iOS Application Security
The Definitive Guide for Hackers and Developers
David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.
- Authors: David Thiel
- Published: 2016
- Publisher: No Starch Press
- Pages: 296
- Language: English
Read this if
Mobile security pentesters and iOS developers who need a practical guide to the platform's security surface. Thiel covers the sandbox, Keychain, runtime, code signing, and the typical class of mistakes shipped iOS apps make.
Skip this if
Readers wanting current (post-2018) iOS specifics. The book pre-dates significant Apple platform changes (App Tracking Transparency, later changes to entitlements and keychain access groups); the principles transfer, the specifics do not.
Key takeaways
- Most iOS app vulnerabilities are at the app layer, not the platform layer; the book's framing aligns with what real pentests actually find.
- Keychain misuse and insecure storage are still the dominant findings on real engagements; the book's chapter on them is the practical core.
- Frida and Objection have largely replaced the older runtime-introspection tooling described here; the workflow translates, the tools have moved on.
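The keychain and storage finding the second takeaway refers to usually comes down to one attribute. The snippet below is an added example written for this page, not code from Thiel's book: it shows the weak keychain accessibility class beside the hardened one, and the plaintext UserDefaults pattern that pentesters still find. The service and account names and the token value are constructed for illustration.

```swift
import Foundation
import Security

// Added example, not from the book. Service, account and token are constructed.
let service = "com.example.app"
let account = "session-token"
let token = Data("sess-0123".utf8)  // constructed sample secret

/// Stores `secret` under service/account with the given accessibility class,
/// replacing any existing item. Returns the OSStatus from SecItemAdd.
@discardableResult
func storeSecret(_ secret: Data, accessible: CFString) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)  // errSecItemNotFound is fine here
    var add = lookup
    add[kSecValueData as String] = secret
    add[kSecAttrAccessible as String] = accessible
    return SecItemAdd(add as CFDictionary, nil)
}

/// Reads the item back; nil if absent or not readable in the current lock state.
func readSecret() -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? (result as? Data) : nil
}

// Insecure storage: UserDefaults is a plaintext plist inside the app container,
// readable from a file-system dump or an unencrypted backup. Never put secrets here.
UserDefaults.standard.set(token, forKey: "session-token")

// Weak keychain use: readable whenever the device is powered on regardless of
// lock state, and migrated in backups to other devices. Apple has deprecated
// kSecAttrAccessibleAlways for exactly this reason.
storeSecret(token, accessible: kSecAttrAccessibleAlways)

// Hardened: readable only while the device is unlocked, and bound to this
// device's keychain key so the item is never restored onto another device.
storeSecret(token, accessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)

// If a background task genuinely needs the value before the user unlocks after
// a reboot, the narrowest relaxation is AfterFirstUnlockThisDeviceOnly.
// storeSecret(token, accessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)

_ = readSecret()
```

On an engagement the check is the reverse of the write: dump the keychain on a test device (Objection's keychain dump or a Frida script) and flag any app item whose accessibility class is Always or lacks the ThisDeviceOnly suffix, then grep the container's Library/Preferences plists for anything that looks like a credential.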
Notes
Pair with the OWASP Mobile Application Security Testing Guide for current tooling and with the iOS Hacker's Handbook (Miller et al.) for the deeper platform internals. For 2026-era iOS pentests, supplement heavily with current Apple documentation and Frida-cookbook resources.
What to read before
Intermediate · 2015
The Mobile Application Hacker's Handbook
Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.
Beginner · 2020
Alice and Bob Learn Application Security
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
Beginner · 2020
Web Security for Developers
Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.
What to read next
Intermediate · 2015
The Mobile Application Hacker's Handbook
Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.
Advanced · 2006
The Art of Software Security Assessment
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Explore similar books
Intermediate · 2015
The Mobile Application Hacker's Handbook
Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.