iOS app security
Cocoaheads Taipei 2013.10

iOS app security Presentation Transcript

  • iOS app security: analyze and defense. Hokila, Cocoaheads Taipei 2013.10
  • Origin: Android Taipei (2013 August), "Android Apps Security" by Taien Wang; Ruby Tuesday (2013.9.10), "別再偷我App裡的金幣: Server端IAP的處理與驗證" (Stop stealing the coins in my app: server-side IAP handling and verification) by Kevin Wang
  • So today I am here to pay tribute (ruby reading ㄉㄚˇ ㄌㄧㄢˇ, i.e. 打臉, "call them out") ( ˘•ω•˘ )
  • Not going to cover these: how to crack 神魔之塔 / 百萬亞瑟王 / 全民打棒球; how to use Splashtop / KKBOX / WhosCall for free
  • Will cover these: iOS app native leaks; network monitoring; IAP cracking; analysis tools; encode/decode; good habits
  • Definitely can't cover everything; I guess it will take about an hour
  • Luckily I covered this before: 2012.12 Cocoaheads Taipei, "In App Purchase 攻防戰" (In-App Purchase attack and defense), youtu.be/g2tWRPdweeY
  • 1. Basics: iOS app data structure; API analysis. 2. Beyond beginner: watch several views at the same time; common vulnerabilities and defenses. 3. Killer moves (favourites of script kiddies): IAP Free / LocalAppStore; iGameGuardian / 八門神器; Flex
  • OWASP Mobile Top 10 Risks (2013): M1. Insecure Data Storage; M2. Weak Server Side Controls; M3. Insufficient Transport Layer Protection; M4. Client Side Injection; M5. Poor Authorization and Authentication; M6. Improper Session Handling; M7. Security Decisions Via Untrusted Inputs; M8. Side Channel Data Leakage; M9. Broken Cryptography; M10. Sensitive Information Disclosure
  • App sandbox layout: the app itself; app/user data, automatically backed up by iCloud; temporary files, cleaned when the app restarts (NSTemporaryDirectory); Library/Application Support, a good place for configuration/templates; Caches, for data that can be downloaded again or regenerated; Cookies, the cookie store for the sandboxed webView; Preferences (NSUserDefaults). Ref: File System Programming Guide
  • info.plist
  • Console log: iPhone Configuration Utility, iTool (2012)
  • DEMO
  • What you'll see: logs the app forgot to strip, logs from frameworks the app bundles, system notifications, memory warnings
  • User Defaults, secure?
  • Keychain is located at /var/Keychains/keychain-2.db. Apple says "keychain is a secure place to store keys and passwords". Dumping the keychain database (jailbreak necessary)
  • API: Charles / 文化部 open data / iCulture DEMO
  • 1. Charles (Mac, Windows) paid; 2. ZAP (Mac, Windows) free; 3. Fiddler (Windows) free; 4. Wireshark (Mac, Windows) free
  • Watch at least these at the same time: device screen; console log; plist, db; API request/response
  • Some findings: how other apps verify data correctness; some games let you pick one of several cards, but the result is already decided when you enter the draw screen; some apps actually keep their db on Google Docs and Dropbox (and not just a few); and the one I never expected...... (can't write it here)
  • class-dump-z: dumping class info from an iOS app; guess what each class is for. https://code.google.com/p/networkpx/
  • DEMO
  • Cracking tools: IAP Free / LocalAppStore, which trick the app into believing a purchase succeeded; iGameGuardian / 八門神器, which search memory for a value's location and modify it; Flex, which pins a function's return value, e.g. -(BOOL)isTransactionSucess always returns YES. For the developer, this means that inside the app.....
  • there is a traitor
  • Even the most secure OS has insecure apps. Aaaah, what to do? Don't trust the server's/model's data too much. Check in at the right moments: "excuse me, are you the traitor? If so, kill him". King of design patterns: MVC; the model and the view can hold different representations. Use encryption, not hashing; if you do hash, remember to add salt. Taken together, this is....
  • a plan within a plan within a plan within a plan
  • This is a very basic API: GET http://xxx.yyy/getUserData.php; parameters: (string)userID; response: (string)name, (array)xxlist, (string)itemname, (int)quantity, (string)status
  • 公子獻頭 (serving your head on a plate): POST http://xxx.yyy/getUserData.php; public parameters: (string)token, (string)call_file_name, (string)userID; response: (string)name, (array)xxlist, (string)itemname, (int)quantity, (string)status, (int)status
  • Let the other side know your next two moves, and ambush them on the third: SSL POST http://xxx.yyy/; public parameters: (string)token, (string)call_file_name, (string)userID; struct object: (string)itemname, (int)quantity, (int)status; response: (string)name, (array)xxlist, (string)itemname, (int)quantity, (int)status, (object)item, base64 encoded
  • In-App Purchase Programming Guide: base64
  • What else can be changed? SSL POST http://xxx.yyy/; public parameters: (string)token, (string)call_file_name, (string)userID; response: (string)name, (array)xxlist, (object)item; request headers: Accept = "*/*"; Accept-Language = zh-TW; Connection = close; User-Agent = "Something special~~";
  • Making sure the data is correct: public entry; access token; SSL; status code; object, not a clear dictionary; and...?
  • King of design patterns: MVC. Model (memory, plist, db: NSString, NSNumber) / View (UILabel) / API. encrypt(): the model holds 08f90c1a417155361a5c4b8d297e0d78 while the view shows "Money 2000"; a plain 2000 sitting in the model needs protection!!
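An added illustration of the slide's point, not code from the talk: a bytearray stands in for app memory, a plain model whose balance a value search finds and patches sits beside a model that masks and tags the value so the search misses and tampering is caught. The masking key, the HMAC key and the 4-byte/8-byte layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Assumed: an integrity key generated at launch and held only in the process (constructed here).
MAC_KEY = secrets.token_bytes(16)

def scan_for_value(mem, value):
    # What a memory editor does: list offsets where the plain little-endian int is found.
    needle = struct.pack("<i", value)
    return [i for i in range(len(mem) - len(needle) + 1) if mem[i:i + len(needle)] == needle]

def patch_at(mem, offset, value):
    # Overwrite four bytes in place, as a memory editor would after a successful search.
    mem[offset:offset + 4] = struct.pack("<i", value)

class PlainModel:
    """Model as on the slide: the NSNumber-style value sits in memory as-is."""
    def __init__(self, money):
        self.mem = bytearray(struct.pack("<i", money))
    def money(self):
        return struct.unpack("<i", bytes(self.mem))[0]

class ProtectedModel:
    """Model keeps money masked with a per-instance random key plus an HMAC tag."""
    def __init__(self, money):
        self.key = secrets.token_bytes(4)
        self.mem = bytearray(12)  # 4 masked bytes + 8 tag bytes
        self.set_money(money)
    def _tag(self, masked):
        return hmac.new(MAC_KEY, masked, hashlib.sha256).digest()[:8]
    def set_money(self, money):
        masked = bytes(a ^ b for a, b in zip(struct.pack("<i", money), self.key))
        self.mem[:] = masked + self._tag(masked)
    def verify(self):
        # The "are you the traitor?" check: does the stored value still carry a valid tag?
        masked, tag = bytes(self.mem[:4]), bytes(self.mem[4:])
        return hmac.compare_digest(self._tag(masked), tag)
    def money(self):
        # The view reads through here, so the UILabel still shows 2000.
        if not self.verify():
            raise ValueError("model tampered")
        masked = bytes(self.mem[:4])
        return struct.unpack("<i", bytes(a ^ b for a, b in zip(masked, self.key)))[0]
```

This defeats value search and in-place edits only; a hook that pins the getter's return value, as the Flex slide describes, has to be caught by the server-side checks instead.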
  • double_check: http://xxx.yyy/buy; parameters: (string)user, (string)itemID; response: (string)status, (string)itemID, (int)quantity, (int)leftmoney. http://xxx.yyy/double_check; parameters: -; response: (string)user, (string)status (OK / Reject), (string)itemID
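A server-side sketch of the hardened getUserData API and the buy / double_check flow from the slides above, added here as an example and not the talk's code: token, call_file_name, status code and the base64-encoded object are handled as the slides list them. The user table, price list, server secret, HMAC token format and the exact double_check parameters are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data standing in for the server's user table and price list.
USERS = {"u123": {"name": "Hokila", "money": 2000, "items": {}}}
PRICES = {"gem": 500}
SECRET = b"constructed-server-only-secret"  # assumed: never shipped inside the app

def issue_token(user_id):
    # Access token bound to one userID, so a client cannot ask for another user's data.
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()

def _token_ok(params):
    return hmac.compare_digest(params.get("token", ""), issue_token(params.get("userID", "")))

def get_user_data(params):
    # POST getUserData.php: public entry, token, call_file_name, status code, base64 object.
    if params.get("call_file_name") != "getUserData.php" or not _token_ok(params):
        return {"status": 403, "item": None}
    u = USERS[params["userID"]]
    obj = {"name": u["name"],
           "xxlist": [{"itemname": k, "quantity": v, "status": 0} for k, v in u["items"].items()]}
    return {"status": 200, "item": base64.b64encode(json.dumps(obj).encode()).decode()}

def decode_item(resp):
    # Client-side counterpart: unwrap the base64 object (the "object, not clear dictionary" step).
    return json.loads(base64.b64decode(resp["item"]))

def buy(params):
    # /buy: price and leftmoney are decided here; nothing the client says about money is trusted.
    if not _token_ok(params):
        return {"status": "Reject"}
    u, item = USERS[params["userID"]], params.get("itemID")
    cost = PRICES.get(item)
    if cost is None or u["money"] < cost:
        return {"status": "Reject", "itemID": item, "quantity": 0, "leftmoney": u["money"]}
    u["money"] -= cost
    u["items"][item] = u["items"].get(item, 0) + 1
    return {"status": "OK", "itemID": item, "quantity": u["items"][item], "leftmoney": u["money"]}

def double_check(params, client_state):
    # /double_check: the app reports what its model believes; a memory-edited balance is rejected.
    if not _token_ok(params):
        return {"user": params.get("userID"), "status": "Reject", "itemID": params.get("itemID")}
    u = USERS[params["userID"]]
    consistent = client_state.get("money") == u["money"] and client_state.get("items") == u["items"]
    return {"user": params["userID"], "status": "OK" if consistent else "Reject",
            "itemID": params.get("itemID")}
```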
  • Use encryption, not hashing. sha1, md5, base64: would you dare use these? Experiments show that a trained QA can reverse the md5 hashes of 1~100 by eye.
  • If you hash, at least add salt: md5($salt.$pass.$username); sha1($salt.$pass); md5($salt.md5($pass)); sha1($salt.$username.$pass.$salt); md5($salt.md5($pass).$salt); sha1($salt.md5($pass))
  • Encryption: DES, born 1977, broken 1999; AES-128 / AES-256, the hottest today: passwd = AESEncrypt("string", "key")
  • So....: public data need not be encrypted, but private data must be; check whether the user is cheating, but don't check the data too frequently; a service that needs the server can always be blocked (music playback, remote control); if you find a vulnerability in someone else's app, remember to report it to the developer. Think of it as a service, not an app; thinking this way you will find many vulnerabilities.
  • One more thing
  • Video on niconico / YouTube, available today
  • Thanks & Bye~~ Hokila. Mail: hokila.jan@splashtop.com; blog: josihokila.blogspot.com; FB: fb.me/hokilaj