Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Transcript

  • 1. Blackbox analysis of iOS apps Dmitry 'D1g1' Evdokimov, Security researcher at Digital Security (ERPScan)
  • 2. #whoami
    • Director of DSecRG (ERPScan Research Group)
    • Section editor in the Xakep magazine
    • Co-organizer of DEFCON Russia & ZeroNights
    • Author of Python arsenal for RE
    Specialized in finding vulnerabilities in binary applications without source code
    © 2002—2013, Digital Security
  • 3. Attention please!
    It is not rocket science =)
    This work is a compilation of public information and my own experience
  • 4. Goals of this workshop
    • How iOS and iOS applications work
    • The basics of iOS vulnerabilities
    • The skill of using common tools to find vulnerabilities in iOS apps
  • 5. Agenda
    1. iOS platform: how it works, Objective-C, ARM, security mechanisms, jailbreak
    2. Introduction to Objective-C
    3. iOS apps: Mach-O format, application structure, …
    4. iOS vulns
    5. Blackbox testing: static and dynamic analysis
  • 6. iOS
    • iOS is derived from OS X, with which it shares Darwin
    • The kernel sources remain closed
    • ARM
      • __arm__, ARM_ARCH
    • Touch-based
      • SpringBoard
    • Security mechanisms
      • Sandbox as a jail
    • …
  • 7. iOS security mechanisms
    • Code Signing
      - X.509v3 certificates
    • Sandboxing (SeatBelt)
      - Inability to break out of the app’s directory: /var/mobile/Applications/<app-GUID>/
      - Inability to access any other process
      - Inability to use any hardware devices directly
      - Inability to generate code dynamically
    • Privilege separation
      - Mobile user + Entitlements
  • 8. Jailbreak
    • Jailbreak depends on SW & HW
      • Tethered
      • Untethered
    • Ability to access the file system
      • Copy/edit any file in the system
    • Bypassing sandbox restrictions
      • Break out of the app’s directory
    • Launching unsigned applications
      • Launch applications that do not come from the App Store
  • 9. Apple about jailbreak
    http://support.apple.com/kb/HT3743
  • 10. ARM
    • Advanced RISC Machine
    • Load-store architecture
    • Fixed-length instructions
    • 3-address instruction formats
    • Instructions:
      • Data transfer
      • Data processing
      • Control flow
  • 11. ARM modes
    1. ARM
      • Length(Instr) = 4 bytes
    2. Thumb
      • Length(Instr) = 2 bytes
    3. Thumb2
      • Length(Instr) = 2/4 bytes
    4. Jazelle
      • Java bytecode + ARM/Thumb
  • 12. ARM32
    • Registers:
      • General Purpose: r0-r12
      • Stack Pointer: r13 (SP)
      • Link Register: r14 (LR)
      • Program Counter: r15 (PC)
      • Current Program Status Register (CPSR)
    • Calling Convention:
      • Argument Values: r0-r3
      • Local Values: r4-r12
      • Return Value: r0
  • 13. ARM 64-bit Architecture
    1. iPhone 5S
    2. AArch64 (ARM), ARM64 (Apple)
  • 14. Divergences, divergences, divergences...
  • 15. Development for iOS
    • Mac
    • Xcode
      • gcc/LLVM/LLVM-gcc compilers
      • iPhone Simulator (i386)
    • Cocoa Touch
    • Objective-C
    • Other: HTML, JavaScript, C# & .NET (Xamarin)
  • 16. Objective-C
    • Object-oriented language
    • Based on:
      • Strict superset of C
      • Smalltalk
  • 17. Calling methods
    • C++: ObjectPointer->MethodName(param1, param2)
    • Obj-C: [ObjectPointer MethodName:param1 param2Name:param2]
      → objc_msgSend(ObjectPointer, "MethodName", "param1", "param2")
    • Runtime dispatch functions:
      • objc_msgSend()
      • objc_msgSendSuper()
      • objc_msgSend_fpret()
      • objc_msgSend_stret()
      • objc_msgSendSuper_stret()
      • objc_msgSendSuper2()
  • 18. Go to device
    • Jailbreak
    • Cydia
    • SSH/putty
    • itunnel_mux
    • WinSCP/scp
  • 19. Prepare env on device
    • otool
    • class-dump-z
    • APT 0.6 Transitional
      • apt-get
    • Command line tools
      • curl, dpkg, file, grep, netcat, python, sed, …
  • 20. Install apps from console
    • Debian package:
      dpkg -i <package.deb>
      killall -HUP SpringBoard
    • App without developer license or patched:
      scp -r HelloWorld.app/ root@yourIP:/Applications/
      uicache
      killall -HUP SpringBoard
    • IPA:
      • IPA Installer Console
      • iPhone Configuration Utility
  • 21. Useful commands
    • Find an app’s directory by name:
      cd /private/var/mobile/Applications
      find . -name '*Appname*'
    • List app directories with timestamps:
      cd /private/var/mobile/Applications
      ls -l | grep 'Time'
  • 22. Applications
    • AppStore
      • IPA packages = ZIP files
    • On devices
      • /private/var/mobile/Applications/<UUID>/<AppName>.app/
    • Apple apps
      • /Applications/
  • 23. Mach-O file format basic structure (diagram)
  • 24. Mach-O header
    1. 32-bit (ARMv6, ARMv7)
      • 0xFEEDFACE
    2. 64-bit
      • 0xFEEDFACF
    3. Universal binaries (FAT)
      • 0xCAFEBABE
  • 25. Application structure
    • AppName.app/: the app
    • Documents/: data files saved by the app
    • Library/: miscellaneous app files
    • iTunesArtwork: app icon
    • iTunesMetadata.plist: the property list of the app
    • tmp/: directory for temporary files
  • 26. Decrypt app from AppStore
    1. gdb
      • Choosing the right architecture (if FAT)
      • Breakpoint at start
    2. Clutch
    3. dumpdecrypted.dylib
  • 27. Decrypt
    • Clutch
      • /var/root/Documents/Cracked/
    • dumpdecrypted.dylib
  • 28. OWASP Mobile Top 10 Risks (diagram)
  • 29. Traffic analysis
    • Passive network traffic monitoring with tcpdump; then load the *.pcap file into Wireshark for analysis
    • Gateway method
    • BurpSuite
      • HTTPS: import the PortSwigger CA to the iDevice
    • dnsRedir
    • Mallory (by Intrepidus Group)
  • 30. Certificate pinning?!
    • Pinning is the process of associating a host with their expected X509 certificate or public key.
    • OWASP
      • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#iOS
    • Attack
      • trustme
        • SecTrustEvaluate
      • ios-ssl-killswitch
        • SSLCreateContext, SSLSetSessionOption, SSLHandshake
  • 31. Working with SSL certificates
    • NSURLConnection class
    • Accepting a self-signed certificate or incorrect error processing:
      • allowsAnyHTTPSCertificateForHost
      • setAllowsAnyHTTPSCertificate
      • continueWithoutCredentialForAuthenticationChallenge
  • 32. CFStreams sockets
    • kCFStreamPropertySSLSettings
      • kCFStreamSSLLevel
      • kCFStreamSSLAllowsExpiredCertificates
      • kCFStreamSSLAllowsExpiredRoots
      • kCFStreamSSLAllowsAnyRoot
      • kCFStreamSSLValidatesCertificateChain
      • kCFStreamSSLPeerName
  • 33. Cross-site scripting
    • UIWebView class
      • stringByEvaluatingJavaScriptFromString
      • shouldStartLoadWithRequest
  • 34. List of interesting strings
    • Don’t use and don’t leak:
      • UDID
      • IMEI
      • ICCID
      • PII
      • OSN-ID
      • LID
  • 35. XML injections
    • XML External Entity (XXE) flaws
    • NSXMLParser class
      • setShouldResolveExternalEntities
      • foundExternalEntityDeclarationWithName
    • libxml2 library
      • _xmlParseMemory
    • 3rd-party libraries and classes
  • 36. Directory traversal
    • NSFileManager class
      • contentsAtPath
      • fileHandleForReadingAtPath
    • C functions
      • fopen
      • …
  • 37. File storage
    • NSFileManager class
    • NSFileProtectionKey attribute
      • NSFileProtectionNone
      • NSFileProtectionComplete
      • NSFileProtectionCompleteUnlessOpen
      • NSFileProtectionCompleteUntilFirstUserAuthentication
    • Tools:
      • filemon.iOS
      • FileDP
  • 38. filemon.iOS (screenshot)
  • 39. Plist files
    • plist – property lists
      • Serialized objects
      • XML
    • NSUserDefaults class
    • Tools:
      • Python libraries: plistlib, bplist
      • plist Editor
      • plutil
        • plutil -convert xml1
  • 40. SQLite and SQL injections
    • SQLite database
      • /usr/lib/libsqlite3.dylib
      • /<GUID>/Documents/
        • *.sqlite, *.db, *.sqlite3
      • sqlite3_open
      • sqlite3_prepare_v2
      • sqlite3_step
    • Use parameterized queries
      • sqlite3_bind_*
  • 41. Keychain
    • Secure storage
      • File: /private/var/Keychains/keychain-2.db
      • SecItemAdd()
      • SecItemUpdate()
      • SecItemCopyMatching()
      • SecItemDelete()
    • Tools:
      • keychain_dumper
      • keychain_dump
  • 42. Cookies
    • Persistent cookies: Cookies.binarycookies
      • /private/var/mobile/Library/
      • /private/var/mobile/<App GUID>/Library/Cookies
    • Tool: BinaryCookieReader.py
  • 43. Logs
    • NSLog()
    • Tools:
      • iPhone Configuration Utility
      • syslogd
  • 44. Cache
    • UIPasteboard class
      • generalPasteboard
    • Backgrounding
      • <Application GUID>/Library/Caches/Snapshots/*/*.png
      • applicationDidEnterBackground
    • Keyboard cache
      • /var/mobile/Library/Keyboard/en_GB-dynamictext.dat
      • secureTextEntry = Yes
      • autocorrectionType = UITextAutocorrectionTypeNo
  • 45. IPC
    • URL schemes
      • handleOpenURL
      • openURL
      • http://wiki.akosma.com/IPhone_URL_Schemes
  • 46. Memory corruptions
    • Obj-C + C/C++ function =
    • Format string
      • NSLog()
      • [NSString stringWithFormat:]
      • [NSString initWithFormat:]
      • [NSMutableString appendFormat:]
      • [NSAlert informativeTextWithFormat:]
      • [NSPredicate predicateWithFormat:]
      • [NSException format:]
      • NSRunAlertPanel
    • Buffer overflow
    • Use-after-free
  • 47. Check for exploit mitigations
    • Stack cookie
      • _stack_chk_fail
      • _stack_chk_guard
    • PIE
    • ARC
      • _objc_release
      • _objc_retainAutoreleaseReturnValue
      • _objc_autoreleaseReturnValue
      • _objc_storeStrong
      • _objc_retain
      • _objc_retainAutoreleasedReturnValue
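The Mach-O magic values from slide 24 and the PIE check from slide 47 can be combined into one small header parser. This is an added example, not code from the workshop: it reads a thin or FAT (universal) Mach-O header, names the CPU of each slice and reports whether the MH_PIE flag is set. The constants are the values from Apple's mach-o/loader.h and mach/machine.h; the sample binaries are constructed in-line and are not real apps.

```python
# Added example (not the slides' code): parse a Mach-O or FAT header and
# report the architecture and the PIE flag. Constants come from Apple's
# <mach-o/loader.h>; the sample binaries are constructed in-line, not real apps.
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_PIE = 0x200000                                  # mach_header.flags bit
CPU_TYPE_ARM, CPU_TYPE_ARM64, CPU_TYPE_X86 = 0xC, 0x0100000C, 0x7
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86: "i386"}

def parse_thin(data):
    """Return word size, cpu name and PIE state for one little-endian Mach-O slice."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O: 0x%08X" % magic)
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    cputype, _sub, _ftype, _ncmds, _size, flags = struct.unpack("<6I", data[4:28])
    return {"bits": 64 if magic == MH_MAGIC_64 else 32,
            "cpu": CPU_NAMES.get(cputype, hex(cputype)), "pie": bool(flags & MH_PIE)}

def parse_macho(data):
    """Thin files give one entry; FAT (universal) files give one entry per slice."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:   # FAT header is big-endian
        return [parse_thin(data)]
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align
        _cpu, _sub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        slices.append(parse_thin(data[off:off + size]))
    return slices

def thin_header(magic, cputype, flags):
    """Constructed mach_header with zero load commands (enough for the parser)."""
    hdr = struct.pack("<7I", magic, cputype, 0, 2, 0, 0, flags)  # filetype 2 = MH_EXECUTE
    return hdr + (b"\0" * 4 if magic == MH_MAGIC_64 else b"")    # 64-bit adds 'reserved'

def sample_fat():
    """Constructed universal binary: armv7 slice without PIE, arm64 slice with PIE."""
    arm, arm64 = thin_header(MH_MAGIC, CPU_TYPE_ARM, 0), thin_header(MH_MAGIC_64, CPU_TYPE_ARM64, MH_PIE)
    base = 8 + 20 * 2                                  # fat_header + two fat_arch entries
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">5I", CPU_TYPE_ARM, 0, base, len(arm), 0)
    fat += struct.pack(">5I", CPU_TYPE_ARM64, 0, base + len(arm), len(arm64), 0)
    return fat + arm + arm64

if __name__ == "__main__":
    for s in parse_macho(sample_fat()):
        print("%s-bit %-6s PIE=%s" % (s["bits"], s["cpu"], s["pie"]))
```

On a real decrypted binary, pass the file contents to parse_macho(); a slice without PIE is the one a gdb/Clutch session from slide 26 would target, and the one to flag in a review.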
  • 48. TOOLS
  • 49. IDA Pro (screenshot)
  • 50. radare2
    • ARM64 Mach-O
      1. ???
  • 51. Hopper (screenshot)
  • 52. iNalyzer (screenshot)
  • 53. cycript (screenshot)
  • 54. Introspy (screenshot)
  • 55. Snoop-it (screenshot)
  • 56. Q&A
    d.evdokimov@dsec.ru
    @evdokimovds