Satish b, profile picture
Uploaded bySatish b
PPTX, PDF9,428 views

Pentesting iPhone applications

The document provides an overview of pentesting for iPhone applications, including app development, distribution, and the unique security challenges associated with iOS. It highlights key areas of focus such as network communication, privacy issues, and storage of sensitive data, along with methods for exploiting vulnerabilities. The document also discusses tools and techniques for both reversing apps and analyzing network traffic, emphasizing the importance of adhering to security best practices to mitigate risks.

Embed presentation

Downloaded 326 times
Pentesting iPhone Applications satishb3@hotmail.com
Agenda • iPhone App Basics – App development – App distribution • Pentesting iPhone Apps – Methodology – Areas of focus • Major Mobile Threats
Who am I <1 • Framework for functional testing tools Development • Web application hacking, Network assessments, 5+ Information Reverse engineering, Mobile application hacking… Security • OWASP Hyderabad Contributor Other Activities • Blogging - Securitylearn.wordpress.com 3
iPhone App Basics • iPhone released in 2007 – 110 million sales till March 2011 • Browser based Applications – HTML + CSS + JavaScript • Native iOS Applications – Objective C & Cocoa Touch API • Super set of C, Compiles into native code (ARM) • App Store – Centralized mechanism to distribute software – Only Apple signed application are available – Designed to protect the Apps from piracy & No malware
Why to build iPhone Application? • New business • Good way to launch new services • Urgency for clients • Users want them • Quick to develop • Fame and Fortune – Angry Birds cost $140k to develop and made $70 million in profits Source: mildtech.net
iPhone Application Distribution Distributed as .ipa files • iOS Simulator • Device testing • Ad-Hoc Distribution • In-House Distribution • Over The Air Distribution • App Store Distribution – Apps have to obey Apple Review guidelines
Pentesting of iPhone Applications • Areas of focus include – Network communication – Privacy Issues – Application Data Storage – Reverse Engineering – URL Schemes – Push Notifications • Overlap between iPhone security and iPhone App security
JailBreaking • iPhone does not allow unsigned applications • Jailbreak gives a full access to the device • Allows to install Apps which are not authorized (via Cydia) • Can put your phone at increased risk to some security vulnerabilities • Tools: PwnageTool, redsn0w, Sn0wbreeze, Greenpois0n, jailbreakMe… • JailBreaking makes our work easy
Useful Cydia Apps • Openssh : SSH to phone • Adv-cmds : process commands like ps, kill… • Sqlite3 : Sqlite database client • GNU Debugger: Reverse engineering • Syslogd : To view iPhone logs • Tcpdump: capture traffic on phone • com.ericasadun.utlities: plutil (view plist files) • Darwin tools: Strings command • Odcctools: otool, nm …
SSH to iPhone • Install Open SSH from Cydia • On workstation install SSH Client • iPhone has two users by default – Root and mobile (password is ‘alpine’) • Connect to the phone as a root user via SSH – SSH over WIFI SSH Clients > ssh root@iPhoneIP Type Windows OS X > password: alpine Console Putty SSH client GUI WinSCP Cyberduck – SSH over USB > ./itunnel_mux --lport 1234 > ssh –p 1234 root@127.0.0.1 > password: alpine
Network Communication • Mobile application pentesting isn’t really all that different – It involves network communication • Communication mechanism • Clear text transmission (http) • Encrypted transmission (https) • Use of Custom or Proprietary protocols
Clear text Transmission • It’s 2011. Still Apps run on http • More possible MITM attacks because of WIFI – Firesheep • To analyze HTTP traffic – Enable manual proxy in iPhone (settings - > WIFI - > manual)
SSL Communication • HTTPS is required for sensitive data transmission • In SSL communication, – Apps may fail to validate SSL cert • allowsAnyHTTPSCertificateForHost – Apps which are validating the cert will not allow MITM • similar to modern browsers like Google chrome, IE 8… – To capture the traffic, load your proxy (burp) CA Cert to iPhone – Same applicable to other protocols which works on Cert
Custom Protocols • Identify the communication protocol – On SSH Terminal: > tcpdump -w traffic.pcap – Load the .pcap in wireshark and analyze • May not respect iPhone proxy settings • DNS Spoofing techniques to MITM • Once you capture the traffic it is a typical web application pentesting in which attacks are done on the application server -Authentication, Authorization, Session management, weak ciphers….
Privacy Issues • Every iPhone has an unique device identifier called UDID • Apps may collect the device UDID • With UDID – Possible to observe the user browsing patterns – Feasible to locate user Geo location – More possible attacks are documented in “Eric Smith: iPhone- Applications-Privacy-Issues.pdf” • One such application is – Openfient : mobile social gaming network http://corte.si/posts/security/openfeint-udid-deanonymization/ • Observe the network traffic to find out UDID transmission
Application Data Storage • 76 percent of mobile Apps store user data on phone • 10 percent Apps store passwords in clear text Source: viaforensics.com/appwatchdog • Apps store information on phone – For better performance – Offline access • Data storage locations • Plist files • Keychain • Logs • Screenshots • Home directory
Application Directory Structure • Application run in a sandbox (seatbelt) with ‘mobile’ privileges • Each application gets a private area of the file system – App Home directory: /var/mobile/Applications/[GUID] SubDirectory Description Appname.app Contains the application code and static data Documents Data that may be shared with desktop through iTunes Library Application support files Library/Preferences/ App specific preferences Data that should persist across successive launches of the Library/Caches/ application but not needed to be backed up Temporary files that do not need to persist across successive tmp launches of the application
Plist files • Property list files – often used to store user’s properties of an App – /var/mobile/Applications/[appid]/Documents/Preferences • Key value pairs are stored in binary format • Easily extracted and modified with property list editor, plutil • Look for usernames , passwords, cookies… • Apps may take Authentication/Authorization decisions – Ex: admin=1, timeout=10 • Do not store clear text data in plist files
Keychain • SQLite database for sensitive data storage • Four tables: genp, inet, cert, keys • Located at: /var/Keychains/keychain-2.db • Keychain data is encrypted – Uses hardware encryption key – Uses user passcode for encryption • Depends on accessibility constant of keychain entry – Can not be moved to other device • Idea is, developers can leverage keychains to have the OS to store information securely – Not any more
Keychain • Accessible to all the applications • Application can only access it’s key chain items – On a JailBroken device It can be bypassed • Keychain Dumper Tool – by github – Displays keychain entries of all the installed applications • Use data protection API while storing data in keychain • Use kSecAttrAccessibleWhenUnlocked accessibility constant – If phone is lost & user sets a passcode, it is difficult to retrieve protected contents in keychain – Keychain data is encrypted with User Passcode
Error Logs • Apps may write sensitive data in logs – Debugging (NSLog calls) – Trouble shooting – Requests & Responses – /private/var/log/syslog • To view iPhone logs – Console App (from AppStore) – Sync to iTunes • Mac OS X : ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE_NAME> • Windows XP: C:Documents and Settings<USERNAME>Application DataApple computerLogsCrashReporter/<DEVICE_NAME>
Screenshot • Home button shrinks your application with a nice effect • iOS takes screen shots of the application to create that effect • Sensitive data may get cached – App directory/Library/Caches/Snapshots • Solution – Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns – Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the "Application does not run in background" property in the application's Info.plist file
Screenshot Copied From SANS website
Home directory • Apps can store data in application home directory • Custom encryption mechanism can be used to store files • Use Reverse engineering techniques to find encryption key • Write tools to break the custom encryption
Reverse Engineering • Apps downloaded from AppStore are encrypted – Fairplay DRM (AES) • On a JailBroken device, we can decrypt Apps easily – Craculous : decrypts Apps on device – Installous : installs decrypted Apps on device • Self distributed Apps are not encrypted • Hex Rays decompiler & Run time debugger (gdb) • Look for Hard coded passwords and encryption keys • Buffer Overflows – iOS 4.3 introduced ASLR support • Apps must be compiled with PIE (position independent executable) for full support
URL Scheme • Protocol Handlers - mailto:, tel: • Browser to App interaction • View Info.plist for supported schemes > plutil Facebook.app/Info.plist CFBundleURLName = "com.facebook"; CFBundleURLSchemes = ( fbauth, fb ); • Parameters are supplied to the application Mailto:securitylearn.wordpress@gmail.com twitter://post?message=visit%20maniacdev.com – Bad Input crash Apps
URL Scheme • Decrypt the App to find parameters > strings Facebook.app/Facebook | grep 'fb:' fb://online#offline fb://birthdays/(initWithMonth:)/(year:) fb://userset fb://nearby fb://place/(initWithPageId:) – http://wiki.akosma.com/IPhone_URL_Schemes • Remote attacks – URL Scheme allows to edit or delete data without user permission Ex: Skype URL Handler Dial Arbitrary Number <iframe src="skype://14085555555?call"></iframe>
Push Notifications • App vendors use this service to push notifications to the user's device even when the app is in a frozen state – Instant Messenger alerts the user when a new message is received even though the user is using another app • Device token unique to ios instance is required • Push notification data can be read by Apple – Do not send Confidential data in notifications • Do not allow push notifications to modify App data
Major mobile Threats • Easy to lose phones – Device is protected with passcode – Sensitive files on the device are encrypted – What’s the threat? • Data encryption in mobile is only available after boot up – Boot Rom exploits • all files on the device can be copied with in 10 minutes – Passcode brute force • 4 digit passcode can be brute forced with in 20 minutes • Mobile App Risks – Veracode Top 10 – OWASP Top 10
References • BlackHat 2011 - DaiZovi_iOS_Security • Fraunhofer iOS Device encryption security • GitHub – Keychain Dumper
Thank You Email : Satishb3@securitylearn.net Blog: http://www.securitylearn.net

More Related Content

PPTX
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
 
PDF
Hacking and Securing iOS Apps : Part 1
bySubhransu Behera
 
PDF
I Want More Ninja – iOS Security Testing
byJason Haddix
 
PPTX
Hacking and securing ios applications
bySatish b
 
KEY
Jailbreaking iOS
byKai Aras
 
PPTX
iOS Security and Encryption
byUrvashi Kataria
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
PDF
iOS Application Penetration Testing
byn|u - The Open Security Community
 
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
 
Hacking and Securing iOS Apps : Part 1
bySubhransu Behera
 
I Want More Ninja – iOS Security Testing
byJason Haddix
 
Hacking and securing ios applications
bySatish b
 
Jailbreaking iOS
byKai Aras
 
iOS Security and Encryption
byUrvashi Kataria
 
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
iOS Application Penetration Testing
byn|u - The Open Security Community
 

What's hot

PDF
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
PPT
iOS Hacking: Advanced Pentest & Forensic Techniques
byÖmer Coşkun
 
PDF
iOS Application Penetation Test
byJongWon Kim
 
PDF
Attacking and Defending Apple iOS Devices
byTom Eston
 
PPT
Mobile Security Assessment: 101
bywireharbor
 
PPTX
Pentesting iOS Applications
byjasonhaddix
 
PDF
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
 
PPT
iOS Application Penetration Testing for Beginners
byRyanISI
 
PDF
Pentesting iOS Apps - Runtime Analysis and Manipulation
byAndreas Kurtz
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
PDF
iOS Application Security
byEgor Tolstoy
 
PDF
Pentesting iOS Apps
byHerman Duarte
 
PPTX
iOS jailbreaking
byVarun Luthra
 
PDF
Iphone Presentation for MuMe09
byGonzalo Parra
 
PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
byTom Eston
 
PDF
Yow connected developing secure i os applications
bymgianarakis
 
PDF
Security Best Practices for Mobile Development
bySalesforce Developers
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
PDF
Dark Side of iOS [SmartDevCon 2013]
byKuba Břečka
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
byTom Eston
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
iOS Hacking: Advanced Pentest & Forensic Techniques
byÖmer Coşkun
 
iOS Application Penetation Test
byJongWon Kim
 
Attacking and Defending Apple iOS Devices
byTom Eston
 
Mobile Security Assessment: 101
bywireharbor
 
Pentesting iOS Applications
byjasonhaddix
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
 
iOS Application Penetration Testing for Beginners
byRyanISI
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
byAndreas Kurtz
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
iOS Application Security
byEgor Tolstoy
 
Pentesting iOS Apps
byHerman Duarte
 
iOS jailbreaking
byVarun Luthra
 
Iphone Presentation for MuMe09
byGonzalo Parra
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
byTom Eston
 
Yow connected developing secure i os applications
bymgianarakis
 
Security Best Practices for Mobile Development
bySalesforce Developers
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
Dark Side of iOS [SmartDevCon 2013]
byKuba Břečka
 
Smart Bombs: Mobile Vulnerability and Exploitation
byTom Eston
 

Viewers also liked

PPT
Infosecure 2011 owasp y cumplimiento normativo pci-dss y pa-dss
byJuan Jose Rider Jimenez
 
PPTX
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
PDF
Forensic analysis of iPhone backups (iOS 5)
bySatish b
 
PDF
Lifetime support-middleware-069163
bysharewithterrance
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
byviaForensics
 
DOC
دليل جميع مراكز تكوين الأطر التربوية
byAssoib Rachid
 
PPT
iPhone forensics on iOS5
bySatish b
 
PDF
C0c0n 2011 mobile security presentation v1.2
bySantosh Satam
 
PPT
padding oracle attack
bySatish b
 
PPT
Pentesting web applications
bySatish b
 
DOC
الهاكرز
byacc
 
PPTX
Web application attack Presentation
byKhoa Nguyen
 
PPSX
بحث علمي عن الهاكرز . Hackers
byAbdullah AlQarni
 
PDF
Reverse Engineering iOS apps
byMax Bazaliy
 
PDF
Pentest with Metasploit
byM.Syarifudin, ST, OSCP, OSWP
 
PPTX
Web application attacks
byhruth
 
Infosecure 2011 owasp y cumplimiento normativo pci-dss y pa-dss
byJuan Jose Rider Jimenez
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
Forensic analysis of iPhone backups (iOS 5)
bySatish b
 
Lifetime support-middleware-069163
bysharewithterrance
 
Droidcon it-2014-marco-grassi-viaforensics
byviaForensics
 
دليل جميع مراكز تكوين الأطر التربوية
byAssoib Rachid
 
iPhone forensics on iOS5
bySatish b
 
C0c0n 2011 mobile security presentation v1.2
bySantosh Satam
 
padding oracle attack
bySatish b
 
Pentesting web applications
bySatish b
 
الهاكرز
byacc
 
Web application attack Presentation
byKhoa Nguyen
 
بحث علمي عن الهاكرز . Hackers
byAbdullah AlQarni
 
Reverse Engineering iOS apps
byMax Bazaliy
 
Pentest with Metasploit
byM.Syarifudin, ST, OSCP, OSWP
 
Web application attacks
byhruth
 

Similar to Pentesting iPhone applications

PDF
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
byCyber Security Alliance
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
PDF
Hacking and Securing iOS Applications
byn|u - The Open Security Community
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
bySecureState
 
PPTX
iOS application (in)security
byiphonepentest
 
PDF
CactusCon - Practical iOS App Attack and Defense
bySeth Law
 
PPT
iOS Application Pentesting
byn|u - The Open Security Community
 
PDF
Penetration testing of i phone-ipad applications
byshehab najjar
 
PPT
iOS Client Side Analysis
byAadarsh N
 
PDF
Evaluating iOS Applications
byiphonepentest
 
PDF
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
 
PPTX
Mobile security part 2
byRomansh Yadav
 
PDF
iOS Application Security And Static Analysis.pdf
byCyber security professional services- Detox techno
 
PDF
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
bySeth Law
 
PDF
OWASP for iOS
byPhineas Huang
 
PPTX
Hacking & Securing of iOS Apps by Saurabh Mishra
byOWASP Delhi
 
PDF
iOS (Vulner)ability
bySubho Halder
 
PPTX
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
byCyber Security Alliance
 
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
Hacking and Securing iOS Applications
byn|u - The Open Security Community
 
Smart Bombs: Mobile Vulnerability and Exploitation
bySecureState
 
iOS application (in)security
byiphonepentest
 
CactusCon - Practical iOS App Attack and Defense
bySeth Law
 
iOS Application Pentesting
byn|u - The Open Security Community
 
Penetration testing of i phone-ipad applications
byshehab najjar
 
iOS Client Side Analysis
byAadarsh N
 
Evaluating iOS Applications
byiphonepentest
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
 
Mobile security part 2
byRomansh Yadav
 
iOS Application Security And Static Analysis.pdf
byCyber security professional services- Detox techno
 
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
bySeth Law
 
OWASP for iOS
byPhineas Huang
 
Hacking & Securing of iOS Apps by Saurabh Mishra
byOWASP Delhi
 
iOS (Vulner)ability
bySubho Halder
 
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 

Recently uploaded

PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PDF
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
PPTX
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
PDF
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PDF
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
PPTX
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 

Pentesting iPhone applications

  • 1.
    Pentesting iPhone Applications satishb3@hotmail.com
  • 2.
    Agenda • iPhone AppBasics – App development – App distribution • Pentesting iPhone Apps – Methodology – Areas of focus • Major Mobile Threats
  • 3.
    Who am I <1 • Framework for functional testing tools Development • Web application hacking, Network assessments, 5+ Information Reverse engineering, Mobile application hacking… Security • OWASP Hyderabad Contributor Other Activities • Blogging - Securitylearn.wordpress.com 3
  • 4.
    iPhone App Basics •iPhone released in 2007 – 110 million sales till March 2011 • Browser based Applications – HTML + CSS + JavaScript • Native iOS Applications – Objective C & Cocoa Touch API • Super set of C, Compiles into native code (ARM) • App Store – Centralized mechanism to distribute software – Only Apple signed application are available – Designed to protect the Apps from piracy & No malware
  • 5.
    Why to buildiPhone Application? • New business • Good way to launch new services • Urgency for clients • Users want them • Quick to develop • Fame and Fortune – Angry Birds cost $140k to develop and made $70 million in profits Source: mildtech.net
  • 6.
    iPhone Application Distribution Distributedas .ipa files • iOS Simulator • Device testing • Ad-Hoc Distribution • In-House Distribution • Over The Air Distribution • App Store Distribution – Apps have to obey Apple Review guidelines
  • 7.
    Pentesting of iPhoneApplications • Areas of focus include – Network communication – Privacy Issues – Application Data Storage – Reverse Engineering – URL Schemes – Push Notifications • Overlap between iPhone security and iPhone App security
  • 8.
    JailBreaking • iPhone doesnot allow unsigned applications • Jailbreak gives a full access to the device • Allows to install Apps which are not authorized (via Cydia) • Can put your phone at increased risk to some security vulnerabilities • Tools: PwnageTool, redsn0w, Sn0wbreeze, Greenpois0n, jailbreakMe… • JailBreaking makes our work easy
  • 9.
    Useful Cydia Apps • Openssh : SSH to phone • Adv-cmds : process commands like ps, kill… • Sqlite3 : Sqlite database client • GNU Debugger: Reverse engineering • Syslogd : To view iPhone logs • Tcpdump: capture traffic on phone • com.ericasadun.utlities: plutil (view plist files) • Darwin tools: Strings command • Odcctools: otool, nm …
  • 10.
    SSH to iPhone •Install Open SSH from Cydia • On workstation install SSH Client • iPhone has two users by default – Root and mobile (password is ‘alpine’) • Connect to the phone as a root user via SSH – SSH over WIFI SSH Clients > ssh root@iPhoneIP Type Windows OS X > password: alpine Console Putty SSH client GUI WinSCP Cyberduck – SSH over USB > ./itunnel_mux --lport 1234 > ssh –p 1234 root@127.0.0.1 > password: alpine
  • 11.
    Network Communication • Mobileapplication pentesting isn’t really all that different – It involves network communication • Communication mechanism • Clear text transmission (http) • Encrypted transmission (https) • Use of Custom or Proprietary protocols
  • 12.
    Clear text Transmission •It’s 2011. Still Apps run on http • More possible MITM attacks because of WIFI – Firesheep • To analyze HTTP traffic – Enable manual proxy in iPhone (settings - > WIFI - > manual)
  • 13.
    SSL Communication • HTTPSis required for sensitive data transmission • In SSL communication, – Apps may fail to validate SSL cert • allowsAnyHTTPSCertificateForHost – Apps which are validating the cert will not allow MITM • similar to modern browsers like Google chrome, IE 8… – To capture the traffic, load your proxy (burp) CA Cert to iPhone – Same applicable to other protocols which works on Cert
  • 14.
    Custom Protocols • Identifythe communication protocol – On SSH Terminal: > tcpdump -w traffic.pcap – Load the .pcap in wireshark and analyze • May not respect iPhone proxy settings • DNS Spoofing techniques to MITM • Once you capture the traffic it is a typical web application pentesting in which attacks are done on the application server -Authentication, Authorization, Session management, weak ciphers….
  • 15.
    Privacy Issues • EveryiPhone has an unique device identifier called UDID • Apps may collect the device UDID • With UDID – Possible to observe the user browsing patterns – Feasible to locate user Geo location – More possible attacks are documented in “Eric Smith: iPhone- Applications-Privacy-Issues.pdf” • One such application is – Openfient : mobile social gaming network http://corte.si/posts/security/openfeint-udid-deanonymization/ • Observe the network traffic to find out UDID transmission
  • 16.
    Application Data Storage •76 percent of mobile Apps store user data on phone • 10 percent Apps store passwords in clear text Source: viaforensics.com/appwatchdog • Apps store information on phone – For better performance – Offline access • Data storage locations • Plist files • Keychain • Logs • Screenshots • Home directory
  • 17.
    Application Directory Structure •Application run in a sandbox (seatbelt) with ‘mobile’ privileges • Each application gets a private area of the file system – App Home directory: /var/mobile/Applications/[GUID] SubDirectory Description Appname.app Contains the application code and static data Documents Data that may be shared with desktop through iTunes Library Application support files Library/Preferences/ App specific preferences Data that should persist across successive launches of the Library/Caches/ application but not needed to be backed up Temporary files that do not need to persist across successive tmp launches of the application
  • 18.
    Plist files • Propertylist files – often used to store user’s properties of an App – /var/mobile/Applications/[appid]/Documents/Preferences • Key value pairs are stored in binary format • Easily extracted and modified with property list editor, plutil • Look for usernames , passwords, cookies… • Apps may take Authentication/Authorization decisions – Ex: admin=1, timeout=10 • Do not store clear text data in plist files
  • 19.
    Keychain • SQLite database for sensitive data storage • Four tables: genp, inet, cert, keys • Located at: /var/Keychains/keychain-2.db • Keychain data is encrypted – Uses hardware encryption key – Uses user passcode for encryption • Depends on accessibility constant of keychain entry – Can not be moved to other device • Idea is, developers can leverage keychains to have the OS to store information securely – Not any more
  • 20.
    Keychain • Accessible toall the applications • Application can only access it’s key chain items – On a JailBroken device It can be bypassed • Keychain Dumper Tool – by github – Displays keychain entries of all the installed applications • Use data protection API while storing data in keychain • Use kSecAttrAccessibleWhenUnlocked accessibility constant – If phone is lost & user sets a passcode, it is difficult to retrieve protected contents in keychain – Keychain data is encrypted with User Passcode
  • 21.
    Error Logs • Appsmay write sensitive data in logs – Debugging (NSLog calls) – Trouble shooting – Requests & Responses – /private/var/log/syslog • To view iPhone logs – Console App (from AppStore) – Sync to iTunes • Mac OS X : ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE_NAME> • Windows XP: C:Documents and Settings<USERNAME>Application DataApple computerLogsCrashReporter/<DEVICE_NAME>
  • 22.
    Screenshot • Home buttonshrinks your application with a nice effect • iOS takes screen shots of the application to create that effect • Sensitive data may get cached – App directory/Library/Caches/Snapshots • Solution – Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns – Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the "Application does not run in background" property in the application's Info.plist file
  • 23.
    Screenshot Copied From SANS website
  • 24.
    Home directory • Apps can store data in application home directory • Custom encryption mechanism can be used to store files • Use Reverse engineering techniques to find encryption key • Write tools to break the custom encryption
  • 25.
    Reverse Engineering • Appsdownloaded from AppStore are encrypted – Fairplay DRM (AES) • On a JailBroken device, we can decrypt Apps easily – Craculous : decrypts Apps on device – Installous : installs decrypted Apps on device • Self distributed Apps are not encrypted • Hex Rays decompiler & Run time debugger (gdb) • Look for Hard coded passwords and encryption keys • Buffer Overflows – iOS 4.3 introduced ASLR support • Apps must be compiled with PIE (position independent executable) for full support
  • 26.
    URL Scheme • ProtocolHandlers - mailto:, tel: • Browser to App interaction • View Info.plist for supported schemes > plutil Facebook.app/Info.plist CFBundleURLName = "com.facebook"; CFBundleURLSchemes = ( fbauth, fb ); • Parameters are supplied to the application Mailto:securitylearn.wordpress@gmail.com twitter://post?message=visit%20maniacdev.com – Bad Input crash Apps
  • 27.
    URL Scheme • Decryptthe App to find parameters > strings Facebook.app/Facebook | grep 'fb:' fb://online#offline fb://birthdays/(initWithMonth:)/(year:) fb://userset fb://nearby fb://place/(initWithPageId:) – http://wiki.akosma.com/IPhone_URL_Schemes • Remote attacks – URL Scheme allows to edit or delete data without user permission Ex: Skype URL Handler Dial Arbitrary Number <iframe src="skype://14085555555?call"></iframe>
  • 28.
    Push Notifications • Appvendors use this service to push notifications to the user's device even when the app is in a frozen state – Instant Messenger alerts the user when a new message is received even though the user is using another app • Device token unique to ios instance is required • Push notification data can be read by Apple – Do not send Confidential data in notifications • Do not allow push notifications to modify App data
  • 29.
    Major mobile Threats •Easy to lose phones – Device is protected with passcode – Sensitive files on the device are encrypted – What’s the threat? • Data encryption in mobile is only available after boot up – Boot Rom exploits • all files on the device can be copied with in 10 minutes – Passcode brute force • 4 digit passcode can be brute forced with in 20 minutes • Mobile App Risks – Veracode Top 10 – OWASP Top 10
  • 30.
    References • BlackHat 2011- DaiZovi_iOS_Security • Fraunhofer iOS Device encryption security • GitHub – Keychain Dumper
  • 31.
    Thank You Email :Satishb3@securitylearn.net Blog: http://www.securitylearn.net