Apple iOS 4 Security Evaluation

Apple iOS 4 Security EvaluationDino A. Dai ZoviTrail of Bits LLC

DisclaimersI have never worked for Apple, but I have a crippling addiction tobuying and tinkering with their products.I have never received any monetary compensation from Apple,but they have sent me some free shwagI have been mistaken by strangers on the street for being an offdutyApple Store employeeI hacked a Mac once, but don’t worry, it wasn’t yours.Charlie Miller and I wrote an entire book on hacking the Mac andI still have never met Steve Jobs. I blame Charlie.

AcknowledgementsiPhone jailbreak developer communityChronic Dev Team, Comex for releasing tools with sourceThe iPhone Wiki for excellent up-to-date documentationOther security researchers with great iOS researchJean-Baptiste Bedrune, Jean Sigwald (SOGETI ESEC)Dion BlazakisStefan Esser

Focus of This TalkWhat enterprise users need to know about iOS securityfeatures and properties to make informed deployment,configuration, usage, and procedure decisionsHow iOS security compares to competing mobileplatformsAssorted iOS implementation details and internalsInteresting places for reverse engineers and vulnerabilityresearchers to look (if they are paying close attention)

OverviewIntroductionASLRCode SigningSandboxingData Encryption

Introduction

Security ConcernsSensitive data compromise from lost/stolen deviceWhat data can be recovered by attacker?Malicious AppsWhat is the likelihood of DroidDream for iOS?Remote attacks through web browser, e-mail, etc.Is that a desktop (aka APT target) in your pocket?

Remote Attack GraphMaliciousDataExploit MemoryCorruptionVulnerabilityReturnorientedExecutionBypass CodeSigningEnforcementSandboxedNative CodeExecutionEscapeSandboxUnprivilegedNative CodeExecutionExploitPrivilege EscalationVulnerabilityExploit KernelVulnerabilityPrivileged NativeCode ExecutionTemporaryJailbreakJailbreakrunningkernelKernel ModeCode Execution

Persistence Attack GraphPrivileged NativeCode ExecutionDrop ExecutableThat Runs at BootBoot-timeBinaryExecutionExploit Incomplete CodeSigning VulnerabilityReturnorientedexecution...Kernelmode codeexecutionJailbreakrunningkernelObtainApple'sPrivate KeyOverwritekernelcacheUntetheredJailbreak

Address Space LayoutRandomization

Security ConcernsHow hard is it to remotely exploit built-in or thirdpartyapplications?Malicious web page in Safari or third-party appwith embedded browser (i.e Facebook, Twitter)Malicious e-mail message or attachment in MailMan-in-the-middle and corrupt networkcommunication of third-party apps

iOS 4.3 ASLRASLR is a common runtime security feature on desktopand server operating systems and is a good genericprotection against remote exploitsiOS 4.3 introduced ASLR supportiOS 4.3 requires iPhone 3GS and later (ARMv7)Apps must be compiled with PIE support for full ASLR,otherwise they only get partial ASLRiOS 4.3 built-in apps and executables are all PIE

ASLR with PIEExecutable Heap Stack Libraries Linker0xd2e48 0x1cd76660 0x2fecf2a8 0x35e3edd1 0x2fed00000xaae48 0x1ed68950 0x2fea72a8 0x35e3edd1 0x2fea80000xbbe48 0x1cd09370 0x2feb82a8 0x35e3edd1 0x2feb90000x46e48 0x1fd36b80 0x2fe432a8 0x35e3edd1 0x2fe440000xc1e48 0x1dd81970 0x2febe2a8 0x35e3edd1 0x2febf000Reboot0x14e48 0x1dd26640 0x2fe112a8 0x36146dd1 0x2fe120000x62e48 0x1dd49240 0x2fe112a8 0x36146dd1 0x2fe600000x9ee48 0x1d577490 0x2fe9b2a8 0x36146dd1 0x2fe9c0000xa0e48 0x1e506130 0x2fe9d2a8 0x36146dd1 0x2fe9e0000xcde48 0x1fd1d130 0x2feca2a8 0x36146dd1 0x2fecb000

ASLR without PIEExecutable Heap Stack Libraries Linker0x2e88 0x15ea70 0x2fdff2c0 0x36adadd1 0x2fe000000x2e88 0x11cc60 0x2fdff2c0 0x36adadd1 0x2fe000000x2e88 0x14e190 0x2fdff2c0 0x36adadd1 0x2fe000000x2e88 0x145860 0x2fdff2c0 0x36adadd1 0x2fe000000x2e88 0x134440 0x2fdff2c0 0x36adadd1 0x2fe00000Reboot0x2e88 0x174980 0x2fdff2c0 0x35e3edd1 0x2fe000000x2e88 0x13ca60 0x2fdff2c0 0x35e3edd1 0x2fe000000x2e88 0x163540 0x2fdff2c0 0x35e3edd1 0x2fe000000x2e88 0x136970 0x2fdff2c0 0x35e3edd1 0x2fe000000x2e88 0x177e30 0x2fdff2c0 0x35e3edd1 0x2fe00000

Partial vs. Full ASLRPIEMainExecutableHeapStackSharedLibrariesLinkerNoFixedRandomizedperexecutionFixedRandomizedper devicebootFixedYesRandomizedperexecutionRandomizedper execution(moreentropy)RandomizedperexecutionRandomizedper devicebootRandomizedperexecution

Identifying PIE supportotool -hv $ otool -hv MobileSafariMobileSafari:Mach headermagic cputype cpusubtype caps filetype ncmds sizeofcmds flagsMH_MAGIC ARM V7 0x00 EXECUTE 40 4560 NOUNDEFS DYLDLINKTWOLEVEL PIEhexdump$ hexdump -C MobileSafari | head00000000 ce fa ed fe 0c 00 00 00 09 00 00 00 02 00 00 00 |................|00000010 28 00 00 00 d0 11 00 00 85 00 20 00 01 00 00 00 |(......... .....|

PIE in Real-World Apps?

Top 10 Free AppsApp Version Post Date PIESongify 1.0.1 June 29, 2011 NoHappy Theme Park 1.0 June 29, 2011 NoCave Bowling 1.10 June 21, 2011 NoMovie-Quiz Lite 1.3.2 May 31, 2011 NoSpotify 0.4.14 July 6, 2011 NoMake-Up Girls 1.0 July 5, 2011 NoRacing Penguin, Flying Free1.2 July 6, 2011 NoICEE Maker 1.01 June 28, 2011 NoCracked Screen 1.0 June 24, 2011 NoFacebook 3.4.3 June 29, 2011 No

Bottom LineAll built-in apps in iOS 4.3 have full ASLR with PIE supportThird-party apps are rarely compiled with PIE support and runwith partial ASLRStatic location of dyld facilitates exploitation by providingknown executable material at a known place (code reuse,return-oriented programming, etc)Applications using a UIWebView are the highest risk(embedded browser in Twitter, Facebook, etc)

Code Signing

Security ConcernsCan this application be trusted to run on mydevice?Who (real-world entity) wrote it?How do we know it’s really them?Does it have any hidden functionality?Can it change functionality at run time?

Code SigningMandatory Code SigningEvery executable binary or application must have a validand trusted signatureEnforced when an application or binary is executedCode Signing EnforcementProcesses may only execute code that has been signedwith a valid and trusted signatureEnforced at runtime

Mandatory Code SigningCode Signing security modelCertificatesProvisioning ProfilesSigned ApplicationsEntitlements

CertificatesIdentify the real-world author or publisher of a piece ofsoftwarei.e. Apple verifies individual/company real-worldcredentialsMust be issued by and signed by AppleDevelopers are assigned unique application identifierprefixes

Provisioning ProfilesThe Provisioning Profile itself must be signed by AppleConfigures an iOS device to trust software signed bythe embedded certificateDefines which entitlements the developer ispermitted to give to applications they signProfile may be tied to one specific device or globalDevelopment vs. Distribution provisioning profiles

ApplicationIdentifierPrefix9ZJJSS7EFVCreationDate2010-08-20T02:55:55ZDeveloperCertificates...Entitlementsapplication-identifier9ZJJSS7EFV.*get-task-allowkeychain-access-groups9ZJJSS7EFV.*[ ... ]

Distribution ModelsOn-Device Development allows developers to build and testapplications on their own devicesAd-Hoc Distribution allows developers to beta test applicationson up to 100 other users’ devicesAppStore Distribution allows developers to publishapplications on the iTunes AppStoreIn-House Distribution allows Enterprise Developers todistribute their custom applications to any device

OTA App DistributionAd-Hoc and In-House Provisioning Profiles can bedistributed with the Application in a single archiveDeveloper must host the application .ipa archiveand manifest plist file on a web serverLink to manifest can be sent via e-mail, SMS, orother web pageWhen user clicks the link, iOS displays developerand application name in a cancel/allow dialog

Code Signing InternalsAppleMobileFileIntegrity kernel extension responsiblefor implementing code signing security policyInstalls MAC Framework policy hooks to enforceMandatory Code Signing and Code SigningEnforcementDynamic code signing implemented in xnu virtualmemory system (see kernel sources)Process’ code signing status tracked in proc.csflags

MAC Hook API Description AMFI Usagempo_vnode_check_signaturempo_vnode_check_execDetermine whether the givencode signature or codedirectory SHA1 hash are valid.Determine whether the subjectidentified by the credential canexecute the passed vnode.Checks for the given CDHashin the trust caches. If it is notfound, the full signature isvalidated by performing anRPC call to the userspaceamfid daemon. If a particularglobal flag is set(amfi_get_out_of_my_way),then any signature is allowed.Sets the code signingCS_HARD and CS_KILL flags,indicating that the processshouldn’t load invalid pagesand that the process shouldbe killed if it becomes invalid.mpo_proc_check_get_taskDetermine whether the subjectidentified by the credential canget the passed process's taskcontrol port.Allows if the target process hasthe get-task-allow entitlementand the source task hastask_for_pid-allow entitlement.

MAC Hook API Description AMFI Usagempo_proc_check_run_cs_invalidDetermine whether theprocess may executeeven though the systemdetermined that it isuntrusted (unidentified ormodified code)Allow execution if theprocess has the get-taskallow,run-invalid-allow, orrun-unsigned-codeentitlements or an RPCcall to amfid returnsindicating thatunrestricted debuggingshould be allowed.mpo_proc_check_map_anonDetermine whether thesubject identified by thecredential should beallowed to obtainanonymous memory withthe specified flags andprotections.Allows the process toallocate anonymousmemory if and only if theprocess has the dynamiccodesigningentitlement.

Normal Code SignatureExecutable=/.../9D3A8D85-7EDE-417A-9221-1482D60A40B7/iBooks.app/iBooksIdentifier=com.apple.iBooksFormat=bundle with Mach-O universal (armv6 armv7)CodeDirectory v=20100 size=14585 flags=0x0(none) hashes=721+5 location=embeddedHash type=sha1 size=20CDHash=ac93a95bd6594f04c209fb6bf317d148b99ac4d7Signature size=3582Authority=Apple iPhone OS Application SigningAuthority=Apple iPhone Certification AuthorityAuthority=Apple Root CASigned Time=Jun 7, 2011 11:30:58 AMInfo.plist entries=36Sealed Resources rules=13 files=753Internal requirements count=2 size=344

Ad-Hoc Code SignatureExecutable=/Developer/usr/bin/debugserverIdentifier=com.apple.debugserverFormat=Mach-O universal (armv6 armv7)CodeDirectory v=20100 size=1070 flags=0x2(adhoc) hashes=45+5 location=embeddedCDHash=6a2a1549829f4bff9797a69a1e483951721ebcbdSignature=adhocInfo.plist=not boundSealed Resources=noneInternal requirements count=1 size=152

Code SignatureVerificationiOS kernel has a static trust cache of CDHashesAMFI IOKit UserClient lets root load trust caches intodynamic trust cacheTrust cache must stored in a signed IMG3Kernel performs RPC call to usermode daemon toperform full binary code signature verificationKernel stores the CDHash of each verified binary in theMRU trust cache linked list

Code Signing Verificationvnode_check_signatureIsamfi_get_out_of_my_way true?NoIs CDHash in statictrust cache?NoIs CDHash indynamic trust cache?YesYesYesNoMove CDHashentry to front ofMRU linked listYesIs CDHash in MRUtrust cache?NoAdd CDHashentry to front ofMRU linked listSuccessRPC call to amfidverify_code_directoryFailureAllowYesIsamfi_allow_any_signaturetrue?NoDeny

AMFI Daemon/usr/libexec/amfidMessageIDSubroutineDescription1000 verify_code_directory1001 permit_unrestricted_debuggingVerifies the given code directory hashand signature for the executable at thegiven path. This checks whether thesignature is valid and that it should betrusted based on the built-in Applecertificates and installed provisioningprofiles (if any).Enumerates the installed provisioningprofiles and checks for a special Appleinternalprovisioning profile with theUDID of the current device that enablesunrestricted debugging on it.

Bypassing Code SigningIncomplete Code Signing 1 ExploitsManipulate dynamic linker to perform stack pivotand execute return-oriented payloadInterposition exploit (4.0), Initializers exploit (4.1)More recent exploits use relocations to dynamicallyadjust ROP payloads to compensate for ASLRiOS 4.3.4 strengthens iOS defenses against these1http://theiphonewiki.com/wiki/index.php?title=Incomplete_Codesign_Exploit

Code Signing EnforcementEnsure that process stays dynamically validNo introduction of new executable codeAlready loaded executable code can’t bechangedGuarantees that the app code that was reviewed iswhat runs on the deviceAlso just happens to prevent injecting shellcode

csopsint csops(pid_t pid, uint32_t ops, user_addr_t useraddr, user_size_t usersize);System call to interact with a process’ codesigning stateGet code signing statusSet code signing flags (CS_HARD, CS_KILL)Get executable pathname, code directory hash,active running slice

CS OpsFlag Value DescriptionCS_OPS_STATUS 0 Return process CS statusCS_OPS_MARKINVALID 1 Invalidate processCS_OPS_MARKHARD 3 Set CS_HARD flagCS_OPS_MARKKILL 4 Set CS_KILL flagCS_OPS_PIDPATH 5 Get executable’s pathnameCS_OPS_CDHASH 6 Get code directory hashCS_OPS_PIDOFFSET 7 Get offset of active Mach-O slice

CS Status FlagsFlag Value DescriptionCS_VALID0x00001 Process is dynamically validCS_HARD0x00100 Process shouldn’t load invalid pagesCS_KILLCS_EXEC_SET_HARDCS_EXEC_SET_KILLCS_KILLED0x002000x010000x020000x10000Process should be killed if it becomesdynamically invalidProcess should set CS_HARD on anyexec’d childProcess should set CS_KILL on any exec’dchildThe process was killed by the kernel forbeing dynamically invalid

iOS 4.3 Adds JavaScript JIT

# ldid -e /Applications/MobileSafari.app/MobileSafaricom.apple.coreaudio.allow-amr-decodecom.apple.coremedia.allow-protected-content-playbackcom.apple.managedconfiguration.profiled-accesscom.apple.springboard.opensensitiveurldynamic-codesigningkeychain-access-groupscom.apple.cfnetworkcom.apple.identitiescom.apple.mobilesafariplatform-applicationseatbelt-profilesMobileSafari

AMFI MAC HookMAC Hook API Description AMFI Usagempo_proc_check_map_anonDetermine whether thesubject identified by thecredential should beallowed to obtainanonymous memory withthe specified flags andprotections.Allows the process toallocate anonymousmemory if and only if theprocess has the dynamiccodesigningentitlement.

Dynamic Code SigningThe dynamic-codesigning entitlement allows theprocess to map anonymous memory with anyspecified protections.Only MobileSafari has this entitlement in iOS 4.3Necessary for JavaScript native JIT (“Nitro”)Previously MobileSafari did bytecode JIT

Bottom LineMandatory Code Signing in iOS is strong defense againstexecution of unauthorized binariesRequires incomplete code signing exploits to bypass andobtain return-oriented executionCode signing forces attackers to develop fully ROP payloadsDEP/NX only require a ROP stage to allocate newexecutable memory and copy shellcode into itJIT support in Safari reduces ROP requirements to a stage

Sandboxing

Security ConcernsCan an exploited app or malicious third-partyapp...Access or modify data belonging to otherapplications?Access or modify potentially sensitive userinformation?Break out of the sandbox and rootkit iOS?

Sandboxing in iOSBased on same core technologies as Mac OS X sandboxSee Dion’s “The Apple Sandbox” from BHDC 2011 formore information on internalsModified his tools to decompile iOS 4.3 profilesiOS only supports static built-in profilesProcess’ sandbox profile is determined by seatbeltprofilesentitlement

Sandbox Kernel ExtensionInstalls MAC Hooks on all secured operationsMAC hooks evaluate a binary decision tree tomake access determinationSandbox profiles consist of the set of decisiontrees defined for each defined operation withconditional filters based on requested resourcei.e. does file name match this regex?

Built-in Sandbox ProfilesBackground daemons: accessoryd, apsd,dataaccessd, iapd, mDNSResponder, etc.Built-in Apps: MobileMail, MobileSafari,MobileSMS, Stocks, YouTube, etc.Third-party Apps: container and container2(iBooks)

Third-Party ApplicationsAssigned a dedicated portion of the file system(“container” or “application home directory”) eachtime it is installedCan a rogue application escape the sandbox andread other applications’ data or modify the devicefirmware?

App Home DirectorySubdirectory.app/Documents/Library/DescriptionThe signed bundle containing the application code and staticdataApp-specific user-created data files that may be shared withthe user’s desktop through iTunes’s “File Sharing” featuresApplication support filesLibrary/Preferences/Library/Caches/tmp/Application-specific preference filesApp-specific data that should persist across successivelaunches of the application but not needed to be backed upTemporary files that do not need to persist across successivelaunches of the application

Container ProfileSee whitepaper for detailed description and tarball for fullydecompiled profileSummary:File access is generally restricted to app’s home directoryCan read media: songs, photos, videosCan read and write AddressBookSome IOKit User Clients are allowedAll Mach bootstrap servers are allowed

Mach Bootstrap ServersAll Mach tasks have access to a bootstrap port tolookup service ports for Mach RPC servicesOn iOS, this is handled by launchd141 RPC servers accessible from appsRisk of being exploited over RPCMay present risk of allowing apps to performunauthorized or undesirable actions

Example Serverscom.apple.UIKit.pasteboarddcom.apple.springboardcom.apple.MobileFileIntegritycom.apple.fairplaydcom.apple.mobile.obliterationcom.apple.iTunesStore.daemon

Bottom LineRemote exploits are most likely able to break out of sandbox byexploiting iOS kernel or IOKit UserClients permitted by sandboxprofileRogue applications would need to exploit and jailbreak thekernel to escape sandboxCould repurpose kernel exploits from JailbreaksApple’s review will likely catch thisOTA app distribution bypasses Apple’s review (target userinteraction required)

Data Encryption

Security ConcernsWhat sensitive data may be compromised if adevice is lost or stolen?What data is encrypted?What data is protected by the passcode?How hard is it to crack iOS passcodes?Can they be cracked off the device?

Data EncryptionWhat you need to know about Data Encryption iniOS to make informed deployment andconfiguration decisionsFor more internals and implementation details,refer to excellent “iPhone Data Protection inDepth” 1 from HITB Amsterdam 20111 http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf

Encryption LayersEntire filesystem is encrypted using block-based encryption with File SystemKeyFSK is stored on the flash, encrypted using key derived from UID KeyEach file has a unique encryption key stored in an extended attribute,protected by Class KeyClass Keys are stored in the System KeyBagSome Class Keys are protected by a key derived from the user’s passcode(Passcode Key)Certain Class Keys are also protected by the device-specific UID Key that isembedded in hardware and inaccessible to code running on CPU

Data Protection APIApplications must specifically mark files on thefilesystem and Keychain items with a ProtectionClass in order for them receive greater protectionFiles and Keychain items can be madeinaccessible when the device is locked(protected by Passcode Key)Keychain items can be made non-migratable toother devices (protected by UID Key)

Data ProtectionCoverageIn iOS 4, DP is only used by the built-in Mail appProtects all mail messages, attachments, and indexesProtects passwords for IMAP, SMTP serversProtected items are only accessible when device is unlockedExchange ActiveSync passwords are accessible always topreserve remote wipe functionalityDP is also used for automatic UI screenshots generated whenuser hits the Home Button.

Attacking PasscodeWith knowledge of passcode, you can decrypt the data protectedby iOS Data ProtectionIncreasing incorrect passcode delay and forced device wipe aftertoo many incorrect guesses are enforced by UISpringboard -> MobileKeyBag Framework -> AppleKeyStoreIOKit UserClient -> AppleKeyStore Kernel ExtensionOn a jailbroken device, you can guess passcodes directly using theMKB Framework or AppleKeyStore IOKit User ClientJailbreak device using BootROM exploit, install SSH bundle,restart, and log in via SSH over USBMUX

Passcode KeyPasscode Key is derived using PBKDF2 using AESwith the Device Key as the hashing functionCannot derive key off of the device that createdit unless you can extract the UID Key from thehardwareIteration count of PBKDF2 is tuned to hardwarespeedRoughly 9.18 guesses/second on iPhone4

Worst-Case PasscodeGuessing Time (iPhone4)Passcode Length Complexity Time4 Numeric 18 minutes4 Alphanumeric 51 hours6 Alphanumeric 8 years8 Alphanumeric 13 thousand years8Alphanumeric,Complex2 million yearsAssuming 26 lowercase letters + 10 digits + 34 complex characters = 70 chars

Bottom Line6-character alphanumeric passcodes are probably sufficientUnless attacker can extract UID Key from hardwareLack of thorough Data Protection coverage is a serious issueWait to see what iOS 5 coversAudit third-party apps for Data Protection usageiPad2 and later have no public Boot ROM exploits, makingattacks on lost devices much more difficult and unlikely

Conclusion

FindingsThird-party applications without PIE support won’t get full ASLR andare easier to exploit, especially if they have an embedded web browserIn-House Distribution Certificates and Provisioning Profiles allow theirapps to run on all devices, Enterprise Developers should protect themAttackers could steal them and use OTA distribution and socialengineering to bypass Apple’s AppStore reviewAs of iOS 4.3, Safari’s dynamic-codesigning entitlement makesbrowser exploits require a ROP stage, not full ROPAll 140+ iOS Mach RPC servers are allowed through sandbox profile,may allow apps to perform undesirable actions

FindingsAlthough filesystem is encrypted with block-levelencryption, exploiting the device’s BootROM andbooting jailbroken can be used to read the dataIn iOS 4, Data Protection only protects Mailmessages and passwords (and screenshots) withuser’s passcodeWhile passcode must be cracked on-device, defaultsimple passcodes are brute-force cracked in lessthan 20 minutes

iOS vs. Android/BlackBerryHow does iOS security compare to Android andBlackBerry?iOS Data Protection not nearly as thorough asBlackBerry’s Content ProtectionBlackBerry’s browser is based on same WebKit asiOS and Android browsers, but has no sandbox (seePWN2OWN 2011)Android has no ASLR or NX, significantly weaker appisolation, and root can load kernel modules

Unique to iOSDynamic Code Signing EnforcementStronger defense against remote native codeinjection than DEP/NX/W^XKernel is secured against user mode codeEven the superuser (root) has to exploit thekernel in order to run kernel mode code

On JailbreakingModern jailbreaks require multiple exploits to defeat the layeredprotections in iOS1 BootROM exploit required for tethered jailbreak1 BootROM, 1 Incomplete Code Signing, and 1 Kernel exploitrequired for untethered jailbreak1 Safari, 1 Kernel exploit required for remote temporary jailbreak1 Safari, 1 Kernel, 1 Incomplete Code Signing exploit for remoteuntethered jailbreak (i.e. JailbreakMe)Jailbreaking essentially reduces iOS security to level of Android

Attacks You ShouldCare Most AboutLost/stolen deviceHow well is iOS and third-party app data protected?Repurposed jailbreak exploitsJailbreakMe PDF attacks via e-mail or webStolen Enterprise In-House Distribution Certificate andsocial engineering OTA app linksApps containing kernel exploit from JB

Hardware AdviceiPhone 3G and earlier shouldn’t be allowedNo longer supported by iOSNo device encryption supportPermanently jailbroken via Boot ROM exploitsiPad 2 has no public Boot ROM exploits, making itsafer than earlier iOS devices

Bottom LineShould you deploy iOS devices for enterprise use?Wait for iOS 5, hopefully DP API is more thoroughAudit any apps w/ enterprise data for Data Protection API usageor poor use of custom cryptographyPrefer iPad2 and to-be-released iPhone because they don’t haveknown BootROM exploitsUse an MDM product and apply security policy to all devicesDon’t let users jailbreak the devices or else you may as well justgive them Android devices

One more thing...

hobbyOne more thing...

previewhobbyOne more thing...

Google Trends: Mac, iPhone

$99

iOS Fuzz Farm

iOS Fuzz Farm• 4 x Apple TVs, switch, power strip = ~$500• Totally headless, only accessible via SSH• Perfect size for operating out of small NYCapartments• Nowhere near operational yet• Need to write iOS test harness• Some mechanism for testing GUI iOS apps

Questions?• Final slides and whitepaper available on blog:http://blog.trailofbits.com• @dinodaizovi / ddz@theta44.org