This 3-day training will equip you with a toolbox of techniques for instrumenting apps and discovering low-level system internals on Apple's mobile devices, including the iOS security model and sandboxing. While covering the basics to get beginner reverse-engineers started, intermediate and advanced attendees are provided with appropriately challenging content and exercises. The course material is always kept up to date with the latest version of iOS, so you'll even learn about features introduced in iOS 27!
Starting with static reverse engineering and dynamic testing of iOS apps using Ghidra/IDA and Frida, we'll pivot to challenges posed by programs written in Objective-C and Swift, which use asynchronous programming via Grand Central Dispatch and Cross-Process Communication (XPC). We'll use Frida to trace control flow, find interesting code paths, manipulate data, and collect code coverage, everything you'll need to get started writing custom fuzzers for vulnerability discovery. Going deeper into the internals of iOS, the user-space analysis is followed by a dive into the XNU kernel. Starting with a broad overview of user- and kernel-space interactions, including Mach messages and syscalls, we'll take a closer look at IOKit, the common API used by iOS apps and daemons to communicate with drivers. We'll cover the latest mitigations (SPTM, TXM, Conclaves, MTE, and more), followed by a look into RTKit-based firmware and an overview of the network of Co-Processors in an iPhone. Throughout the training, we'll discuss how public security research and jailbreaks relate to the contents covered.
The training will include hands-on exercises on virtual or physical iOS devices. All attendees can borrow a jailbroken device running iPadOS 18 for free during the training! Advanced iOS app internals are conveyed by breaking them down into small, easily comprehensible chunks and exercises that build on each other to form a general understanding of iOS concepts. Attendees will be guided through using free and open-source reverse-engineering software and frameworks (such as Ghidra/IDA and Frida) to understand the internals and perform security testing of closed-source apps and daemons. Attendees will be provided with slides, exercises, solutions including custom tooling, and cheat sheets to follow along with the training. Furthermore, Hex-Rays is sponsoring free IDA Classroom licenses.
The following outline is intended to give an overview of what to expect in the training. Minor adaptations can be made during the training to adjust to trainee questions, interests and progress, so the outline does not represent a guaranteed schedule.
Venue
This training will take place November 15-17 on-site at Objective By The Sea v9.0 (OBTS), held at the Hyatt Regency Maui in Maui, Hawaii. Discounted room rates are available through the OBTS website. Please book them while they last!
Booking
A limited number of seats is available at a price of USD 2999 (plus 4.712% GET, the Hawaii general excise tax). Please pre-register through our booking form to request a seat. We will reach out to you individually to confirm your booking with an invoice.
In addition to the training, attendees must separately purchase a ticket for the OBTS conference. While the conference is already sold out, there are reserved tickets for training attendees.
Cancellation Policy
Students can cancel their booking for a full refund (minus transaction and processing fees) up to 1 month before the training. Later cancellations cannot be refunded, but we will work with you to find the best outcome for all sides where possible.
We reserve the right to cancel individual registrations in duly justified cases with a full refund of the training costs. Conference attendance is not affected by this. The OBTS Code of Conduct applies to all attendees. In cases where attendees are removed from the training due to Code of Conduct violations, no refunds can be offered.
Outline
Training contents are up to date with the latest iOS version, including recent changes in iOS 27.
Day 1 - iOS App Fundamentals
Learning objectives:
At the end of Day 1, students will have the understanding and means to perform basic static and dynamic reverse-engineering of iOS apps to identify and trace the execution of interesting functions, and to write scripts that exercise the corresponding code paths.
Topic overview:
- Apple's public documentation and source code, public frameworks, and private frameworks.
- Attack surface and threat modeling: how to approach an app from a security point of view.
- The Apple App Store security model: code signing, App Review, entitlements, the iOS sandbox, and TCC.
- The internal structure of an iOS application: metadata and resources in application bundles, third-party frameworks, AppExtensions, Mach-O internals, FairPlay DRM, and decrypting iOS apps.
- Static analysis: introduction to Ghidra/IDA, navigating larger binaries, Objective-C and Swift calling conventions and name mangling, tips and tricks for Swift reversing, dealing with obfuscation.
- Dynamic analysis with Frida: initial approaches using frida-trace, combining static and dynamic analysis, writing stand-alone Frida scripts, hooking functions.
Day 2 - iOS User-Space Internals: Tracing Execution, Threads, Fuzzing
Learning objectives:
At the end of Day 2, students will be able to write basic fuzzers to find bugs, read the resulting crash logs, and identify the underlying vulnerabilities. Students will furthermore understand asynchronous and multi-threaded programming on iOS and be able to follow execution both statically and dynamically. By applying their understanding of the iOS sandbox from Day 1 to XPC, students will be able to assess the security impact of communication between apps, AppExtensions, and iOS daemons.
Topic overview:
- Analyzing the DYLD shared cache to explore private frameworks.
- Manually triggering bugs through custom scripts.
- Reading and interpreting crash logs to identify bugs.
- Discovering runtime state, calling functions with controlled arguments, and injecting data.
- Introduction to fuzzing: corpus and input mutation, harnessing using Frida, in-place harnessing, coverage guidance by collecting coverage with Frida Stalker.
- Outlook on more advanced fuzzing techniques: sanitizers, persistent fuzzing, snapshot fuzzing, CmpCov and CmpLog, test-case and corpus minimization.
- Asynchronous programming: Grand Central Dispatch (GCD) and threading; static analysis of asynchronous programming patterns: reverse-engineering blocks in Objective-C and Swift.
- Apps and daemons: XPC, entitlements and access control, tracing XPC messages.
Day 3 - Below User-Space: Kernel & Firmware
Learning objectives:
At the end of Day 3, through their understanding of Mach messages, syscalls, and IOKit calls, students will be able to follow how user-space applications interact with the iOS kernel through syscalls and IOKit. Students will be familiar with the latest iOS security features. Furthermore, students will be able to get started reverse engineering custom firmware implementations built on Apple's RTKit RTOS. As an outlook, students will be able to put the concepts of the complete three-day course in the context of current public security research.
Topic overview:
- iOS kernel overview: main components, drivers, and open-source parts.
- Where user space meets kernel space: IOKit drivers and syscalls.
- Mach messages everywhere – a look at which interactions are implemented via Mach messages and how.
- Sandbox profiles and their enforcement in user and kernel space.
- Hardware-based protections and their evolution over time, e.g., PAC, PAN, PXN, CTRR, PPL, SPTM, TXM, Conclaves, Exclaves, (E)MTE, and more.
- A look into Conclaves and Exclaves in the latest iOS version.
- Beyond the AP – The Co-Processors in an iPhone.
- RTKit firmware – Apple's internal firmware formats (Mach-O, ftab), main RTKitOS components.
- Patch diffing of co-processor firmware updates.
- Discussion of real-world applicability of learned techniques using recent public research.
Who should attend?
This class is aimed at anyone interested in mobile app and system security, including pentesters, security or vulnerability researchers, or app developers.
Prerequisites
Students will need to feel comfortable using a Linux/macOS command line. While familiarity with JavaScript and Python is helpful, an understanding of common scripting language concepts is sufficient to follow the course and complete the exercises, as we will refer to examples and documentation and provide guidance where required. Note that this class is very hands-on and you will need to write some code to follow along.
Required Hardware / Materials
Students need access either to a physical jailbroken iPhone/iPad (iPhone 8 or higher, iOS 16 or higher; an iPad 7th Gen Wi-Fi with iPadOS 18 is recommended) or a virtual iOS device (Corellium, eShard, super-tart vphone, ...). A physical device is preferred over a virtual one, as some exercises close to the hardware will not work on virtual devices. The trainer will lend jailbroken iPhones/iPads to students for the duration of the training if needed.
The best tool support is available on macOS, but we aim to support Linux and Windows as well. Students on Windows will need a laptop capable of running a virtual machine with internet connectivity and USB pass-through (when using a physical device), with 16 GB of RAM and 40 GB of free disk space. Students on other platforms (macOS/Linux) can either install the tools natively or use the VM.
Hex-Rays is sponsoring free IDA Classroom licenses with a cloud decompiler for this training!
Trainer
Jiska Classen is a wireless and mobile security researcher and research group leader. The intersection of these topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies; for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement and reverse engineered Apple's AirTag communication protocol. She has previously spoken at Black Hat USA, DEF CON, REcon, hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulaschprogrammiernacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, and NotPinkCon, has given various lectures and trainings, and has published at prestigious academic venues.