The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications


View Session 3 ondemand: https://securityintelligence.com/events/the-411-on-mobile-application-security-testing-for-ios-devices/

Full webinar Series: https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&referrer=&eventid=1071189&sessionid=1&key=6218FFB2E8F57B0499B33332051FE943&regTag=5303&sourcepage=register

Session 3 of IBM’s #CoverYourApps with Application Security on Cloud Webinar Series
In our final session, we'll provide best practices for testing mobile applications for security vulnerabilities and protecting them at runtime, with a special emphasis on iOS applications. It is commonly believed that iOS apps are more secure than Android apps, but that does not mean your iOS apps are free of vulnerabilities, or that attackers have no ways to circumvent iOS's security controls. You'll learn how to protect your ever-expanding portfolio of mobile apps and stay one step ahead of the rush-to-release phenomenon.

Check out the rest of our #CoverYourApps with IBM’s Application Security on Cloud Webinar Series! Register today for all three to get up to speed on the latest from IBM on Application Security on Cloud.


  1. The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications. Presenters: Eitan Worcel, IBM Application Security on Cloud; Chris Stahly, Director, Application Protection Services, Arxan. © 2015 IBM Corporation
  2. IBM Mobile Security Framework (diagram)
     • Device Security: provision, manage and secure corporate and BYOD devices
     • Content Security: secure enterprise content access and sharing
     • Application Security: develop vulnerability free, tamper proof and risk aware applications
     • Transaction Security: prevent & detect high risk mobile transactions from employees, customers and partners (device as ID; Mobile Identity Platform)
     • Security Intelligence: a unified architecture for integrating mobile security information & event management (SIEM), log management, anomaly detection, and configuration & vulnerability management
     Layers shown: Security Intelligence; Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Personal and Consumer / Enterprise; DATA
  3. Agenda
     • Mobile App Sec: Exploring Mobile App Vulnerabilities; Mobile Security Overview
     • iOS Mobile App Sec: Exploring iOS vulnerabilities & attacks; Protection Approaches; Application Testing Demo
     • Additional Resources
  4. X-Force Mobile Vulnerability Findings, December 2013: Android Fragment Injection. A set of vulnerabilities exposed by Mobile Analyzer research, leading to the discovery of a new Android vulnerability class.
  5. X-Force Mobile Vulnerability Findings, March 2014: Firefox vulnerability (overtaking Firefox profiles), identified by Mobile Analyzer, disclosed and fixed.
  6. X-Force Mobile Vulnerability Findings, July 2014: Android KeyStore vulnerability (stack buffer overflow).
  7. X-Force Mobile Vulnerability Findings, August 2014: Apache Cordova vulnerability; 10% of Android banking apps potentially vulnerable.
  8. X-Force Mobile Vulnerability Findings, February 2015: Dating app vulnerabilities; Mobile Analyzer identified medium to high vulnerabilities in over 60% of the top dating apps.
  9. X-Force Mobile Vulnerability Findings, August 2015: Android serialization vulnerability; over 55 percent of Android phones are at risk. The vulnerability gives underprivileged apps super status.
  10. X-Force Mobile Vulnerability Findings, April 2015: Deobfuscating iOS kernel pointers. An information leak vulnerability in iOS which can be used to defeat the kernel address obfuscation mechanism available since iOS 6.
  11. Mobile Security Overview (section title)
  12. Web Apps Run in a Browser (diagram: browser, Internet, web apps, database)
  13. Mobile Apps Run on the Phone and are Supported by Mobile Services (diagram: phone, Internet, mobile services, database)
  14. Testing Mobile Apps is Different from Testing Web Apps
     • We know how to pen test our networks
     • We know how to pen test web apps/services
     • The mobile app and its mobile services are the new area where we need to focus
  15. Mobile Applications Have a Different Threat Model (diagram)
     • Web apps: JavaScript is sandboxed; threat shown: malicious site
     • Mobile apps: JavaScript can access device features; application logic and temporary storage live on the device and talk to mobile services over the carrier network; threats shown: malicious site, attacker with root, malicious apps
  16. iOS Mobile App Sec (section title)
  17. iOS Security Controls: why should we trust the OS?
     • Code signing
     • Anti arbitrary code execution policies
       – ASLR
       – Memory pages marked W^X (writable XOR executable)
       – Stack canaries
     • Sandboxing
     • App encryption
  18. Circumventing iOS Controls: jailbreaking
     • Remove iOS controls
     • Gain root access
     • Custom kernel
     • Privilege escalation
  19. Apple's Threat Modeling: attacks on system integrity. "Attacks on system integrity […] modify the system in such a way that it can no longer be trusted. […] the attacker might be able to:"
     • Execute malicious code
     • Impersonate a user or server
     • Repudiate an action
     Source: https://developer.apple.com/library/ios/DOCUMENTATION/Security/Conceptual/Security_Overview/ThreatModeling/ThreatModeling.html
  20. Jailbreak History (iOS version: jailbreak, date)
     • iPhone 1.0 (June 29th 2007): jailbroken (July 10th 2007)
     • 4.3.2: redsn0w 0.9.11x (April 2011)
     • 4.3.3: jailbreakme.com remote jailbreak (July 2011)
     • 5.1.1: absinthe 2.0.x (May 2012)
     • 6.1: evasi0n (January 30 2013)
     • 7.0: evasi0n7 (December 2013)
     • 7.1: Pangu (June 23 2014)
     • 8.1: Pangu (January 2015)
     • 9.0: Pangu (October 2015)
  21. iOS Recent Attacks
     • Nobody is safe: Major App Store malware breach may affect millions of iPhone users. "A substantial security threat called XcodeGhost managed to fool App Store security and sneak into the App Store inside real App Store apps potentially affecting hundreds of millions of iPhone and iPad users on both stock and jailbroken devices."
     • Key Raider: another iOS malware steals account info and more. "Malicious code surreptitiously included with Cydia apps [has] pilfered account data…disabled some infected phones until users pay a ransom, and…made unauthorized charges against some victims' accounts."
     • Flaws in OS X, iOS allow malicious apps to steal passwords, other data. "In a paper titled "Unauthorized Cross-App Resource Access on MAC OS X and iOS," researchers demonstrated that cross-app resource access (XARA) attacks are possible on Apple's operating systems, allowing malicious applications to steal passwords and other sensitive data from other programs."
  22. Anatomy of Attacks on iOS Mobile Apps: reverse-engineering app contents
     1. Decrypt the mobile app (iOS apps)
     2. Open up and examine the app: extract and steal confidential data
     3. Create a hacked version: a tampered, cracked or patched version of the app
     4. Distribute the app: release / use the hacked app; use malware to infect/patch the app on other devices
  23. Tools for Hacking are Found Everywhere (category: example tools, platform/target)
     • Mobile decryption, unpacking & conversion: Clutch (iOS); APKTool (Android); Dex2jar (Android)
     • Static binary analysis (disassembly, decompilation, info dumping): IDA Pro & Hex-Rays (Linux, Mac OS, Windows); Hopper (iOS, Linux, Mac OS, Windows); JD Project (Java); baksmali (Android / Java); class-dump-z (iOS, Linux, Mac OS, Windows); nm (Windows / .obj, .lib); Strings (Windows / UNICODE)
     • Runtime binary analysis (debugging, tracing): GDB (Windows, UNIX / C, C++, Obj-C & more); ADB (Android); Introspy-Android, Introspy-iOS (Android, iOS); Sogeti ESEC Lab (Android)
     • Runtime manipulation, code injection, method swizzling, patching: Cydia Substrate (Android, iOS); Cycript (iOS, Mac OS); DYLD (Mac OS); Theos suite (iOS); hex editors (everything); CheatEngine (Windows)
     • Jailbreak detection evasion: xCon, tsProtector (iOS)
     What do these tools allow?
     – Decrypt iOS apps
     – Modify data in memory
     – Modify data on disk
     – Inject custom code
     – Change existing code
     – Read network traffic
     – Manipulate network traffic
     – Bypass jailbreak detections
  24. IDA Example (screenshot)
  25. Protection Approaches (section title)
  26. Mobile Application Security
     • Static analysis of source code: IBM AppScan Source / IBM MobileFirst Application Scanning
     • Dynamic analysis of back end calls: IBM AppScan Standard
     • Interactive analysis of mobile app: IBM Application Security on Cloud
     • Hardening of binary code: Arxan Application Protection for IBM Solutions
     (IBM Mobile Application Security Framework diagram, as on slide 2)
  27. Obfuscation: confuse the hacker
     • Dummy code insertion
     • Instruction merging
     • Block shuffling
     • Function inlining
     • … and more!
     (figure: the code before obfuscation and after)
  28. Preventing Reverse Engineering: other techniques
     • Method renaming
     • String encryption
     • … and more!
     (figure: "String not found")
  29. Preventing Tampering: common techniques
     • Jailbreak detection: am I on a jailbroken device?
     • Checksum: has the binary changed?
     • Method swizzling detection: is someone hijacking my code?
     • Debug detection: is a debugger running?
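As an added example that is not part of the IBM/Arxan deck, this C program shows the "Checksum: has the binary changed?" check from the slide above in its simplest form: a CRC-32 over a protected code region, compared against a value recorded at build time. The protected region here is a constructed byte array (the standard CRC-32 check vector "123456789", so the build-time value is known) and the build-time constant is embedded in plaintext; a shipped iOS app would hash its own code bytes in memory and keep the expected value obfuscated, in the spirit of slide 28.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a critical code region (for example the routine
 * that validates a purchase). Its bytes are the standard CRC-32 check
 * vector "123456789", chosen so that the build-time value below is known. */
static uint8_t protected_region[9] = {'1','2','3','4','5','6','7','8','9'};

/* Value the build pipeline recorded for the unmodified region. In a real
 * app it is stored in the binary and should itself be obfuscated. */
#define BUILD_TIME_CRC 0xCBF43926u

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bit by bit. */
uint32_t crc32_region(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Runtime self-check: 1 if the region still matches the build-time value,
 * 0 if it has been patched. Calling it from several places in the app,
 * rather than once, makes it harder to remove with a single patch. */
int region_intact(void)
{
    return crc32_region(protected_region, sizeof protected_region) == BUILD_TIME_CRC;
}

/* Simulates a one-byte patch at `offset`, runs the check, restores the
 * byte, and returns 1 if the patch was detected. */
int patch_is_detected(size_t offset)
{
    protected_region[offset] ^= 0x01;
    int intact = region_intact();
    protected_region[offset] ^= 0x01;
    return !intact;
}

int main(void)
{
    printf("untouched region intact: %d\n", region_intact());
    printf("one-byte patch detected: %d\n", patch_is_detected(4));
    return 0;
}
```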
  30. Security Layers (diagram)
  31. DEMO
  32. Additional Resources (section title)
  33. Learn More about Mobile Application Security Testing on Cloud
     • Replay recent webinars: Oct. 20th, Making the Case for Application Security Testing on Cloud; Nov. 3rd, Protecting Mission-Critical Source Code from AppSec Vulnerabilities
     • Read the blogs: AppSec Testing on Cloud and the Future of Penetration Testing; A Lever to Move the World: Automating AppSec Testing in the Cloud; Protecting Your Apps at Runtime
     • View the infographic: Case Closed with IBM AppSec on Cloud
     • View the YouTube video: Identify and Remediate Application Security Vulnerabilities Effectively
     • Visit the web page: Cloud Marketplace
  34. Your Next Steps to Protecting Your Apps: free evaluation of "Arxan Application Protection for IBM Solutions", now offered as part of IBM's Security Portfolio. Curious how your app binary is exposed to hacking? Get a free assessment of your app's binary exposures in 9 categories.
  35. QUESTIONS
  36. © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU. www.ibm.com/security