Objectives - Security Assessment• Determine the correct path to Exploitation.• Many Attacks, Weaknesses and Impacts.
RULE #1: Mobile SecurityPerform sensitive/confidential/dangerous operations OFF-DEVICE......also, we still can’t trust user input.
Mobile Assessment: Key Difference• User-access to runtime environment DEVS: **New perspective allows us to see everything you are doing**VS...
Jailbreak vs. Rooting• Jailbreak (iOS) - Users can break out of sandbox, but are stilllimited by the Apple kernel. (Your iPhone is still an iPhone)• Rooting (Android) - Implement a new kernel, turn your phoneinto ???I
Security Controls• Reduced Attack Surface• Code Signing/App Store Approval Process - iOS Android is more of a free-for-all• Sandboxing• NX Memory• ASLR/PIE (compiler flag) Rarely used in 3rdparty applications• Certificate Verification• Device Encryption
Jailbreak in 30 sec• DISCLAIMER: BRICK WARNING!!!• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!• DISCLAIMER: APPSTORE DEREGULATION!• Beware of Jailbreak SCAMMERS!• iPhone Dev Team (blog.iphone-dev.org)• evad3rs Team (http://evasi0n.com/)• Android is more complicated. (SuperOneclick) Hardware/OS/Carrier dependent
Finding TargetsPLENTY of them out there…650,000+ Applications in AppStore*250,000+ listed for iPad•App Store: ~/Music/iTunes/iTunes Media/Mobile Applications .ipa file (zip archive)•On iOS: /var/mobile/Applications/<UUID>/<AppName>.app/*Source: Techcrunch, July 2012
Techniques: Data Storage• Pulling out data… SELECT * FROM <table>
Techniques: SQL Injection• Should look familiar...
Advanced Techniques: Objective-C (iOS) Primer• Abstraction of Standard C Based on Smalltalk Designed to be “Object-oriented easy.” The good old days:Buffer Overflows, Format Strings, etc... RETURN!!!
Advanced Techniques: iOS Runtime Inspection• GDB Execute/load binary Breakpoint on start address 0x2000 (PIE may cause this to move on you)gdb $> dump memory <filename> <start address> <end address>
Advanced Techniques: iOS Binary Inspection,Unencrypted• IDA Pro Binary graphing/analysis…
IDA Pro: What to look for?• Using the Apple DEV reference File Writes Network Connections Keychain Access UI Form Fields
• What can we do with this? Application Tracing/Logging (filesystem, network, etc...) Turn off Jailbreak detection Fake GPS data... (think: location-aware security) The possibilities get scarier as trust grows...Advanced Techniques: iOS Runtime Manipulation