iOS Application Security vs Real-World Cryptography: Which Should You Read?
Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.
The Definitive Guide for Hackers and Developers
David Thiel
David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Read this if
Skip this if
Key takeaways
- Most iOS app vulnerabilities are at the app layer, not the platform layer; the book's framing aligns with what real pentests actually find.
- Keychain misuse and insecure storage are still the dominant findings on real engagements; the book's chapter on them is the practical core.
- Frida and Objection have largely replaced the older runtime-introspection tooling described here; the workflow translates, the tools have moved on.
- Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
- TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight; this book teaches the patterns.
- Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.
How they compare
We rate Real-World Cryptography higher (5/5 against 3/5 for iOS Application Security). For most readers, that means Real-World Cryptography is the primary pick and iOS Application Security is a useful follow-up.
Both books target intermediate-level readers, so the choice is about topic, not difficulty.
iOS Application Security and Real-World Cryptography both cover AppSec, so reading them in sequence reinforces the same material from different angles.