OWASP, profile picture
Uploaded byOWASP
PDF, PPTX2,422 views

Introduction to iOS Penetration Testing

The document provides an introduction to iOS penetration testing. It discusses the speaker's background in mobile and web penetration testing with a focus on iOS. The agenda outlines that the talk will cover introduction to iOS, Objective-C runtime basics, setting up a testing environment, and fundamentals of application testing with a focus on black-box testing. It will not cover jailbreak development, Swift, white-box testing, or webapp pentesting. The document then delves into various aspects of iOS including the security model, application sandboxing, Objective-C, and the iOS runtime. It also discusses tools and techniques for static analysis, runtime manipulation, bypassing protections, and investigating local storage.

Embed presentation

Download as PDF, PPTX
Introduction to iOS Penetration Testing OWASP 15/11/2016 | Slawomir Kosowski
○ Working as Mobile and Web pentester ○ Focused on iOS ○ Previously worked on wide range of security projects ○ Educational background in Telecommunications About Me 2 https://www.linkedin.com/in/skosowski
Introduction How many iOS developers do we have here? How many of you are actually writing in Swift? Any pentesters? Android folks? 3
Agenda 4 What we will cover: ○ Introduction to iOS ○ Basics of Objective-C runtime ○ Setting up testing environment ○ Fundamentals of app testing ● Focus on black-box testing What we will not cover: ○ Jailbreak development ○ Swift (not in detail) ○ White box testing / code review ○ Webapp pentesting
Introduction to iOS - Mobile operating system from Apple - Based on XNU kernel from Darwin OS (Unix) - iOS is closed-source with some exceptions* - Applications written in Objective-C (and Swift) - Cocoa Touch - main API for iOS handling user interaction 5 * https://opensource.apple.com
Apple controls both hardware and software to provide end-to-end security, with following key features: ○ Secure Boot Chain ○ Secure Enclave (and Touch ID) ○ Encryption and Data Protection ○ Trusted Code Execution ○ Network Security Introduction to iOS security model 6 User Partition Application A Application B Data Protection Class Data Protection Class OS Partition software Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf Kernel
Keychain ○ Stores sensitive data such as passwords, certificates, tokens, etc. ○ Is implemented as SQLite database ○ Application can access only items in its keychain-access-group ○ Can be arbitrarily read on a jailbroken device using keychain-dumper 7
Application Sandbox ○ iOS Sandbox derives from TrustedBSD MAC framework ○ Each third-party application runs as mobile user ○ Only a few system daemons/apps run as root ○ Application can access only its own files and data ○ IPCs are very limited 8
Objective-C ○ Superset of C, adding object-oriented functionality ● This means you can include C code in your apps ○ Based on Smalltalk language, supporting message passing, dynamic typing and infix notation ○ Uses interface and implementation file ● Think about .h and .cpp files in C++ 9
Objective-C Objective-C is using infix notation with arguments listed after colon: 10 [Object method:argument] [NSString stringWithString:@”Hello World!”]
Class vs Instance Methods ○ Class method can be called on its own ○ Instance method must use instance of an object 11 @interface MyClass : NSObject + (void)aClassMethod; - (void)anInstanceMethod; @end [MyClass aClassMethod]; MyClass *object = [[MyClass alloc] init]; [object anInstanceMethod];
Objective-C - Message Passing When you pass method, a special function objc_msgSend() is called: 12 SaySomething *saySomething = [ [ SaySomething alloc ] init ]; [ saySomething say: @"Hello, world!" ]; [ saySomething release ]; Which gets translated into C calls: objc_msgSend( objc_msgSend( objc_msgSend( objc_msgSend( objc_getClass("SaySomething"), NSSelectorFromString(@"alloc")), NSSelectorFromString(@"init")), NSSelectorFromString(@"say:"), @"Hello, world!"), NSSelectorFromString(@"release:")); Source: Hacking and Securing iOS Applications - J. Zdziarski
Objective-C Call Graph 13 Source:http://blog.zynamics.com/2010/04/27/objective-c-reversing-i
Objective-C Runtime ○ Objective-C runtime is written in C and assembly ○ Very interesting subject on its own! ○ Calls are cached so that subsequent messages are dispatched quicker ○ Decision on which method will be called is resolved dynamically ○ This is called Method Swizzling ○ It will help us during black-box testing and runtime manipulation Read more: https://mikeash.com/pyblog/friday-qa-2009-03-20-objective-c-messaging.html http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html http://www.friday.com/bbum/2009/12/18/objc_msgsend-part-1-the-road-map/ 14
Introduction to Application Analysis 15
Static Binary Analysis ○ IDA Pro ○ Hopper (demo closing after 30 minutes) ○ class-dump ○ otool ○ strings 16
Runtime Manipulation 1. Cycript a. injects into process and enables to manipulate the runtime with interactive console b. supports mixed Objective-C and Javascript syntax 2. Frida a. injects Javascript V8 Javascript Duktape engine into process runtime b. can inject a hook into starting process 17
Runtime Manipulation - Cont’d 3. Debugger a. Apple moved from GCC and GDB to LLVM and LLDB b. GDB is fully supported until iOS7 c. iOS8 and onwards uses LLDB d. Some key features are still missing in LLDB i. info mach-regions ii. Symbols from stripped ObjC Mach-O binary are not loaded in LLDB 18
Setting up Pentesting Lab ○ Bare minimum is one iDevice, e.g. iPad running iOS 8.x ● Recommended at least two or more iDevices ○ You will need to jailbreak it ○ Ideally grab another pair of iPads/iPhones running older iOS for any legacy apps ○ OS X and XCode is very useful, but not mandatory ○ Alternatively, grab your favourite Linux 19
Setting up Pentesting Lab - Cont’d ○ Beware: if you fail to JB your device correctly you can restore it and upgrade with iTunes ○ Semi-restore might be handy if your JB fails: https://semi-restore.com/ ○ No possibility to downgrade iOS version 20
Jailbreaking ○ Get appropriate jailbreak - https://ipsw.me might be handy ○ Jailbreak will install Cydia - the alternative application store as well as couple of useful services ○ From Cydia install aptitude and openssh ○ Install additional packages with aptitude 21
Jailbreaking - cont’d ○ SSH to your iDevice ● Two users are root and mobile ● Default password: alpine ○ Install additional packages with aptitude 22 inetutils syslogd less com.autopear.installipa class-dump com.ericasadun.utilities odcctools cycript sqlite3 adv-cmds bigbosshackertools
Install Frida ○ Check install guide: www.frida.re/docs/ios ○ Basically add https://build.frida.re to Cydia repo ○ Then install Frida with Cydia 23
IPA file and Binary ○ IPA file is simply a ZIP archive ● Think of APK but for iOS ● Contains all relevant files like binary itself, graphics, certificates, default data, etc. ○ For static analysis, the Mach-O Binary is interesting ○ Usually it contains two architectures ARM7(s) and ARM64 Read more about Mach-O File Format: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html 24
Important File Location You can find system applications in /Applications For all the rest use installipa: 25 iOS8-jailbreak:~ root# installipa -l me.scan.qrcodereader iOS8-jailbreak:~ root# installipa -i me.scan.qrcodereader Bundle: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C Application: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C/QR Reader.app Data: /private/var/mobile/Containers/Data/Application/297EEF1B-9CC5-463C-97F7-FB062C864E56
Usual Test Approach 1. Obtain IPA file 2. Bypass jailbreak detection (if present) 3. Bypass certificate pinning (if present) 4. Inspect HTTP(S) traffic - usual web app test 5. Abuse application logic by runtime manipulation 6. Check for local data storage (caches, binary cookies, plists, databases) 7. Check for client-specific bugs, e.g. SQLi, XSS 8. Other checks like: logging to ASL with NSLog, application screenshots, no app backgrounding 26
Binary Encryption - Each app in Apple AppStore uses FairPlay DRM, hence is encrypted - You must decrypt it before doing static analysis - Easiest way to do it is to use Clutch - Alternatively you can use lldb and dump process memory once encrypted - Broadly documented in the Internet - If you are doing a pentest, you will get most likely unencrypted IPA file 27
Binary Security Features ○ ARC - Automatic Reference Counting - memory management feature ● adds retain and release messages when required ○ Stack Canary - helps preventing buffer overflow attacks ○ PIE - Position Independent Executable - enables full ASLR for binary All of above are currently set by default in XCode. 28
Setting up Burp 29
Jailbreak Detection - Common Methods ○ Check existence of additional files, e.g.: /bin/bash ○ Check API calls like: ● fork() - forbidden on non-JB devices ● system(NULL) returns 0 on non-JB and 1 on JB devices ○ Check if cydia:// URL scheme is registered Read more: https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/ 30
Bypassing JB detection 1. The easy way: xcon 2. More challenging: a. Debugger/Binary patching b. Frida c. Cycript 31
Getting Info with Class-dump 32 iOS8-jailbreak:~ root# lipo -thin armv7 DamnVulnerableIOSApp -output DVIA32 iOS8-jailbreak:~ root# class-dump DVIA32 @interface FlurryUtil : ./DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/Vie ws/Internal/ { } + (BOOL)appIsCracked; + (BOOL)deviceIsJailbroken;
Hopper - Disassembling 33
Cycript 34 iOS8-jailbreak:~ root# cycript -p 12345 cy# [SFAntiPiracy isTheDeviceJailbroken] true cy# a=choose(JailbreakDetectionVC) [] cy# a=choose(JailbreakDetectionVC) [#"<JailbreakDetectionVC: 0x14ee15620>"] cy# [a[0] isJailbroken] True Worth reading: http://iphonedevwiki.net/index.php/Cycript_Tricks
Cycript 35 cy# [a[0] isJailbroken] true cy# JailbreakDetectionVC.prototype.isJailbroken=fu nction(){return false} cy# [a[0] isJailbroken] false
Frida - Method Tracing 1. Install Frida on your workstation and iDevice 2. Connect iDevice to USB 3. Use frida-trace 36 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" 4. This creates JS hook with onEnter and onLeave callback functions: onLeave: function (log, retval, state) { console.log("Function [JailbreakDetectionVC isJailbroken] originally returned:"+ retval); retval.replace(0); console.log("Changing the return value to:"+retval); }
Frida - Method Tracing - Output 37 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" Instrumenting functions... `... -[JailbreakDetectionVC isJailbroken]: Loaded handler at "./__handlers__/__JailbreakDetectionVC_isJailbroken_.js" Started tracing 1 function. Press Ctrl+C to stop. Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 /* TID 0x303 */ 6890 ms -[JailbreakDetectionVC isJailbroken] Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 22475 ms -[JailbreakDetectionVC isJailbroken]
Frida on non-jailbroken device 38
Testing for Certificate Pinning Gradually relax requirements for server certificate, and check if traffic is successfully proxied through Burp on each stage: 1. Set Burp in proxy settings, make sure that SSL Killswitch is disabled and that Burp Profile is *not* installed → no certificate validation 2. Install Burp Profile (certificate) → no certificate pinning 3. Enable SSL Killswitch → certificate pinned 4. Bypass certificate pinning manually 39
Bypassing Certificate Pinning - Killswitch: https://github.com/iSECPartners/ios-ssl-kill-switch - Bypassing OpenSSL cert pinning with cycript: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/ Other tips: - Certificate is often bundled in the application- look for .der or .pem - Class-dump binary looking for strings like X509 or Cert - Look for the following methods in the binary: NSURLSession, CFStream, AFNetworking 40 Source: iOS Application Security - D. Thiel
Investigating Local Storage 1. Check app Data directory /private/var/mobile/Containers/Data/Application/<app Bundle> a. .db - using SQLite - check with sqlite3 b. plists 2. NSUserDefaults a. /User/Library/Preferences/ b. /<app>/Library/Preferences/ 3. Protection class a. fileDP tool* 41 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
Investigating Local Storage - Cont’d 4. Application screenshots a. /private/var/mobile/Containers/Data/Application/<BundleID>/Library/Caches/Snapshots/ 5. WebView caching a. /User/Library/Caches/*/Cache.db b. /Library/Caches/*/Cache.db 6. Forensic approach: a. ls -lR --full-time before application install, after install and after first use diff the results and check any files that changed b. use strings on any binary/unidentified file formats c. check for WAL files that may contain uncommitted DB transactions 42 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
iExplorer 43
Final Thoughts ○ Server-side bugs (LFI, SQLi, RCE) are still among most impactful ○ Limited scenarios for exploiting device data leakage ● Starting from iPhone 5s the Secure Enclave protects from easy passcode bruteforcing ● Backups? ○ Simple passcode might be an issue (1234, 0000, etc.) ○ User may choose to wipe device after 10 attempts 44
Current Challenges March 7, 2016 October 26, 2016 45
○ Frequent iOS release with quick adoption rate ○ Slow/unpredictable jailbreak release for recent iOSes ○ Customer asking to test on latest iOS ○ Swift does not use message passing :( ○ Pentesting toolset is lagging Current Challenges 46
Q&A or drop me a line: me@skosowski.com 47
Introspy 48
○ URL handlers, e.g. mailto:// ● open another app using its URL handler with: [[UIApplication sharedApplication] openURL:myURL]; ● sender can be authenticated :) ● URL scheme can be hijacked :( Read more: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html Interprocess Communication 49 Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. - Apple’s Documentation
○ Universal Links introduced in iOS 9 ● solve problems of openURL ● no unregistered schemes - working over https:// ○ App Extensions introduced in iOS 8 ● are installed with host application and can communicate through extension points: Actions, Custom Keyboards, Document Providers, Photo Editing, Sharing, Today Widgets Read more: https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html Interprocess Communication 50
File Data Protection 51 Hardware Key Passcode Key Class Key File System Key File Metadata [File Key] File Contents
Secure Boot Chain ○ Only Apple signed code is run on iDevice ○ You need developer’s account to write and run your apps ○ Each level of boot is checked for a valid signature 52 Boot ROM Low-Level Bootloader iBoot iOS Kernel OS Apple Root CA
Secure Boot Chain - Jailbreak ○ Jailbreak permits running self-signed code ○ It does not break Application Sandbox ○ Usually several exploits are chained to perform jailbreak ○ Look for: TaiG, Pangu, redsn0w 53 iOS Kernel OS Apple Root CA Boot ROM Low-Level Bootloader iBoot Exploit this or that
Protection Classes 54 Availability File Data Protection Keychain Data Protection When Unlocked NSFileProtectionComplete kSecAttrAccessibleWhenUnlocked When Locked NSFileProtectionCompleteUnlessOpen N/A After First Unlock NSFileProtectionCompleteUntil FirstUserAuthentication kSecAttrAccessibleAfterFirstUnlock Always NSFileProtectionNone kSecAttrAccessibleAlways Passcode Enabled N/A kSecAttrAccessibleWhenPasscodeSetThis DeviceOnly
$ unzip DamnVulnerableiOSApp.ipa $ cd Payload/DamnVulnerableIOSApp.app $ otool -hv DamnVulnerableIOSApp DamnVulnerableIOSApp (architecture armv7): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE DamnVulnerableIOSApp (architecture arm64): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE Binary Checks - PIE 55
$ otool -Iv DamnVulnerableIOSApp | grep stack 0x0046040c 83177 ___stack_chk_fail 0x0046100c 83521 _sigaltstack 0x004fc010 83178 ___stack_chk_guard 0x004fe5c8 83177 ___stack_chk_fail 0x004fe8c8 83521 _sigaltstack 0x00000001004b3fd8 83077 ___stack_chk_fail 0x00000001004b4890 83414 _sigaltstack 0x0000000100590cf0 83078 ___stack_chk_guard 0x00000001005937f8 83077 ___stack_chk_fail 0x0000000100593dc8 83414 _sigaltstack Binary Checks - SSP 56
$ otool -Iv DamnVulnerableIOSApp | grep release 0x0045b7dc 83156 ___cxa_guard_release 0x0045fd5c 83414 _objc_autorelease 0x0045fd6c 83415 _objc_autoreleasePoolPop 0x0045fd7c 83416 _objc_autoreleasePoolPush 0x0045fd8c 83417 _objc_autoreleaseReturnValue 0x0045ff0c 83441 _objc_release [SNIP] Binary Checks - ARC 57

More Related Content

PPTX
Infrastructure as Code Presentation v5.pptx
byYASHSRIVASTAVA811639
 
PPTX
Containers and workload security an overview
byKrishna-Kumar
 
PPT
iOS Application Penetration Testing for Beginners
byRyanISI
 
PPTX
Hyper-V を使おう
bywataken44
 
PPTX
Jenkins CI presentation
byJonathan Holloway
 
PDF
ニフクラでDockerを使う際のTips
by富士通クラウドテクノロジーズ株式会社
 
PPTX
Apache ZooKeeper 로
 분산 서버 만들기
byiFunFactory Inc.
 
PPTX
odoo 11.0 development (CRUD)
byMohamed Magdy
 
Infrastructure as Code Presentation v5.pptx
byYASHSRIVASTAVA811639
 
Containers and workload security an overview
byKrishna-Kumar
 
iOS Application Penetration Testing for Beginners
byRyanISI
 
Hyper-V を使おう
bywataken44
 
Jenkins CI presentation
byJonathan Holloway
 
ニフクラでDockerを使う際のTips
by富士通クラウドテクノロジーズ株式会社
 
Apache ZooKeeper 로
 분산 서버 만들기
byiFunFactory Inc.
 
odoo 11.0 development (CRUD)
byMohamed Magdy
 

What's hot

PPTX
MongoDB presentation
byHyphen Call
 
PDF
Docker internals
byRohit Jnagal
 
PDF
Hibernate 6.0 - What's new.pdf
byChristian Beikov
 
PPTX
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
 
PDF
[Cloud OnAir] Google Networking Deep Dive ! その技術と設計の紹介 2018年8月9日 放送
byGoogle Cloud Platform - Japan
 
PDF
Jenkins를 활용한 Openshift CI/CD 구성
byrockplace
 
PDF
Service discovery with Eureka and Spring Cloud
byMarcelo Serpa
 
PPTX
Samantha Wang [InfluxData] | Best Practices on How to Transform Your Data Usi...
byInfluxData
 
PPTX
Introducing FIDO Device Onboard (FDO)
byFIDO Alliance
 
PPTX
Dpdk applications
byVipin Varghese
 
PPTX
Maven
byMourad HASSINI
 
PDF
An Introduction to Kubernetes
byImesh Gunaratne
 
PPTX
Understanding DPDK
byDenys Haryachyy
 
PPTX
Introduction to DPDK
byKernel TLV
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
PDF
Introduction to State Restoration in Flutter
byDave Chao
 
PPT
Container security
byAnthony Chow
 
PDF
Alphorm.com Formation Docker (1/2) : Installation et Administration
byAlphorm
 
PDF
Container Security
bySalman Baset
 
PPTX
Introduction to docker
byFrederik Mogensen
 
MongoDB presentation
byHyphen Call
 
Docker internals
byRohit Jnagal
 
Hibernate 6.0 - What's new.pdf
byChristian Beikov
 
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
 
[Cloud OnAir] Google Networking Deep Dive ! その技術と設計の紹介 2018年8月9日 放送
byGoogle Cloud Platform - Japan
 
Jenkins를 활용한 Openshift CI/CD 구성
byrockplace
 
Service discovery with Eureka and Spring Cloud
byMarcelo Serpa
 
Samantha Wang [InfluxData] | Best Practices on How to Transform Your Data Usi...
byInfluxData
 
Introducing FIDO Device Onboard (FDO)
byFIDO Alliance
 
Dpdk applications
byVipin Varghese
 
Maven
byMourad HASSINI
 
An Introduction to Kubernetes
byImesh Gunaratne
 
Understanding DPDK
byDenys Haryachyy
 
Introduction to DPDK
byKernel TLV
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
Introduction to State Restoration in Flutter
byDave Chao
 
Container security
byAnthony Chow
 
Alphorm.com Formation Docker (1/2) : Installation et Administration
byAlphorm
 
Container Security
bySalman Baset
 
Introduction to docker
byFrederik Mogensen
 

Viewers also liked

PDF
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
PPTX
Mirai botnet
byOWASP
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
PDF
iOS Application Penetration Testing
byn|u - The Open Security Community
 
PPTX
Hacking and securing ios applications
bySatish b
 
PPTX
Android pen test basics
byOWASPKerala
 
PPTX
Pentesting Android Applications
byCláudio André
 
PDF
Yow connected developing secure i os applications
bymgianarakis
 
PPTX
Pentesting iOS Applications
byjasonhaddix
 
PDF
My Null Android Penetration Session
byAvinash Sinha
 
PDF
Android Security & Penetration Testing
bySubho Halder
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
Mirai botnet
byOWASP
 
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
iOS Application Penetration Testing
byn|u - The Open Security Community
 
Hacking and securing ios applications
bySatish b
 
Android pen test basics
byOWASPKerala
 
Pentesting Android Applications
byCláudio André
 
Yow connected developing secure i os applications
bymgianarakis
 
Pentesting iOS Applications
byjasonhaddix
 
My Null Android Penetration Session
byAvinash Sinha
 
Android Security & Penetration Testing
bySubho Halder
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 

Similar to Introduction to iOS Penetration Testing

PDF
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
byPROIDEA
 
PPTX
iOS Application Exploitation
byPositive Hack Days
 
PDF
iOS Application Security
byEgor Tolstoy
 
PDF
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
 
PDF
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
 
PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
PDF
Synack at AppSec California with Patrick Wardle
bySynack
 
PDF
Hacking iOS Applications: A Detailed Testing Guide
bySecurity Innovation
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
PDF
AusCERT - Developing Secure iOS Applications
byeightbit
 
PPTX
Hacking & Securing of iOS Apps by Saurabh Mishra
byOWASP Delhi
 
PPTX
Beyond the 'cript practical i os reverse engineering lascon
byNino Ho
 
PPTX
EkoParty 2010: iPhone Rootkit? There's an App for that.
byEric Monti
 
PDF
Dark Side of iOS [SmartDevCon 2013]
byKuba Břečka
 
PPTX
128-ch3.pptx
byDeepakPanchal65
 
PPT
iOS Application Pentesting
byn|u - The Open Security Community
 
PDF
I Want More Ninja – iOS Security Testing
byJason Haddix
 
PDF
Pentesting iOS Apps - Runtime Analysis and Manipulation
byAndreas Kurtz
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
byPROIDEA
 
iOS Application Exploitation
byPositive Hack Days
 
iOS Application Security
byEgor Tolstoy
 
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
 
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
Synack at AppSec California with Patrick Wardle
bySynack
 
Hacking iOS Applications: A Detailed Testing Guide
bySecurity Innovation
 
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
AusCERT - Developing Secure iOS Applications
byeightbit
 
Hacking & Securing of iOS Apps by Saurabh Mishra
byOWASP Delhi
 
Beyond the 'cript practical i os reverse engineering lascon
byNino Ho
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
byEric Monti
 
Dark Side of iOS [SmartDevCon 2013]
byKuba Břečka
 
128-ch3.pptx
byDeepakPanchal65
 
iOS Application Pentesting
byn|u - The Open Security Community
 
I Want More Ninja – iOS Security Testing
byJason Haddix
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
byAndreas Kurtz
 

More from OWASP

PDF
[OPD 2019] Web Apps vs Blockchain dApps
byOWASP
 
PDF
[OPD 2019] Threat modeling at scale
byOWASP
 
PDF
[OPD 2019] Life after pentest
byOWASP
 
PDF
[OPD 2019] .NET Core Security
byOWASP
 
PDF
[OPD 2019] Top 10 Security Facts of 2020
byOWASP
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
byOWASP
 
PDF
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
byOWASP
 
PPTX
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
byOWASP
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
byOWASP
 
PPTX
[OPD 2019] Inter-application vulnerabilities
byOWASP
 
PDF
[OPD 2019] Automated Defense with Serverless computing
byOWASP
 
PDF
[OPD 2019] Advanced Data Analysis in RegSOC
byOWASP
 
PDF
[OPD 2019] Attacking JWT tokens
byOWASP
 
PDF
[OPD 2019] Rumpkernels meet fuzzing
byOWASP
 
PDF
[OPD 2019] Trusted types and the end of DOM XSS
byOWASP
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
PDF
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
byOWASP
 
PDF
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
byOWASP
 
PDF
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
byOWASP
 
PDF
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
byOWASP
 
[OPD 2019] Web Apps vs Blockchain dApps
byOWASP
 
[OPD 2019] Threat modeling at scale
byOWASP
 
[OPD 2019] Life after pentest
byOWASP
 
[OPD 2019] .NET Core Security
byOWASP
 
[OPD 2019] Top 10 Security Facts of 2020
byOWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
byOWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
byOWASP
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
byOWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
byOWASP
 
[OPD 2019] Inter-application vulnerabilities
byOWASP
 
[OPD 2019] Automated Defense with Serverless computing
byOWASP
 
[OPD 2019] Advanced Data Analysis in RegSOC
byOWASP
 
[OPD 2019] Attacking JWT tokens
byOWASP
 
[OPD 2019] Rumpkernels meet fuzzing
byOWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
byOWASP
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
byOWASP
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
byOWASP
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
byOWASP
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
byOWASP
 

Recently uploaded

PPTX
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
PPTX
kultursay_ispass13_talk evaluation of evaluations
bydominicsherwood100x1
 
PPT
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
PPTX
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
PDF
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
PPTX
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
PDF
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
PPTX
evolution of internet (internet journey)
byyamunadevi49
 
PPTX
The Queen's University of Belfast Diploma
by留服认证查尔斯达尔文大学毕业证【Q微号:1954 292 140】
 
PPTX
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
PPTX
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
PDF
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
PPT
2. Network Desy Jemilan ena Birken ande ahun kuci bilo eyetebekegne newign.ppt
byedget1
 
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
kultursay_ispass13_talk evaluation of evaluations
bydominicsherwood100x1
 
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
evolution of internet (internet journey)
byyamunadevi49
 
The Queen's University of Belfast Diploma
by留服认证查尔斯达尔文大学毕业证【Q微号:1954 292 140】
 
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
2. Network Desy Jemilan ena Birken ande ahun kuci bilo eyetebekegne newign.ppt
byedget1
 
In this document
Powered by AI

Introduction to iOS penetration testing by Slawomir Kosowski, focusing on mobile and web pentesting.

Engagement with the audience about their roles; an agenda of topics including iOS basics and app testing.

iOS as Apple's mobile OS with key security features like Secure Boot Chain and encryption methods.

Explanation of Keychain for sensitive data storage and iOS's sandboxing for application security.

Insight into Objective-C, highlighting message passing, class structures, and the runtime environment.

Methods for static binary analysis and runtime manipulation, including tools like IDA Pro and LLDB.

Requirements for creating a pentesting environment, focusing on iDevice setup and jailbreaking. Jailbreaking details, necessary tools, and understanding IPA files in the context of iOS security.

Steps for pentesting, including data storage checks and binary security features in iOS applications.

Using Burp Suite for traffic analysis, methods to bypass jailbreak and certificate pinning, and investigation techniques.

Techniques for examining app storage and data retrieval methods in iOS for pentesting.

Recap on impactful security aspects, challenges of current iOS versions and jailbreaking.

Overview of how apps communicate through URL schemes and the introduction of Universal Links.

Detailed look at iOS data protection methods, secure boot processes, and how jailbreaking affects security.

Technical analysis of iOS binary files focusing on Mach-O format, stack protections, and memory management methods.

Introduction to iOS Penetration Testing

  • 1.
    Introduction to iOS PenetrationTesting OWASP 15/11/2016 | Slawomir Kosowski
  • 2.
    ○ Working asMobile and Web pentester ○ Focused on iOS ○ Previously worked on wide range of security projects ○ Educational background in Telecommunications About Me 2 https://www.linkedin.com/in/skosowski
  • 3.
    Introduction How many iOSdevelopers do we have here? How many of you are actually writing in Swift? Any pentesters? Android folks? 3
  • 4.
    Agenda 4 What we willcover: ○ Introduction to iOS ○ Basics of Objective-C runtime ○ Setting up testing environment ○ Fundamentals of app testing ● Focus on black-box testing What we will not cover: ○ Jailbreak development ○ Swift (not in detail) ○ White box testing / code review ○ Webapp pentesting
  • 5.
    Introduction to iOS -Mobile operating system from Apple - Based on XNU kernel from Darwin OS (Unix) - iOS is closed-source with some exceptions* - Applications written in Objective-C (and Swift) - Cocoa Touch - main API for iOS handling user interaction 5 * https://opensource.apple.com
  • 6.
    Apple controls bothhardware and software to provide end-to-end security, with following key features: ○ Secure Boot Chain ○ Secure Enclave (and Touch ID) ○ Encryption and Data Protection ○ Trusted Code Execution ○ Network Security Introduction to iOS security model 6 User Partition Application A Application B Data Protection Class Data Protection Class OS Partition software Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf Kernel
  • 7.
    Keychain ○ Stores sensitivedata such as passwords, certificates, tokens, etc. ○ Is implemented as SQLite database ○ Application can access only items in its keychain-access-group ○ Can be arbitrarily read on a jailbroken device using keychain-dumper 7
  • 8.
    Application Sandbox ○ iOSSandbox derives from TrustedBSD MAC framework ○ Each third-party application runs as mobile user ○ Only a few system daemons/apps run as root ○ Application can access only its own files and data ○ IPCs are very limited 8
  • 9.
    Objective-C ○ Superset ofC, adding object-oriented functionality ● This means you can include C code in your apps ○ Based on Smalltalk language, supporting message passing, dynamic typing and infix notation ○ Uses interface and implementation file ● Think about .h and .cpp files in C++ 9
  • 10.
    Objective-C Objective-C is usinginfix notation with arguments listed after colon: 10 [Object method:argument] [NSString stringWithString:@”Hello World!”]
  • 11.
    Class vs InstanceMethods ○ Class method can be called on its own ○ Instance method must use instance of an object 11 @interface MyClass : NSObject + (void)aClassMethod; - (void)anInstanceMethod; @end [MyClass aClassMethod]; MyClass *object = [[MyClass alloc] init]; [object anInstanceMethod];
  • 12.
    Objective-C - MessagePassing When you pass method, a special function objc_msgSend() is called: 12 SaySomething *saySomething = [ [ SaySomething alloc ] init ]; [ saySomething say: @"Hello, world!" ]; [ saySomething release ]; Which gets translated into C calls: objc_msgSend( objc_msgSend( objc_msgSend( objc_msgSend( objc_getClass("SaySomething"), NSSelectorFromString(@"alloc")), NSSelectorFromString(@"init")), NSSelectorFromString(@"say:"), @"Hello, world!"), NSSelectorFromString(@"release:")); Source: Hacking and Securing iOS Applications - J. Zdziarski
  • 13.
  • 14.
    Objective-C Runtime ○ Objective-Cruntime is written in C and assembly ○ Very interesting subject on its own! ○ Calls are cached so that subsequent messages are dispatched quicker ○ Decision on which method will be called is resolved dynamically ○ This is called Method Swizzling ○ It will help us during black-box testing and runtime manipulation Read more: https://mikeash.com/pyblog/friday-qa-2009-03-20-objective-c-messaging.html http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html http://www.friday.com/bbum/2009/12/18/objc_msgsend-part-1-the-road-map/ 14
  • 15.
  • 16.
    Static Binary Analysis ○IDA Pro ○ Hopper (demo closing after 30 minutes) ○ class-dump ○ otool ○ strings 16
  • 17.
    Runtime Manipulation 1. Cycript a.injects into process and enables to manipulate the runtime with interactive console b. supports mixed Objective-C and Javascript syntax 2. Frida a. injects Javascript V8 Javascript Duktape engine into process runtime b. can inject a hook into starting process 17
  • 18.
    Runtime Manipulation -Cont’d 3. Debugger a. Apple moved from GCC and GDB to LLVM and LLDB b. GDB is fully supported until iOS7 c. iOS8 and onwards uses LLDB d. Some key features are still missing in LLDB i. info mach-regions ii. Symbols from stripped ObjC Mach-O binary are not loaded in LLDB 18
  • 19.
    Setting up PentestingLab ○ Bare minimum is one iDevice, e.g. iPad running iOS 8.x ● Recommended at least two or more iDevices ○ You will need to jailbreak it ○ Ideally grab another pair of iPads/iPhones running older iOS for any legacy apps ○ OS X and XCode is very useful, but not mandatory ○ Alternatively, grab your favourite Linux 19
  • 20.
    Setting up PentestingLab - Cont’d ○ Beware: if you fail to JB your device correctly you can restore it and upgrade with iTunes ○ Semi-restore might be handy if your JB fails: https://semi-restore.com/ ○ No possibility to downgrade iOS version 20
  • 21.
    Jailbreaking ○ Get appropriatejailbreak - https://ipsw.me might be handy ○ Jailbreak will install Cydia - the alternative application store as well as couple of useful services ○ From Cydia install aptitude and openssh ○ Install additional packages with aptitude 21
  • 22.
    Jailbreaking - cont’d ○SSH to your iDevice ● Two users are root and mobile ● Default password: alpine ○ Install additional packages with aptitude 22 inetutils syslogd less com.autopear.installipa class-dump com.ericasadun.utilities odcctools cycript sqlite3 adv-cmds bigbosshackertools
  • 23.
    Install Frida ○ Checkinstall guide: www.frida.re/docs/ios ○ Basically add https://build.frida.re to Cydia repo ○ Then install Frida with Cydia 23
  • 24.
    IPA file andBinary ○ IPA file is simply a ZIP archive ● Think of APK but for iOS ● Contains all relevant files like binary itself, graphics, certificates, default data, etc. ○ For static analysis, the Mach-O Binary is interesting ○ Usually it contains two architectures ARM7(s) and ARM64 Read more about Mach-O File Format: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html 24
  • 25.
    Important File Location Youcan find system applications in /Applications For all the rest use installipa: 25 iOS8-jailbreak:~ root# installipa -l me.scan.qrcodereader iOS8-jailbreak:~ root# installipa -i me.scan.qrcodereader Bundle: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C Application: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C/QR Reader.app Data: /private/var/mobile/Containers/Data/Application/297EEF1B-9CC5-463C-97F7-FB062C864E56
  • 26.
    Usual Test Approach 1.Obtain IPA file 2. Bypass jailbreak detection (if present) 3. Bypass certificate pinning (if present) 4. Inspect HTTP(S) traffic - usual web app test 5. Abuse application logic by runtime manipulation 6. Check for local data storage (caches, binary cookies, plists, databases) 7. Check for client-specific bugs, e.g. SQLi, XSS 8. Other checks like: logging to ASL with NSLog, application screenshots, no app backgrounding 26
  • 27.
    Binary Encryption - Eachapp in Apple AppStore uses FairPlay DRM, hence is encrypted - You must decrypt it before doing static analysis - Easiest way to do it is to use Clutch - Alternatively you can use lldb and dump process memory once encrypted - Broadly documented in the Internet - If you are doing a pentest, you will get most likely unencrypted IPA file 27
  • 28.
    Binary Security Features ○ARC - Automatic Reference Counting - memory management feature ● adds retain and release messages when required ○ Stack Canary - helps preventing buffer overflow attacks ○ PIE - Position Independent Executable - enables full ASLR for binary All of above are currently set by default in XCode. 28
  • 29.
  • 30.
    Jailbreak Detection -Common Methods ○ Check existence of additional files, e.g.: /bin/bash ○ Check API calls like: ● fork() - forbidden on non-JB devices ● system(NULL) returns 0 on non-JB and 1 on JB devices ○ Check if cydia:// URL scheme is registered Read more: https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/ 30
  • 31.
    Bypassing JB detection 1.The easy way: xcon 2. More challenging: a. Debugger/Binary patching b. Frida c. Cycript 31
  • 32.
    Getting Info withClass-dump 32 iOS8-jailbreak:~ root# lipo -thin armv7 DamnVulnerableIOSApp -output DVIA32 iOS8-jailbreak:~ root# class-dump DVIA32 @interface FlurryUtil : ./DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/Vie ws/Internal/ { } + (BOOL)appIsCracked; + (BOOL)deviceIsJailbroken;
  • 33.
  • 34.
    Cycript 34 iOS8-jailbreak:~ root# cycript-p 12345 cy# [SFAntiPiracy isTheDeviceJailbroken] true cy# a=choose(JailbreakDetectionVC) [] cy# a=choose(JailbreakDetectionVC) [#"<JailbreakDetectionVC: 0x14ee15620>"] cy# [a[0] isJailbroken] True Worth reading: http://iphonedevwiki.net/index.php/Cycript_Tricks
  • 35.
  • 36.
    Frida - MethodTracing 1. Install Frida on your workstation and iDevice 2. Connect iDevice to USB 3. Use frida-trace 36 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" 4. This creates JS hook with onEnter and onLeave callback functions: onLeave: function (log, retval, state) { console.log("Function [JailbreakDetectionVC isJailbroken] originally returned:"+ retval); retval.replace(0); console.log("Changing the return value to:"+retval); }
  • 37.
    Frida - MethodTracing - Output 37 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" Instrumenting functions... `... -[JailbreakDetectionVC isJailbroken]: Loaded handler at "./__handlers__/__JailbreakDetectionVC_isJailbroken_.js" Started tracing 1 function. Press Ctrl+C to stop. Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 /* TID 0x303 */ 6890 ms -[JailbreakDetectionVC isJailbroken] Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 22475 ms -[JailbreakDetectionVC isJailbroken]
  • 38.
  • 39.
    Testing for CertificatePinning Gradually relax requirements for server certificate, and check if traffic is successfully proxied through Burp on each stage: 1. Set Burp in proxy settings, make sure that SSL Killswitch is disabled and that Burp Profile is *not* installed → no certificate validation 2. Install Burp Profile (certificate) → no certificate pinning 3. Enable SSL Killswitch → certificate pinned 4. Bypass certificate pinning manually 39
  • 40.
    Bypassing Certificate Pinning -Killswitch: https://github.com/iSECPartners/ios-ssl-kill-switch - Bypassing OpenSSL cert pinning with cycript: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/ Other tips: - Certificate is often bundled in the application- look for .der or .pem - Class-dump binary looking for strings like X509 or Cert - Look for the following methods in the binary: NSURLSession, CFStream, AFNetworking 40 Source: iOS Application Security - D. Thiel
  • 41.
    Investigating Local Storage 1.Check app Data directory /private/var/mobile/Containers/Data/Application/<app Bundle> a. .db - using SQLite - check with sqlite3 b. plists 2. NSUserDefaults a. /User/Library/Preferences/ b. /<app>/Library/Preferences/ 3. Protection class a. fileDP tool* 41 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
  • 42.
    Investigating Local Storage- Cont’d 4. Application screenshots a. /private/var/mobile/Containers/Data/Application/<BundleID>/Library/Caches/Snapshots/ 5. WebView caching a. /User/Library/Caches/*/Cache.db b. /Library/Caches/*/Cache.db 6. Forensic approach: a. ls -lR --full-time before application install, after install and after first use diff the results and check any files that changed b. use strings on any binary/unidentified file formats c. check for WAL files that may contain uncommitted DB transactions 42 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
  • 43.
  • 44.
    Final Thoughts ○ Server-sidebugs (LFI, SQLi, RCE) are still among most impactful ○ Limited scenarios for exploiting device data leakage ● Starting from iPhone 5s the Secure Enclave protects from easy passcode bruteforcing ● Backups? ○ Simple passcode might be an issue (1234, 0000, etc.) ○ User may choose to wipe device after 10 attempts 44
  • 45.
    Current Challenges March 7,2016 October 26, 2016 45
  • 46.
    ○ Frequent iOSrelease with quick adoption rate ○ Slow/unpredictable jailbreak release for recent iOSes ○ Customer asking to test on latest iOS ○ Swift does not use message passing :( ○ Pentesting toolset is lagging Current Challenges 46
  • 47.
    Q&A or drop mea line: me@skosowski.com 47
  • 48.
  • 49.
    ○ URL handlers,e.g. mailto:// ● open another app using its URL handler with: [[UIApplication sharedApplication] openURL:myURL]; ● sender can be authenticated :) ● URL scheme can be hijacked :( Read more: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html Interprocess Communication 49 Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. - Apple’s Documentation
  • 50.
    ○ Universal Linksintroduced in iOS 9 ● solve problems of openURL ● no unregistered schemes - working over https:// ○ App Extensions introduced in iOS 8 ● are installed with host application and can communicate through extension points: Actions, Custom Keyboards, Document Providers, Photo Editing, Sharing, Today Widgets Read more: https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html Interprocess Communication 50
  • 51.
    File Data Protection 51 HardwareKey Passcode Key Class Key File System Key File Metadata [File Key] File Contents
  • 52.
    Secure Boot Chain ○Only Apple signed code is run on iDevice ○ You need developer’s account to write and run your apps ○ Each level of boot is checked for a valid signature 52 Boot ROM Low-Level Bootloader iBoot iOS Kernel OS Apple Root CA
  • 53.
    Secure Boot Chain- Jailbreak ○ Jailbreak permits running self-signed code ○ It does not break Application Sandbox ○ Usually several exploits are chained to perform jailbreak ○ Look for: TaiG, Pangu, redsn0w 53 iOS Kernel OS Apple Root CA Boot ROM Low-Level Bootloader iBoot Exploit this or that
  • 54.
    Protection Classes 54 Availability FileData Protection Keychain Data Protection When Unlocked NSFileProtectionComplete kSecAttrAccessibleWhenUnlocked When Locked NSFileProtectionCompleteUnlessOpen N/A After First Unlock NSFileProtectionCompleteUntil FirstUserAuthentication kSecAttrAccessibleAfterFirstUnlock Always NSFileProtectionNone kSecAttrAccessibleAlways Passcode Enabled N/A kSecAttrAccessibleWhenPasscodeSetThis DeviceOnly
  • 55.
    $ unzip DamnVulnerableiOSApp.ipa $cd Payload/DamnVulnerableIOSApp.app $ otool -hv DamnVulnerableIOSApp DamnVulnerableIOSApp (architecture armv7): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE DamnVulnerableIOSApp (architecture arm64): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE Binary Checks - PIE 55
  • 56.
    $ otool -IvDamnVulnerableIOSApp | grep stack 0x0046040c 83177 ___stack_chk_fail 0x0046100c 83521 _sigaltstack 0x004fc010 83178 ___stack_chk_guard 0x004fe5c8 83177 ___stack_chk_fail 0x004fe8c8 83521 _sigaltstack 0x00000001004b3fd8 83077 ___stack_chk_fail 0x00000001004b4890 83414 _sigaltstack 0x0000000100590cf0 83078 ___stack_chk_guard 0x00000001005937f8 83077 ___stack_chk_fail 0x0000000100593dc8 83414 _sigaltstack Binary Checks - SSP 56
  • 57.
    $ otool -IvDamnVulnerableIOSApp | grep release 0x0045b7dc 83156 ___cxa_guard_release 0x0045fd5c 83414 _objc_autorelease 0x0045fd6c 83415 _objc_autoreleasePoolPop 0x0045fd7c 83416 _objc_autoreleasePoolPush 0x0045fd8c 83417 _objc_autoreleaseReturnValue 0x0045ff0c 83441 _objc_release [SNIP] Binary Checks - ARC 57