Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps

1. Blackbox analysis of iOS apps
   Dmitry 'D1g1' Evdokimov, Security researcher at Digital Security (ERPScan)
   © 2002—2013, Digital Security

2. #whoami
   • Director of DSecRG (ERPScan Research Group)
   • Section editor in the Xakep magazine
   • Co-organizer of DEFCON Russia & ZeroNights
   • Author of Python arsenal for RE
   Specialized in finding vulnerabilities in binary applications without source code

3. Attention please!
   It is not rocket science =)
   This work is a compilation of public information and my own experience

4. Goals of this workshop
   • How iOS and iOS applications work
   • The basics of iOS vulnerabilities
   • The skill of using common tools to find vulnerabilities in iOS apps

5. Agenda
   1. iOS platform: how it works, Objective-C, ARM, security mechanisms, jailbreak
   2. Introduction to Objective-C
   3. iOS apps: Mach-O format, application structure, …
   4. iOS vulns
   5. Blackbox testing: static and dynamic analysis

6. iOS
   • iOS is derived from OS X, with which it shares Darwin
   • ARM
   • The kernel sources remain closed
     • __arm__, ARM_ARCH
   • Touch-based
     • SpringBoard
   • Security mechanisms
     • Sandbox as a jail
   • …

7. iOS security mechanisms
   • Code Signing
     - X.509v3 certificates
   • Sandboxing (SeatBelt)
     - Inability to break out of the app's directory: /var/mobile/Applications/<app-GUID>/
     - Inability to access any other process
     - Inability to use any hardware devices directly
     - Inability to generate code dynamically
   • Privilege separation
     - Mobile user + Entitlements

8. Jailbreak
   • Jailbreak depends on SW & HW
   • Tethered
   • Untethered
   • Ability to access the file system
     • Copy/edit any file in the system
   • Bypassing sandbox restrictions
     • Break out of the app's directory
   • Launching unsigned applications
     • Launch applications that do not belong to the App Store

9. Apple about jailbreak
   http://support.apple.com/kb/HT3743

10. ARM
   • Advanced RISC Machine
   • Load-store architecture
   • Fixed-length instructions
   • 3-address instruction formats
   • Instructions:
     • Data transfer
     • Data processing
     • Control flow

11. ARM modes
   1. ARM
      • Length(Instr) = 4 bytes
   2. Thumb
      • Length(Instr) = 2 bytes
   3. Thumb2
      • Length(Instr) = 2/4 bytes
   4. Jazelle
      • Java bytecode + ARM/Thumb (listed for completeness; iOS app code is ARM/Thumb-2)

12. ARM32
   • Registers:
     • General Purpose: r0-r12
     • Stack Pointer: r13 (SP)
     • Link Register: r14 (LR)
     • Program Counter: r15 (PC)
     • Current Program Status Register (CPSR)
   • Calling Convention:
     • Argument Values: r0-r3
     • Local Values: r4-r12 (r4-r11 are callee-saved; r12 is the IP scratch register)
     • Return Value: r0

13. ARM 64-bit Architecture
   1. iPhone 5S
   2. AArch64 (ARM's name), ARM64 (Apple's name)

14. Divergences, divergences, divergences...

15. Development for iOS
   • Mac
   • Xcode
     • gcc/LLVM/LLVM-gcc compilers
     • iPhone Simulator (i386)
   • Cocoa Touch
   • Objective-C
   • Other: HTML, JavaScript, C# & .NET (Xamarin)

16. Objective-C
   • Object-oriented language
   • Based on:
     • a strict superset of C
     • Smalltalk

17. Calling methods
   C++:
     ObjectPointer->MethodName(param1, param2)
   Obj-C:
     [ObjectPointer MethodName:param1 param2Name:param2]
   which the compiler lowers to a runtime call whose second argument is the selector (the full method name with colons), so in disassembly the interesting call sites are the objc_msgSend variants, not the methods themselves:
     objc_msgSend(ObjectPointer, @selector(MethodName:param2Name:), param1, param2)
   Message-send variants:
     objc_msgSend()
     objc_msgSendSuper()
     objc_msgSend_fpret()
     objc_msgSend_stret()
     objc_msgSendSuper_stret()
     objc_msgSendSuper2()

18. Go to device
   • Jailbreak
   • Cydia
   • SSH/putty
   • itunnel_mux
   • WinSCP/scp

19. Prepare env in device
   • otool
   • class-dump-z
   • APT 0.6 Transitional
   • apt-get
   • Command line tools
     • curl, dpkg, file, grep, netcat, python, sed, …

20. Install apps from console
   • Debian package
       dpkg -i <package.deb>
       killall -HUP SpringBoard
   • App without developer license or patched
       scp -r HelloWorld.app/ root@yourIP:/Applications/
       uicache
       killall -HUP SpringBoard
   • IPA:
     o IPA Installer Console
     o iPhone Configuration Utility

21. Useful commands
   • Find an app's sandbox directory by name:
       cd /private/var/mobile/Applications
       find . -name '*Appname*'
   • List sandbox directories with their timestamps:
       cd /private/var/mobile/Applications
       ls -l | grep 'Time'

22. Applications
   • AppStore
     • IPA packages = ZIP files
   • On devices
     • /private/var/mobile/Applications/<UUID>/<AppName>.app/
   • Apple apps
     • /Applications/

23. Mach-O file format basic structure

24. Mach-O header
   1. 32bit (ARMv6, ARMv7)
      • 0xFEEDFACE
   2. 64bit
      • 0xFEEDFACF
   3. Universal binaries (FAT)
      • 0xCAFEBABE
   Thin ARM headers are little-endian, so a hex dump shows the bytes CE FA ED FE / CF FA ED FE; the FAT header and its fat_arch table are big-endian.

25. Application structure
   AppName.app/          App
   Documents/            Data files saved by the app
   Library/              Miscellaneous app files
   iTunesArtwork         App icon
   iTunesMetadata.plist  The property list of the app
   tmp/                  Directory for temporary files

26. Decrypt app from AppStore
   1. gdb
      • Choosing the right architecture (if FAT)
      • Breakpoint at start
   2. Clutch
   3. dumpdecrypted.dylib

27. Decrypt
   • Clutch
     • /var/root/Documents/Cracked/
   • dumpdecrypted.dylib
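The header magics from slide 24, the "is this slice still encrypted?" question that decides whether Clutch or dumpdecrypted is needed (slides 26-27), and the PIE/stack-cookie/ARC markers from slide 47 can all be read straight from the file before any tool is run. The script below is an added example, not part of the deck and not code from Clutch, dumpdecrypted or otool; it assumes a thin or FAT iOS Mach-O as input and builds a constructed sample binary inline so it runs offline. The cryptid check reads LC_ENCRYPTION_INFO (0x21) / LC_ENCRYPTION_INFO_64 (0x2C); the symbol check is the same heuristic as grepping `otool -Iv` output.

```python
"""Inspect an iOS Mach-O (thin or FAT) the way a blackbox tester does before
decrypting it: which slices exist, whether each is still App Store encrypted
(LC_ENCRYPTION_INFO cryptid), whether it is PIE, and whether stack-cookie and
ARC symbols are present. Pure stdlib; the sample binary is constructed inline."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin headers (little-endian on ARM)
FAT_MAGIC = 0xCAFEBABE                               # universal header (always big-endian)
MH_EXECUTE = 0x2
MH_PIE = 0x200000                                    # mach_header.flags bit
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000           # CPU_ARCH_ABI64
ARCH_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_thin(blob):
    """Parse one thin Mach-O image and return a dict of security-relevant facts."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == MH_MAGIC:
        hdr_fmt, bits = "<7I", 32   # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    elif magic == MH_MAGIC_64:
        hdr_fmt, bits = "<8I", 64   # same fields plus 'reserved'
    else:
        raise ValueError("not a little-endian Mach-O: magic 0x%08x" % magic)
    hdr = struct.unpack_from(hdr_fmt, blob, 0)
    cputype, ncmds, flags = hdr[1], hdr[4], hdr[6]
    info = {
        "bits": bits,
        "arch": ARCH_NAMES.get(cputype, "0x%x" % cputype),
        "pie": bool(flags & MH_PIE),
        "cryptid": None,            # None = no LC_ENCRYPTION_INFO at all (never an App Store binary)
    }
    off = struct.calcsize(hdr_fmt)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptoff, cryptsize, cryptid follow the 8-byte load_command header
            _, _, cryptid = struct.unpack_from("<III", blob, off + 8)
            info["cryptid"] = cryptid   # 1 = still FairPlay-encrypted, 0 = dumped/decrypted
        off += cmdsize
    # Same heuristic as grepping `otool -Iv` / `strings` output for the mitigation symbols.
    info["stack_cookie"] = b"___stack_chk_fail" in blob
    info["arc"] = b"_objc_release" in blob
    return info


def analyze(blob):
    """Dispatch on the FAT header; return {'fat': bool, 'slices': [info, ...]}."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, offset, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(parse_thin(blob[offset:offset + size]))
        return {"fat": True, "slices": slices}
    return {"fat": False, "slices": [parse_thin(blob)]}


def build_sample():
    """Constructed test input (not a real app): a FAT file with an encrypted,
    non-PIE armv7 slice and a decrypted, PIE arm64 slice carrying mitigation
    symbols in a fake string table. Real fat_arch offsets are page-aligned;
    the parser does not depend on that."""
    enc32 = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, 1)
    slice32 = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, MH_EXECUTE, 1, len(enc32), 0) + enc32
    enc64 = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 0, 0)
    strtab = b"\x00___stack_chk_fail\x00___stack_chk_guard\x00_objc_release\x00"
    slice64 = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1,
                          len(enc64), MH_PIE, 0) + enc64 + strtab
    off32 = 8 + 2 * 20
    off64 = off32 + len(slice32)
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", CPU_TYPE_ARM, 9, off32, len(slice32), 0)
    fat += struct.pack(">5I", CPU_TYPE_ARM64, 0, off64, len(slice64), 0)
    return fat + slice32 + slice64


def report(blob):
    """One line per slice, in the form a tester would paste into notes."""
    lines = []
    for s in analyze(blob)["slices"]:
        if s["cryptid"] is None:
            state = "no LC_ENCRYPTION_INFO"
        elif s["cryptid"] == 0:
            state = "decrypted"
        else:
            state = "ENCRYPTED (dump with Clutch/dumpdecrypted first)"
        lines.append("%s (%d-bit): %s, PIE=%s, stack_cookie=%s, ARC=%s" % (
            s["arch"], s["bits"], state, s["pie"], s["stack_cookie"], s["arc"]))
    return lines


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("\n".join(report(data)))
```

Run it against the main executable inside `<AppName>.app/` after copying it off the device; a slice reporting cryptid 1 will disassemble as garbage until dumped, and a missing PIE flag or absent `___stack_chk_fail` is worth noting in the findings before any memory-corruption hunting.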
28. OWASP Mobile Top 10 Risks

29. Traffic analysis
   • Passive network traffic monitoring with tcpdump
     Then load the *.pcap file into wireshark for analysis
   • Gateway method
   • BurpSuite
     • HTTPS: Import PortSwigger CA to the iDevice
   • dnsRedir
   • Mallory (by Intrepidus Group)

30. Certificate pinning?!
   • Pinning is the process of associating a host with their expected X509 certificate or public key.
   • OWASP
     • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#iOS
   • Attack
     • trustme
       • hooks SecTrustEvaluate
     • ios-ssl-killswitch
       • hooks SSLCreateContext, SSLSetSessionOption, SSLHandshake

31. Working with SSL certificates
   • NSURLConnection class
   • Accepting a self-signed certificate or incorrect error processing
     • allowsAnyHTTPSCertificateForHost
     • setAllowsAnyHTTPSCertificate
     • continueWithoutCredentialForAuthenticationChallenge

32. CFStreams sockets
   • kCFStreamPropertySSLSettings
     • kCFStreamSSLLevel
     • kCFStreamSSLAllowsExpiredCertificates
     • kCFStreamSSLAllowsExpiredRoots
     • kCFStreamSSLAllowsAnyRoot
     • kCFStreamSSLValidatesCertificateChain
     • kCFStreamSSLPeerName

33. Cross-site scripting
   • UIWebView class
     • stringByEvaluatingJavaScriptFromString
     • shouldStartLoadWithRequest

34. List of interesting strings
   • Don't use and don't leak
     • UDID
     • IMEI
     • ICCID
     • PII
     • OSN-ID
     • LID

35. XML injections
   • XML External Entity (XXE) flaws
   • NSXMLParser class
     • setShouldResolveExternalEntities
     • foundExternalEntityDeclarationWithName
   • libxml2 library
     • _xmlParseMemory
   • 3rd party libraries and classes

36. Directory traversal
   • NSFileManager class
     • contentsAtPath
     • fileHandleForReadingAtPath (NSFileHandle)
   • C functions
     • fopen
     • …
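Slide 36 names the sinks; what the tester actually probes is whether the string reaching them can leave the app's own directory. The Python below is an added example (not from the deck, and not an Objective-C listing): it contrasts the naive `Documents/ + name` join with a resolver that canonicalises the path and rejects anything outside the base directory, including a symlink planted inside Documents/. The directory tree, file names and the `resolve_within` helper are constructed for the example.

```python
"""Path containment check for a file API fed untrusted input (the Objective-C
counterpart is NSFileManager contentsAtPath:, NSFileHandle
fileHandleForReadingAtPath:, or plain fopen()). Shows the naive join beside a
hardened resolver that also defeats symlink escapes. The sample tree is
created in a temporary directory and removed afterwards."""
import os
import shutil
import tempfile


def naive_join(documents_dir, user_supplied):
    """What most apps do: 'Documents/' + name. '../' walks out of the sandbox dir."""
    return os.path.normpath(os.path.join(documents_dir, user_supplied))


def resolve_within(base_dir, user_supplied):
    """Return the real path if it stays under base_dir, else raise ValueError.
    realpath() follows symlinks, so a link planted in Documents/ cannot escape either;
    an absolute user path is neutralised because commonpath() will not match base_dir."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_supplied))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes %s: %s" % (base_real, candidate))
    return candidate


def build_sample_tree():
    """Constructed sandbox layout (not from the slides): <root>/app/Documents plus
    a 'secret.db' outside it and a symlink inside Documents pointing out."""
    root = tempfile.mkdtemp(prefix="iosbox_")
    docs = os.path.join(root, "app", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "note.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.db"), "w") as f:
        f.write("keychain-ish")
    try:
        os.symlink(os.path.join(root, "secret.db"), os.path.join(docs, "link"))
    except OSError:
        pass  # symlinks unavailable on this filesystem; the '../' cases still run
    return root, docs


def demo():
    """Run the cases; returns (naive_escapes, safe_ok, blocked) for checking."""
    root, docs = build_sample_tree()
    try:
        naive = naive_join(docs, "../../secret.db")
        naive_escapes = os.path.isfile(naive)        # True: the naive path reads the secret
        with open(resolve_within(docs, "note.txt")) as f:
            safe_ok = f.read() == "hello"             # legitimate access still works
        attempts = ["../../secret.db", "sub/../../../secret.db", "/etc/passwd"]
        if os.path.islink(os.path.join(docs, "link")):
            attempts.append("link")                   # symlink escape
        blocked = []
        for attempt in attempts:
            try:
                resolve_within(docs, attempt)
                blocked.append(False)
            except ValueError:
                blocked.append(True)
        return naive_escapes, safe_ok, blocked
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

When testing blackbox, feed the same four shapes of input (`../`, nested `../`, an absolute path, a symlink you create over SSH) to every place the app turns into a path: file names from the server, URL-scheme parameters, and names inside downloaded archives.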
37. File storage
   • NSFileManager class
     • NSFileProtectionKey attribute
       • NSFileProtectionNone
       • NSFileProtectionComplete
       • NSFileProtectionCompleteUnlessOpen
       • NSFileProtectionCompleteUntilFirstUserAuthentication
   • Tools:
     • filemon.iOS
     • FileDP

38. filemon.iOS

39. Plist files
   • plist – property lists
     • Serialized objects
     • XML or binary (files starting with "bplist00")
     • NSUserDefaults class (persisted unencrypted as Library/Preferences/<bundle-id>.plist in the app sandbox)
   • Tools:
     • Python library: plistlib, bplist
     • plist Editor
     • plutil
       • plutil -convert xml1

40. SQLite and SQL injections
   • SQLite database
     • /usr/lib/libsqlite3.dylib
     • /<GUID>/Documents/
       • *.sqlite, *.db, *.sqlite3
     • sqlite3_open
     • sqlite3_prepare_v2
     • sqlite3_step
   • Use parameterized queries
     • sqlite3_bind_*
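Slide 40 states the rule (bind parameters, never format them into the SQL) without showing why it matters in an app-local store. The following Python is an added example, not code from the deck: it uses the same SQLite library the device links as /usr/lib/libsqlite3.dylib and puts the string-built query (the `stringWithFormat:` + `sqlite3_prepare_v2` pattern) beside the bound-parameter form (`sqlite3_bind_*`). The table, rows and payload strings are constructed for the example.

```python
"""SQL injection in an app-local SQLite store: the string-built query the
slides warn about (stringWithFormat: + sqlite3_prepare_v2) beside the bound-
parameter form (sqlite3_bind_*). Python's sqlite3 module wraps the same C
library, so the behaviour carries over. Table and rows are constructed here."""
import sqlite3


def open_sample_db():
    """In-memory stand-in for <App GUID>/Documents/app.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice: shopping list"), ("bob", "bob: card PIN 1234")],
    )
    conn.commit()
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Equivalent of [NSString stringWithFormat:@"... WHERE owner = '%@'", owner]
    followed by sqlite3_prepare_v2(): the input becomes part of the SQL grammar."""
    sql = "SELECT body FROM notes WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Equivalent of sqlite3_prepare_v2() with a '?' placeholder plus
    sqlite3_bind_text(): the input is only ever a value, never syntax."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


# Payloads a tester would try through any field that ends up in a local query
# (a search box, a URL-scheme parameter, a server-supplied id).
TAUTOLOGY = "alice' OR '1'='1"                                   # read every row
SCHEMA_DUMP = "x' UNION SELECT sql FROM sqlite_master WHERE '1'='1"  # read the schema


if __name__ == "__main__":
    db = open_sample_db()
    print("vulnerable, tautology:", notes_for_owner_vulnerable(db, TAUTOLOGY))
    print("vulnerable, schema:   ", notes_for_owner_vulnerable(db, SCHEMA_DUMP))
    print("safe, tautology:      ", notes_for_owner_safe(db, TAUTOLOGY))
```

In a stripped binary the tell is a call to `sqlite3_prepare_v2` whose SQL argument comes out of `stringWithFormat:` (or `appendFormat:`) with a `%@` in it and no `sqlite3_bind_*` calls nearby; both the format string and the bind calls are visible with `strings` and `otool -Iv` even without decompiling.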
41. Keychain
   • Secure storage
     • File /private/var/Keychains/keychain-2.db
     • SecItemAdd()
     • SecItemUpdate()
     • SecItemCopyMatching()
     • SecItemDelete()
   • Tools:
     • keychain_dumper
     • keychain_dump

42. Cookies
   • Persistent cookies: Cookies.binarycookies
     • /private/var/mobile/Library/
     • /private/var/mobile/Applications/<App GUID>/Library/Cookies
   • Tool: BinaryCookieReader.py

43. Logs
   NSLog()
   Tools:
   • iPhone Configuration Utility
   • syslogd

44. Cache
   • UIPasteboard class
     • generalPasteboard
   • Backgrounding
     • <Application GUID>/Library/Caches/Snapshots/*/*.png
     • applicationDidEnterBackground
   • Keyboard cache
     • /var/mobile/Library/Keyboard/en_GB-dynamictext.dat
     • Fields that must not be cached need, on the UITextField:
       • secureTextEntry = YES
       • autocorrectionType = UITextAutocorrectionTypeNo

45. IPC
   • URL schemes
     • handleOpenURL
     • openURL
     • http://wiki.akosma.com/IPhone_URL_Schemes
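Two of the plist checks from the deck belong together: the NSUserDefaults/Preferences files on slide 39, which a tester greps for credentials and device identifiers (slide 34), and the URL schemes on slide 45, which an app registers in its Info.plist under CFBundleURLTypes and which are its externally reachable entry points. The script below is an added example, not from the deck or from the plistlib/bplist/plutil tools it lists; it assumes raw plist bytes as input (XML or binary, since `plistlib.loads` sniffs the format), and the two sample plists, the key-name patterns and the UDID-shaped-value heuristic are all constructed for the example.

```python
"""Audit property lists pulled off a jailbroken device. Works on both XML and
binary plists (plistlib.loads sniffs the format, as plutil -convert xml1
would). Two checks a tester runs: sensitive-looking keys or UDID-shaped
values in Library/Preferences/*.plist (NSUserDefaults), and the custom URL
schemes an app registers in Info.plist. Sample plists are constructed inline."""
import plistlib
import re

# Key-name fragments worth a second look; the list is a starting heuristic, not a spec.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|session|auth|udid|imei|iccid", re.I)
UDID_SHAPED = re.compile(r"^[0-9a-f]{40}$", re.I)   # 40 hex chars, like a UDID / SHA-1


def walk(node, path=""):
    """Yield (path, leaf) pairs for every scalar in a nested plist object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, "%s/%s" % (path, key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, "%s[%d]" % (path, index))
    else:
        yield path, node


def find_sensitive(root):
    """Return [(path, value)] whose key name or value looks like a secret/identifier."""
    hits = []
    for path, value in walk(root):
        key = path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY.search(key) or (isinstance(value, str) and UDID_SHAPED.match(value)):
            hits.append((path, value))
    return hits


def url_schemes(info_plist):
    """Return custom schemes from CFBundleURLTypes (each one is an IPC entry point
    reachable from Safari, other apps, or a web page the user taps)."""
    schemes = []
    for entry in info_plist.get("CFBundleURLTypes", []):
        schemes.extend(entry.get("CFBundleURLSchemes", []))
    return schemes


def audit(data):
    """data: raw bytes of an XML or binary plist. Returns (sensitive_hits, schemes)."""
    root = plistlib.loads(data)
    if not isinstance(root, dict):
        return [], []
    return find_sensitive(root), url_schemes(root)


def sample_preferences():
    """Constructed NSUserDefaults content (binary plist), not from any real app."""
    return plistlib.dumps({
        "username": "alice",
        "sessionToken": "eyJhbGciOiJub25lIn0.e30.",
        "udid": "0123456789abcdef0123456789abcdef01234567",
        "launchCount": 3,
    }, fmt=plistlib.FMT_BINARY)


def sample_info_plist():
    """Constructed Info.plist (XML) registering two URL schemes."""
    return plistlib.dumps({
        "CFBundleIdentifier": "com.example.demo",
        "CFBundleURLTypes": [{
            "CFBundleURLName": "com.example.demo",
            "CFBundleURLSchemes": ["demoapp", "demoapp-auth"],
        }],
    }, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for path, value in audit(sample_preferences())[0]:
        print("sensitive:", path, "=", value)
    print("URL schemes:", audit(sample_info_plist())[1])
```

Every scheme the audit lists is a string to put into Safari as `scheme://...` with the app running under a debugger or Introspy, since whatever `handleOpenURL:` / `openURL:` does with the parameters runs on input the app never authenticated.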
46. Memory corruptions
   • Obj-C + C/C++ function =
     • Format string (dangerous when attacker-controlled text is passed as the format itself, e.g. NSLog(userString) instead of NSLog(@"%@", userString))
       • NSLog()
       • [NSString stringWithFormat:]
       • [NSString initWithFormat:]
       • [NSMutableString appendFormat:]
       • [NSAlert informativeTextWithFormat:]
       • [NSPredicate predicateWithFormat:]
       • [NSException format:]
       • NSRunAlertPanel
     • Buffer overflow
     • Use-after-free

47. Check for exploit mitigations
   • Stack cookie (imported symbols, visible with otool -Iv)
     • _stack_chk_fail
     • _stack_chk_guard
   • PIE (the PIE flag in the Mach-O header, visible with otool -hv)
   • ARC (runtime imports; their absence means manual retain/release and a higher chance of use-after-free)
     • _objc_release
     • _objc_retainAutoreleaseReturnValue
     • _objc_autoreleaseReturnValue
     • _objc_storeStrong
     • _objc_retain
     • _objc_retainAutoreleasedReturnValue

48. TOOLS

49. IDA Pro

50. radare2 ARM64 Mach-O
   1. ???

51. Hopper

52. iNalyzer

53. cycript

54. Introspy

55. Snoop-it

56. Q&A
   d.evdokimov@dsec.ru
   @evdokimovds
