osx-security-awesome

---

A collection of OSX/iOS security related resources

• News

• Hardening

• Malware sample sources

• DFIR

• Reverse engineering

• Presentations and Papers

• Virus and exploit writeups

• Useful tools and guides

• Remote Access Toolkits

• Worth following on Twitter

---

News

---

iOS display bugs

• Regularly updated list of iOS display bugs

Mac Virus

• Frequently updated blog that provides a good summary of the latest unique mac malware.

Intego Mac Security Blog

• Intego's corporate Mac security blog often contains recent and in-depth analysis of mac malware and other security issues

Objective-See

• Objective-See's blog often contains in-depth breakdowns of malware they've reverse engineered and vulnarabilities they've discovered.

The Safe Mac

• Resource to help educate Mac users about security issues. Contains historical as well as timely security updates.

Mac Security

• Another Mac security blog. This often includes more in-depth analysis of specific threats.

OSX Daily

• Not strictly security-specific but it contains jailbreaking information which has security implications

Hardening

EFIgy

• A RESTful API and client that helps Apple Mac users determine if they are running the expected EFI firmware version given their Mac hardware and OS build version

Launchd

• Everything you need to know about the launchd service

OSX startup sequence

• Step-by-step guide to the startup process

Google OSX hardening

• Google's system hardening guide

Run any command in a sandbox

• How to for using OSX's sandbox system

Sandblaster

• Reversing the Apple sandbox
• Paper

OSX El Capitan Hardening Guide

• Hardening guide for El Capitan

OSX application hardening scorecard

• Useful checklist for hardening systems

Hardening hardware and choosing a good BIOS

• Protecting your hardware from "evil maid" attacks

Malware sample sources

Objective-See

• Curated list of malware samples. Use this list if you're looking for interesting samples to reverse engineer

Manwe Mac malware feed

• Regularly updated fresh mac malware feed

Alien Vault

Contagio malware dump

Digital Forensics / Incident Response (DFIR)

Artefacts for Mac OSX

• Locations of sensitive files

Pac4Mac

• Forensics framework

Inception

• Physical memory manipulation

Volafox

• Memory analysis toolkit

Mac4n6

• Collection of OSX and iOS artifacts

Keychain analysis with Mac OSX Forensics

OSX Collector

• Forensics utility developed by Yelp

OSX incident response

• OSX incident response at GitHub Slides

iOS Instrumentation without jailbreaking

• How to debug an iOS application that you didn't create

Certo

• Paid service for analyzing the iTunes backup of your iOS device

Blackbag Tech free tools

OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility

mac-apt

• Mac Artifact Parsing Tool for processing full disk images and extracting useful information
• The author also has a collection of DFIR scripts

Reverse engineering

New OS X Book

• Frequently updated book on OSX internals

Collection of OSX reverse engineering resources

• Another Awesome-style list dedicated to OSX reverse engineering resources

The iPhone Wiki

Reverse engineering OSX

OSX crackmes

• A collection of puzzles to test your reverse engineering skills

Introduction to Reverse Engineering Cocoa Applications

• Walkthrough for Coca applications

iOS Kernel source

• Source code for iOS kernel

Reverse Engineering Challenges

• Very good list of various crackme challenges that is categorized by level and OS

Awesome Reversing

• Awesome list dedicated to reversing

Presentations and Papers

Writing Bad @$$ Malware for OSX

• Slides and another related video.

Methods of Malware Persistence on OSX

Advanced Mac OSX Rootkits

The Python Bytes Your Apple

• Fuzzing and exploiting OSX kernel bugs

Breaking iOS Code Signing

The Apple Sandbox - 5 years later

Practical iOS App Hacking

Behavioral Detection and Prevention of Malware on OS X

Security on OSX and iOS

• Slides

Thunderstrike

• Video, hacking Mac's extensible firmware interface (EFI)

Direct Memory Attack the Kernel

Don't trust your eye, Apple graphics is compromised

• security flaws in IOKit's graphics acceleration that lead to exploitation from the browser

Fuzzing and Exploiting OSX Vulnerabilities for Fun and Profit Complementary Active & Passive Fuzzing

Strolling into Ring-0 via I/O Kit Drivers

Juice Jacking

Attacking OSX for fun and profit tool set limiations frustration and table flipping Dan Tentler

• Follow-up from target

Building an EmPyre with Python

PoisonTap

Storing our Digital Lives - Mac Filesystems from MFS to APFS

Collection of mac4en6 papers/presentations

The Underground Economy of Apple ID

iOS of Sauron: How iOS Tracks Everything You Do

macOS/iOS Kernel Debugging and Heap Feng Shui

Billy Ellis iOS/OSX hacking YouTube channel

A Technical Autopsy of the Apple - FBI Debate using iPhone forensics | SANS DFIR Webcast

Jailbreaking Apple Watch at DEFCON-25

SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles

• An exploration of the sandbox protections policies
• Presentation

Virus and exploit writeups

Leveraging emond on macOS for persistence

APFS credential leak vulnerability

• A flaw in Unified Logs leaks the password for encrypted APFS volumes

A fun XNU infoleak

Meltdown

• CPU flaw allowing kernel memory to be accessed by hijacking speculative execution
• Proof of concept
• Apple's statement
• Measuring OSX meltdown patches performance
• iPhone performance after Spectre patch

Why gets your root

• An Apple update introduced a bug where a blank password was set for root, allowing attackers to easily gain root access

Flashback

• Detailed analysis

Flashback pt 2

iWorm

• Detailed analysis

Thunderbolt

• Firmware bootkit

Malware in firmware: how to exploit a false sense of security

• A post on the resurgence of bootkits and how to defend against them

Proton RAT

• Exploration of a Remote Access Toolkit

Mokes

MacKeeper

OpinionSpy

Elanor

Mac Defender

Wire Lurker

KeRanger

• First OSX ransomware

Proof-of-concept USB attack

Dark Jedi

EFI attack that exploits a vulnerability in suspend-resume cycle Sentinel One write-up

XAgent Mac Malware Used In APT-28

• Samples

Juice Jacking

Root a Mac with a Rubber Ducky

Hacking Mac with Empyre

Local Privilege Escalation for macOS 10.12.2 and XNU port Feng Shui

Ian Beer, Google Project Zero: "A deep-dive into the many flavors of IPC available on OS X."

• Deep dive into the interprocess communication and its design flaws

PEGASUS iOS Kernel Vulnerability Explained

Analysis of iOS.GuiInject Adware Library

Broadpwn

• Gaining access through the wireless subsystem

Reverse Engineering and Abusing Apple Call Relay Protocol

• Details the discovery of a vulnerability in Apple's Call handoff between mobile and desktop through analyzing network traffic.

Exploiting the Wifi Stack on Apple Devices

Google's Project Zero series of articles that detail vulnerabilities in the wireless stack used by Apple Devices

• Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
• Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)
• Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices
• Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices
• Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices

ChaiOS bug

• A message that crashes iMessage
• Looks similar to previous bugs rendering Arabic characters

Useful tools and guides

mac-a-mal

• Automated malware analysis on macOS
• Paper

jrswizzle

• method interface exchange

MacDBG

• C and Python debugging framework for OSX

bitcode_retriever

• store and retrieve bitcode from Mach-O binary

machotools

• retrieve and change information about mach-o files

onyx-the-black-cat

• kernel module for OSX to defeat anti-debugging protection

create-dmg

• CLI utility for creating and modifying DMG files

dmg2iso

• convert dmg to iso

Infosec Homebrew

• Homebrew tap for security-related utilities

Awesome OSX Command Line

• Collection of really useful shell commands

Keychain dump

• Dump keychain credentials

KnockKnock

• Listing startup items. Also includes VirusTotal information

Lingon-X

• GUI for launchd

Hopper

• Excellent OSX debugger (requires license)

Symhash

• Python utility for generating imphash fingerprints for OSX binaries

KisMac2

• Wireless scanning and packet capturing

Passive fuzz framework

• Framework is for fuzzing OSX kernel vulnerability based on passive inline hook mechanism in kernel mode

Platypus

• GUI for generating .app bundles

createOSXinstallPkg

• CLI for generating .pkg installers

PoisonTap

Chipsec

• System firmware checker by Intel

Revisiting Mac OS X Kernel Rootkits by Phrack Magazine

• A collection of OSX rootkit ideas

iPhone Data Protection in Depth

Cycript

• Remote control library for fuzz testing iOS apps

ChaoticMarch

• Blackbox fuzz testing for iOS apps (requires jailbreak)

iOS backup decrypt script

• Contains a script for decrypting an encrypted iOS backup archive

Remote Packet Capture for iOS Devices

• Use a remote virtual interface to capture packets from a tethered iOS device
• Python utility
• Another python utility

Remote Access Toolkits

Empyre

Bella

Stitch

Pupy

EggShell surveillance tool - Works on OSX and jailbroken iOS

EvilOSX - Pure python post-exploitation toolkit

Worth following on Twitter

• @patrickwardle
• @objective_see
• @0xAmit
• @Morpheus______
• @osxreverser
• @liucoj
• @osxdaily
• @iamevltwin
• @claud_xiao
• @JPoForenso
• @patrickolsen
• @cheesecakeufo