Hacking and Securing iOS Apps : Part 1

32,363 views

Published on

This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.

Published in: Technology
5 Comments
32 Likes
Statistics
Notes
No Downloads
Views
Total views
32,363
On SlideShare
0
From Embeds
0
Number of Embeds
8,828
Actions
Shares
0
Downloads
377
Comments
5
Likes
32
Embeds 0
No embeds

No notes for slide

Hacking and Securing iOS Apps : Part 1

  1. 1. Hacking & SecuringiOS Apps@GeekCampSG18th Aug 2012 Subhransu Behera (Subh) Twitter: @subhransu Email: subh@subhb.org
  2. 2. 1. Hacking iOS Apps
  3. 3. About Me• iOS Application Architect in SAP• Developing iOS Apps for last 4 Yrs.• Co-organizer of iOS Dev Scout (iOS Developer Group in SG)• Worked as a RoR and Linux Developer prior to iOS• Understand Web, Mobile and Unix Systems• Have built iOS apps ranging from games to large scale enterprise apps.
  4. 4. So, 2 questions• Are the iDevices secure?• Are the apps that you developer using iOS SDK secure? Answer to both the questions are NO
  5. 5. I will be Talking on• How easy it’s to steal data from the apps you are developing• How to protect these apps• Not on how to protect your iDevices.
  6. 6. System DataFile System Database Bundle User’s own iDevice running your APP Backend Database Server other users other users other users running the running the running the same app same app same app You need to protectFile System Database Bundle data both on client and server side System Data
  7. 7. Apple’s Security Model Crypto Engine Data ProtectionSoftware Class App Sandbox Hardware and User Partition Firmware Device Key Group Key OS Partition Apple Root Certificate Encrypted File System Kernel
  8. 8. Breaking down further• Reduced Attack Surface• User & Group Permissions• Code Signing• Data Execution Prevention (Data vs Code)• Sandboxing• Address Space Layout Randomization
  9. 9. In spite of all these, a hacker can• Steal Data from File System• Steal Data from Network• Attack App Server• Run an Exploit from the iDevice
  10. 10. Developers usually store their application data in• Bundle• Document Directory• Library Directory• Key Chain• iCloud or on their own Server
  11. 11. Let’s HackSome Apps
  12. 12. Data fromBundle Directory
  13. 13. Easiest of All• Some Developers put their database, plist and other data files in bundle directory• It’s very easy to extract data available in bundle directory from the application payload• Data that you can extract are images, audio, video files, plist, xml files or any other files that are stored in bundle directory
  14. 14. Steps to do it• Go to iTunes App Directory• Right click on any app whose data you want to extract• Select “Show in Finder” option• You can extract the content of the file if you have tools like “Stuffit expander”. Otherwise, just rename the app.ipa >> app.zip• Extract using any unarchive tool• The binary of the app is within Payload directory.• Right click on the binary and “Show Package Contents” to extract the content of bundle directory.
  15. 15. Steps to do it1. Show in 3. Show Package 2. Unarchive Finder Contents
  16. 16. Contents from SGCarParks App• The app uses sqlite database file stored on Bundle directory to display car park information in Singapore.• Below is the content of sqlite file that contains Name of car parks, location (Latitude, Longitude), ERP Rates of the parking lots on weekdays and weekends.
  17. 17. Following the above steps• You can extract unencrypted Resource and Media Files• However, images are encoded by Apple to reduce the size of the binary.• So by following the above process you can’t extract the images of apps directly.• To extract reusable images you need to extraction tools like: Crunch • http://www.pragmaticcode.com/crunch/
  18. 18. Images from Instagram App• Search the name of the app.• Select the application and Click on Export Icon.• Uncheck “only export highest definition” to export all images• Choose a directory to export the contents. Images Extracted from Instagram using Crunch
  19. 19. Displaying PVR Images• PNG images use a significant amount of memory when a lot of frames are used for animation.• So game applications like AngryBird use PowerVR (commonly known as PVR) Texture images in stead of PNG images to reduce memory usage.• You can use TexturePacker tool to both create and display PVR Images. Images extracted from AngryBird http://www.codeandweb.com/texturepacker iPhone App displayed using TexturePacker
  20. 20. Data fromDocument / LibraryDirectory
  21. 21. Document / Library Directory• It’s possible to extract unprotected files from Document directory on an authorized computer using iTunes.• It’s possible to extract unprotected files from Document / Library directory using Tools like iExplorer even if device is locked.• Hacker can jailbreak a device using softwares like redsn0w or ac1dsnow even if device is locked.• Extracting data from a jailbroken device is super easy.
  22. 22. Data Extraction using iExplorer• Download iExplorer from: http://www.macroplant.com/iexplorer/• Connect the target iDevice• Browse to the Application whose data you want to extract under • Apps > “App Name”, replace App Name with the target app name. In this example we will be extract messages from Whatsapp iOS app.• Whatsapp messenger stores imported Addressbook in Document Directory by the name Contacts.sqlite and all conversations locally in ChatStorage.sqlite• You can export these files or any other files from Library Directory to a folder.
  23. 23. Extracting Chats from Whatsapp 1. Export DB File from Document Directory 2. Display Content on SQLite Manager
  24. 24. SniffingNetwork Traffic
  25. 25. Network Sniffing using Paros• Download and Install Paros : http://www.parosproxy.org/ download.shtml• Make sure your Mac and iDevice use same WiFi hotspot.• Launch Paros. Go to Tools > Options > Local Proxy• Set local proxy Address as the IP address of your mac and port as 8080• On your iDevice, select the WiFi network you are connected to and set manual proxy with the above details. This direct the traffic of iDevice through Paros.
  26. 26. Network Sniffing using Paros1. Configuring Paros with local IP on Port 8080 2. Configuring iPhone
  27. 27. Sniffing Instagram Traffic• Instagram store photos taken by users on Amazon Web Server• Whenever the app makes an internal API call either to get an user’s timeline or user’s own photos, the application fetches photos from AWS using public URL.• Using Paros you can sniff the network traffic and find out request parameters and responses of such API calls.• If you are sitting in a cafe which have public WiFI. Then you can capture packets and get photos of everyone who are using the same network.• For some apps you can even get username and password if those are being passed in clear text or even if its base64 encoded.
  28. 28. Sniffing Instagram Traffic API response captured by Paros
  29. 29. ManipulatingRuntime
  30. 30. Libraries & Frameworks• If you have ever wondered what are some of the libraries and framework your favorite iOS applications are using. Then you can use otool (object file displaying tool) to display object information from its binary. • http://goo.gl/o4EwT• You can also find class interface of an app using class-dump-z. This usually consists of the header file (.h) file of the application whose information you’re extracting. • http://code.google.com/p/networkpx/wiki/class_dump_z
  31. 31. Frameworks & Interfaces of apps
  32. 32. Breaking ObjC Codes• As ObjC is a dynamic language that’s based on the principle of message passing. It’s possible to inject custom code in a jailbroken device during runtime modifying the content of a variable or method to perform malicious activities.• On a jailbroken device you can install OpenSSH utility that will allow you to login as root user to the target device.• You can ssh to the target device using the command root@<ip_address_of_device>. Default password is alpine• After successfully logging into the device you can reverse engineer or modify the runtime in gdb mode.
  33. 33. Abusing Runtime with Cycript Using Cycript to manipulate runtimeDownload Cycript from: http://www.cycript.org/
  34. 34. ObjC variables in runtime1. Extracting Existing pin 2. Overwriting Existing pin.of PhotoVault App from Now original user can not its pinLock instance even access his own photos
  35. 35. Next Steps• Start hacking your own apps and see if it’s easy to steal sensitive data from those apps.• Attend my talk on “Securing iOS Apps” at iOS Dev Scout # Sept Meetup • On 13th Sept 2012 (Thursday) at PlugIn@BLK71 • RSVP here: https://www.facebook.com/events/340285926062221/• Go through the Books and Resources mentioned in next slides.
  36. 36. BooksHacking and Securing iOS iOS Hacker’s Handbook iPhone and iOS ForensicsApplications (Must Read) By : Charlie Miller By : Andrew HoogBy : Jonathan Zdziarski
  37. 37. • Resources Apple Reference Guides • Security Overview • Security Starting Point for iOS • Keychain Service Programming Guide • Secure Coding Guide • Cryptographic Services Guide • Certificate, Key,Trust Services Programming Guide• Sample Codes • Crypto Exercise : https://developer.apple.com/library/ios/samplecode/CryptoExercise/ CryptoExercise.zip • Generic Keychain : https://developer.apple.com/library/ios/samplecode/GenericKeychain/ GenericKeychain.zip
  38. 38. iOS Conf SG - 201331st Jan : Workshop & Hands-on Sessions1st & 2nd Feb : Conference(15 Awesome Talks by renownediOS Authors, Bloggers, App Creators)For Updates:Join Our Facebook Group:https://www.facebook.com/groups/iosdevscout/Follow on Twitter: @iOSConfSG
  39. 39. Thank YouSubhransu Behera (Subh)Twitter: @subhransuEmail: subh@subhb.org

×