Abstract
OWASP iGoat is an open source self-learning tool for iOS developers and mobile app pentesters. The best thing about iGoat is that it follows a client-server architecture and supports all iDevices, including iPad, iPhone, iPod and the Macbook simulator for iOS 8/9/10. It was inspired by the WebGoat project and has a similar conceptual flow. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson. Each lesson is laid out in the following steps: a brief introduction to the problem; verifying the problem by exploiting it; a brief description of the available remediations; and fixing the problem by correcting and rebuilding the iGoat program. This talk is all about how iOS developers and security analysts can dive deep into iOS app security using the iGoat tool. It will start from setting up iGoat and go through to exploiting the latest vulnerabilities in iOS apps. I’ll also release a new version of iGoat with tons of new exercises at Appsecusa 2017.
AI Generated Summary
iGoat is a free, open-source learning tool designed for iOS developers and penetration testers to understand and address mobile application security vulnerabilities. Inspired by the WebGoat project, it employs a structured lesson format where users first exploit a specific vulnerability within a controlled iOS application environment and then learn to remediate it by modifying and rebuilding the source code.
The tool covers a wide range of iOS-specific security issues through practical challenges. Key techniques demonstrated include insecure local data storage (e.g., plaintext credentials), flawed cryptographic key management (hard-coded keys, server-side key retrieval, and hardware-derived keys), URL scheme abuse for unauthorized actions, cloud service misconfigurations (such as publicly accessible S3 buckets), and injection attacks (SQL injection, cross-site scripting) within both local and backend contexts. The architecture is a client-server model, with the vulnerable iOS app communicating with a backend server, and it runs on all iOS devices and simulators without restriction.
A notable feature is the Keychain Analyzer, which allows developers to inspect the secure storage contents of their own applications. The project emphasizes a “learn by doing” approach, pairing each attack vector with its corresponding secure coding solution. This dual focus provides practical implications for both audiences: pen testers gain hands-on experience with common iOS exploit techniques, while developers learn defensive coding patterns and secure architecture choices directly within the relevant codebase. The project is community-driven, with contributions expanding its lesson library to include topics like code obfuscation and third-party library risks. iGoat is available on GitHub as an educational resource for improving iOS security practices throughout the development lifecycle.