// Comparison

Designing Secure Software vs iOS Application Security: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

5/52021

A Guide for Developers

Loren Kohnfelder

Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

Intermediate

3/52016

iOS Application Security

The Definitive Guide for Hackers and Developers

David Thiel

David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.

Read this if

Senior developers and architects who already write code well and now want to design systems that don't ship CVEs. Kohnfelder is the author who literally wrote the X.509 paper; the book is a career's worth of design wisdom in 312 pages.

Mobile security pentesters and iOS developers who need a practical guide to the platform's security surface. Thiel covers the sandbox, Keychain, runtime, code signing, and the typical class of mistakes shipped iOS apps make.

Skip this if

Beginners or readers wanting hands-on tooling. The book is design-level: principles, patterns, and case studies. Pair with implementation-level books for the line-of-code view.

Readers wanting current (post-2018) iOS specifics. The book pre-dates significant Apple platform changes (App Tracking Transparency, modern entitlement model, modern keychain access groups); principles transfer, specifics don't.

Key takeaways

Secure-by-design is mostly avoided pitfalls; the book's enumeration of common-but-fatal mistakes is the cleanest mental checklist a designer can carry.
Trust boundaries are the single most useful concept in secure design; the book teaches you to see them in any architecture.
Most security debates inside engineering organizations resolve to a handful of repeated trade-offs (defense in depth vs. simplicity, blocking vs. logging, fail-open vs. fail-closed); the book names them and provides the language for the conversation.

Most iOS app vulnerabilities are at the app layer, not the platform layer; the book's framing aligns with what real pentests actually find.
Keychain misuse and insecure storage are still the dominant findings on real engagements; the book's chapter on them is the practical core.
Frida and Objection have largely replaced the older runtime-introspection tooling described here; the workflow translates, the tools have moved on.

How they compare

We rate Designing Secure Software higher (5/5 against 3/5 for iOS Application Security). For most readers, that means Designing Secure Software is the primary pick and iOS Application Security is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Designing Secure Software and iOS Application Security both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Designing Secure Software

→ Alternatives to Designing Secure Software → What to read after Designing Secure Software