iOS app security

Published at Cocoaheads Taipei, 2013.10 (slide deck)

  1. iOS app security: analyze and defend. Hokila, Cocoaheads Taipei 2013.10
  2. Where this talk came from: Android Taipei (August 2013), "Android Apps Security" by Taien Wang; Ruby Tuesday (2013.9.10), "Stop stealing the coins in my app: server-side IAP handling and verification" by Kevin Wang
  3. So today I am here to pay tribute (pronounced: slap some faces) ( ˘•ω•˘ )
  4-6. Not covered today: how to crack 神魔之塔 / 百萬亞瑟王 / 全民打棒球, or how to use Splashtop / KKBOX / WhosCall for free
  7. Covered today: iOS app native leaks; network monitoring; IAP cracking; analysis tools; encode/decode; good habits
  8. There is no way to finish all of this; I guess it is about an hour's worth.
  9. Luckily part of it was covered before: Cocoaheads Taipei 2012.12, "In App Purchase 攻防戰" (In-App Purchase offense and defense), youtu.be/g2tWRPdweeY
  10. Outline. 1. Fundamentals: iOS app data layout; API analysis. 2. Beyond beginner: watching several views at once; common vulnerabilities and how to defend. 3. Killer moves (script-kiddie favourites): IAP Free / LocalAppStore; iGameGuardian / 八門神器; Flex
  11. OWASP Mobile Top 10 Risks (2013-M1): M1 Insecure Data Storage; M2 Weak Server Side Controls; M3 Insufficient Transport Layer Protection; M4 Client Side Injection; M5 Poor Authorization and Authentication; M6 Improper Session Handling; M7 Security Decisions Via Untrusted Inputs; M8 Side Channel Data Leakage; M9 Broken Cryptography; M10 Sensitive Information Disclosure
  12. The app sandbox:
     the app bundle itself
     Documents: app/user data, backed up to iCloud automatically
     tmp: temporary files (NSTemporaryDirectory); the system may purge them while the app is not running
     Library/Application Support: a good place for configuration and templates
     Library/Caches: data that can be downloaded again or regenerated
     Library/Cookies: cookie store for the sandboxed webView
     Library/Preferences: NSUserDefaults
     Ref: File System Programming Guide
  13-14. info.plist
  15. Console log: iPhone Configuration Utility; iTool (2012)
  16. DEMO
  17. What you will see there: logs the app did not strip out; logs from the frameworks it bundles; system notifications; memory warnings
  18-19. User Defaults: secure?
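The practical answer to "secure?" is to pull the app's Library/Preferences/<bundle id>.plist (from an iTunes backup or a jailbroken device) and read it. The following audit script is an added example, not code from the talk: it parses a defaults file with the standard library and flags keys that look like credentials or purchase/economy state. The sample plist and the key-name patterns are constructed for the example.

```python
import plistlib
import re

# Constructed key-name patterns.  The first group should never be in NSUserDefaults
# in the clear; the second is what a cheater searches for first.
SENSITIVE_KEY = re.compile(r"pass|pwd|token|secret|session|auth", re.I)
ECONOMY_KEY = re.compile(r"coin|money|gold|gem|premium|purchas|unlock|vip", re.I)


def walk(node, path=""):
    """Yield (dotted path, leaf value) for every leaf of a nested plist object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_user_defaults(plist_bytes: bytes) -> list:
    """Parse a Library/Preferences/<bundle id>.plist (XML or binary) and list the
    values an attacker holding the file can read or edit directly."""
    findings = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(leaf):
            issue = "credential in the clear; belongs in the keychain"
        elif ECONOMY_KEY.search(leaf):
            issue = "purchase/economy state editable with any plist editor; the server must own it"
        else:
            continue
        findings.append({"key": path, "value": value, "issue": issue})
    return findings


# Constructed sample of what a careless game's defaults file looks like.
SAMPLE_PLIST = plistlib.dumps(
    {
        "lastScreen": "shop",
        "soundOn": True,
        "coins": 2000,
        "hasPremium": False,
        "account": {"userID": "u-1234", "authToken": "eyJhbGciOi..."},
    },
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for finding in audit_user_defaults(SAMPLE_PLIST):
        print(f"{finding['key']}: {finding['value']!r}  <- {finding['issue']}")
```

Everything the script prints is readable and writable by whoever has the file; that is the whole point of the slide. Nothing in NSUserDefaults is protected beyond the file permissions of the sandbox, which a backup or a jailbreak bypasses.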
  20. Keychain: lives at /var/Keychains/keychain-2.db. Apple says the keychain is "a secure place to store keys and passwords". Dumping the keychain database requires a jailbreak; what a dump recovers depends on each item's accessibility class (kSecAttrAccessible*), so "secure" is conditional on choosing that class well.
  21. API: Charles / Ministry of Culture (文化部) open data / iCulture. DEMO
  22. Proxy and capture tools: 1. Charles (Mac, Windows), paid; 2. ZAP (Mac, Windows), free; 3. Fiddler (Windows), free; 4. Wireshark (Mac, Windows), free
  23. At minimum, watch all of these at the same time: device screen; console log; plist and db files; API request/response
  24. Some findings: how other apps verify that data is correct; some games let you pick one card out of several, but the result was already decided the moment you entered the draw screen; some apps keep their db on Google Docs or Dropbox (quite a few of them); and the one I never expected... (cannot be written down here)
  25. class-dump-z: dumps class information from an iOS app; lets you guess what each class is for; https://code.google.com/p/networkpx/
  26. DEMO
  27-30. Cracking tools:
     IAP Free / LocalAppStore: trick the app into believing a purchase succeeded
     iGameGuardian / 八門神器: search memory for a value and overwrite it
     Flex: pin a function's return value, e.g. make -(BOOL)isTransactionSuccess always return YES
     For the developer this means that inside the app there is...
  31. ...a traitor.
  32. Even the most secure OS runs insecure apps. Aaaargh, what to do? Do not trust server/model data too much. Check in from time to time: excuse me, are you the traitor? If so, kill it. King of design patterns: MVC; the model and the view do not have to hold the same thing. Use encryption, not hashing; if you do hash, remember to salt. Taken together, this is...
  33. ...a plan within a plan within a plan.
  34. A very basic API:
     GET http://xxx.yyy/getUserData.php
     parameters: (string)userID
     response: (string)name, (array)xxlist of { (string)itemname, (int)quantity, (string)status }
  35-36. First revision (slide title 公子獻頭, "the young master offers up his head": the attacker still gets everything):
     POST http://xxx.yyy/getUserData.php
     public parameters: (string)token, (string)call_file_name
     parameters: (string)userID
     response: (string)name, (array)xxlist of { (string)itemname, (int)quantity, (string)status }, (int)status
  37. Let the opponent see your next two moves, then ambush them on the third:
     SSL POST http://xxx.yyy/public
     parameters: (string)token, (string)call_file_name, (string)userID
     struct object: (string)itemname, (int)quantity, (int)status
     response: (string)name, (array)xxlist of { (string)itemname, (int)quantity, (int)status }, (object)item, base64 encoded
  38. In-App Purchase Programming Guide: base64 (the guide's receipt data is base64-encoded too)
  39-40. What else can we change?
     SSL POST http://xxx.yyy/public
     parameters: (string)token, (string)call_file_name, (string)userID
     response: (string)name, (array)xxlist, (object)item
     and the request headers: Accept = "*/*"; Accept-Language = zh-TW; Connection = close; User-Agent = "Something special~~";
  41. Making sure the data is right: a single public entry point; access token; SSL; status codes; an object, not a plain dictionary; and...?
  42-43. King of design patterns: MVC. Model (memory: NSString / NSNumber, fed from the API, plist and db) and View (UILabel). The view shows Money 2000; the model holds encrypt(2000) = 08f90c1a417155361a5c4b8d297e0d78 rather than the plain 2000, because the model value is what needs protection!!
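The reason the model and the view should differ is the memory editor on slides 27-30: iGameGuardian searches process memory for the bytes of 2000 and overwrites them. The following is an added example (not the talk's code, and written in Python rather than Objective-C so it runs anywhere) of a model value that is XORed with a per-instance random key and covered by an HMAC, next to a simulated memory search over two constructed memory snapshots. The XOR-plus-HMAC scheme and the snapshot layouts are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct


class ProtectedInt:
    """Integer Model value that never sits in memory as its plain little-endian bytes.
    The value is XORed with a per-instance random key and covered by an HMAC, so a
    memory-search tool cannot find "2000" by value, and a write to the stored bytes
    is caught on the next read."""

    def __init__(self, value: int):
        self._key = os.urandom(8)        # fresh for every instance and every launch
        self._mac_key = os.urandom(32)
        self.set(value)

    def set(self, value: int) -> None:
        plain = struct.pack("<q", value)
        self._blob = bytes(p ^ k for p, k in zip(plain, self._key))
        self._tag = hmac.new(self._mac_key, self._blob, hashlib.sha256).digest()

    def get(self) -> int:
        expected = hmac.new(self._mac_key, self._blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._tag):
            raise ValueError("model value was modified behind the accessor's back")
        plain = bytes(b ^ k for b, k in zip(self._blob, self._key))
        return struct.unpack("<q", plain)[0]


def memory_search(snapshot: bytes, value: int) -> list:
    """What a memory editor does: return every offset in the snapshot that holds
    the value as a 32-bit little-endian integer."""
    needle = struct.pack("<i", value)
    hits, start = [], 0
    while (index := snapshot.find(needle, start)) != -1:
        hits.append(index)
        start = index + 1
    return hits


def naive_layout(money: int) -> bytes:
    """Constructed snapshot of a plain Model: two unrelated int32 fields, the money
    as a plain int32, then padding."""
    return struct.pack("<iii", 7, 42, money) + bytes(16)


def protected_layout(value: ProtectedInt) -> bytes:
    """Constructed snapshot of the same object with the money kept as the XORed blob."""
    return struct.pack("<ii", 7, 42) + value._blob + bytes(16)


def demo(money: int = 2000) -> dict:
    """Search both layouts for the money value, then simulate the cheater's write."""
    protected = ProtectedInt(money)
    result = {
        "naive_hits": memory_search(naive_layout(money), money),
        "protected_hits": memory_search(protected_layout(protected), money),
        "reads_back": protected.get(),
    }
    # Overwrite one stored byte, as a memory editor would once it found the address.
    protected._blob = bytes([protected._blob[0] ^ 0xFF]) + protected._blob[1:]
    try:
        protected.get()
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

This raises the bar against value search and blind writes only. Flex does not touch the bytes; it hooks the accessor, so get() itself returns whatever the attacker pins, which is why the server-side double check further down is the real defense and this is the in-app part of the plan.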
  44-45. double_check:
     http://xxx.yyy/buy
     parameters: (string)user, (string)itemID
     response: (string)status, (string)itemID, (int)quantity, (int)leftmoney
     http://xxx.yyy/double_check
     parameters: (string)user
     response: (string)status (OK / Reject), (string)itemID
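Slides 34-41 and 44-45 describe the server side as a checklist (token, call_file_name, SSL, status codes, a double_check call) without showing the logic. The following is an added example, not the talk's PHP: a minimal in-memory server for buy and double_check in which every request field is covered by an HMAC over a per-session key, each signature is accepted once, and the ledger on the server is the only trusted Model. The session-key derivation, the status codes, the replay window and the constructed accounts and prices are assumptions for the example; a real service would keep the ledger and the seen-signature set in a database.

```python
import hashlib
import hmac
import json

# Constructed server-side state.  LEDGER is the only Model the server trusts.
SERVER_SECRET = b"server-only-secret-never-shipped-in-the-app"
SESSIONS = {"tok-alice": "alice"}                 # access token -> userID, issued at login
LEDGER = {"alice": {"money": 2000, "items": {}}}
PRICES = {"sword": 500, "shield": 800}
SEEN_SIGNATURES = set()                           # one request, one acceptance
STATUS = {"OK": 0, "BAD_TOKEN": 1, "BAD_SIGNATURE": 2, "REPLAY": 3, "STALE": 4, "NO_MONEY": 5, "UNKNOWN_ITEM": 6}


def session_key(token: str) -> bytes:
    """Per-session signing key; assumed to be handed to the client at login."""
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).digest()


def sign(fields: dict, key: bytes) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_request(token: str, call_file_name: str, params: dict, now: float) -> dict:
    """Client side: token, endpoint name, timestamp and every parameter are signed."""
    req = {"token": token, "call_file_name": call_file_name, "ts": int(now), **params}
    req["sig"] = sign(req, session_key(token))
    return req


def check_request(req: dict, call_file_name: str, now: float, window: int = 60):
    """Server side: returns (userID, status).  Identify the session, verify the
    signature, and only then trust any other field."""
    user = SESSIONS.get(req.get("token", ""))
    if user is None:
        return None, STATUS["BAD_TOKEN"]
    unsigned = {k: v for k, v in req.items() if k != "sig"}
    sig = req.get("sig", "")
    if not hmac.compare_digest(sign(unsigned, session_key(req["token"])), sig):
        return None, STATUS["BAD_SIGNATURE"]
    if sig in SEEN_SIGNATURES:
        return None, STATUS["REPLAY"]
    if req.get("call_file_name") != call_file_name or abs(now - req.get("ts", 0)) > window:
        return None, STATUS["STALE"]
    SEEN_SIGNATURES.add(sig)
    return user, STATUS["OK"]


def handle_buy(req: dict, now: float) -> dict:
    user, status = check_request(req, "buy", now)
    if status != STATUS["OK"]:
        return {"status": status}
    item, account = req.get("itemID"), LEDGER[user]
    if item not in PRICES:
        return {"status": STATUS["UNKNOWN_ITEM"]}
    if account["money"] < PRICES[item]:
        return {"status": STATUS["NO_MONEY"], "leftmoney": account["money"]}
    account["money"] -= PRICES[item]
    account["items"][item] = account["items"].get(item, 0) + 1
    return {"status": STATUS["OK"], "itemID": item, "quantity": account["items"][item], "leftmoney": account["money"]}


def handle_double_check(req: dict, now: float) -> dict:
    """The client re-asks whether it really owns what its local Model claims; a
    Flex-forced YES inside the app is contradicted by the ledger."""
    user, status = check_request(req, "double_check", now)
    if status != STATUS["OK"]:
        return {"status": status}
    owned = LEDGER[user]["items"].get(req.get("itemID"), 0)
    return {"status": "OK" if owned >= req.get("quantity", 1) else "Reject", "itemID": req.get("itemID")}


def run_scenario() -> dict:
    """Constructed walk-through: honest buy, proxy-edited request, replay, and a
    double_check for an item the client only believes it bought."""
    LEDGER["alice"] = {"money": 2000, "items": {}}
    SEEN_SIGNATURES.clear()
    t0 = 1_700_000_000.0
    honest = build_request("tok-alice", "buy", {"itemID": "sword"}, t0)
    edited = dict(honest, itemID="shield")        # changed in Charles after signing

    def check(item):
        return handle_double_check(build_request("tok-alice", "double_check", {"itemID": item, "quantity": 1}, t0), t0)

    return {
        "buy": handle_buy(honest, t0),
        "edited": handle_buy(edited, t0),
        "replay": handle_buy(honest, t0 + 10),
        "check_sword": check("sword"),
        "check_shield": check("shield"),
    }


if __name__ == "__main__":
    for name, response in run_scenario().items():
        print(name, response)
```

SSL on the slides and the signature here protect against different people: TLS stops a third party on the network, but the app's owner can install the Charles CA on the device and edit every request in the clear, so only a check the server performs on signed fields stops the owner. The double_check endpoint is what turns a hooked -(BOOL)isTransactionSuccess into a visible mismatch rather than a free item.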
  46-49. Use encryption, not hashing:
     sha1, md5, base64: would you dare rely on these? Base64 is an encoding, not protection, and experiment shows a trained QA can reverse the md5 of 1 to 100 by eye.
     A hash needs a salt at the very least: md5($salt.$pass.$username), sha1($salt.$pass), md5($salt.md5($pass)), sha1($salt.$username.$pass.$salt), md5($salt.md5($pass).$salt), sha1($salt.md5($pass))
     Encryption: DES, born 1977, broken 1999. AES-128 / AES-256 are today's choice: passwd = AESEncrypt("string", "key")
     Caveat: encryption is for data the app has to read back (the model values above). For stored passwords a salted slow hash (PBKDF2, bcrypt, scrypt) beats reversible encryption, because a leaked AES key gives back every password at once, and the key has to live somewhere the app can reach.
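The "reverse the md5 of 1 to 100 by eye" remark is literally a lookup table, and a salt stored beside the hash only forces the table to be rebuilt per salt, which costs nothing for a fast hash. The following added example (not the talk's code; Python standard library only, so the AES half of the slide is not shown) builds that table, recovers a salted md5 just as easily, and then shows the salted slow hash that actually makes the 100-candidate search expensive. The storage format pbkdf2$iterations$salt$hash and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# The "trained QA" table: md5 of every number from 1 to 100, computed once.
MD5_TABLE = {md5_hex(str(n)): str(n) for n in range(1, 101)}


def crack_unsalted(digest: str) -> Optional[str]:
    """Reverse an unsalted md5 by table lookup: what a proxy user does to a 'hashed'
    quantity, PIN or small counter."""
    return MD5_TABLE.get(digest)


def crack_salted_md5(digest: str, salt: str) -> Optional[str]:
    """A salt stored next to the hash defeats the precomputed table but not a fast
    re-run of it: 100 md5 calls per salt cost nothing."""
    for n in range(1, 101):
        if md5_hex(salt + str(n)) == digest:
            return str(n)
    return None


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted *and* slow: PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as
    'pbkdf2$iterations$salt_hex$hash_hex' so verification can recompute it."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)


if __name__ == "__main__":
    print(crack_unsalted(md5_hex("42")))                    # table hit
    print(crack_salted_md5(md5_hex("s3cr3t42"), "s3cr3t"))  # still recovered
    stored = hash_password("42")
    print(stored, verify_password("42", stored), verify_password("43", stored))
```

The iteration count is the knob: PBKDF2 still falls to the same 100-candidate search, but each guess now costs as much as the legitimate login, which is the best a hash can offer against a small input space. For small numeric values such as coin counts, no hash helps; those belong in the server ledger, not in a field the client can read.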
  50-51. So...: public data does not need encryption, but private data always does. Check whether the user is cheating, but do not poll the data too often. Anything that needs the server can always be gated there (music playback, remote control). If you find a hole in someone else's app, report it to the developer. Think of it as a service, not an app; that mindset turns up far more vulnerabilities.
  52-54. One more thing: video on niconico / YouTube, available today
  55-56. Thanks & bye~~ Hokila: mail hokila.jan@splashtop.com, blog josihokila.blogspot.com, FB fb.me/hokilaj
