Understanding Input Risks (Duration: 14:13)
In this segment, we learn the difference between trusted and untrusted data, as well as how to identify and diagram trust boundaries both within and outside our app.
AutoCorrect And AutoFill (Duration: 10:43)
In this segment, we examine the specific risks associated with iOS autocorrection and autofill, and how to programmatically address those risks.
Activity: Disabling AutoCorrection (Duration: 10:53)
In this activity, we practice disabling autocorrection in Swift.
Special Characters (Duration: 14:23)
In this segment, we examine what special characters are and the risk they pose when included in an input string. We also learn about string literals in Swift and how to escape special characters. We are also introduced to raw string examples in Swift 5.1.
Special Characters, Part 2 (Duration: 7:28)
In this segment, we continue our exploration of Swift 5.1 raw strings. We also examine what Unicode scalar values are and list how to deal with unsafe characters.
Format String Attack (Duration: 7:58)
In this segment, we learn what format strings are and work with examples in Swift.
Format String Attack, Part 2 (Duration: 8:38)
In this segment, we continue our study of format strings in Swift.
Format String Attack, Part 3 (Duration: 6:49)
In this segment, we learn how format strings can be abused by attackers. We examine the most common NSString parameters that are used in format string attacks. We also learn which C, Core Foundation and Cocoa functions are the most vulnerable to format string attacks.
Activity: Playing With Format Strings (Duration: 9:53)
In this activity, we practice working with format strings in Swift.
Input Sanitization (Duration: 12:42)
In this segment, we learn what input sanitization is and how to achieve it using the filter() method and regular expressions in Swift.
Input Sanitization: Regular Expressions (Duration: 8:18)
In this segment, we continue our study of how to use regular expressions, including escaping characters and practical everyday examples.
Input Sanitization: Regular Expressions, Part 2 (Duration: 6:59)
In this segment, we conclude our study of regular expressions, including examining some practical examples used in Swift.
Activity: Regular Expressions (Duration: 8:17)
In this activity, we use a Swift playground with NSPredicate to test various regex filters to match password requirements and US/Canada phone numbers.
Activity: Regular Expressions, Part 2 (Duration: 6:53)
In this activity, we continue with our Swift playground to match international phone numbers, URLs and emails.
Activity: Regular Expressions, Part 3 (Duration: 7:31)
In this activity, we continue with our Swift playground to test US Social Security numbers and number formats for popular credit cards.
Activity: Sanitizing Input (Duration: 10:44)
In this activity, we practice sanitization of various text input fields in our Swift mobile app.
Activity: Sanitizing Input, Part 2 (Duration: 13:45)
In this activity, we continue working with input sanitization in our mobile app.
Property Wrappers (Duration: 9:27)
In this segment, we learn about the new Swift 5.1 feature called property wrappers. We learn how to use property wrappers to clamp values, trim whitespace and newlines, and sanitize input.
Activity: Trimming Whitespace And Newlines With a Property Wrapper (Duration: 6:38)
In this activity, we use a Swift playground to practice using property wrappers to trim out whitespace and newlines.
Activity: Value Clamping With a Property Wrapper (Duration: 6:48)
In this activity, we continue to practice with property wrappers to clamp values to upper and lower boundaries.
Activity: Sanitizing Input With a Property Wrapper (Duration: 7:18)
In this activity, we continue to work with property wrappers to sanitize input.
Null Bytes (Duration: 7:27)
In this segment, we learn about the dangers of null bytes, how they are represented in different programming languages, how they are used in poison null byte attacks, and how they are mitigated in Swift.
Cross-Site Attacks (Duration: 12:08)
In this segment, we learn about cross-site scripting and cross-site request forgery attacks, and how to protect against them.
Activity: Exploring XSS Attacks (Duration: 10:10)
In this activity, we explore the mechanisms of cross-site scripting and the potential damage it can cause.
Malicious Code Injection (Duration: 14:51)
In this segment, we learn about malicious code injection of various types, including SQL, directory traversal, null terminating bytes, JSON, HTML and XML strings, script tags in HTML, and QR codes. We also learn best practices to protect against client-side injection attacks.
Activity: Filtering a Malicious QR Code (Duration: 12:11)
In this activity, we work with the original malicious QR code responsible for exploiting the notorious iOS 11 camera app vulnerability. We learn how to filter malicious content from a QR code, thus rendering the exploit harmless.
Activity: Filtering a Malicious QR Code, Part 2 (Duration: 5:31)
In this activity, we conclude our exercise in filtering malicious content from a QR code.
SQL Injection and iOS (Duration: 11:04)
In this segment, we learn about SQL injection, including the basics of the SQL language and the code involved in a SQL injection exploit. We learn how to mitigate this risk in SQLite by parameterizing queries.
SQL Injection and iOS, Part 2 (Duration: 4:13)
In this segment, we examine server-side SQL stored procedures as another mechanism to protect against SQL injection.
Object Deserialization (Duration: 7:20)
In this segment, we learn what it means to serialize and deserialize an object from Swift to JSON. We learn about the risks of deserialization and how to protect against those risks.
Activity: Installing Alamofire and SwiftyJSON Pods (Duration: 3:36)
In this activity, we learn how to use CocoaPods to install the external libraries we will use to work with JSON.
Activity: Securely Working With JSON (Duration: 12:49)
In this activity, we learn how to deserialize incoming data from a server and display it in our app.
Activity: Securely Working With JSON, Part 2 (Duration: 9:23)
In this activity, we continue with the previous app to learn about the underlying mechanism of using an API key to make a call to a server, and how to utilize it in our app.
WebView Protection (Duration: 4:48)
In this segment, we study the infamous UIWebView vulnerability, including full code and results of the exploit. We also discuss how to protect against the UIWebView vulnerability.
Activity: Protecting Users Against Insecure UIWebView (Duration: 10:44)
In this activity, we test the UIWebView vulnerability for ourselves.