iOS App Autopsy #3: What Government Apps Know About You (And Poorly Guard It)

What happens when a security researcher downloads a government app from the App Store and starts pulling it apart? In this live session, you'll find out — no slides, no theory, no mercy.
I'll take a real government or public-sector iOS application — digital ID, tax portal, public transport, municipal services — download it, and perform a full static security analysis live. You'll watch as exposed server endpoints, weak transport security configurations, unprotected API routes, and sensitive URLs embedded in the binary surface in minutes. Then, for a bonus round, we'll look at how network traffic from a government app behaves when someone is listening.

What you'll walk away with: — How government apps construct and expose their network requests — What a man-in-the-middle interception actually reveals in practice — Why the largest user base combined with the slowest update cycle is a security problem — How hardcoded server configurations become an attacker's roadmap.

Who this is for: developers in the public sector, civic tech practitioners, security professionals, and anyone who uses government apps daily and would prefer to know what's going on under the bonnet.

About the host: Sergii Koval — 15+ years in iOS/macOS security. Security architect for banking and enterprise platforms. Creator of Threat Explorer, a proprietary iOS security analysis platform. Based in Luxembourg.

Format: Live demo via Google Meet. ~60 minutes. Free. Recorded for YouTube. This is part of a monthly series. Each session, a different industry goes on the table.