Episodes

  • Episode 7 – Passkeys on iOS: Killing Passwords in a Real App
    Dec 8 2025

    Passkeys replace phishable passwords with cryptographic key pairs synced via iCloud Keychain.

    In this episode, we implement ASAuthorizationController, break down the WebAuthn ceremony, and debug the specific Apple CDN caching issue that can accidentally brick your authentication flow for days.

    11 min
  • Episode 6 – Beyond JWTs: Designing Secure Mobile Authentication
    Dec 7 2025

    Mobile apps demand long, persistent sessions, but long-lived access tokens are a major security risk. We break down the essential Dual-Token model—Access Token plus Refresh Token—and discuss why your secure storage choice (and rotation strategy) is the ultimate defense against compromised sessions.

    9 min
  • Episode 5 – Certificate Pinning: Your Safety Net or Your Worst Nightmare?
    Dec 3 2025

    Certificate pinning prevents attackers from intercepting your traffic, even if they compromise a Certificate Authority. But do it wrong, and you’ll brick your app for every single user. In this episode of Sandboxed, we break down the mechanics of pinning, the “Leaf vs. Root” debate, and how to implement a pinning strategy that secures your data without causing an operational disaster.

    10 min
  • Episode 4 – Jailbroken Devices: How Worried Should Your Team Be?
    Dec 2 2025

    In this episode of Sandboxed – iOS Security for Builders, we unpack what jailbroken devices actually mean for your app’s threat model.

    We’ll look at what changes once the sandbox is gone, how realistic different attack scenarios are, and which app categories should care the most.

    You’ll walk away with a calm, practical checklist: how to think about jailbreak risk, how to add jailbreak awareness to your app, and how to respond without breaking the experience for legitimate users.

    16 min
  • Episode 3 – Storing Tokens Safely: Keychain vs Files vs UserDefaults
    Nov 30 2025

    In this episode of Sandboxed – iOS Security for Builders, we zoom in on a deceptively simple question: where should you actually store tokens on iOS?

    We compare Keychain, files, and UserDefaults with concrete examples from real apps, and walk through a practical decision framework you can use with your team.

    By the end, you’ll know which storage makes sense for access tokens, refresh tokens, IDs, and app configuration – and you’ll have a short list of actions you can take this week to harden your app.

    16 min
  • Episode 2 – Inside Keychain & Secure Enclave: Where Your Secrets Really Live
    Nov 26 2025

    On iOS, your app’s most sensitive data is supposed to live in the Keychain and, sometimes, the Secure Enclave. But what does that actually mean in practice? In this episode, we unpack how Keychain storage works, what the Secure Enclave really is, and how they fit together to protect tokens, encryption keys, and other secrets in your app. You’ll leave with a concrete checklist you can apply to your own codebase this week.

    22 min
  • Episode 1 – How iOS Actually Protects Your App (and Where It Doesn’t)
    Nov 22 2025

    iOS has a reputation for being “secure by default”, but what does that actually mean for your app? In this first episode I walk through a simple threat model for a typical iOS app, explain the main security guarantees Apple really gives you, and highlight the gaps where you’re still on your own.

    13 min