SlideShare a Scribd company logo

Hacking and securing ios applications

Download as PPTX, PDF
Satish b
Satish b
Education
1 of 46
HACKING AND SECURING IOS APPLICATIONS http://www.securitylearn.net -Satish B
Agenda  iOS Security Concepts  Loopholes in iOS  Hacking & Securing iOS Applications  How does loophole in iOS affects the apps  How easy it’s to steal data from the apps  How to protect these apps http://www.securitylearn.net
Who Am I? <1 • Framework for functional testing tools Development 5+ Information • Web & Mobile application security Security • iOS Forensics & hacking Other Interests • Tool development & Knowledge Sharing http://www.securitylearn.net
iOS Basics  iOS is the Operating System that run on Apple devices like iPhone, iPod, iPad & Apple TV  Stripped down Mac OS X + XNU kernel  Provides multi tasking  Only allows to run Apple signed applications  New features & Bug fixes with every release  Current version is iOS 6.0.1 http://www.securitylearn.net
iOS Security Features  Boot Chain  Chain of trust  Series of signature checks  BootRom->LLB->iBoot->kernel->file system  Code Signing  Prevents running of unauthorized apps/code  Verifies the integrity of the app code at rest & runtime  Malware prevention  Passcode  Prevents unauthorized access to the device  Default is 4-digit passcode & Support for complex passcode  Configurable data wipe after 10 failed attempts http://www.securitylearn.net
Access data without passcode  Breaking Chain of trust  Bootrom exploit  Patch the series of signature checks  Boot with custom ramdisk  Access file system  No Bootrom exploit for latest devices  iPhone 4s & 5, iPad 2 &3, iPad Mini http://www.securitylearn.net
iOS Security Features  Encryption  Dedicated crypto engine  Two hardcoded keys – UID & GID  Usage of UID & GID is limited  Data Protection  Ties the data encryption to the user’s passcode  Files are not accessible when the device is locked  No Passcode = No data protection  File Encryption  Every File is encrypted with unique key  File key is stored in the file metadata  Metadata is encrypted with EMF Key http://www.securitylearn.net
Bypassing the iPhone passcode  Custom ram disk gives access to the file system  Passcode is required to access those protected files  Passcode is not stored on the device in any format  Brute force is the only option  Brute forcing at Springboard  6 failed attempts introduces delay  Delay from 1 min to several days  Brute forcing at kernel level  Passcode validity is verified by unlocking the System Keybag  Load brute force script in custom ramdisk and try to unlock Keybag http://www.securitylearn.net
Bypassing the iPhone passcode  Brute force time depends on the iPhone hardware  On iPhone 4 – http://www.securitylearn.net
iOS Security Features  ASLR - Address Space layout randomization  Randomizes the memory address  Apps can built with partial or full ASLR  Full - Compiled with PIE  DEP – Data Execution Prevention  Differentiates code and data  Prevents the execution of code from non executable memory pages  Stack Canaries  Stack smashing protection  Canary is placed after the local variables  Protects from buffer overflows http://www.securitylearn.net
iOS Software Stack Security APIs iOS Security Features http://www.securitylearn.net Ahmad-Reza Sadeghi et al, “Overview on apple iOS” paper
Types of iOS Applications  Browser based  Run inside safari  Built with server side technology like PHP, .NET,…  HTML, CSS & JavaScript rendering styled to the device  Native  Built with iOS SDK & ARM compiled  Written in Objective C & Cocoa Touch API  Hybrid  Native container that leverage browser engine  Objective C, HTML 5 & JavaScript http://www.securitylearn.net
Areas of focus for hacking  Device storage  Plist  Sqlite  Cookies  Keychain  Run time analysis  Breaking simple locks  Sniffing Networks  MITM & Transport security http://www.securitylearn.net
Local Storage http://www.securitylearn.net
App Sandbox  Apps run in a self-contained environment called Sandbox  Apps can not access data from other apps  All apps run as one user: mobile http://www.securitylearn.net
Plist files  Property list files - Key value pairs stored in binary or XML format  Easily viewed and modified using property list editors (plutil)  Designed to store user’s properties and configuration information  But Apps store usernames, passwords, email ids and session info  Ex: Facebook stores the authentication tokens http://www.securitylearn.net
Plist files  Apps create plist files with any or without a file extension  Plists are identified by a file header – bplist  Plist files are not protected by Data protection  Plists are stored un-encrypted in the iOS normal backups (iTunes).  Apps may delete the plist files upon logout  File system changes are recorded in HFS Journal  Deleted files can be recovered by carving the HFS Journal http://www.securitylearn.net
Facebook Session Hijacking  Facebook stores authentication tokens in plist file  Gaining access to the plist allows to log into the app  Plist files can be stolen  Upon physical access to the device  From backups : Metasploit post exploitation script to read iOS backup  In addition to that, Tokens never expired even on Logout http://www.securitylearn.net
Plist files  Do not store sensitive data in Plist files  If required, use custom encryption  Protect plist files with data protection API  Create plist files Library/Caches folder  iTunes does not backup caches directory  For better security, Implement classes for secure file wipe  Before deleting the file overwrite the file bytes with junk values http://www.securitylearn.net
Data Protection for files http://www.securitylearn.net
Sqlite files  Lightweight database for structured data storage  Sqlite is portable, reliable, small and available as a single flat file  Sqlite is preferred as it gives good memory usage and speed  Apps store usernames, passwords, emails and sensitive data Ex: Gmail stores the emails in Sqlite db file for offline access http://www.securitylearn.net
Sqlite files  Sqlite can be created with any or without a file extension  Sqlite files can be viewed using Sqlite Spy or sqlite3  Data stored in the Sqlite is un-encrypted  Sqlite files are stored un-encrypted in the iOS backups (iTunes)  Apps may delete Sqlite files upon logout  Delete files can be recovered by carving the HFS Journal http://www.securitylearn.net
Sqlite files  Apps may delete the Sqlite records  Sqlite – tags the records as deleted but not purge them  Records which are marked as deleted can be recovered by reading the WAL (Write Ahead Log)  Recovering Sqlite records is easy compare to recovering the files  Strings command can be used to print the deleted records http://www.securitylearn.net
Sqlite files  Do not store sensitive data in clear text  Use custom encryption  Protect Sqlite files with data protection API  Implement classes for secure file wipe  Purge the data upon deletion with VACUUM SQL command.  VACUUM rebuilds the database  Doing it for every delete consumes time  Before deleting the Sqlite record, replace the data with junk values  Data and Junk value length has to be same http://www.securitylearn.net
Keychain  Sqlite database for sensitive data storage  Apple says “keychain is a secure place to store keys and passwords”  Located at: /var/Keychains/keychain-2.db  Four tables: genp, inet, cert, keys  Keychain encryption is tied to the device  Protected entries are tied to the user’s passcode  Keychain file is accessible to all the applications  Application can only access it’s own key chain items  Based on app keychain access group http://www.securitylearn.net
Keychain  On a JailBroken device Keychain restrictions can be bypassed  Design an app as a member of all keychain access groups (*)  Keychain Dumper Tool  Design app with com.apple.keystore.access-keychain-keys permission  Keychain viewer – by Sogeti http://www.securitylearn.net
Keychain  Keychain is also not secure. Do not store sensitive data in clear text.  Encrypt the data using custom encryption (CCCrypt)  Use data protection API while storing data in keychain  BY default entries are created with kSecAttrAccessibleWhenUnlocked data protection  Apple may change the default protection any time  Do not store the encryption keys in the binary http://www.securitylearn.net
Data Protection for keychain http://www.securitylearn.net
Error Logs  Apps may write sensitive data in logs  Debugging (NSLog calls)  Trouble shooting  Requests & Responses  Located at - /private/var/log/syslog  To view iPhone logs  Console App (from AppStore)  iTunes Sync (CrashReporter folder)  iPhone configuration utility - Console http://www.securitylearn.net
Error Logs  Syslog is out of sandbox – Any app can access it  Do not write sensitive data in the syslog file http://www.securitylearn.net
Screenshot  Home button shrinks your application with a nice effect  iOS takes screen shots of the application to create that effect  Sensitive data may get cached  App directory/Library/Caches/Snapshots  Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns  Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the "Application does not run in background" property in the application's Info.plist file http://www.securitylearn.net
Screenshot  Gmail Screenshot http://www.securitylearn.net
Keyboard cache  iPhone records everything that a user types in clear text  Designed to auto complete the predictive common words  Located at - Library/Keyboard/en_GB-dynamic-text.dat  Viewed using a hex editor http://www.securitylearn.net
Keyboard cache  Secure fields are not stored  Passwords are safe  Strings with all digits are not stored  Pins and credit card numbers are safe  Data typed into text fields are cached  Usernames and security question answers…  To disable auto complete of a text field  Mark it as a secure field mytextField.secureTextEntry = YES  Disable auto correction mytextField.autocorrectionType = UITextAutocorrectionTypeNo; http://www.securitylearn.net
Cookies.binarycookies  Binary file to store the cookies  Persistent cookies are stored along with the flags (Secure, HTTPOnly)  Most iOS apps does not prompt the user for login every time and creates persistent cookies  Apps store the session cookies locally  Grabbing cookies allows to log into the user’s account http://www.securitylearn.net
Cookies.binarycookies  BinaryCookieReader.py can be used to read the cookie files  For critical applications don’t create persistent cookies http://www.securitylearn.net
Run Time Analysis http://www.securitylearn.net
Binary Analysis  Self distributed Apps are not encrypted  AppStore binaries are encrypted  Similar to Fairplay DRM used on iTunes music  Loader decrypts the apps when loaded into memory  Debugger can be used to dump the decrypted app from memory into a file  Tools are available: Craculous & Installous  GNU Debugger or IDA Pro are used on decrypted binary for better analysis  Look for Hard coded passwords, encryption keys, buffer over flows and format string attacks http://www.securitylearn.net
Runtime Analysis  Use class-dump-z on decrypted binary and map the application  iOS app centralized point of control (MVC) – UIApplication class  Analyze the class dump output and identify the interesting class http://www.securitylearn.net
Runtime Analysis  App runtime can be easily modified using Cycript (Cydia pkg)  Combination of JavaScript and Objective-C interpreter  Can be hooked to a running process (like GDB)  Gives access to all classes and instance variables within the app  Existing methods can be overwritten easily  Create object for the class and directly access the instance variables and invoke methods http://www.securitylearn.net
Runtime Analysis  Possible attacks with Cycript  Authentication bypass  Breaking simple locks  Bypassing restrictions that stops apps from running on Jailbroken device  Extract hardcode encryption keys  Extract app passcodes  Malicious code injection  Do not store encryption keys / passcode in memory  Implement code that restricts debugger attachment http://www.securitylearn.net
Transport Security http://www.securitylearn.net
Transport Security  iOS apps use SSL/https to do secure transactions  NSURLRequest / NSURLConnection are commonly used  CFNetwork – Alternate low level framework to implement SSL  Frameworks by default rejects the self signed certificates to prevent MITM attacks  Provides API to accept any un-trusted certificate  NSURLRequest  setAllowsAnyHTTPSCertificate  NSURLConnection delegate  continueWithoutCredentialForAuthenticationChallenge  CFNetwork  kCFStreamSSLAllowsExpiredCertificates … http://www.securitylearn.net
Transport Security  DO not deploy iOS applications with cert validation bypass code http://www.securitylearn.net
Transport Security  API uses a default set of ciphers to setup a connection  Does not provide an option to choose the cipher  Apps can built with embedded SSL libraries  MatrixSSL, yaSSL  Apps compiled with latest SDK (>5) does not support weak ciphers Image from iOS Application In-Security paper by MDSec http://www.securitylearn.net
Thank You Email: Satishb3@hotmail.com Twitter: @Satishb3 http://www.securitylearn.net

Recommended

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 

Recommended

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
Sina Manavi
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
Mohammed Adam
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
VodqaBLR
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
kunwaratul hax0r
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
Abdelhamid Limami
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
BGA Cyber Security
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
Roshan Kumar Gami
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applications
n|u - The Open Security Community
 
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be DangerousKeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
Priyanka Aash
 
IOS security
IOS securityIOS security
IOS security
bakhti rahman
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
Max Bazaliy
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
Satish b
 

More Related Content

What's hot

KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be DangerousKeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
Priyanka Aash
 

What's hot (20)

Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Mobile security
Mobile securityMobile security
Mobile security
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applications
 
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be DangerousKeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous
 
IOS security
IOS securityIOS security
IOS security
 
Android security
Android securityAndroid security
Android security
 

Viewers also liked

OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS security
Priyanka Aash
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data Protection
Andrey Belenko
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
Satish b
 

Viewers also liked (20)

Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS security
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)
 
Hacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsHacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & Solutions
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data Protection
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Smart phone security ios system
Smart phone security ios systemSmart phone security ios system
Smart phone security ios system
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
 
iOS App Reverse Engineering
iOS App Reverse EngineeringiOS App Reverse Engineering
iOS App Reverse Engineering
 
ppt based on android technology with great animations
ppt based on android technology with great animationsppt based on android technology with great animations
ppt based on android technology with great animations
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
Client Side Exploits using PDF
Client Side Exploits using PDFClient Side Exploits using PDF
Client Side Exploits using PDF
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
 

Similar to Hacking and securing ios applications

Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 

Similar to Hacking and securing ios applications (20)

Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 
OWASP for iOS
OWASP for iOSOWASP for iOS
OWASP for iOS
 
Security in iOS
Security in iOSSecurity in iOS
Security in iOS
 
osi semair.pptx
osi semair.pptxosi semair.pptx
osi semair.pptx
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
Are Your Mobile Apps Secure? (Part I)
Are Your Mobile Apps Secure? (Part I)Are Your Mobile Apps Secure? (Part I)
Are Your Mobile Apps Secure? (Part I)
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Ios file management
Ios file managementIos file management
Ios file management
 
Best 15 file and folder locker for Windows 11
Best 15 file and folder locker for Windows 11Best 15 file and folder locker for Windows 11
Best 15 file and folder locker for Windows 11
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 

Recently uploaded

Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
Excellence Foundation for South Sudan
 

Recently uploaded (20)

Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
Keeping Your Information Safe with Centralized Security Services
Keeping Your Information Safe with Centralized Security ServicesKeeping Your Information Safe with Centralized Security Services
Keeping Your Information Safe with Centralized Security Services
 
B.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdfB.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdf
 
Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
 
2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
 
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. SalemOperations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxJose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptx
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERP
 
The Last Leaf, a short story by O. Henry
The Last Leaf, a short story by O. HenryThe Last Leaf, a short story by O. Henry
The Last Leaf, a short story by O. Henry
 
Open Educational Resources Primer PowerPoint
Open Educational Resources Primer PowerPointOpen Educational Resources Primer PowerPoint
Open Educational Resources Primer PowerPoint
 
Application of Matrices in real life. Presentation on application of matrices
Application of Matrices in real life. Presentation on application of matricesApplication of Matrices in real life. Presentation on application of matrices
Application of Matrices in real life. Presentation on application of matrices
 
NCERT Solutions Power Sharing Class 10 Notes pdf
NCERT Solutions Power Sharing Class 10 Notes pdfNCERT Solutions Power Sharing Class 10 Notes pdf
NCERT Solutions Power Sharing Class 10 Notes pdf
 
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 
Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resources
 

Hacking and securing ios applications

  • 1. HACKING AND SECURING IOS APPLICATIONS http://www.securitylearn.net -Satish B
  • 2. Agenda  iOS Security Concepts  Loopholes in iOS  Hacking & Securing iOS Applications  How does loophole in iOS affects the apps  How easy it’s to steal data from the apps  How to protect these apps http://www.securitylearn.net
  • 3. Who Am I? <1 • Framework for functional testing tools Development 5+ Information • Web & Mobile application security Security • iOS Forensics & hacking Other Interests • Tool development & Knowledge Sharing http://www.securitylearn.net
  • 4. iOS Basics  iOS is the Operating System that run on Apple devices like iPhone, iPod, iPad & Apple TV  Stripped down Mac OS X + XNU kernel  Provides multi tasking  Only allows to run Apple signed applications  New features & Bug fixes with every release  Current version is iOS 6.0.1 http://www.securitylearn.net
  • 5. iOS Security Features  Boot Chain  Chain of trust  Series of signature checks  BootRom->LLB->iBoot->kernel->file system  Code Signing  Prevents running of unauthorized apps/code  Verifies the integrity of the app code at rest & runtime  Malware prevention  Passcode  Prevents unauthorized access to the device  Default is 4-digit passcode & Support for complex passcode  Configurable data wipe after 10 failed attempts http://www.securitylearn.net
  • 6. Access data without passcode  Breaking Chain of trust  Bootrom exploit  Patch the series of signature checks  Boot with custom ramdisk  Access file system  No Bootrom exploit for latest devices  iPhone 4s & 5, iPad 2 &3, iPad Mini http://www.securitylearn.net
  • 7. iOS Security Features  Encryption  Dedicated crypto engine  Two hardcoded keys – UID & GID  Usage of UID & GID is limited  Data Protection  Ties the data encryption to the user’s passcode  Files are not accessible when the device is locked  No Passcode = No data protection  File Encryption  Every File is encrypted with unique key  File key is stored in the file metadata  Metadata is encrypted with EMF Key http://www.securitylearn.net
  • 8. Bypassing the iPhone passcode  Custom ram disk gives access to the file system  Passcode is required to access those protected files  Passcode is not stored on the device in any format  Brute force is the only option  Brute forcing at Springboard  6 failed attempts introduces delay  Delay from 1 min to several days  Brute forcing at kernel level  Passcode validity is verified by unlocking the System Keybag  Load brute force script in custom ramdisk and try to unlock Keybag http://www.securitylearn.net
  • 9. Bypassing the iPhone passcode  Brute force time depends on the iPhone hardware  On iPhone 4 – http://www.securitylearn.net
  • 10. iOS Security Features  ASLR - Address Space layout randomization  Randomizes the memory address  Apps can built with partial or full ASLR  Full - Compiled with PIE  DEP – Data Execution Prevention  Differentiates code and data  Prevents the execution of code from non executable memory pages  Stack Canaries  Stack smashing protection  Canary is placed after the local variables  Protects from buffer overflows http://www.securitylearn.net
  • 11. iOS Software Stack Security APIs iOS Security Features http://www.securitylearn.net Ahmad-Reza Sadeghi et al, “Overview on apple iOS” paper
  • 12. Types of iOS Applications  Browser based  Run inside safari  Built with server side technology like PHP, .NET,…  HTML, CSS & JavaScript rendering styled to the device  Native  Built with iOS SDK & ARM compiled  Written in Objective C & Cocoa Touch API  Hybrid  Native container that leverage browser engine  Objective C, HTML 5 & JavaScript http://www.securitylearn.net
  • 13. Areas of focus for hacking  Device storage  Plist  Sqlite  Cookies  Keychain  Run time analysis  Breaking simple locks  Sniffing Networks  MITM & Transport security http://www.securitylearn.net
  • 14. Local Storage http://www.securitylearn.net
  • 15. App Sandbox  Apps run in a self-contained environment called Sandbox  Apps can not access data from other apps  All apps run as one user: mobile http://www.securitylearn.net
  • 16. Plist files  Property list files - Key value pairs stored in binary or XML format  Easily viewed and modified using property list editors (plutil)  Designed to store user’s properties and configuration information  But Apps store usernames, passwords, email ids and session info  Ex: Facebook stores the authentication tokens http://www.securitylearn.net
  • 17. Plist files  Apps create plist files with any or without a file extension  Plists are identified by a file header – bplist  Plist files are not protected by Data protection  Plists are stored un-encrypted in the iOS normal backups (iTunes).  Apps may delete the plist files upon logout  File system changes are recorded in HFS Journal  Deleted files can be recovered by carving the HFS Journal http://www.securitylearn.net
  • 18. Facebook Session Hijacking  Facebook stores authentication tokens in plist file  Gaining access to the plist allows to log into the app  Plist files can be stolen  Upon physical access to the device  From backups : Metasploit post exploitation script to read iOS backup  In addition to that, Tokens never expired even on Logout http://www.securitylearn.net
  • 19. Plist files  Do not store sensitive data in Plist files  If required, use custom encryption  Protect plist files with data protection API  Create plist files Library/Caches folder  iTunes does not backup caches directory  For better security, Implement classes for secure file wipe  Before deleting the file overwrite the file bytes with junk values http://www.securitylearn.net
  • 20. Data Protection for files http://www.securitylearn.net
  • 21. Sqlite files  Lightweight database for structured data storage  Sqlite is portable, reliable, small and available as a single flat file  Sqlite is preferred as it gives good memory usage and speed  Apps store usernames, passwords, emails and sensitive data Ex: Gmail stores the emails in Sqlite db file for offline access http://www.securitylearn.net
  • 22. Sqlite files  Sqlite can be created with any or without a file extension  Sqlite files can be viewed using Sqlite Spy or sqlite3  Data stored in the Sqlite is un-encrypted  Sqlite files are stored un-encrypted in the iOS backups (iTunes)  Apps may delete Sqlite files upon logout  Delete files can be recovered by carving the HFS Journal http://www.securitylearn.net
  • 23. Sqlite files  Apps may delete the Sqlite records  Sqlite – tags the records as deleted but not purge them  Records which are marked as deleted can be recovered by reading the WAL (Write Ahead Log)  Recovering Sqlite records is easy compare to recovering the files  Strings command can be used to print the deleted records http://www.securitylearn.net
  • 24. Sqlite files  Do not store sensitive data in clear text  Use custom encryption  Protect Sqlite files with data protection API  Implement classes for secure file wipe  Purge the data upon deletion with VACUUM SQL command.  VACUUM rebuilds the database  Doing it for every delete consumes time  Before deleting the Sqlite record, replace the data with junk values  Data and Junk value length has to be same http://www.securitylearn.net
  • 25. Keychain  Sqlite database for sensitive data storage  Apple says “keychain is a secure place to store keys and passwords”  Located at: /var/Keychains/keychain-2.db  Four tables: genp, inet, cert, keys  Keychain encryption is tied to the device  Protected entries are tied to the user’s passcode  Keychain file is accessible to all the applications  Application can only access it’s own key chain items  Based on app keychain access group http://www.securitylearn.net
  • 26. Keychain  On a JailBroken device Keychain restrictions can be bypassed  Design an app as a member of all keychain access groups (*)  Keychain Dumper Tool  Design app with com.apple.keystore.access-keychain-keys permission  Keychain viewer – by Sogeti http://www.securitylearn.net
  • 27. Keychain  Keychain is also not secure. Do not store sensitive data in clear text.  Encrypt the data using custom encryption (CCCrypt)  Use data protection API while storing data in keychain  BY default entries are created with kSecAttrAccessibleWhenUnlocked data protection  Apple may change the default protection any time  Do not store the encryption keys in the binary http://www.securitylearn.net
  • 28. Data Protection for keychain http://www.securitylearn.net
  • 29. Error Logs  Apps may write sensitive data in logs  Debugging (NSLog calls)  Trouble shooting  Requests & Responses  Located at - /private/var/log/syslog  To view iPhone logs  Console App (from AppStore)  iTunes Sync (CrashReporter folder)  iPhone configuration utility - Console http://www.securitylearn.net
  • 30. Error Logs  Syslog is out of sandbox – Any app can access it  Do not write sensitive data in the syslog file http://www.securitylearn.net
  • 31. Screenshot  Home button shrinks your application with a nice effect  iOS takes screen shots of the application to create that effect  Sensitive data may get cached  App directory/Library/Caches/Snapshots  Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns  Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the "Application does not run in background" property in the application's Info.plist file http://www.securitylearn.net
  • 32. Screenshot  Gmail Screenshot http://www.securitylearn.net
  • 33. Keyboard cache  iPhone records everything that a user types in clear text  Designed to auto complete the predictive common words  Located at - Library/Keyboard/en_GB-dynamic-text.dat  Viewed using a hex editor http://www.securitylearn.net
  • 34. Keyboard cache  Secure fields are not stored  Passwords are safe  Strings with all digits are not stored  Pins and credit card numbers are safe  Data typed into text fields are cached  Usernames and security question answers…  To disable auto complete of a text field  Mark it as a secure field mytextField.secureTextEntry = YES  Disable auto correction mytextField.autocorrectionType = UITextAutocorrectionTypeNo; http://www.securitylearn.net
  • 35. Cookies.binarycookies  Binary file to store the cookies  Persistent cookies are stored along with the flags (Secure, HTTPOnly)  Most iOS apps does not prompt the user for login every time and creates persistent cookies  Apps store the session cookies locally  Grabbing cookies allows to log into the user’s account http://www.securitylearn.net
  • 36. Cookies.binarycookies  BinaryCookieReader.py can be used to read the cookie files  For critical applications don’t create persistent cookies http://www.securitylearn.net
  • 37. Run Time Analysis http://www.securitylearn.net
  • 38. Binary Analysis  Self distributed Apps are not encrypted  AppStore binaries are encrypted  Similar to Fairplay DRM used on iTunes music  Loader decrypts the apps when loaded into memory  Debugger can be used to dump the decrypted app from memory into a file  Tools are available: Craculous & Installous  GNU Debugger or IDA Pro are used on decrypted binary for better analysis  Look for Hard coded passwords, encryption keys, buffer over flows and format string attacks http://www.securitylearn.net
  • 39. Runtime Analysis  Use class-dump-z on decrypted binary and map the application  iOS app centralized point of control (MVC) – UIApplication class  Analyze the class dump output and identify the interesting class http://www.securitylearn.net
  • 40. Runtime Analysis  App runtime can be easily modified using Cycript (Cydia pkg)  Combination of JavaScript and Objective-C interpreter  Can be hooked to a running process (like GDB)  Gives access to all classes and instance variables within the app  Existing methods can be overwritten easily  Create object for the class and directly access the instance variables and invoke methods http://www.securitylearn.net
  • 41. Runtime Analysis  Possible attacks with Cycript  Authentication bypass  Breaking simple locks  Bypassing restrictions that stops apps from running on Jailbroken device  Extract hardcode encryption keys  Extract app passcodes  Malicious code injection  Do not store encryption keys / passcode in memory  Implement code that restricts debugger attachment http://www.securitylearn.net
  • 42. Transport Security http://www.securitylearn.net
  • 43. Transport Security  iOS apps use SSL/https to do secure transactions  NSURLRequest / NSURLConnection are commonly used  CFNetwork – Alternate low level framework to implement SSL  Frameworks by default rejects the self signed certificates to prevent MITM attacks  Provides API to accept any un-trusted certificate  NSURLRequest  setAllowsAnyHTTPSCertificate  NSURLConnection delegate  continueWithoutCredentialForAuthenticationChallenge  CFNetwork  kCFStreamSSLAllowsExpiredCertificates … http://www.securitylearn.net
  • 44. Transport Security  DO not deploy iOS applications with cert validation bypass code http://www.securitylearn.net
  • 45. Transport Security  API uses a default set of ciphers to setup a connection  Does not provide an option to choose the cipher  Apps can built with embedded SSL libraries  MatrixSSL, yaSSL  Apps compiled with latest SDK (>5) does not support weak ciphers Image from iOS Application In-Security paper by MDSec http://www.securitylearn.net
  • 46. Thank You Email: Satishb3@hotmail.com Twitter: @Satishb3 http://www.securitylearn.net