Gave a Talk at iOSDC 2024

Published: Sun Nov 17 2024

Category: Misc, Speaker, Security

It's been a while since the event, but I attended iOSDC 2024, held from August 22 to 24, 2024, as a speaker.

My talk was titled “Start Securing Your iOS Apps from Zero”.

In this article, I'd like to briefly summarize my presentation materials, as well as my thoughts and reflections after the talk, as a personal memo.

Presentation Content

I gave a talk titled "Start Securing Your iOS Apps from Zero: Learning About Vulnerability from OWASP Mobile Top 10" and covered the following topics:

  • Introduction
    • About MASVS / MASTG
    • About OWASP Mobile Top 10
  • M9: Insecure Data Storage
    • How to store sensitive information securely
    • Countermeasures
  • M1: Improper Credential Usage
    • About obfuscation
    • Encrypting hardcoded information
    • Analysis using a debugger
  • Summary
    • How developers should approach vulnerabilities

In this presentation, my primary objective was to spark interest in security and use this as a hook to convey the importance of "accurately assessing risks."

This is because, within the 20-minute time frame, I could only cover a portion of security topics related to native applications.

Additionally, I personally believe that developers should be able to make informed decisions on whether to accept or mitigate risks after properly evaluating them. (Of course, security engineers should also be capable of making such assessments, but developers are often the ones who have the most comprehensive understanding of the business and development requirements or context.)

Even if a security engineer points out a "vulnerability," blindly following their recommendations leads to an unbalanced dynamic. It's essential to engage in healthy discussions and reach decisions collaboratively, and I hope to see more of such interactions in practice.

CfP Submission & Preparation

I currently work as a security engineer at a business company (not a security vendor), but I originally started out developing tweaks for jailbroken iOS devices.

Additionally, since I conduct vulnerability assessments for mobile apps within the company, the mobile app development team encouraged me to apply as a speaker for iOSDC 2024. (Of course, I was already familiar with iOSDC and had a strong personal interest in this field.)

To be honest, there aren't many security talks at iOSDC, so I felt it could stand out and offer something fresh.

With that in mind, I submitted just one CfP on a security topic, which fortunately got accepted. (That said, as I'll mention later, I feel there was room for improvement in terms of originality.)

During preparation, given the 20-minute time limit, I focused on narrowing down the content while aiming to make it clear, engaging, and enjoyable for the audience.

Regarding the materials, I created the slides in English, anticipating that some attendees might be English speakers, while delivering the talk in Japanese.

Since the majority of literature on mobile app security is available in English, I plan to continue creating English materials for conferences, especially considering post-event publication opportunities.

On the Day

I was initially anxious, wondering, “Will anyone actually be interested in security?” However, on the day of the talk, the room was packed to the point where some attendees couldn't get in. I was thrilled by the overwhelming turnout.

I also had the chance to chat with many people during the "Ask the Speaker" session and at the networking event, which made for a truly enjoyable experience.

Opportunities to speak about mobile app security outside my company are rare, so being able to discuss this topic with so many people was an invaluable experience.

Reflections

While I've written mostly positive things, being my first time speaking at a conference, I do have several points of reflection.

  • Lack of originality in the talk content
    • I thought there hadn't been many security talks at iOSDC before, but as it turns out, several speakers had covered similar topics in the past. My content didn't introduce much that was new.
  • Content was neither broad nor deep

In summary, the talk ended up being more of an introduction to security, which I see as my biggest area for improvement. This might partly be because I've attended conferences that focus on deeply exploring single topics, and I also tend to assume, “Everyone probably already knows what I know.”

Of course, the target audience for this talk was “mobile app engineers attending iOSDC,” not “security engineers with experience in mobile app vulnerability assessments.”

From that perspective, it's understandable that the talk didn't go very deep. However, I feel that covering only two vulnerabilities was something I could have handled better with a bit more creativity.

Regarding the discussion on debuggers, while it was a topic I could have explored in depth, I'm not sure it was worth allocating such a significant portion of the time to it.

I included a demonstration on how “you could break encryption this way!” to pique interest, but in hindsight, since the demonstration didn't offer particularly actionable information, I might have been better off focusing on other topics.

Naturally, I had to limit the scope to content appropriate for a TLP:CLEAR classification. Deciding the scope at the CfP submission stage was already challenging, and figuring out how much to cover within a 20- or 40-minute time slot is always tricky.

Closing Thoughts

While there are areas to improve, as it was my first time speaking at a conference, it was an incredibly enjoyable experience. If I have the chance to speak again in the future, I'll make sure to apply these reflections to deliver an even better talk.