
I'd like to introduce Jack Sessions on Unbreaking the iPhone: boot chain reversal, SE sabotage, and the iOS kernel frontier. Over to you, Jack. >> Thanks much. [applause]
>> So, while the tech stuff happens, a little bit about me. You're all probably like, why the hell does the speaker have night vision? One, it's cool. And two, why not? Right. [gasps] >> You're not wrong. >> Exactly. I mean, I built it for $200 off AliExpress. It only caught fire seven times. Definitely a win.

Okay. So, my talk is probably not going to be a normal one, right? It's going to have slides, yes, of course. But it's going to have memes, because memes are great at social currency exchanges, right? Energy, emotion, just power. Apart from that, also to not bore y'all, I'm doing some demos. Now, Wi-Fi is a bit spotty, so bear with me, but I do have some backups if they choose to fail. Although it is Corellium, so it's probably going to fail. Uh, okay. Yep. Okay. Okay. Yep. This should be good.

All right. So, welcome everybody to my talk, Unbreaking the iPhone. I am the one and only Jack Sessions. And yeah, let's get started. All right. So, what is this talk? Okay, fundamentally, this talk is a live iOS demo talk. There are going to be six in total. Depending on time, I have up to 12. Uh, it's going to have a bunch of memes, logs, and kernel panics, because that's a whole bunch of fun. And I'm also going to be demoing something that's not really talked about in the iOS space: a chance to see persistence actually explained, and also Watch Dogs cosplay, because I've got to represent. Apart from that, it's going to be interactive. So you are absolutely free to heckle me. I do have a soundboard. So, you know, do your best.

All right. So, what this talk is not: it is not a polished corporate deck with 180 slides. Y'all would go to sleep. It is not a jailbreak walkthrough. Go to nullcon. It is not an all-exploits-revealed. I mean, I've still got to have a job after this. And then apart from that, it's not a quiet academic lecture, because it's full of memes.

So firstly, I'd like to take a moment to thank my sponsor. It's with great privilege that we are sponsored by Nord... Nobody. Okay, see, I got you. Although NordVPN, if you are listening, please don't sue me again.

All right. So, about me. I know, beautiful picture. I am a computer science student. I'm still broke. Okay. I'm a computer science student, still broke. I'm a mobile security researcher. Researcher. I mean, isn't everybody a researcher these days? And my sub-specialty in mobile security is forensics and counterintelligence. And I'm still waiting for Ubisoft to hire me for Watch Dogs 4. I'm a rap battle enjoyer. Yes, there will be one later. More on that at the end of the talk. I mean, cybersecurity YouTuber, 21 subscribers, so please sub.
Thank you. So, uh, and I'm a failed SoundCloud rapper, you know. Okay. Apart from that, I'm not yet on an Interpol watch list, probably. Although after this talk, who knows? I mean, at least I'm worth being watched.

All right, so why iOS? Okay, it is the most secure phone, but we all know that the most secure phone is obviously the Windows phone. >> True. >> 100%. And it's private, right? Or private. Now, the reason why I say that is because of the asymmetric advantage that comes with iOS security, particularly in the information advantage space. So, say if you have a zero-day exploit, you're not going to be talking at a con, "Hey, I have this zero-day exploit worth millions of dollars," because attackers are going to be like, "Cool, let me use that in attacks." And then you have no money, which is sad, because people need money. >> [sighs and gasps] [clears throat] >> Okay.
All right. And almost nobody talks about it. That again goes to the information advantage of adversaries. So if you're a researcher, it's very hard to be an iOS researcher, because a lot of people share knowledge. Stuff like NSO Group, stuff like intelligence services are not going to be like, "Oh yeah, we have zero-days. Here's a full paper." So the reality of iOS, we all know this: we have Pegasus spyware, which is mercenary spyware designed by NSO Group. It's an Israeli company. It's always the Israeli companies. And the CVE lists up there are effectively the top CVEs from the last six weeks within iOS, iPad, Mac, and macOS systems. And a lot of them are memory corruption bugs, but there are other ones as well. And I'll be demoing and explaining why they are important. And yes, the Windows phone is obviously the best phone.

Okay, so iOS architecture under the hood. So, we're going to be going over secure boot; SecureROM, which is not a PSP jailbreak, as cool as that would be; then we're going after boot chain security, the Secure Enclave Processor, and KTRR and pointer authentication codes. [gasps] KTRR is Kernel Text Read-only Region, which I will explain later.

Now, secure boot. Okay, so it is a hardware-enforced trust anchor. So effectively what that means is that it's built into hardware and nothing can happen without it being validated. Apart from that... sorry. Okay. Apart from that, each stage verifies the next. So, it's signed with Apple's cryptographic keys at the factory. Now, if you were to fail a check, the device refuses to boot. It goes into a kernel panic and you have to reboot the device in order for it to work.

Now SecureROM effectively verifies the low-level bootloader, which runs the kernel and user space, and it's the first code that runs on the system, and it's stored on the system on a chip. We will see that in the live demo of the boot logs, and it's immutable. So something like the checkm8 vulnerability, which actually goes after the boot chain and is persistent across, I believe, iOS 10 devices and below, that was susceptible to SecureROM issues in silicon. Okay. Lastly, vulnerabilities here are forever exploitable.

All right. So the boot chain. So fundamentally it goes SecureROM, low-level bootloader, iBoot, and then kernel, and then userland and all that, but that's outside the scope of this talk. Now each verifies the signature of the next, and fundamentally without those signatures in place it can't validate what code is stored. So from a security perspective it's fantastic; from an attacker's perspective, it's terrible, and Apple should be destroyed. Okay. Now, if you were to break one link in the chain, so let's say you attack iBoot, then going forward, you have kernel space access, but you won't have the low-level bootloader, because it's very, very difficult to get backwards in the chain. But forwards in the chain, it's very easy once you control it.

Now the diagram. Okay. Apparently half my diagram is missing. That's fun. All right. So effectively this is for macOS, but it's very similar in principle, because they run on the exact same technology stack. So the low-level bootloader validates the system-paired firmware and then it goes into validating a local policy. Now local policy is then defined by the Secure Enclave, and that is effectively Apple's magic box when it comes to security and cryptography. So we don't actually know much about it, because it's designed that way, and it doesn't really have many logs, which you'll see in the demos. Now after that it then validates the iBoot stage 2 signature according to the cryptographic material from the local policy, and then that's passed in to actually booting into the kernel and all the fun stuff that comes within it.

Okay, so now we get to the Secure Enclave Processor. So fundamentally it handles cryptographic keys, biometrics, and payments, both from a [sighs] security perspective and also from a backup perspective, because, I mean, how many people here today have an iPhone? Yeah. A lot. Okay. So I'm releasing a zero-day. No. Um, [sighs and laughter] fundamentally, whenever you, let's say, do an iCloud backup or a payment on, like, Apple Pay or something, it will use a piece of the cryptographic material from the Secure Enclave to then route that payment in a secure way. So, it can't be reversed. Now, please stop me if you want me to explain a bit more. Okay? All right.

Now, it is isolated from the main CPU on the chip, and it does that effectively to do one of two ways. It's much harder because all of the material is basically burned in at the factory. So, you can't change it as you would, let's say, on a CPU with hardware hacking. It runs its own firmware, which is interesting. It's kind of similar with macOS and their new ARM-based processors, because they run the Secure Enclave within it. And within both macOS and the real-time operating system, it then runs the Secure Enclave. Now, we don't know it, because it's very similar to [sighs] car keys, where it only rolls forward. It can't go back, due to each piece of cryptographic material only lasting about 20 minutes before being destroyed. And there's also an anti-replay feature embedded into that, and it protects stuff like keybags. So keybags are fundamental to backing up your data. So Apple has one pair on their servers, you have your pair, and the Secure Enclave matches them together. And hey, you have your cat images or whatever people have nowadays.
I don't know, memes. All right. And then it also touches on Face ID and Touch ID biometric data. It does the math behind that, which is fun. Now the SEP diagram. Wow, my slides are not working. Okay, effectively it was just going to show the way in which SEP works, and fundamentally SEP works in a variety of ways. Actually, give me one second, please.
I planned this.
Okay, there we go. Thank god one of my friends said to have a backup. Okay, sweet. So, the SEP demo. Now, let me zoom in. Can y'all see? Yes. >> All right. Great. Okay. So, effectively we have the NAND flash storage, which is like the storage chip on devices, which then goes to the flash controller. Now the flash controller runs on the boot cycle, and that then goes into the AES cryptographic engine, and it's then managed by the application processor, which is a daemon service running in iOS and on iOS devices, that then does the math behind moving all that cryptographic object to the memory protection engine, which then moves into the Secure Enclave Processor, and then it does the math behind it and then sends it out again. Now, the issue with the Secure Enclave is, like I said, it is a system on a chip. So it's very, very difficult to actually get data from it, because it's designed to not really give logs unless you're on a jailbroken device, which I am, and I'll show in the demo. And at the very bottom here you can see, in the green space, you have the secure non-volatile storage, meaning that it literally can never be changed once it's set. It is set.
Okay, now time for demos.
Now we are using the best operating system known to man, Among Us OS, because SEP logs are sus. [laughter and gasps] All right. So fundamentally, let me get here. Okay. iOS demo. Okay. All right. [gasps] So this only has about 80,000 lines of code. So, quite easy, like we can breeze past this. But effectively, I believe it's on line 202.
Okay, that is the daemon. All right, so the whole point of SEP is you don't get logs. That was the point of what I just showed you: SEP doesn't give logs because it's not supposed to. Because as an attacker, if you have something like SEP logs, you can then build attack vectors around it by, let's say, fuzzing its firmware, or building attack vectors from, let's say, its spot in memory or how it handles input X, Y, and Z. Now, SEP logs are a very difficult thing to do, but there are services that handle SEP interaction, which I'll show you at the boot chain portion. Got to represent BSides Pyongyang. Shout out to Kim. I did do this in a virtual machine. It crashed about two hours ago because he revoked my USB-C privileges. All right. >> [sighs] >> So okay, so now we get to KTRR and PAC. So KTRR, Kernel Text Read-only Region, effectively prevents memory tampering, whereas PAC is a new security mechanism, and it blocks classic return-oriented programming attacks. Now the goal is simply to raise the bar for kernel exploitation, because since, like, iPhone 7, I want to say... yeah, SE, 7, 8, there have been a bunch of kernel protections, because Apple didn't really care about it. Like, we missed the golden age of jailbreaking. I know, it sucks to be in 2025.

All right. So, entitlements. Entitlements are effectively allowances within what you're allowed to do in app space. So, you know those sketchy Chinese apps that need call history, location history, medical history, your firstborn son? Yeah. So, effectively what it's asking for is permissions baked into the app set, and that controls access to the private APIs and features within an app. Now, an example is something like com.apple.private.network and delegate. So effectively, it's saying what app is allowed to have network access and what's not. That's the most simple way, but there are thousands, if not tens of thousands, of permissions that it can ask for. So this is effectively a diagram of what it is. So you have the entitlements, you have the base profile.
Okay. Yep. All right. We then have: what is the entitlement doing? So, is it asking for the microphone or audio input? And then it'll say, "Hey, do you allow this? Do you not allow this? This is super sketchy." And then after that, it then goes into effectively a sandbox profile. So, all entitlements are in a sandbox, because you don't want, let's say, storage access on one app to immediately read your mail or make phone calls or do what apps do. And after that it then creates an app profile and permission list based on what you allow and don't allow, and that profile is then recorded in the bytecode at runtime. Okay, so now we have sandboxing.
All right, so apps run in sandboxed profiles. Now that's designed to block lateral movement from one app to another. So for example, Safari cannot touch Mail's files and vice versa. Although there was a zero-day now. So with sandboxing it can access all user data, kind of like on Android, where you have an app and before Android 9 it didn't really sandbox that well. So any app can call any other function and content providers and all that. So with unrestricted access to the app sandbox, you are allowed all system resources. So you can read and write storage, make calls, do pretty much whatever you want. It's effectively a persistence mechanism as well.
Uh, now with sandboxing it has unrestricted access within what you define. It is also used to segment user profiles, and it lowers the demand for other system resources.

All right. So, code signing. So every binary that is on a device, so let's say an app or music or whatever, has to be signed by Apple, otherwise it will not run, unless you have a jailbroken device. Now each binary is signed and enforced by what's called AMFI, or the Apple Mobile File Integrity daemon. Now the use case of that daemon is simply to say, "Hey, you can't run malware.exe, because that's suspicious," and also .exe files don't work. Uh, but however, jailbreaks do patch AMFI to run unsigned code. So it's a lot. Oh wow. Okay. So this is on macOS, but I will kind of direct your attention to this side of the screen. So whenever you're building an app, you then convert it to the Apple App Store, which then goes past security reviews. It then gets signed by Apple's cryptographic keys, and then it's allowed to then make its way onto an IPA build, or iPhone packaged application. After that, you then have provisioning profiles. So, what it can and can't do. And you then can have a developer certificate to then license whatever app you're building. I recommend a VPN, because it seems like everybody has a VPN now. And once that is verified and installed on the iPhone device, your iPhone communicates with the developer certificate and you both share key material to then secure the application, and then it runs.

All right. So, now we're going to be using a demo on the North Korean operating system. [laughter] Wrong slide. All right. [sighs] So, hopefully, if Corellium wants to work. Okay. >> [clears throat] >> Corellium. All right. Okay. So, for those of you that don't know, Corellium is a virtualization platform for ARM devices, particularly iPhones. Now, they're one of the only ones, so we're kind of stuck with this. I mean, unless somebody has an open-source one, like, please give it to me. All right. So, let me know if y'all can see this. All right. Yeah. Okay. So, these are all boot logs. Now, I'm not going to scroll in here, because it's going to be, you know, 100,000 lines of code, and ain't nobody got time for that. All right. So, I captured this about 20 minutes before the talk. And we have very interesting stuff within there. So let me just zoom into it a little bit. Hi. So this is a boot log in iOS. So every time you reboot a phone, call it, do whatever, it will do this entire script. Now there are some really cool things. One of them is launching the daemon configuration service. So what that is, is what it will run and what won't run. That is designed by Apple when it boots. We then have the OS environment. We then have the RAM disk. That is outside the scope of this talk, because generally in a jailbreak you want to control the RAM disk, because that is part of the boot chain, in order to effectively get control of, well, the volatile memory within the iOS device.
We then have "ignition sequence complete," and effectively that just means that we are able to boot, right, everything has worked. So all this crazy stuff is effectively it booting on and how it works. So we have the NVMe model adapter. Now, that's the storage, right? So storage will be asked to wake up, and then it'll be asked to perform the boot checks that I spoke about before. Now we then get to initialization. Now there are thousands of services that get initialized upon boot. [sighs and gasps] But one of the more interesting ones, particularly if you jailbreak, is "failure to bootstrap," because on a non-jailbroken device that'll actually be allowed, but if it's on a jailbroken device it actually won't, because you do not want file integrity or any service messing with your unsigned protection.
So this right here is the Bluetooth module that is getting called up, and it's a PCIe driver on Bluetooth that is a separate chip, and effectively this is all the boot log in the system. So it's tens of thousands of lines long. But the most interesting is the plist, or the process list, that allows it to run or not run. Okay, so that was the iOS demo.

Now we get to reversing Apple's locks. So fuse locks are fundamentally hardware-enforceable bits that are programmed in the factory, and they are able to work or not work as boot flags. They're designed to stop rollback attacks and downgrade attacks, and they can be bypassed with hardware bugs or boot exploits in order to gain control of boot flags and stuff that Apple wasn't intending.
>> [clears throat] >> So one example of that is checkm8, where it was once in silicon. So once it was found, it's always; it can never be changed. Now, this is an example where there are programmable bits, if we zoom in, but we can't, where Apple purposely burns a section of the chip to set one flag or another.

Now, we've got two kernel-level attacks. So, we have GPU drivers, and they're a very huge, complex, and highly privileged attack surface. And if you're able to get that attack vector, you then have stuff like memory corruption and kernel read/write access automatically. Now, historically, it's been chained into persistence. And yes, it does actually take that long for an exploit to work. Believe me, I've tried.

Now, okay, we then get to baseband and radio stack exploits. So, baseband runs on its own real-time operating system, and it's often neglected because it's way too difficult, and security research is mainly focused on memory corruption because it's the easiest. But when it comes to the attack surface, stuff like SMS, Wi-Fi, LTE, and Bluetooth, if you were to get access to that attack vector, you own the phone. You don't need storage. You can pretty much man-in-the-middle your own device, which would be a great band name. Now after you then compromise that, you can then pivot into kernel space via, let's say, a sandbox escape or a variety of other means, and this is just an example. So the phone I have here is an iPhone SE. It's actually the one displayed on the right to you guys. Yes. Okay. And you can notice that in the iPhone 8 there's only one chip. The reason why is because you can effectively go and actually JTAG it and pull data as it's being sent. So Apple engineers were like, "Yo, that's a bit suspicious." So they then spread it on multiple chips, and it has to be validated within the SE to run its services.

So apart from that, we have pointer authentication codes. So pointer authentication codes is an ARMv8.3 hardware extension feature, and effectively it's used to stop classic return- and jump-oriented programming. If you guys want to learn more about that, there's a fantastic talk from last year, I believe it's "Anybody Can Be an iOS Hacker," and it talked all about pointer authentication attack vectors. Now, in saying that, bypasses do exist. You can leak cryptographic keys, you can brute force, and you can also find logical bugs within it. So this is kind of a diagram of how that would work. So, [sighs] for the sake of context, I'm going to skip over that, because it's not really the premise of my talk, but it's there if you guys do want to take a picture.

Okay. So, now we get to demo time. Okay. Using the best operating system known to man, Hannah Montana Linux, 100%. >> [laughter and gasps] >> Now, Hannah Montana is apparently a communist. [laughter]

Okay. So, you know how I said all of this was on boot logs and how that's very important for iOS to function. Now, what's very interesting is you can actually go and find the drivers and events and actually call them on devices to get logs, get information, get whatever. But what's very interesting is you can see what's running and where it's actually going, because if you can see where it's going, it's very easy to go and attack it, right? But that's kind of outside the scope of my talk. Mine is mostly on how you would go and find these attack vectors. There's a really awesome talk at nullcon 2023, "The Jailbreak Apocalypse," where they actually go in, after finding the attack vector, and actually get attacks in kernel space and get kernel read/write. [gasps] So an example of, let's say, breaking this is the IOHF, which is basically responsible for the framebuffer in GPU space. Okay. So what's very interesting about that is if you are able to corrupt it and cause a kernel panic, you can then do a very interesting thing where the kernel panic logs show exactly what space in memory is being used. And then you can go and use that to develop an exploit to then use that space in memory and build out upon it. Because the hardest thing for iOS researchers is finding that space in memory, not the actual attack path, most of the time.

So, now we get to red teaming the walled garden. Now, a couple of weeks ago, I developed a deterministic kernel exploit. Apple patched it literally a week ago. So, now I'm sad. The reason why that was important is because it caused a kernel panic reliably. And like I said, if you can cause a kernel panic, you can get that space in memory. It doesn't understand what it's doing. And this is where I show you what I've been leading up to. So, kernel panic logs are the gold standard for iOS research. Thank you, Bernie Sanders. Don't forget to vote. And now we get to Colonel Panic Logs.
I planned that. Yes. I mean, my depth perception is kind of messed up, so, like, you've got to give me some credit. >> Spell it. So that's okay. >> Could be Icelandic. >> All right. So this is where it's very interesting when it comes to kernel panic logs. Yes. Don't save. All right. So these right here are spaces in memory: addresses. Now if you can reliably cause a kernel exploit, you can find these memory addresses and always say, at this address, start this action, and you can then cause this corruption attack to happen, or really whatever you want. Now what's very interesting is a lot of kernel panic logs will actually include where it was: the kernel UUID, which is the device kernel identifier, as well as the iBoot version, which is good to see if there are any vulnerabilities that can be used. You then have time and zone information. This is the gold standard for attackers. The reason why is, if you have the zone map, because effectively memory is managed in blocks or zones, you can then go into that zone, cause a corruption, and then always return to that if you have the same repeatable action. You then have the CPU cores and their [clears throat] spaces in memory. You then go into the thread count. So what action was it performing when it died?
You then get into all the drivers. So you have USB-C, USB devices. You have the Bluetooth one, which, like I said, if you're able to get Bluetooth attack vectors, it's very easy to go and actually get corruptions and man-in-the-middle the data.
>> All right. So this is cool. This is the mobile function manager right here. So this one effectively controls what runs or doesn't run as a function, meaning if you're able to get access to this, you already have a persistence mechanism built in. So this is why kernel panics provide a wealth of information, not just for researchers, but for how you can actually map out your attack path.
All right. So now we get to practical paths to persistent surveillance. So it's kind of the holy grail in iOS security. You have something like jailbreaks, which can launch daemons, dynamic library injection. You have enterprise provisioning abuse and update mechanisms. And the goal is to simply maintain a foothold without triggering user suspicion. Now let's look at a demo. Now unfortunately Corellium does not work because the Wi-Fi is so slow. But I do have a real-life persistence mechanism in XML that, if you have an iPhone right now, you can literally take a screenshot, run it as an app, and you'll now have persistence. Please use responsibly. Although, lol. [gasps]

All right. So every daemon that runs has to be in XML. So generally you have the encoding; that's not important. You then have the plist, or the process tree in Apple devices, and you can then effectively run as whatever you want. So you then have the key Label, and the string would be com.bsides.demo, and effectively that would then go to /bin/bash, because Corellium uses the bash shell. I know, it's weird. And once that runs, you can then effectively write it to a file. So in this case, persistence.txt, and that will then go, and whenever you reboot, it'll then be a persistence mechanism. Now you can imagine how attackers can pretty much do whatever they want with this. They can do Bluetooth attacks, they can do kernel space attacks, storage, whatever they want, because once you're a daemon, you can become a demon. Damn, I just thought of that off the top of my head. Okay, [snorts] so that was the persistence demo. Also, Corellium, if you're in the audience, please sponsor me. Shameless plug.

All right, so now we get into Apple telemetry and DFIR resistance. Okay, so Apple constantly logs data. That's no surprise. But what's interesting is that Apple uses telemetry to detect compromised devices as well, using a variety of means. One of them is if it's doing random behavior. So if you think back earlier to the Apple Mobile File Integrity daemon, it effectively will update that data of processes that are not signed by Apple. So the Apple engineers can be like, "Well, that's weird." Although it's Apple, so they probably don't care. They'd probably just buy a new one. Now, as red teamers, this is fantastic, because we can wipe and poison the logs and erase footprints. We then have something like forensic tools. So, Cellebrite and GrayKey rely on these logs in a very simple way, because they're taught to do it in a simple way. But what's interesting is that I think a lot of you will be very surprised at how attackers can actually remove logs.

And now we get to covert iOS attacks. That's kind of outside the scope. There's a much better talk, "Jailbreak Apocalypse" by coolar at nullcon 2023, but effectively covert iOS attacks like Pegasus are designed to deliver payloads silently. There are common techniques like sideloading applications, enterprise certifications, because if you're in an enterprise and you get a certification, you can just man-in-the-middle whatever, which is great for the enterprises, and then you can then abuse the mobile device manager on a lot of common services; like, I know Kaspersky has one, and there are probably, like, 50 other ones. Now, it's commonly used in advanced spyware, so stuff from NSO Group and Predator. And it can actually be changed with sandbox escapes to have a fully covert install. Now, for demos.
[gasps] So what I was doing here, I was just echoing the system log file, and then that then wrote to it using cat, "hello BSides." So, hello BSides, and I then listed out the file contents, and then after that I was able to effectively just remove them using rm /var/log/system.log, and then now no more BSides. I know, quite sad.

Okay, we now get to the future outlook. Ah, so the comedic timing there was not great. But what I find interesting about iOS research is that you won't find a lot of speakers talking about it, because of the asymmetric disadvantage it puts them at, fundamentally because Apple's a very cutthroat ecosystem versus something like Android, where it's open source. You can pretty much do whatever you want. If you're running something like iOS security, it's very, very difficult to actually go and use it properly and not give away information or intelligence. So how can we actually become better researchers? Fundamentally, we need to try to break into SE, because it's isolated, it's mysterious, and it's critical. You can fuzz its firmware. That's probably the safest way to do it without hardware hacking, because we all probably don't have a million dollars to spend on iPhone boards. Although there is credit card fraud. Uh, the easiest way is probably Corellium, because you can emulate and build testpad OS. I'm actually speaking to them about maybe implementing that, so fingers crossed.

We then have the bug bounty blues with Apple, because it wouldn't be complete without mentioning their terrible, I mean fantastic, bug bounty program. So it does exist. It's slow. The average payout time is roughly four to five months from initial report to payout, if they even choose to pay out at all. Now, a lot of researchers have been burned by bad communication, and as a result, a lot of vulnerabilities go private, or they're hoarded by three- and four-letter security agencies. I mean, we are in CRA after all. Um, and defenders are left behind, although they're Apple, so, you know, they kind of deserve it. And fundamentally the real target is iOS and the framing around it being the most secure device. It's really not. It is the most closed-source. Right? We've seen this time and time again with stuff that is "secure" when in reality it's absolutely not. >> It's obscure. >> Huh? >> It's obscure. Not secure. Security by obscurity. >> Yes. Also known as propaganda. [laughter] So Android, like I said, is a lot more open source. To put things into perspective, around 70% of bug hunters on web, around probably 2025 now, according to Bugcrowd last year, is around mobile security. About 80% of those are on Android. 1% is on the Windows phone. So we're still going strong. And the rest is on iOS.
Now, simplest solution: become a nation state and develop your own spyware for the memes, and/or join a spyware crew. I mean, that's always another option if this doesn't work out. Now, how can you join the fight? Okay, so jailbroken iPhones, that can be your first lab. We then have stuff like Corellium and Docker-OSX. It's a GitHub project, completely free for security research. You can emulate a macOS device completely on Windows, and it'll be kind of the next step in the evolution of what you are doing. You then have iOS static and dynamic app analysis, if you're a broke college student like me and you need money. Uh, you can then get into reversing entitlements and sandbox profiles. You can also learn, share, and meme with the community. And also don't forget to collab, because this community is built on a process of guildsmanship and a master-apprentice dynamic. So at the end of the day, we can all become the master if we just reach out and meme. So my hope fundamentally is for enough web security researchers to be converted into iOS security researchers. Choose the dark side, please. We need more. So, that's been Unbreak the iPhone. Remember, it's not unhackable. It just needs more rebels. By Jack Sessions. Also, this will be on YouTube, so I'm legally required: you must subscribe now. Okay, at the very end, I've decided to do a PSP rap. Hopefully, audio should work. Hopefully. Either way, win, lose, or draw, I become a meme, and memes get remembered. At least that's what I tell myself. All right.
You know what? Let's have some fun. Let's do it on Hi Tux Miley. Let's do it on YouTube. All right. Okay.
again part of the meaning. [clears throat] >> Yeah, 100%.
Okay, this isn't working. So, can everyone drop me a beat?
You know what? I knew a device from 2004 would come in handy.
Is the audio turned up on your PC? >> Yeah, it is. Never mind. Hey guys. Yo, don't know. But I'm thinking about iOS flows. Zero [music] days, exploits, racism, overflows. Okay. One of the coolest things I'm dropping about iOS exports, but same for free. All of you got a meme for me. One of the most coolest things I'm dropping: iOS hints, from boot log to SEP to GPU flows. I got the rhyme scheme. Don't you know? Okay, we drop. Oh my god, I'm caught lacking. I'm dropping off. I [music] cannot remember the flow. So, okay, let's drop a freestyle. Yo. Okay, BSides. 1, 2, 3, let's go. [music] Okay, I'm 21, but everyone says, "Yo, you're done. Oh my god, you got no flow." But I'm like, "Hold up, yo. Dropping iOS zero-days on the pay. [music] Why? Cuz I'm living off no pay. Boom. [music] Be okay. It's good." So is the most... Thank you. Most scuffed rap ever. Okay. All right, guys. [music] Yo, [applause] I'm not done. So, okay. Yo, Dual Core, [music] I want to shout him out. Rap battle right now, right here, because, you know, you're so old school, man. This ain't no Watch Dogs 2. You're like a 1994 Nokia ringtone. You like a man, you got dial-up flow. Don't you know, man? [music] No one cares about Dual Core. I'm the new core, man. The best core.
iOS GPU attacks on the floor, like baseband, Bluetooth, and zero-day backdoors. Hashtag NSO Group. All right. Yo, so BSides, if you're messing with this, just make some noise. And remember, memes [music] are awesome.