's mobile operating system for the iPhone and iPad. With the introduction of iOS 5, many security issues have come to light, and this book explains and discusses them all. The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as the exploits, rootkits, and other payloads developed for it. It covers iOS security architecture, vulnerability hunting, exploit writing, and how iOS jailbreaks work; explores iOS in the enterprise, encryption, code signing and memory protection, sandboxing, iPhone fuzzing, exploitation, ROP payloads, and baseband attacks; and also examines kernel debugging and exploitation. A companion website includes source code and tools to facilitate your efforts. iOS Hacker's Handbook arms you with the tools needed to identify, understand, and foil iOS attacks.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.