// Comparison

Black Hat GraphQL vs iOS Application Security: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52023

Attacking Next Generation APIs

Nick Aleks, Dolev Farhi

Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.

Intermediate

3/52016

iOS Application Security

The Definitive Guide for Hackers and Developers

David Thiel

David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.

Read this if

Anyone whose bug bounty or pentest scope includes GraphQL — and who keeps finding nothing because they're using web-app methodology. Aleks and Farhi cover introspection abuse, batching attacks, depth/complexity DoS, auth flaws, and the way GraphQL flattens the typical web threat model.

Mobile security pentesters and iOS developers who need a practical guide to the platform's security surface. Thiel covers the sandbox, Keychain, runtime, code signing, and the typical class of mistakes shipped iOS apps make.

Skip this if

Readers without GraphQL exposure in their work; the book is a specialization, not a general intro.

Readers wanting current (post-2018) iOS specifics. The book pre-dates significant Apple platform changes (App Tracking Transparency, modern entitlement model, modern keychain access groups); principles transfer, specifics don't.

Key takeaways

Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.

Most iOS app vulnerabilities are at the app layer, not the platform layer; the book's framing aligns with what real pentests actually find.
Keychain misuse and insecure storage are still the dominant findings on real engagements; the book's chapter on them is the practical core.
Frida and Objection have largely replaced the older runtime-introspection tooling described here; the workflow translates, the tools have moved on.

How they compare

We rate Black Hat GraphQL higher (4/5 against 3/5 for iOS Application Security). For most readers, that means Black Hat GraphQL is the primary pick and iOS Application Security is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Black Hat GraphQL and iOS Application Security both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Black Hat GraphQL

→ Alternatives to Black Hat GraphQL → What to read after Black Hat GraphQL