• Online, Self-Paced
Course Description

Each iOS application runs in a separate virtual machine, or sandbox. Applications may also be subjected to dynamic analysis, or fuzzing, in which malformed input is intentionally fed to an application in order to uncover security issues. Return-oriented programming may also be used in attempts to reveal certain application vulnerabilities, and devices may be jailbroken to make them more open to developers, who can then better evaluate system security. In this course, you will learn about sandboxes and how to initialize them, how to secure iOS applications and devices for the enterprise, how to design and administer fuzz tests on iOS applications, how to defend applications against exploits, how to use return-oriented programming to reveal application vulnerabilities, and how to install and use jailbreaking tools on iOS devices.

Learning Objectives

Understanding the iOS Sandbox

  • start the course
  • identify iOS Sandbox components and describe how they are related
  • describe how runtime process security makes use of sandboxing to protect applications and their data on iOS 8 devices
  • describe how extensions are sandboxed to protect their files and memory space in iOS
  • describe how applications are launched under a sandbox and how applications are restricted to their own container directories in the App Store

Securing iOS for Enterprise

  • identify the contents of a configuration profile and how to identify configuration profile payload types
  • describe the general functionality of the Apple Configurator
  • use Apple Configurator to create a new configuration profile
  • use Apple Configurator to update and remove configuration profiles
  • configure and run the Profile Manager service
  • enroll a user device with the OS X Server mobile device management service using the user's Profile Manager web portal
  • enroll a user device with the OS X Server mobile device management service by downloading and installing an enrollment profile

Fuzzing iOS Applications

  • describe the basic idea behind fuzzing and how it is used to reveal security issues in iOS applications
  • describe steps for carrying out a fuzz test
  • carry out a fuzz test on the Safari web browser on Mac OS X Yosemite

Defending Against Exploitation

  • describe how use-after-free and double-free bugs are exploited
  • describe the concept of regions and how regions are allocated and deallocated
  • describe the TCMalloc allocator, including large- and small-object allocation and deallocation

Understanding Return-Oriented Programming

  • describe the background of ROP and the basics of the ARM architecture
  • describe how system calls are invoked on ARM
  • describe the ARM calling convention on iOS

Practice: Working with Device Administration

  • create a new configuration profile using Apple Configurator and enroll a device using the OS X Profile Manager service

Framework Connections

The materials within this course focus on the Knowledge, Skills and Abilities (KSAs) identified within the Specialty Areas of the National Cybersecurity Workforce Framework.