SandJacking: Profiting from iOS Malware


Recently Apple introduced the “Sign In With Apple Account” development track, allowing anyone to write an application for an i-Device and execute it under the radar, with no identification process required (i.e., anonymously).

In this presentation I will show new vulnerabilities that are now re-introduced into the Apple device ecosystem. I will demonstrate how easy it is to create an iOS evil client / malware application that targets both the personal and the corporate markets.

An evil client can be used as a “Spy Phone” application that stealthily monitors the presence of an ex, monitors a spouse's private social messages and communications, and steals a target's credentials and personal information.

Last but not least, I will unveil a new vulnerability – “SandJacking” – an attack which may be used to extract sensitive information from a targeted device without leaving any visible trace. A tool will be released to demonstrate an evil client application that will extract sensitive information from the application sandbox.

In the talk we will cover the new aspects of these introduced threats and how organizations and individuals can mitigate them.

Location: Track 2
Date: May 26, 2016
Time: 3:00 pm - 4:00 pm
Chilik Tamir