Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Is Attestation All We Need? Fooling Apple's AppAttest API

Hack In The Box Security Conference via YouTube

Overview

Explore the intricacies of Apple's AppAttest API and its vulnerabilities in this Hack In The Box Security Conference talk. Delve into the technology from a reverse engineering perspective, examining weak implementations and bottlenecks that allow for easy bypassing of security checks. Gain insights into proper usage techniques for software developers, and understand the limitations and benefits of this anti-tampering solution. Learn about client-side protections, resource integrity checks, and various bypass scenarios. Discover the speaker's background in information security, covering areas such as bug hunting, penetration testing, and red team operations. Analyze the validation steps, risk metrics, and assertion object verification process involved in AppAttest API implementation. Consider the implications for iOS versions and evaluate whether this technology should be implemented in your projects.

Syllabus

Intro
Igors background
Agenda
Coverage
Clientside protections
What is tampering
Antitampering methods
Resource integrity check
Trust
AppAttest API
Sample App
Generate Initial Key
Generate Hash Value
TestKey Function
Apples Server
AppAttest Object
Validation Steps
Risk Metric
Assertion Object
Verification
Assertion Object Validation
Does it mean we are protected
Not clear acceptance
Possible hooking patching
Bypass scenarios
Bypass Scenario 1
Bypass Scenario 2
iOS Versions
Validation
Benefits
Limitations
Should you implement it
Caveats
In conclusion
Resources
Thank you

Taught by

Hack In The Box Security Conference

Reviews

Start your review of Is Attestation All We Need? Fooling Apple's AppAttest API

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.