| Track: | OWASP MSTG |
|---|---|
| When: | Thu AM-1 |
| Where: | Pedley |
| Organizers | Sven Schleier |
| Participants | Ajy Gupta, Dominik de Smit, Jay Mbolda Yamdjeu, Jeroen Willemsen |
This session is about creating a blueprint for an iOS build pipeline that includes security checks/tools.
Why
Security tools for iOS are currently limited or lack wide coverage. Let’s identify the tools that work today and bring value to an iOS pipeline.
What
We want to make a summary of best practices and tools that should be part of an iOS pipeline and want to answer the following questions:
- Which approaches, scripts or (Open Source) tools can be used in an iOS pipeline:
  - To detect secrets
  - To do secret management
  - To scan source code (Objective-C and Swift)
  - To test if SSL Pinning is activated
  - To test if Root detection is activated
  - To test the configuration of ATS
  - To check 3rd party libraries (CocoaPods and Carthage) and their licenses
- How to maintain the certificates for signing an app?
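As an added example for the ATS item above (written for this page, not tooling from the session or its repository), a pipeline check that parses a constructed Info.plist with Python's `plistlib` and flags App Transport Security settings that weaken the defaults; the bundle identifier and domains are made up.

```python
import plistlib

# Constructed Info.plist fragment (not from any real app): one global
# exception, one domain with two weakened rules, and one sound domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Global keys that switch off ATS protections for the whole app or a class of loads.
WEAK_GLOBAL_KEYS = ("NSAllowsArbitraryLoads",
                    "NSAllowsArbitraryLoadsInWebContent",
                    "NSAllowsArbitraryLoadsForMedia")

def ats_findings(plist_bytes):
    """Return (scope, message) pairs for ATS settings that weaken the defaults."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    findings = []
    if ats is None:
        return findings  # no dictionary means ATS defaults: HTTPS and TLS 1.2+
    for key in WEAK_GLOBAL_KEYS:
        if ats.get(key) is True:
            findings.append((key, "global ATS exception enabled"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append((domain, "plaintext HTTP allowed"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append((domain, f"minimum TLS version lowered to {tls}"))
    return findings

if __name__ == "__main__":
    # Pipeline use: a non-empty result should fail the build or open a ticket.
    for scope, msg in ats_findings(SAMPLE_PLIST):
        print(f"ATS finding: {scope}: {msg}")
```

The same function can be pointed at the Info.plist extracted from a built .ipa, so the check runs on what actually ships rather than on the source tree.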
The outcome of this session will be captured in the following public GitHub repo: https://github.com/sushi2k/iOS_pipeline
Who
The target audience for this Working Session is:
- iOS developers
- Penetration Testers
- DevOps engineers
- Security engineers
From experts to beginners: anybody who is passionate about iOS mobile security, has fun hacking, securing and/or developing mobile apps, loves to continuously learn and enjoys sharing knowledge.
What do you need to bring with you?
Ideally a laptop (a MacBook is recommended, but not mandatory) to research tools, build PoCs and contribute to the GitHub repo. Otherwise contributions can also be made verbally and the team will push them to the repo.
The outcome is hosted on GitHub and can easily be edited by anyone; all that is needed is a GitHub account and knowledge of how to create a pull request.
Outcomes
A summary of best practices and tools on how to build an iOS pipeline.
References
- TBD