// Comparison

iOS Application Security vs Threat Modeling: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

3/52016

The Definitive Guide for Hackers and Developers

David Thiel

David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.

Intermediate

5/52014

Threat Modeling

Designing for Security

Adam Shostack

Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.

Read this if

Mobile security pentesters and iOS developers who need a practical guide to the platform's security surface. Thiel covers the sandbox, Keychain, runtime, code signing, and the typical class of mistakes shipped iOS apps make.

Anyone who designs systems and wants to ship fewer bugs in production. Threat modeling is the highest-leverage security practice for developers; this is the book that finally made it teachable.

Skip this if

Readers wanting current (post-2018) iOS specifics. The book pre-dates significant Apple platform changes (App Tracking Transparency, modern entitlement model, modern keychain access groups); principles transfer, specifics don't.

Readers wanting a quick checklist or a one-pager. Shostack is comprehensive: STRIDE, attack trees, data-flow diagrams, the kill chain, all with extended worked examples. Skim-reading is a waste of the book.

Key takeaways

Most iOS app vulnerabilities are at the app layer, not the platform layer; the book's framing aligns with what real pentests actually find.
Keychain misuse and insecure storage are still the dominant findings on real engagements; the book's chapter on them is the practical core.
Frida and Objection have largely replaced the older runtime-introspection tooling described here; the workflow translates, the tools have moved on.

STRIDE is a forcing function for systematic thinking, not a complete model; the book teaches you when to use it and when to switch frames (attack trees, attacker personas, kill chains).
Most "threat modeling tools" are spreadsheet-with-diagrams; the actual lift is the conversation those tools structure, not the document.
Threat modeling fits inside agile and works at PR-review timescale once you've done it three or four times; the book makes the case repeatedly with examples.

How they compare

We rate Threat Modeling higher (5/5 against 3/5 for iOS Application Security). For most readers, that means Threat Modeling is the primary pick and iOS Application Security is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

iOS Application Security and Threat Modeling both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

iOS Application Security

→ Alternatives to iOS Application Security → What to read after iOS Application Security