Application security

Enhancements in Damn Vulnerable iOS app version 2.0

Prateek Gianchandani
June 16, 2015 by
Prateek Gianchandani

In this article, I would like to give a quick walkthrough of the new vulnerabilities and challenges that we have added in version 2.0 of Damn Vulnerable iOS app.

In the Insecure Data storage section, we have added challenges for the following databases.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

  • Realm Database
  • Couchbase Lite
  • YapDatabase

1

2

3

 

We have also added a new section on Extension vulnerabilities, which covers vulnerabilities in different application extensions, a feature that was introduced with iOS 8.

4
5

In the Runtime Manipulation section, we have added a challenge where you can write a cycript script to brute force a login screen.

6

Another new section is Attacks on third party libraries, which demonstrates the security gaps that can occur in your application when you use third party libraries in your project.

7

8

9

10

11

12

 

In the section on Side Channel Data leakage, we have added another vulnerability demonstrating insecure storage of cookies.

13

The current downloadable IPA file from the website is a fat binary that will work on both 32 bit and 64 bit devices. This app will work on all iOS versions starting from iOS 7.0.

Some important links

  1. Official Website
  2. Github Page
  3. Downloads Page

We are working on getting the new solutions out as soon as possible so please be patient. For previous vulnerabilities, you can download the solutions for free from here.

For any bugs, suggestions etc, please don't hesitate to contact me. Also, a very special thanks to Egor for his contributions to the project.

Prateek Gianchandani
Prateek Gianchandani

Prateek Gianchandani, a recent IIT graduate, has interests in the field of Penetration Testing, Web Application Security and Intrusion Detection. He is currently a researcher for InfoSec Institute. In the past he has worked for security-based startups.

You can contact him at prateek.searchingeye@gmail.com and on twitter @prateekg147 or you can visit his personal website at highaltitudehacks.com