hashdays 2011: Annika Meyer & Sebastien Andrivet - Pentesting iPhone & iPad Applications
Mobile devices are more and more becoming the “new browser”. The proliferation of mobile applications also marks the comeback of thick clients. In this market, Apple's iPhone and iPad are very particular: they use ARM processors like their competitors, but native iOS applications are written mainly in Objective-C. Moreover, every application is validated by Apple. What does this mean in terms of security? How do we test these applications for security problems?
This presentation covers different aspects of iPhone and iPad application pentesting, such as extraction and decryption of applications from iTunes, reverse engineering of binaries and interception of communications with web services. It is illustrated by several live demonstrations with real-world examples. We will also talk about previous research on this subject and why it is either not satisfactory or not applicable.
Bio: Annika discovered computers as a teenager with the Commodore 64 and later the Apple Macintosh. She started her professional career in the 90’s as an IT department assistant but quickly switched to the administration of Windows workstations and UNIX servers. As an opportunity arose, she then turned to database development, first under the venerable Progress and then under the more classical Oracle. At the beginning of the new millennium, she participated in several projects and in particular was involved in the creation of an ISO standard. In parallel with her career she founded ADVTOOLS, a Swiss company specialized in information systems security.
Bio: Sebastien has been playing with computers since the beginning of the '80s. After a (short) attempt with the BASIC language, he switched to 8-bit processor assembly programming. In the ’90s, in parallel with his studies at the University of Geneva, he specialized in C/C++ and assembly programming on Win/Intel and some Smalltalk. During the Internet years, he participated in several startups and released some open-source applications, including a multi-platform XML parser written in C++. At this time, he was confronted with software pirates and the incredible world of buffer overflows and SQL injections. In 2002, he specialized in application security and forensics. As a fan of Apple since the famous Apple II and the legendary NeXT, he today applies his skills to the iPhone and iPad.

Transcript

  • 1. Pentesting iPhone & iPad Apps
    #Days 2011 – October 28
  • 2. Who are we?
    • Annika Meyer: President, co-founder of ADVTOOLS
    • Sebastien Andrivet: Director, co-founder of ADVTOOLS
  • 3. ADVTOOLS
    • Swiss company founded in 2002 in Geneva
    • Specialized in Information Security & Problem Diagnosis
      - Pentesting
      - Security Audits
      - Forensics
      - Training
  • 4. Agenda
    • Overviews
    • Previous research
    • iPhone/iPad application pentest
      - Our methodology
    • Live demonstrations
    • Q&A
  • 5. iOS Application Types
    • Web Applications
      - HTML + CSS + JavaScript
      - Run inside Safari
    • Native Applications
      - Written in Objective-C (+ C/C++)
      - Compiled into CPU code: ARM for actual devices, x86 for the iOS Simulator
    • MonoTouch, Adobe Flash, …
      - Written in a high-level language
      - Compiled into CPU code
  • 6. iOS Applications
    • Distributed as “.ipa” files
      - in fact simply zip files
    • Deployed as “.app” directories
      - like on Mac OS X
    • Executable code is:
      - encrypted with FairPlay DRM (AES)
      - signed with Apple’s signature
      - decryption with GDB or Crackulous
  • 7. Objective-C
    • Objective-C = C + Smalltalk
    • Object-oriented language
    • Created in the early 1980s by Stepstone
    • Objective-C 2.0 released with Leopard (Mac OS X 10.5)
    • Can be mixed with C and C++
  • 8. Reverse Engineering
    • Not so obvious at first:
      - ARM instruction set
      - Objective-C & objc_msgSend
      - Generated code sometimes strange
      - Few (working) scripts and tools
    • Finally not so difficult
    • Your best friend: Hex-Rays IDA Pro (Win, Mac, Linux)
  • 9. Data storage
    • plist files (Property lists)
      - Used and abused
      - Binary (deprecated) or XML
    • SQLite 3
      - From time to time
    • Keychain
    • Binary data files (aka unknown)
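Slide 6 says an .ipa is simply a zip holding an .app directory whose executable is FairPlay-encrypted, and slide 9 lists binary or XML plists among the stored artifacts. The Python below is an added example, not code from the talk or from ADVTOOLS: it builds a constructed .ipa in memory, decodes its Info.plist with plistlib (which accepts both formats), and walks the main executable's Mach-O load commands looking for LC_ENCRYPTION_INFO. A cryptid of 1 means the code is still encrypted and must be dumped from a running process on the device (GDB or Crackulous, as the slide says) before IDA can do anything with it. The bundle name, bundle identifier and load-command layout are constructed test data; the Mach-O magic values and command numbers are the real ones from mach-o/loader.h.

```python
"""Inspect a constructed .ipa: find the Payload/*.app bundle, decode its
Info.plist (binary or XML) and read the FairPlay encryption state of the
main executable from its LC_ENCRYPTION_INFO load command."""
import io
import plistlib
import struct
import zipfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF          # thin, little-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C  # from mach-o/loader.h


def build_macho(cryptid, bits=32):
    """Constructed minimal Mach-O: header + one LC_ENCRYPTION_INFO command.
    Not a runnable binary, just enough structure for the parser below."""
    if bits == 32:
        # cmd, cmdsize, cryptoff, cryptsize, cryptid
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
        # magic, cputype (ARM=12), cpusubtype (ARMv7=9), filetype (MH_EXECUTE=2),
        # ncmds, sizeofcmds, flags
        header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(cmd), 0)
    else:
        # the 64-bit variant carries a trailing pad word
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


def encryption_state(macho):
    """Return cryptid from LC_ENCRYPTION_INFO(_64): 1 = still FairPlay-encrypted,
    0 = decrypted/clear. None if the binary carries no such command."""
    if len(macho) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic, = struct.unpack_from("<I", macho, 0)
    if magic == MH_MAGIC:
        header_len, enc_cmd = 28, LC_ENCRYPTION_INFO
    elif magic == MH_MAGIC_64:
        header_len, enc_cmd = 32, LC_ENCRYPTION_INFO_64
    else:
        # 0xCAFEBABE fat binaries must be split per architecture first
        raise ValueError("not a thin little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", macho, 16)
    off = header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8 or off + cmdsize > header_len + sizeofcmds:
            raise ValueError("malformed load command")
        if cmd == enc_cmd:
            # cryptoff, cryptsize, cryptid follow the 8-byte command header
            _, _, cryptid = struct.unpack_from("<III", macho, off + 8)
            return cryptid
        off += cmdsize
    return None


def build_ipa(cryptid, xml=False):
    """Constructed .ipa: a zip with Payload/Demo.app/{Info.plist,Demo}."""
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleExecutable": "Demo",
            "CFBundleShortVersionString": "1.0"}
    fmt = plistlib.FMT_XML if xml else plistlib.FMT_BINARY
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=fmt))
        z.writestr("Payload/Demo.app/Demo", build_macho(cryptid))
        z.writestr("iTunesMetadata.plist", plistlib.dumps({"itemName": "Demo"}))
    return buf.getvalue()


def inspect_ipa(ipa_bytes):
    """Locate the single .app bundle under Payload/, decode its Info.plist and
    report whether the executable named there is still encrypted."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        apps = {n.split("/")[1] for n in z.namelist()
                if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
        if len(apps) != 1:
            raise ValueError("expected exactly one Payload/*.app bundle")
        app = apps.pop()
        # plistlib.loads autodetects the binary ("bplist00") and XML formats
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        exe = z.read(f"Payload/{app}/{info['CFBundleExecutable']}")
        cryptid = encryption_state(exe)
    return {"bundle": app, "bundle_id": info["CFBundleIdentifier"],
            "executable": info["CFBundleExecutable"],
            "cryptid": cryptid, "encrypted": cryptid == 1}


if __name__ == "__main__":
    for cryptid in (1, 0):
        print(inspect_ipa(build_ipa(cryptid)))
```

On a real .ipa pulled from the iTunes library, `inspect_ipa` reports `encrypted: True` for anything from the App Store; run it again on the binary dumped from the device and the load command should now read cryptid 0, which is the check to make before opening the file in IDA.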
  • 10. iTunes & Backups
    • Every time you connect your device to your computer, a backup is made
    • Contains almost all data
    • By default, not encrypted
    • To mitigate security problems:
  • 11. Previous research
    • In general, out of date
    • Often inaccurate
    • But contains interesting information
    • We will give here only some examples
  • 12. Foundstone (McAfee / Intel)
    http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing-iphone-ipad-apps.pdf
  • 13. Nicolas Seriot
    http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf
  • 14. TippingPoint (now HP)
    http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone-appstore-binaries
  • 15. ARTeam
    http://www.accessroot.com/arteam/site/download.php?view.222
    http://www.accessroot.com/arteam/site/download.php?view.308
  • 16. Pentesting iOS Applications
    • Step 1: Preparing a device
    • Step 2: Preparing a workstation
    • Step 3: Preparing a network
    • Step 4: Pentesting
    • Step 5: Report
  • 17. Step 1: Preparing a device
    • Dedicated iPhone or iPad
    • Jailbreaking
      - Easier if you jailbreak
      - Forbidden by Apple if you are a developer
      - Dangerous: jailbreaking disables most of the security features of iOS
    • Install tools
  • 18. Tools
    • APT 0.7 Strict
    • adv-cmds
    • Darwin CC Tools
    • GNU Debugger
    • inetutils
    • lsof
    • MobileTerminal
    • netcat
    • network-cmds
    • nmap
    • OpenSSH
    • tcpdump
    • top
    • wget
  • 19. iOS Default Passwords
    • By default, there are two users:
      - root
      - mobile
    • Password = alpine (for both)
    • Be sure to change them:
      - passwd
      - passwd mobile
  • 20. Step 2: Workstation
    • Windows: OK
    • Mac OS X (Lion or Snow Leopard): Better
    • Linux, FreeBSD, …: Good luck!
      - Possible, but you will need a Windows system to run some tools (virtual machine…)
  • 21. Some Tools
    • Windows:
      - SecureCRT or PuTTY, WinSCP
      - plist Editor for Windows
    • Mac OS X:
      - ssh, SecureCRT, Cyberduck
      - Xcode
    • Windows / Mac:
      - SQLite Database Browser
      - Apple iPhone Configuration Utility
      - Wireshark
      - Burp, WebScarab …
      - IDA Pro (+ ARM decompiler)
  • 22. Our Tools
    • ADVsock2pipe: remote network captures (Windows)
    • ADVinterceptor 2.0: communications interception; DNS & web servers
    • Available on GitHub under GPLv3: https://github.com/ADVTOOLS
  • 23. Step 3: Network
    (diagram: Wifi, Internet, Firewall, LAN)
  • 24. Step 4: Pentesting
    • Step A: Install app from iTunes
    • Step B: Reconnaissance (passive)
      - B.1: Network capture
      - B.2: Interception
      - B.3: Artifacts
      - B.4: Decrypt + Reverse engineering
    • Step C: Attack (active)
      - C.1: Interception + tampering
  • 25. B.1: Network Capture
    (diagram: tcpdump on the device, netcat over TCP, ADVsock2pipe on Windows, pipe)
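Slide 25 sketches the capture chain: tcpdump on the jailbroken device, its output shipped over a TCP connection with netcat, and ADVsock2pipe on the Windows workstation turning that socket into a pipe for the analysis tool. What travels over that socket is a raw libpcap stream, which is what tcpdump emits when told to write to stdout (the usual device-side invocation is along the lines of `tcpdump -i en0 -s 0 -w - | nc WORKSTATION PORT`, with the interface name and endpoint being assumptions here). The Python below is an added example, not ADVsock2pipe's code: it constructs such a stream with two Ethernet/IPv4/TCP records, then parses it the way the receiving end must, checking the magic and byte order, honouring the link type, and stopping cleanly at a record that was cut off when the connection dropped. Addresses and ports in the sample packets are constructed.

```python
"""Parse a libpcap byte stream of the kind `tcpdump -w -` produces when
relayed over a TCP socket; summarize each Ethernet/IPv4/TCP|UDP record."""
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN with zero MACs and no checksums
    (sample input only; a real capture carries real values)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"                    # type IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, _ipv4(src), _ipv4(dst))
    return eth + ip + tcp


def build_pcap(frames, ts_start=1319760000):
    """Constructed libpcap stream: 24-byte global header, then per-record
    headers (ts_sec, ts_usec, incl_len, orig_len) in little-endian order."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts_start + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def summarize_frame(ts, frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP ports; anything else is labelled."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"ts": ts, "proto": "non-ipv4"}
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = frame[23]                            # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"ts": ts, "proto": "tcp" if proto == 6 else "udp",
                "src": src, "sport": sport, "dst": dst, "dport": dport}
    return {"ts": ts, "proto": f"ip/{proto}", "src": src, "dst": dst}


def parse_pcap_stream(data):
    """Validate the global header, then walk records until the data runs out.
    A record whose payload is shorter than incl_len marks a cut connection and
    ends parsing without raising, so everything before it is still usable."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap stream (pcapng, or noise on the pipe)")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"linktype {linktype}: this example decodes Ethernet only")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                                # partial record: stream was cut
        off += incl_len
        records.append(summarize_frame(ts_sec + ts_usec / 1e6, frame))
    return records


if __name__ == "__main__":
    stream = build_pcap([build_tcp_frame("10.0.0.5", "93.184.216.34", 49152, 443),
                         build_tcp_frame("10.0.0.5", "93.184.216.34", 49153, 80)])
    for rec in parse_pcap_stream(stream):
        print(rec)
```

The same parser run against the bytes arriving on the relay socket tells you immediately whether the device side is actually sending pcap (a wrong magic usually means a shell prompt or an error message went down the pipe instead of tcpdump's output) and, when the Wi-Fi link drops mid-capture, how many complete packets you still have.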
  • 26. B.2: Interception, proxy method
    (diagram: Proxy: Burp Suite Pro, WebScarab, …)
  • 27. B.2: Interception, ADVinterceptor
    (diagram: DNS, HTTP, HTTPS to ADVinterceptor 2: DNS server, web server, …)
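Slide 27 shows ADVinterceptor's approach to interception: instead of configuring a proxy on the device, it acts as the network's DNS server and as the web server the app then talks to, so every hostname the application resolves points back at the interceptor. The Python below is an added example of that DNS step, not ADVinterceptor's own code: it parses a one-question DNS query, answers any IN A query with the interceptor's address, and returns NOTIMP for anything else. The redirect address 192.168.1.10 and the queried name are constructed; for HTTPS the app will still only accept the redirected server once its root certificate has been installed on the device (slide 28), and apps that pin certificates or hard-code IP addresses are not caught this way.

```python
"""Minimal DNS redirector: answer every IN A query with one fixed address."""
import socket
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOTIMP = 4


def _read_name(msg, off):
    """Read an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compressed name not expected in a question")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Constructed client query: header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """Return (txid, name, qtype, qclass, end_offset) for a single-question query."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = _read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return txid, name, qtype, qclass, off + 4


def intercept_response(query, redirect_ip, ttl=60):
    """Answer IN A with redirect_ip (QR, AA, RA set, RD copied from the query);
    anything else gets RCODE NOTIMP so the client does not hang on it."""
    txid, _name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]                      # echoed back verbatim
    rd = (query[2] & 0x01) << 8
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        flags = 0x8000 | rd | RCODE_NOTIMP
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    flags = 0x8000 | 0x0400 | rd | 0x0080          # QR | AA | RD | RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # 0xC00C: compression pointer to the name at offset 12 (the question)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + answer + bytes(int(o) for o in redirect_ip.split("."))


def decode_response(resp):
    """Client-side view: (txid, rcode, first A record address or None)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    off = 12
    for _ in range(qd):
        _, off = _read_name(resp, off)
        off += 4
    ip = None
    if an:
        if resp[off] & 0xC0 != 0xC0:
            raise ValueError("expected a compression pointer in the answer")
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off + 2)
        off += 12
        if rtype == QTYPE_A and rdlen == 4:
            ip = ".".join(str(b) for b in resp[off:off + 4])
    return txid, flags & 0x000F, ip


def serve(bind_ip, redirect_ip, port=53):
    """Bind UDP (port 53 needs root) and redirect every A query; malformed or
    multi-question datagrams are dropped rather than crashing the loop."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(intercept_response(data, redirect_ip), peer)
            except ValueError:
                pass


if __name__ == "__main__":
    serve("0.0.0.0", sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10")
```

Point the test Wi-Fi's DHCP (or the device's manual DNS setting) at the host running this, and every lookup the application makes lands on the interceptor's web server; the NOTIMP branch matters in practice because iOS also asks for AAAA records, and silently dropping those makes some apps wait out a timeout before falling back to the A answer.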
  • 28. Inject SSL Certificates
    • Root certificate from Burp or ADVinterceptor
    • Use Apple iPhone Configuration Utility
  • 29. Demos
    (diagram: device on 3G+Wifi; Internet; 2G/3G; Wifi; SSH client, VNC client and shell (SecureCRT) on Windows 7 on a MacBook)
  • 30. Q&A
  • 31. Thank you
    To contact us:
    annika@advtools.com
    sebastien@advtools.com
    Twitter: @AndrivetSeb, @ADVTOOLS
    www.advtools.com
