Monday, February 24, 2014

Hack in the Box Amsterdam 2014

We are very pleased to announce that our presentation "Exploring and Exploiting iOS Web Browsers" has been accepted for the Hack in the Box Security Conference 2014 Amsterdam.

In the presentation, we will discuss how iOS third-party web browsers are built. We will go through the main properties and limitations of UIWebView, common features added by browser developers, and common design or programming flaws that result in security vulnerabilities. While the security of the underlying WebKit engine is subject to continuous research, and the imperfections of mobile browser UI are widely known, the publicly available resources dedicated to secure implementation of web views in iOS applications do not cover the challenges that a browser developer faces. We would like to fill at least a small part of this gap.

Apart from the theory and development advice, our talk will also be an opportunity to disclose a dozen of the most interesting examples of security vulnerabilities and weaknesses which we identified in the most popular iOS third-party web browsers, and in Safari/UIWebView itself. We will explain how they arose, demonstrate their exploitation, show examples of vulnerable code (Objective-C and JavaScript) and – where possible – patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of UIWebView implementations in iOS web browsers.

More details can be found here: http://haxpo.nl/hitb2014ams-pilorz-zmyslowski/

See you there :)
