© Blueinfy Solutions
iOS Attacks

© Blueinfy Solutions
Insecure Data Storage

© Blueinfy Solutions
Insecure Storage
• Why application needs to store data
– Ease of use for the user
– Popularity
– Competition
– Activity with single click
– Decrease Transaction time
– Post/Get information to/from Social Sites
• 9 out of 10 applications have this vulnerability

© Blueinfy Solutions
Insecure Storage
• How attacker can gain access
– Wifi
– Default password after jail breaking (alpine)
– Physical Theft
– Temporary access to device

© Blueinfy Solutions
Insecure Storage
• What information we usually find
– Authentication Credentials
– Authorization tokens
– Financial Statements
– Credit card numbers
– Owner’s Information – Physical Address, Name,
Phone number
– Social Engineering Sites profile/habbits
– SQL Queries

© Blueinfy Solutions
System Information
Detail Location
Applications /var/stash/Applications
Etc /private/etc
Var /private/var
User /var/mobile
Provisioning Profile /var/mobileDevice/ProvisioningProfiles
Logs /var/log,
/var/logs
/var/mobile/Library/Logs
Network Settings /
var/preferences/SystemConfiguration/com.apple.network.identif
ication.plist
Wifi Settings /var/preferences/SystemConfiguration/com.apple.wifi.plist
/var/preferences/SystemConfiguration/preferences.plist
Apple ID, Owner information
and Firmware Information
/root/Library/Lockdown/data_ark.plist
Keychain /var/Keychains
KeyBoard Cache /User/Library/Keyboard/dynamic-text.dat
Tmp /private/var/tmp

© Blueinfy Solutions
Application Information
Detail Location
Address Book /var/mobile/Library/AddressBook/AddressBook.sqlitedb
/var/mobile/Library/AddressBook/
AddressBookImages.sqlitedb
Last searched Google maps /var/mobile/Library/Caches/MapTiles/MapTiles.sqlitedb
Google Map History Information /var/mobile/Library/Maps/History.plist
/var/mobile/Library/Maps/Directions.plist
Calendar /var/mobile/Library/Calendar/Calendar.sqlitedb
Data under notes application /var/mobile/Library/Notes/notes.sqlite
Configuration file for
Applications
/var/mobile/Library/Preferences
Photos /var/mobile/Media/DCIM/
Application Pictures when HOME
button is pressed (Each
application has its own directory
- Default applications)
/User/Library/Caches/Snapshots

© Blueinfy Solutions
Default Services Information
Detail Location
Call History (Odd number is
for Outgoing calls, Even
number is for Incoming calls)
/var/mobile/Library/Callhistory/call_history.db
SMS (Odd number is for
Outgoing calls, Even number
is for Incoming calls)
/var/mobile/Library/SMS/sms.db
Voicemail /var/mobile/Library/Voicemail/voicemail.db
Voice mail recording /var/mobile/Library/Voicemail/
System provided
applications, ringtons and
wallpapers
/var/stash
Call History /var/wireless/Library/CallHistory
Call Log /var/wireless/Library/logs
Call Preferences /var/wireless/Library/Preferences

© Blueinfy Solutions
User Installed Application
Detail Location
Installed Applications /User/Applications or /private/var/mobile/Applications
Application Directory (Binary,
supporting files
/User/Applications/<app GUID>/<appname.app> or
/private/var/mobile/Applications/<app GUID>/<appname.app>
Applications documents i.e.
images, PDF, text files
/User/Applications/<app GUID>/Documents
Application cookies /User/Applications/<app
GUID>/Library/Cookies/Cookies.binarycookies
Application Preferences (plist
files)
/User/Applications/<app GUID>/Library/Preferences
Application temporary
storage
/User/Applications/<app GUID>/tmp
Application crash report /User/Library/Logs/CrashReporter
Application Screens when
pressed HOME button
/User/Applications/<app GUID>/Library/Caches/Snapshots

© Blueinfy Solutions
Browser information
Detail Location
Browser Cookie /var/mobile/Library/Cookies/Cookies.binarycookies
Browser favorites
(Book marks)
/var/mobile/Library/Safari/Bookmarks.db
Browser History /var/mobile/Library/Safari/History.plist
Browser Settings /var/mobile/Library/Preferences/com.apple.mobilesafari.plist
Browser Cache /User/Library/Caches/com.apple.WebAppCache/ApplicationCache.db

© Blueinfy Solutions
Insecure Data Storage
• Access file system – CyberDuck
• Plist files – xCode/plist Editor
• Keychain file (hardware bound ency) –
KeyChain Dumper
• Information in Db files – SQLite Browser
• Logs with queries – SQLite Browser
Hands On – Look for Sensitive information in
DVDs4Less Application

© Blueinfy Solutions
Implementation

© Blueinfy Solutions
Local file access

© Blueinfy Solutions
Insufficient Transport Layer
Protection

© Blueinfy Solutions
Insecure Network Channel
• Important to encrypt data in the transmission
• Easy to perform MiM attacks as Mobile
devices uses untrusted network i.e
open/Public WiFi, HotSpot, Carrier’s Network
• Application deals with sensitive data i.e.
– Authentication credentials
– Authorization token
– PII Information (Privacy Violation) (Owner Name,
Phone number, UDID

© Blueinfy Solutions
Insecure Network Channel
• Can sniff the traffic to get an access to
sensitive data
• SSL is the best way to secure communication
channel
• Common Issues
– Does not deprecate HTTP requests
– Allowing invalid certificates
– Sensitive information in GET requests

© Blueinfy Solutions
UI Impersonation/Spoofing

© Blueinfy Solutions
Activity Monitoring

© Blueinfy Solutions
Monitoring
• Default OS behavior after iOS 4.0 to cache all
the URLS (Request/Response) in the local
storage in file named cache.db file
• Request/Response includes the login request
with username and password
• Cache.db file is not encrypted
Hands On – Locate cache.db file in DVDs4less
application and see request/response

© Blueinfy Solutions
Malicious Monitoring
• Few services are shared between all the
applications
• A malicious user can write application to
monitor these services – including clipboard
monitor

© Blueinfy Solutions
Sensitive Data Retrieval

© Blueinfy Solutions
PII Information Leakage
• Application usually have access to user’s
private information i.e. Owner Name,
Location, Physical Address, AppID, Phone
Number
• This information needs to be handled very
carefully as per the law in some countries
• Storing this information in plain text is not
allowed in some countries

© Blueinfy Solutions
Client Side Injection

© Blueinfy Solutions
SQL Injection in Local database
• Most Mobile platforms uses SQLite as
database to store information on the device
• Using any SQLite Database Browser, it is
possible to access database logs which has
queries and other sensitive database
information
• In case application is not filtering input, SQL
Injection on local database is possible

© Blueinfy Solutions
Poor Authorization and
Authentication

© Blueinfy Solutions
Authorization & Authentication
• No password complexity specially on mobile
• Hidden/No Logout button
• Long session time out
• No account lock out
• Authorization flags or based on the local
storage

© Blueinfy Solutions
Improper Session Handling

© Blueinfy Solutions
Improper Session
• Session is key for any application for
authorization
• Application is sending sensitive information in
GET request (Be it on HTTP or HTTPS)
• GET requests are logged at multiple places
• Ends us giving away session to the privilege
user with malicious intent

© Blueinfy Solutions
Session Cookie
• HTTP is state-less protocol
• Application leverages session cookie to
maintain state for the user
• Session cookies are stored in binary format in
iOS
• File structure is public information
• A python script has been written to uncover
cookies (http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py)

© Blueinfy Solutions
Security Decisions Via Untrusted
Inputs

© Blueinfy Solutions
Untrusted Source
• Any input from client side which can be
modified
• Mainly authentication and authorization
decisions based on the untrusted input
• Easiest way for developer to solve complex
issues/functionality
• Attacker can get this information by either
reverse engineering application or by
checking local storage

© Blueinfy Solutions
KeyChain Dumper (Old Way)
• Upload Keychain Dumper in "/private/var“
• Dump all of the entitlements necessary to
access the entries in your target's keychain.
• ./keychain_dumper -e > /var/tmp/entitlements.xml
• Sign the obtained entitlements into
keychain_dumper.
• ldid -S/var/tmp/entitlements.xml keychain_dumper
• Get all the keys
• ./keychain_dumper

© Blueinfy Solutions
KeyChain Dumper – DON’T
• Do not change Path (Tool just does not do a
job well)
• Set proper permissions
– Keychain_dumper – Executable permission
– keychain-2.db – Read permission
• Files needs to be deleted before running it
again

© Blueinfy Solutions
KeyChain Dumper – Easy Way
• Shell Script
• Shell Script to clean
chmod +x /private/var/keychain_dumper
chmod +r /private/var/Keychains/keychain-2.db
./keychain_dumper -e > /var/tmp/entitlements.xml
ldid -S/var/tmp/entitlements.xml keychain_dumper
./keychain_dumper > /tmp/keys.txt
rm -f /private/var/keychain_dumper
rm -f /var/tmp/entitlements.xml

© Blueinfy Solutions
KeyChain Dumper (After 5.0)
• Upload Keychain Dumper in "/private/var“
• Dump all of the entitlements necessary to
access the entries in your target's keychain.
• ./keychain_dumper -e > /var/tmp/entitlements.xml
• To sign keychain_dumper file, transfer
keychain_dumper and entitlements.xml file to
any MAC machine
• Install Keychain Access on MAC

© Blueinfy Solutions
KeyChain Dumper (Cont…)
• Open keychain_access by opening binary at
(/Applications/Utilties/Keychain
Access.app/Contents/MacOS/Keychain
Access)
• Create a “code signing “ “self signed
certificate”
– Select Type as “Self Signed Root”
– Select “Code Signing”

© Blueinfy Solutions
KeyChain Dumper (Cont…)
• Sign keychain_dumper file using codesign
command
# codesign -fs "Test" --entitlements
entitlements.xml keychain_dumper
• Upload keychain_dumper to iOS device
• Get all the keys
• ./keychain_dumper

© Blueinfy Solutions
KeyChain Dumper – New Version
• Easy as running a command
• Upload on to server in /var directory
• Give execute permission
– Chmod +x /var/keychain_dumper
• Get all the keys
• ./keychain_dumper

© Blueinfy Solutions
Side Channel Data Leakage

© Blueinfy Solutions
Data Leakage to third party
• Applications gather Private information and
sends to advertisement servers
• Advertisement companies pay per the
application (This is how the free apps make
money) instance

© Blueinfy Solutions
Weak Server Side Controls

© Blueinfy Solutions
Server Side Issues
• Most Application makes server side calls to
either web services or some other
component. Security of server side
component is equally important as client side
• Controls to be tested on the server side –
Security Control Categories for Server Side
Application– Authentication, Access
Controls/Authorization, API misuse, Path
traversal, Sensitive information leakage,

© Blueinfy Solutions
Server Side Issues
Error handling, Session management, Protocol
abuse, Input validations, XSS, CSRF, Logic
bypass, Insecure crypto, DoS, Malicious Code
Injection, SQL injection, XPATH and LDAP
injections, OS command injection, Parameter
manipulations, BruteForce, Buffer Overflow,
HTTP response splitting, HTTP replay, XML
injection, Canonicalization, Logging and
auditing.

© Blueinfy Solutions
Broken Cryptography

© Blueinfy Solutions
Cryptography
• Broken implementation
• Hash/Encoding used in place of encryption
• Client side script in place of SSL

© Blueinfy Solutions
Hooking debugger in iOS
Applications

© Blueinfy Solutions
Binary Auditing
• AppStore Binary => .ipa file
– It is a ZIP files with executables and resources
(images, package info, config files...)
• Simulator Binaries are x86 not ARM
• Setup environment
– Jailbreak first
– SSH
– Gdb/iphonedbg
– otool/classdump

© Blueinfy Solutions
Binary Auditing
• Install app on iOS devices
– /
var/mobile/Applications/<UUID>/<AppName>.ap
p/
Or
– /User/Applications/<UUID>/<AppName>.app/

© Blueinfy Solutions
Binary Auditing
• Look at the directory

© Blueinfy Solutions
Binary Auditing
• Look at the directory

© Blueinfy Solutions
Binary Auditing
• Look at the directory

© Blueinfy Solutions
Binary Auditing
• Decrypt the binary file
– Each executable page is encrypted with AES and a
MD5 checksum is computed
• How to know if a binary is encrypted ?
– LC_ENCRYPTION_INFO
• cryptid : 1 if the binary is encrypted
• cryptoffset : offset of the encrypted data
• cryptsize : size of the encrypted data

© Blueinfy Solutions
Binary Auditing
• How to get LC_ENCRYPTION_INFO
• otool – tool available in cydia
otool –l <APPNAME>| grep LC_ENCRYPTION_INFO –B1 –A4
Load command 10
cmd LC_ENCRYPTION_INFO
cryptoff 4096
cryptsize 36864
cryptid 0

© Blueinfy Solutions
Binary Auditing
• Unpack binary
– Use a script that automates the process
• Crackulous: tool from Cydia
• Just select application, that’s it.

© Blueinfy Solutions
Binary Auditing
• Manual method
– Launch GDB
– Set a breakpoint
– Run the application
– Extract the unencrypted executable code
– Patch the architecture specific binary

© Blueinfy Solutions
Binary Auditing
• Look at the binary, open in IDAPro and resolve
obj_msgSend calls
• Backtrace calls to objc_msgSend
– By hand
– Using Zynamics IDAPython scripts (objc_helper.py)

© Blueinfy Solutions
Interesting Items to look for
• Locate the main class
– UIApplicationDelegate
– applicationDidFinishLaunching
– ApplicationDidFinishLaunchingWithOptions
• Views
– UI*ViewController
– viewDidLoad

© Blueinfy Solutions
Using GDB

© Blueinfy Solutions
Interesting Items to look for
• HTTP(S)
• NSURL
• Sockets
– CFSocketCreate
• UIPasteBoard
• Location based API
• KeyChain API
• ..

© Blueinfy Solutions
Interesting Items to look for
• Some protocol handlers like,

© Blueinfy Solutions
Interesting Items to look for

© Blueinfy Solutions
Interesting Items to look for

© Blueinfy Solutions
Automation in Application
Reviews

© Blueinfy Solutions
Snoop-it
• The only tool today to automate iOS
application reviews
• Very handy and gives perfect pointer where
to look for
• A long way to go for automation like web
• Demo
– https://code.google.com/p/snoop-it/

© Blueinfy Solutions
Conclusion