og-apple-security


This repository comprises my notes on Apple security, primarily macOS, with a focus on detection engineering, threat hunting, and reversing. Each high-level folder includes a file prefixed with “START,” which introduces the fundamentals of that topic and highlights the macOS/Apple security topics relevant to detection workflows. Where hands-on experience is beneficial (for example, Objective-C programming or exploring Xcode features), I link to external resources for gaining those skills. To integrate these notes into your own needs, I recommend extracting the relevant sections and using AI to query details, create flashcards, or adapt the material to your detection-engineering setup/workflow/whatnot. Also, some code in this repository is not mine but comes from workshops or books; hence the GPLv3.0 license. The text in this repository is licensed CC BY-SA 4.0.

START topics

In the order I recommend:

  • Objective-C
  • [optional] Swift
  • ESF
  • cover plists, launch agents, launch daemons, and system daemons
  • ARM
    • proof all ARM
  • EDR/EDX section
    • their internals
  • Reversing
    • Static
    • at some point, do a signature-based analysis of Apple binaries workshop
    • Dynamic
  • Scripting

Resources

Websites

Books

  • The Art of Computer Virus Research and Defense by Peter Szor (Addison-Wesley, 2005)

macOS Internals

iOS

Reversing

ARM Assembly

Communities

Olivia’s TODOs

  • document how the folder is organized / set up doc navigation
  • upload language docs
  • make sure the macOS internals START links to the ARM START, since ARM internals is covered in the language folder

Finish

  • ARM book breakdown
  • TOAMM 1 notes folder
  • Parallels setup for malware
  • OSX PPC
    • vtable pointers, vtables

Create

  • do a section on Grand Central Dispatch (GCD): how it relates to Swift, Objective-C, macOS internals, and security
  • descriptions of all the macOS frameworks like AppKit, Foundation, and newer Swift-only frameworks like SwiftUI
  • TDE ESF coverage
  • Red Canary research
  • swift concurrency coverage / what category should I put this in?
  • In kernel (EL1) and hypervisor (EL2) modes, Apple uses an implementation-defined PAC algorithm (a variant of ARM’s QARMA cipher with Apple’s customizations).
  • quarantine
  • LLVM, LLVM IR, language IL steps in Binja
  • entitlements
  • Kernel Integrity Protection

  • Apple’s Automated Device Enrollment (ADE) and the 
  • Apple Push Notification service (APNs)
  • Apple Business Manager (ABM)
  • Apple School Manager (ASM)
  • FileVault
  • Gatekeeper

Contributions

How to format book notes

We want definitions in bold.

  • give an AI prompt for this