iOS Application Security Testing

Web Security Products, Consulting & Training Company
Feb. 2, 2016

More Related Content

Similar to iOS Application Security Testing(20)


iOS Application Security Testing

  1. © Blueinfy Solutions iOS Attacks
  2. © Blueinfy Solutions Insecure Data Storage
  3. © Blueinfy Solutions Insecure Storage • Why application needs to store data – Ease of use for the user – Popularity – Competition – Activity with single click – Decrease Transaction time – Post/Get information to/from Social Sites • 9 out of 10 applications have this vulnerability
  4. © Blueinfy Solutions Insecure Storage • How attacker can gain access – Wifi – Default password after jail breaking (alpine) – Physical Theft – Temporary access to device
  5. © Blueinfy Solutions Insecure Storage • What information we usually find – Authentication Credentials – Authorization tokens – Financial Statements – Credit card numbers – Owner’s Information – Physical Address, Name, Phone number – Social Engineering Sites profile/habbits – SQL Queries
  6. © Blueinfy Solutions System Information Detail Location Applications /var/stash/Applications Etc /private/etc Var /private/var User /var/mobile Provisioning Profile /var/mobileDevice/ProvisioningProfiles Logs /var/log, /var/logs /var/mobile/Library/Logs Network Settings / var/preferences/SystemConfiguration/ ication.plist Wifi Settings /var/preferences/SystemConfiguration/ /var/preferences/SystemConfiguration/preferences.plist Apple ID, Owner information and Firmware Information /root/Library/Lockdown/data_ark.plist Keychain /var/Keychains KeyBoard Cache /User/Library/Keyboard/dynamic-text.dat Tmp /private/var/tmp
  7. © Blueinfy Solutions Application Information Detail Location Address Book /var/mobile/Library/AddressBook/AddressBook.sqlitedb /var/mobile/Library/AddressBook/ AddressBookImages.sqlitedb Last searched Google maps /var/mobile/Library/Caches/MapTiles/MapTiles.sqlitedb Google Map History Information /var/mobile/Library/Maps/History.plist /var/mobile/Library/Maps/Directions.plist Calendar /var/mobile/Library/Calendar/Calendar.sqlitedb Data under notes application /var/mobile/Library/Notes/notes.sqlite Configuration file for Applications /var/mobile/Library/Preferences Photos /var/mobile/Media/DCIM/ Application Pictures when HOME button is pressed (Each application has its own directory - Default applications) /User/Library/Caches/Snapshots
  8. © Blueinfy Solutions Default Services Information Detail Location Call History (Odd number is for Outgoing calls, Even number is for Incoming calls) /var/mobile/Library/Callhistory/call_history.db SMS (Odd number is for Outgoing calls, Even number is for Incoming calls) /var/mobile/Library/SMS/sms.db Voicemail /var/mobile/Library/Voicemail/voicemail.db Voice mail recording /var/mobile/Library/Voicemail/ System provided applications, ringtons and wallpapers /var/stash Call History /var/wireless/Library/CallHistory Call Log /var/wireless/Library/logs Call Preferences /var/wireless/Library/Preferences
  9. © Blueinfy Solutions User Installed Application Detail Location Installed Applications /User/Applications or /private/var/mobile/Applications Application Directory (Binary, supporting files /User/Applications/<app GUID>/<> or /private/var/mobile/Applications/<app GUID>/<> Applications documents i.e. images, PDF, text files /User/Applications/<app GUID>/Documents Application cookies /User/Applications/<app GUID>/Library/Cookies/Cookies.binarycookies Application Preferences (plist files) /User/Applications/<app GUID>/Library/Preferences Application temporary storage /User/Applications/<app GUID>/tmp Application crash report /User/Library/Logs/CrashReporter Application Screens when pressed HOME button /User/Applications/<app GUID>/Library/Caches/Snapshots
  10. © Blueinfy Solutions Browser information Detail Location Browser Cookie /var/mobile/Library/Cookies/Cookies.binarycookies Browser favorites (Book marks) /var/mobile/Library/Safari/Bookmarks.db Browser History /var/mobile/Library/Safari/History.plist Browser Settings /var/mobile/Library/Preferences/ Browser Cache /User/Library/Caches/
  11. © Blueinfy Solutions Insecure Data Storage • Access file system – CyberDuck • Plist files – xCode/plist Editor • Keychain file (hardware bound ency) – KeyChain Dumper • Information in Db files – SQLite Browser • Logs with queries – SQLite Browser Hands On – Look for Sensitive information in DVDs4Less Application
  12. © Blueinfy Solutions Implementation
  13. © Blueinfy Solutions Local file access
  14. © Blueinfy Solutions Insufficient Transport Layer Protection
  15. © Blueinfy Solutions Insecure Network Channel • Important to encrypt data in the transmission • Easy to perform MiM attacks as Mobile devices uses untrusted network i.e open/Public WiFi, HotSpot, Carrier’s Network • Application deals with sensitive data i.e. – Authentication credentials – Authorization token – PII Information (Privacy Violation) (Owner Name, Phone number, UDID
  16. © Blueinfy Solutions Insecure Network Channel • Can sniff the traffic to get an access to sensitive data • SSL is the best way to secure communication channel • Common Issues – Does not deprecate HTTP requests – Allowing invalid certificates – Sensitive information in GET requests
  17. © Blueinfy Solutions UI Impersonation/Spoofing
  18. © Blueinfy Solutions Activity Monitoring
  19. © Blueinfy Solutions Monitoring • Default OS behavior after iOS 4.0 to cache all the URLS (Request/Response) in the local storage in file named cache.db file • Request/Response includes the login request with username and password • Cache.db file is not encrypted Hands On – Locate cache.db file in DVDs4less application and see request/response
  20. © Blueinfy Solutions Malicious Monitoring • Few services are shared between all the applications • A malicious user can write application to monitor these services – including clipboard monitor
  21. © Blueinfy Solutions Sensitive Data Retrieval
  22. © Blueinfy Solutions PII Information Leakage • Application usually have access to user’s private information i.e. Owner Name, Location, Physical Address, AppID, Phone Number • This information needs to be handled very carefully as per the law in some countries • Storing this information in plain text is not allowed in some countries
  23. © Blueinfy Solutions Client Side Injection
  24. © Blueinfy Solutions SQL Injection in Local database • Most Mobile platforms uses SQLite as database to store information on the device • Using any SQLite Database Browser, it is possible to access database logs which has queries and other sensitive database information • In case application is not filtering input, SQL Injection on local database is possible
  25. © Blueinfy Solutions Poor Authorization and Authentication
  26. © Blueinfy Solutions Authorization & Authentication • No password complexity specially on mobile • Hidden/No Logout button • Long session time out • No account lock out • Authorization flags or based on the local storage
  27. © Blueinfy Solutions Improper Session Handling
  28. © Blueinfy Solutions Improper Session • Session is key for any application for authorization • Application is sending sensitive information in GET request (Be it on HTTP or HTTPS) • GET requests are logged at multiple places • Ends us giving away session to the privilege user with malicious intent
  29. © Blueinfy Solutions Session Cookie • HTTP is state-less protocol • Application leverages session cookie to maintain state for the user • Session cookies are stored in binary format in iOS • File structure is public information • A python script has been written to uncover cookies (
  30. © Blueinfy Solutions Security Decisions Via Untrusted Inputs
  31. © Blueinfy Solutions Untrusted Source • Any input from client side which can be modified • Mainly authentication and authorization decisions based on the untrusted input • Easiest way for developer to solve complex issues/functionality • Attacker can get this information by either reverse engineering application or by checking local storage
  32. © Blueinfy Solutions KeyChain Dumper (Old Way) • Upload Keychain Dumper in "/private/var“ • Dump all of the entitlements necessary to access the entries in your target's keychain. • ./keychain_dumper -e > /var/tmp/entitlements.xml • Sign the obtained entitlements into keychain_dumper. • ldid -S/var/tmp/entitlements.xml keychain_dumper • Get all the keys • ./keychain_dumper
  33. © Blueinfy Solutions KeyChain Dumper – DON’T • Do not change Path (Tool just does not do a job well) • Set proper permissions – Keychain_dumper – Executable permission – keychain-2.db – Read permission • Files needs to be deleted before running it again
  34. © Blueinfy Solutions KeyChain Dumper – Easy Way • Shell Script • Shell Script to clean chmod +x /private/var/keychain_dumper chmod +r /private/var/Keychains/keychain-2.db ./keychain_dumper -e > /var/tmp/entitlements.xml ldid -S/var/tmp/entitlements.xml keychain_dumper ./keychain_dumper > /tmp/keys.txt rm -f /private/var/keychain_dumper rm -f /var/tmp/entitlements.xml
  35. © Blueinfy Solutions KeyChain Dumper (After 5.0) • Upload Keychain Dumper in "/private/var“ • Dump all of the entitlements necessary to access the entries in your target's keychain. • ./keychain_dumper -e > /var/tmp/entitlements.xml • To sign keychain_dumper file, transfer keychain_dumper and entitlements.xml file to any MAC machine • Install Keychain Access on MAC
  36. © Blueinfy Solutions KeyChain Dumper (Cont…) • Open keychain_access by opening binary at (/Applications/Utilties/Keychain Access) • Create a “code signing “ “self signed certificate” – Select Type as “Self Signed Root” – Select “Code Signing”
  37. © Blueinfy Solutions KeyChain Dumper (Cont…) • Sign keychain_dumper file using codesign command # codesign -fs "Test" --entitlements entitlements.xml keychain_dumper • Upload keychain_dumper to iOS device • Get all the keys • ./keychain_dumper
  38. © Blueinfy Solutions KeyChain Dumper – New Version • Easy as running a command • Upload on to server in /var directory • Give execute permission – Chmod +x /var/keychain_dumper • Get all the keys • ./keychain_dumper
  39. © Blueinfy Solutions Side Channel Data Leakage
  40. © Blueinfy Solutions Data Leakage to third party • Applications gather Private information and sends to advertisement servers • Advertisement companies pay per the application (This is how the free apps make money) instance
  41. © Blueinfy Solutions Weak Server Side Controls
  42. © Blueinfy Solutions Server Side Issues • Most Application makes server side calls to either web services or some other component. Security of server side component is equally important as client side • Controls to be tested on the server side – Security Control Categories for Server Side Application– Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,
  43. © Blueinfy Solutions Server Side Issues Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  44. © Blueinfy Solutions Broken Cryptography
  45. © Blueinfy Solutions Cryptography • Broken implementation • Hash/Encoding used in place of encryption • Client side script in place of SSL
  46. © Blueinfy Solutions Hooking debugger in iOS Applications
  47. © Blueinfy Solutions Binary Auditing • AppStore Binary => .ipa file – It is a ZIP files with executables and resources (images, package info, config files...) • Simulator Binaries are x86 not ARM • Setup environment – Jailbreak first – SSH – Gdb/iphonedbg – otool/classdump
  48. © Blueinfy Solutions Binary Auditing • Install app on iOS devices – / var/mobile/Applications/<UUID>/<AppName>.ap p/ Or – /User/Applications/<UUID>/<AppName>.app/
  49. © Blueinfy Solutions Binary Auditing • Look at the directory
  50. © Blueinfy Solutions Binary Auditing • Look at the directory
  51. © Blueinfy Solutions Binary Auditing • Look at the directory
  52. © Blueinfy Solutions Binary Auditing • Decrypt the binary file – Each executable page is encrypted with AES and a MD5 checksum is computed • How to know if a binary is encrypted ? – LC_ENCRYPTION_INFO • cryptid : 1 if the binary is encrypted • cryptoffset : offset of the encrypted data • cryptsize : size of the encrypted data
  53. © Blueinfy Solutions Binary Auditing • How to get LC_ENCRYPTION_INFO • otool – tool available in cydia otool –l <APPNAME>| grep LC_ENCRYPTION_INFO –B1 –A4 Load command 10 cmd LC_ENCRYPTION_INFO cryptoff 4096 cryptsize 36864 cryptid 0
  54. © Blueinfy Solutions Binary Auditing • Unpack binary – Use a script that automates the process • Crackulous: tool from Cydia • Just select application, that’s it.
  55. © Blueinfy Solutions Binary Auditing • Manual method – Launch GDB – Set a breakpoint – Run the application – Extract the unencrypted executable code – Patch the architecture specific binary
  56. © Blueinfy Solutions Binary Auditing • Look at the binary, open in IDAPro and resolve obj_msgSend calls • Backtrace calls to objc_msgSend – By hand – Using Zynamics IDAPython scripts (
  57. © Blueinfy Solutions Interesting Items to look for • Locate the main class – UIApplicationDelegate – applicationDidFinishLaunching – ApplicationDidFinishLaunchingWithOptions • Views – UI*ViewController – viewDidLoad
  58. © Blueinfy Solutions Using GDB
  59. © Blueinfy Solutions Interesting Items to look for • HTTP(S) • NSURL • Sockets – CFSocketCreate • UIPasteBoard • Location based API • KeyChain API • ..
  60. © Blueinfy Solutions Interesting Items to look for • Some protocol handlers like,
  61. © Blueinfy Solutions Interesting Items to look for
  62. © Blueinfy Solutions Interesting Items to look for
  63. © Blueinfy Solutions Automation in Application Reviews
  64. © Blueinfy Solutions Snoop-it • The only tool today to automate iOS application reviews • Very handy and gives perfect pointer where to look for • A long way to go for automation like web • Demo –
  65. © Blueinfy Solutions Conclusion