iOS (Vulner)ability

1,036
-1

Published on

iOS security architecture.

Published in: Mobile, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,036
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
28
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

iOS (Vulner)ability

  1. 1. iOS (Vulner)ability Subho Halder Co Founder AppKnox
  2. 2. ./WhoAmI Co Founder of AppKnox ( XYSec Labs ) Python Lover Sole Creator and Developer of Android Framework for Exploitation (AFE) Found Security Bugs in Apple, Google, Skype, Webkit, Facebook, Microsoft, …..
  3. 3. Security is …… http://xkcd.com/327/
  4. 4. NSLog [@“Agenda”]; Quick overview of iPhone iOS Platform. iOS Security Structure What is a Jailbreak? iOS App (IN)Securities
  5. 5. Peek into a state-of-art Prison
  6. 6. iOS Hardware Architecture Application Processor Baseband iOS User interaction Applications ... NucleusOS Radio communication
  7. 7. iOS Hardware Architecture Application Processor Baseband Processor audio display power managment camera WIFI BT GSM UART I2S
 GPIO
 DMA
 controls sim/net-lock !
  8. 8. Phew, Security Architecture
  9. 9. ***[Sandboxing]*** NAND Flash FTL: converts logical partition to NAND flash architecture looks like BLOCK device System Partition / (Read Only) User Partition /private/var NAND FTL Block Device / (RO)
 (System Partition) /private/var (RW)
 (User Partition)
  10. 10. ***[Sandboxing]*** 3rd Party lives only on User Partition Apps run as mobile user Kernel Signature checks executables 
 in system-call execve() %{ How did you Jailbreak it? }% NAND FTL Block Device / (RO)
 (System Partition) /private/var (RW)
 (User Partition)
  11. 11. **Memory Protection W^X Policy Non Executable Stack or Heap ASLR (Address Space Layout Randomisation) %{ Did you forget about Return-Oriented-Program }%
  12. 12. Code Signing Implemented inside Kernel Kernel signature checks executables in systemcall execve() Kernel stored on System Partition (kernelcache) Kernel is signature checked before being loaded. %{ Can still be by-passed :/ }%
  13. 13. Encryption @#%$#^% ! Everythong is encrypted Hardware AES Engine Keys derived from hardware keys GID-key UID-key %{Possible to use Jailbreak tools e.g. Syringe to use the hardware engine}%
  14. 14. What is J@!lbr3@k ?
  15. 15. How your iPhone boots up? signature check signature check signature check signature check Bootrom LLB (Low Level Bootloader) iBoot Kernel Application NOR NOR NAND NAND
  16. 16. Recovery Mode? Bootrom LLB (Low Level Bootloader) iBoot signature check signature check Kernel Kernel Ramdisk
  17. 17. DFU Mode ! Bootrom iBSS iBEC Kernel Ramdisk Bootrom LLB (Low Level Bootloader) iBoot Kernel Application minimal
 iBoot
  18. 18. Attacking the chain of trust! signature check Bootrom LLB (Low Level Bootloader) iBoot Kernel Application signature check signature check signature check signature check attack here (cannot be fixed) attack here attack here attack here System Software
  19. 19. Where do we go wrong?
  20. 20. Plists Used by iPhone to store saved properties and data XML Binary (compressed XML) (depreciated) The binary plists need converting, you can use: plutil to convert to XML Property List Editor (in XCode) plists contain all kinds of juicy information. Check for: Cookies, emails, usernames, passwords, sensitive application data, client side role identifiers, protocol handlers, etc.
  21. 21. B00M! :O
  22. 22. INSERT into `SQLite` A lot of iOS applications sensitive data in SQLite3 databases on the device. Sqlite3 does not have built-in support for encryption. There are extensions (CEROD is one, sqlcipher is another) that support encryption, but the code is not publicly available, you need to license it. Apple has not, so the included version of sqlite3 does not support encrypted databases. Still dangerous to store stuff client side. To bypass: Cerod is as simple as looking for “cerod:passwd” or break pointing and pulling out of memory: sqlite3_open(":cerod:passwd:filename.db", &db);
  23. 23. )()()( Keychains )()()( Keychain = Encrypted container for storing sensitive information Smarter devs store passwords and sensitive data using the keychain. Unfortunately with access to a phone and jailbreaking we can decrypt the keychain and dump the contents.
  24. 24. tail -f /var/logs/ iOS Logs lots of data, NSLog especially, They can be viewed after the fact in: ~/Library/Logs/CrashReporter/MobileDevice/<Device name>/private/var/ log/system.log Can be viewed in you mac “console” app under utilities
  25. 25. File Caching m/m/ If the application uses PDF, Excel, or other files it may be possible that these files may have been cached on the device. These can be found at: ~/Library/Application Support/iPhone simulator/x.x.x/ Applications/<application folder>/Documents/temp.pdf
  26. 26. $(`Keyboard Caching`) Keystrokes for predictive spellcheck are stored in: ~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/ dynamic-text.dat This issue is similar to autocomplete for web browsers. Already disabled for password fields Should be disabled for any potentially sensitive fields (account numbers, SSN, etc, etc…) Set UITextField property autocorrectionType = UITextAutocorrectionNo for mitigation.
  27. 27. Snapshot Caching When in an application and the home button is pushed, the application stores a snapshot (screenshot) in the apps snapshot folder ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/ <application folder>/Library/Caches/Snapshots/ These persist until reboot. Hopefully you weren’t on a screen with any sensitive data!
  28. 28. Snapshot Caching
  29. 29. SQL Injection Client-Side SQL injection is a problem on the client side too! BAD: NSString *sql = [NSString stringWithFormat:@"SELECT name FROM products WHERE id = '%@'", id]; const char *query = [sql UTF8String]; GOOD: const char *sql = "SELECT name FROM products WHERE id = ?"; sqlite3_prepare_v2(database, sql, -1, &sql_statement, NULL); sqlite3_bind_text(&sql_statement, 1, id, -1, SQLITE_TRANSIENT);
  30. 30. XSS Client-Side Can occur whenever user controlled Objective C variables populated in to WebView stringByEvaluatingJavaScriptFromString 
 
 NSString *javascript = [[NSString alloc] initWithFormat:@"var myvar="%@";", username]; 
 [mywebView stringByEvaluatingJavaScriptFromString:javascript];
  31. 31. Vulnerable Obj-C Methods NSLog() [NSString stringWithFormat:] [NSString initWithFormat:] [NSMutableString appendFormat:] [NSAlert informativeTextWithFormat:] [NSPredicate predicateWithFormat:] [NSException format:] NSRunAlertPanel
  32. 32. How can you get started? https://www.owasp.org/index.php/OWASP_iGoat_Project
  33. 33. AppKnox - Cloud Based Security Automation Tool
  34. 34. Available for Android Coming soon for iOS
  35. 35. –Cicero “There is no castle so strong that it cannot be overthrown”
  36. 36. Thank You https://www.appknox.com http://subho.me @sunnyrockzzs subho.halder@gmail.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×