Pentesting iOS Apps


I presented these slides in my talks at Codebits VII and Confraria Security&IT


  1. Pentesting iOS Apps
     Herman Duarte <>

  2. About me
     Security Consultant @ INTEGRITY S.A.
     Penetration testing: Web Apps, Mobile Apps, Infrastructure / Wireless
     BSc in Information Systems and Computer Engineering
     OSCP, CISSP Associate, ISO27001LA, CCNA

  3. Roadmap
     Environment setup
     Client component: Static Analysis, Dynamic Analysis
     Network component
     Backend component

  4. Environment Setup

  5. Environment Setup

  6. Environment Setup
     Install OpenSSH
     Change the default password for the users: root, mobile

  7. Environment Setup
     Advanced Packaging Tool: apt-get install, apt-get update, apt-get upgrade, apt-cache search

  8. Environment Setup
     Tools of the trade (just to name a few):
     *nix tools: tcpdump, ps, file, vim, wget, tar, …
     otool, plutil, sqlite3, gdb, installipa, class-dump-z, cycript, ldid, keychain_dumper, dumpdecrypted, …
     iRET, Snoop-It, Introspy, iNalyzer, …

  9. Environment Setup
     Tips and Tricks #1: Use TCP over USB with usbmux
     One such client is libusbmuxd from libimobiledevice, which has a Python-based implementation:
       python -t 22:2222 8080:8080
       ssh root@localhost -p 2222
     It's a more stable connection
     No need to have a Wi-Fi connection at all

  10. Components
      Client, Network, Backend

  11. Client component
      Static analysis
      Runtime/Dynamic analysis

  12. Static Analysis
      Binary protections
      Inspecting the binary
      Local data storage
      Caches

  13. Binary protections
      The bundle of an iOS app is a zip file with the "ipa" extension
      Checks:
      Is the binary compiled with the PIE flag (Position Independent Executable, which enables ASLR)?
      Is the binary compiled with stack smashing protection?
      What about ARC (Automatic Reference Counting)?
      Is the binary encrypted?
      otool can be used to obtain the answers to the above questions.
      iRET is a tool that uses otool and presents the info in a web page.

  14. Binary protections
      Demo Video

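The four checks on the "Binary protections" slide all come down to fields in the Mach-O file that otool prints (otool -hv for the PIE flag, otool -l for LC_ENCRYPTION_INFO, otool -Iv for imported symbols). The following is an added example, not code from the talk or from iRET, that reads those fields directly so the reader can see what each answer is based on. It assumes a single-architecture little-endian 64-bit image (a fat binary must be thinned first, e.g. with lipo); build_sample constructs a minimal, non-executable Mach-O image purely to exercise the checker.

```python
"""Read the Mach-O properties the slide lists straight from the file:
PIE (MH_PIE header flag), encryption state (cryptid in LC_ENCRYPTION_INFO),
and, from the imported symbols, stack-smashing protection and ARC."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_PIE = 0x200000                 # header flag: image may be loaded at a random base
LC_SYMTAB = 0x2
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

# Imported symbols whose presence indicates each protection was compiled in.
STACK_CHK_SYMBOLS = {"___stack_chk_fail", "___stack_chk_guard"}
ARC_SYMBOLS = {"_objc_release", "_objc_retain", "_objc_storeStrong"}


def check_macho(data: bytes) -> dict:
    """Return PIE / encryption / stack-protector / ARC status of one thin image."""
    magic, _cputype, _cpusub, _ftype, ncmds, _cmdsz, flags, _res = \
        struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O; thin fat binaries first")
    result = {"pie": bool(flags & MH_PIE), "encrypted": False,
              "stack_protector": False, "arc": False}
    off = 32                                        # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (, pad in the _64 form)
            cryptid = struct.unpack_from("<I", data, off + 16)[0]
            result["encrypted"] = cryptid != 0      # cryptid 0 = not encrypted
        elif cmd == LC_SYMTAB:
            symoff, nsyms, stroff, _strsize = struct.unpack_from("<IIII", data, off + 8)
            names = set()
            for i in range(nsyms):                  # nlist_64 entries are 16 bytes each
                n_strx = struct.unpack_from("<I", data, symoff + 16 * i)[0]
                end = data.index(b"\0", stroff + n_strx)
                names.add(data[stroff + n_strx:end].decode())
            result["stack_protector"] = bool(names & STACK_CHK_SYMBOLS)
            result["arc"] = bool(names & ARC_SYMBOLS)
        off += cmdsize
    return result


def build_sample(pie: bool, cryptid: int, symbols: list) -> bytes:
    """Constructed minimal Mach-O image (header, LC_SYMTAB, LC_ENCRYPTION_INFO_64,
    symbol and string tables) used only to exercise check_macho; not runnable code."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    nlist, strx = b"", 1
    for s in symbols:
        # n_strx, n_type = N_UNDF | N_EXT (imported symbol), n_sect, n_desc, n_value
        nlist += struct.pack("<IBBHQ", strx, 0x01, 0, 0, 0)
        strx += len(s) + 1
    cmds_size = 24 + 24
    symoff = 32 + cmds_size
    stroff = symoff + len(nlist)
    # cputype CPU_TYPE_ARM64 (0x0100000C), filetype MH_EXECUTE (2), two load commands
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2,
                         cmds_size, MH_PIE if pie else 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, len(symbols), stroff, len(strtab))
    encinfo = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
    return header + symtab + encinfo + nlist + strtab


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for prop, ok in check_macho(f.read()).items():
            print(f"{prop}: {ok}")
```

Run it against an executable pulled from the app bundle; a binary straight from the App Store should report encrypted True, and a release build of your own app should report pie, stack_protector and arc all True. A False in any column is the finding to raise with the developers.
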
  15. Inspecting the binary
      When the binary is encrypted, it is decrypted in memory upon execution.
      How can I do that?
      By using gdb to dump the memory after decryption
      Dumpdecrypted
      Clutch
      (put your decryption tool/script here)

  16. Inspecting the binary
      What can I do after decryption?
      Use class-dump-z to extract the __OBJC segment, which provides information about the internal classes, methods, method arguments and variables used in the app
      Use your favourite disassembler, run strings and have fun :)

  17. Inspecting the binary
      Demo Video

  18. Local Data Storage
      NSUserDefaults
      Plist (xml/binary)
      Core Data Services
      SQLite
      Keychain

  19. NSUserDefaults
      Where? <app dir>/Library/Preferences/
      How? Data is normally stored as a plist file, but it can be stored as a sqlite file as well.

  20. NSUserDefaults
      Demo Video

  21. NSUserDefaults
      Recommendation: Don't use NSUserDefaults to store sensitive data; use the keychain instead.

  22. Core Data Services
      Where? <app dir>/Documents/
      How? Data is currently stored as a sqlite file. Tables are normally prefixed with a "Z": Z_METADATA, Z_PRIMARYKEY, Z_…

  23. Core Data Services
      Demo Video

  24. Core Data Services
      Recommendation: Stop saving sensitive data using the Core Data Services framework; use the keychain instead.

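The NSUserDefaults and Core Data slides name two sandbox locations and one naming convention (plist files under Library/Preferences, a Z-prefixed SQLite store under Documents). The following is an added example, not the talk's own tooling, of the check a tester runs over a copied app sandbox to back the two "use the keychain instead" recommendations: it parses the plist with plistlib, enumerates the Core Data entity tables by their Z prefix, and flags fields whose names suggest credentials. The sensitive-name regex is a heuristic chosen here, and build_sample_app_dir creates a constructed sandbox (including a Z_PRIMARYKEY table laid out like a typical Core Data store) so the example runs offline.

```python
"""Audit the NSUserDefaults plist and Core Data store of an app sandbox for
fields whose names suggest data that belongs in the keychain."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Heuristic: key/column names that usually hold secrets (assumption made here).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|pin|ssn|card", re.I)


def scan_plist(path: str) -> list:
    """Report sensitive-looking top-level keys of an XML or binary plist."""
    with open(path, "rb") as f:
        data = plistlib.load(f)                   # plistlib detects both formats
    return [(os.path.basename(path), key) for key in data if SENSITIVE.search(key)]


def core_data_entities(path: str) -> list:
    """Entity names Core Data records in its Z_PRIMARYKEY bookkeeping table."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT Z_NAME FROM Z_PRIMARYKEY ORDER BY Z_ENT")]
    finally:
        con.close()


def scan_coredata(path: str) -> list:
    """Report sensitive-looking attribute columns of Core Data entity tables.
    Entity tables are named Z<ENTITY>; Z_METADATA / Z_PRIMARYKEY are bookkeeping."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        if not table.startswith("Z") or table.startswith("Z_"):
            continue
        for col in con.execute(f'PRAGMA table_info("{table}")'):
            name = col[1]                         # attribute columns are Z<ATTRIBUTE>
            if name.startswith("Z") and not name.startswith("Z_") and SENSITIVE.search(name[1:]):
                findings.append((os.path.basename(path), f"{table}.{name}"))
    con.close()
    return findings


def audit_app_dir(app_dir: str) -> list:
    """Scan <app dir>/Library/Preferences (NSUserDefaults) and <app dir>/Documents (Core Data)."""
    findings = []
    for sub in (("Library", "Preferences"), ("Documents",)):
        base = os.path.join(app_dir, *sub)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if name.endswith(".plist"):
                findings += scan_plist(path)
            elif name.endswith((".sqlite", ".db")):
                findings += scan_coredata(path)
    return findings


def build_sample_app_dir() -> str:
    """Constructed sandbox: one NSUserDefaults binary plist and one Core Data
    style store with the Z_ bookkeeping tables plus a ZACCOUNT entity table."""
    root = tempfile.mkdtemp(prefix="ios-app-")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2",
                       "auth_token": "tok-1234", "theme": "dark"}, f, fmt=plistlib.FMT_BINARY)
    con = sqlite3.connect(os.path.join(docs, "Model.sqlite"))
    con.executescript("""
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB);
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                               ZEMAIL VARCHAR, ZPASSWORD VARCHAR, ZCARDNUMBER VARCHAR);
        INSERT INTO Z_PRIMARYKEY VALUES (1, 'Account', 0, 1);
        INSERT INTO ZACCOUNT VALUES (1, 1, 1, 'alice@example.com', 'hunter2', '4111111111111111');
    """)
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for finding in audit_app_dir(build_sample_app_dir()):
        print("%-25s %s" % finding)
```

The point of scanning by name rather than by value is that it works before any login has populated the store, so it fits into a static review of a fresh install; anything it flags is then confirmed at runtime with plutil or sqlite3 on the device.
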
  25. Keychain
      Keychain Services provides secure storage of passwords, keys, certificates, notes, etc.
      kSecAttrAccessible constants:
      kSecAttrAccessibleAlways
      kSecAttrAccessibleWhenUnlocked
      kSecAttrAccessibleAfterFirstUnlock
      kSecAttrAccessibleAlwaysThisDeviceOnly
      kSecAttrAccessibleWhenUnlockedThisDeviceOnly
      kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

  26. Caches
      Cached Data:
      Background screenshot
      UIPasteboard
      Keyboard cache

  27. Background screenshot
      What? Every time an app is put in the background a screenshot is taken. This screenshot is used by iOS when the app returns to the foreground.
      Where? <app dir>/Library/Caches/Snapshots/<app id>/Main/

  28. Background screenshot
      Demo Video

  29. Background screenshot
      Recommendation: Replace the screen content with a generic image as soon as the app is about to lose focus.

  30. Dynamic Analysis
      API calls
      Filesystem
      Keychain
      Methods, variables …

  31. API calls
      Data Storage
      Crypto
      Network
      IPC
      XML

  32. Introspy
      Tracer: used to hook and log security-sensitive iOS APIs called by applications running on the device. The calls can also be sent to the Console for real-time analysis.
      Analyzer: a tool to turn a database generated by Introspy into an HTML report.

  33. Introspy
      Demo Video

  34. Filesystem
      While executing, an application interacts with the filesystem, and files are created, deleted, read, moved, etc.
      Introspy, Snoop-It and fileMon are some of the applications that allow file system monitoring in real time.

  35. Keychain
      While executing, an application interacts with the keychain, and items are created, deleted, read, updated, etc.
      Introspy and Snoop-It are some of the applications that allow keychain monitoring in real time.

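The Introspy slide describes a two-stage workflow: a tracer logs hooked API calls into a database, and an analyzer turns that database into a report. The following is an added example, written here and not part of Introspy or of the talk, of the analyzer side: three rules run over a trace of data-storage, keychain and network calls (the API categories from the "API calls" slide), including a check that keychain items are not stored with the kSecAttrAccessibleAlways variants from the Keychain slide. The traced_calls table layout (class, method, JSON-encoded arguments) is an assumption made for this example and is not Introspy's own schema; build_sample_trace constructs an in-memory trace so the code runs offline.

```python
"""Rule-based analyzer over a constructed trace of hooked iOS API calls,
in the spirit of Introspy's Analyzer; schema is an assumption of this example."""
import html
import json
import re
import sqlite3

# Heuristic for NSUserDefaults keys that should have gone to the keychain.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|pin|session", re.I)
# Items readable whenever the device is powered on, even while it is locked.
WEAK_ACCESSIBILITY = {"kSecAttrAccessibleAlways", "kSecAttrAccessibleAlwaysThisDeviceOnly"}


def rule_defaults(cls, method, args):
    """Sensitive-looking key written to NSUserDefaults (plist on disk)."""
    if cls == "NSUserDefaults" and method.startswith("setObject:forKey:") \
            and SENSITIVE_KEY.search(args.get("key", "")):
        return "sensitive-in-defaults", f"key {args['key']!r} written to NSUserDefaults; use the keychain"
    return None


def rule_keychain(cls, method, args):
    """Keychain item added/updated with the weakest accessibility class."""
    if cls == "Keychain" and method in ("SecItemAdd", "SecItemUpdate") \
            and args.get("kSecAttrAccessible") in WEAK_ACCESSIBILITY:
        return "keychain-always", f"{method} with {args['kSecAttrAccessible']}; prefer WhenUnlocked/AfterFirstUnlock"
    return None


def rule_cleartext(cls, method, args):
    """Network request issued without SSL."""
    if cls in ("NSURLConnection", "NSURLSession") and args.get("url", "").startswith("http://"):
        return "cleartext-http", f"request to {args['url']} without SSL"
    return None


RULES = (rule_defaults, rule_keychain, rule_cleartext)


def analyze(con: sqlite3.Connection) -> list:
    """Run every rule over every traced call; findings come back in call order."""
    findings = []
    for call_id, cls, method, args_json in con.execute(
            "SELECT id, class, method, args FROM traced_calls ORDER BY id"):
        args = json.loads(args_json)
        for rule in RULES:
            hit = rule(cls, method, args)
            if hit:
                findings.append({"id": call_id, "rule": hit[0],
                                 "call": f"{cls} {method}", "detail": hit[1]})
    return findings


def to_html(findings: list) -> str:
    """Minimal HTML table, the output form Introspy's Analyzer produces."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(f[k]))}</td>" for k in ("id", "rule", "call", "detail")) + "</tr>"
        for f in findings)
    return f"<table><tr><th>#</th><th>Rule</th><th>Call</th><th>Detail</th></tr>{rows}</table>"


def build_sample_trace() -> sqlite3.Connection:
    """Constructed in-memory trace: six calls, three of which should be flagged."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE traced_calls (id INTEGER PRIMARY KEY, class TEXT, method TEXT, args TEXT)")
    calls = [
        ("NSUserDefaults", "setObject:forKey:", {"key": "theme", "value": "dark"}),
        ("NSUserDefaults", "setObject:forKey:", {"key": "session_token", "value": "tok-1234"}),
        ("Keychain", "SecItemAdd", {"kSecAttrAccount": "alice",
                                    "kSecAttrAccessible": "kSecAttrAccessibleAlways"}),
        ("Keychain", "SecItemAdd", {"kSecAttrAccount": "bob",
                                    "kSecAttrAccessible": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly"}),
        ("NSURLConnection", "sendSynchronousRequest:", {"url": "http://api.example.test/login"}),
        ("NSURLSession", "dataTaskWithURL:", {"url": "https://api.example.test/login"}),
    ]
    con.executemany("INSERT INTO traced_calls (class, method, args) VALUES (?, ?, ?)",
                    [(c, m, json.dumps(a)) for c, m, a in calls])
    return con


if __name__ == "__main__":
    print(to_html(analyze(build_sample_trace())))
```

Each rule is a small function over (class, method, args), so adding the crypto, IPC and XML categories from the "API calls" slide means adding one function per check rather than touching the loop. Real tracer output is noisier than the sample; the id column keeps a finding tied to the exact call so it can be cross-checked against the Console log.
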
  36. Methods, variables …
      Using Cycript one can interact with the Objective-C runtime environment and call methods, change method implementations, change variable values, etc.
      Snoop-It implements part of Cycript's functionality, and it's simpler to use.

  37. Snoop-It
      Demo Video

  38. Network
      There are 2 types of apps, from the network perspective:
      Those that respect the HTTP proxy configuration for network interactions. Tools: a proxy like Burp Suite or ZAP.
      And those that don't! Tools: a proxy like Mallory.

  39. Proxy

  40. MiTM
      Client, Network, Backend

  41. Proxy
      Tips and Tricks #2: Instead of exposing your proxy on the network, use SSH remote port forwarding:
        ssh root@localhost -p 2222 -R 8080:localhost:8080
      Configure the HTTP proxy to point to localhost:8080

  42. Proxy (Remote Port Fwd)

  43. Network
      What to look for:
      Does the app use SSL?
      Does the app accept any certificate? Remove any root CA installed on the phone.
      What about certificate pinning? Install the Burp root CA before testing.

  44. SSL
      Demo Video

  45. What if the app uses Pinning?

  46. Pinning
      If an application uses pinning, what can you do?
      You can use a tool that patches low-level SSL functions to bypass any certificate validation based on iOS APIs.

  47. Pinning
      Demo Video

  48. Backend
      Infrastructure and web app backend tests apply to this component:
      Data validation flaws
      Business logic flaws
      Authentication flaws
      Authorisation flaws
      …

  49. Thank You!
      Q&A
      @hdontwit