CactusCon - Practical iOS App Attack and Defense

Presentation given by Seth Law at CactusCon 2015. How to attack and defend mobile applications using known security weaknesses.

1. Practical iOS App Attack and Defense – Seth Law © 2015
   Practical iOS App Attack and Defense
   CactusCon
2. Introduction
   • Seth Law
     – Director of R&D @ nVisium
     – Developer/Contributor to Swift.nV, SiRATool, RAFT, Grails.nV
     – Hacker, AppSec Architect, Security Consultant
     – Soccer Hooligan
3. Abusing Trust
4. Your App
5. Hopefully, not your App
6. Disclaimer
   Hacking of App Store apps is not condoned or encouraged in any way. What you do on your own time is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this presentation for unsavory acts.
7. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
8. Requirements
   • Xcode (developer.apple.com)
     – Command-line tools
     – xcode-select --install
     – iOS Simulators
   • Jailbroken iDevice (iPhone/iPad/iPod) *
     – Cydia Tools
   • Vulnerable App
     – Swift.nV - https://github.com/nVisium/Swift.nV
   * Only required to “test” apps from the App Store. **
9. Tools - idb
   • idb - https://github.com/dmayer/idb
10. Tools - idb
   • idb - https://github.com/dmayer/idb
11. Tools - iFunBox
   • https://www.i-funbox.com/ifunboxmac
12. Tools - Cydia Apps
   • Cycript
   • OpenSSH
   • Erica Utilities
   • Class Dump
   • GNU Debugger
   • network-cmds
   • BigBoss Recommended Tools
13. Tools - Swift.nV
   • INTENTIONALLY VULNERABLE
   • Training Tool - Not for production use
14. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
15. Application Anatomy
16. Application Anatomy
   • .app Directory
     – Folder with distributed binary and artifacts
     – iOS 8
       • AppStore Apps - /var/mobile/Containers/Bundle/Application/<APP GUID>/Application.app/
       • Pre-installed Apps - /Applications/Application.app/
     – iOS 7
       • AppStore Apps - /var/mobile/Applications/<APP GUID>/Application.app/
       • Pre-installed Apps - /Applications/Application.app/
17. Application Anatomy
   • Info.plist
18. Application Anatomy
   • Deployed Application Data Directories
     • iOS 8 - /var/mobile/Containers/Data/Application/<APP_GUID>/
     • iOS 7 - /var/mobile/Applications/<APP_GUID>/
       Documents/
       Library/
         Caches/
         Preferences/
         ...
       tmp/
19. Application Anatomy
20. Application Anatomy
21. Application Anatomy
22. Application Anatomy
23. Application Anatomy
   • Library/…
     • Other folders may exist for specific purposes
     • Files not exposed to the user
     • SyncedPreferences/ - iCloud NSUserDefaults
     • Cookies/ - Persistent cookie values
     • Application Support/ - Other App files
     • FlurryFiles/ - iAd files
   • tmp/
     • Scratch space
     • Can be cleared by iOS when App not running
24. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
25. Data Storage
   • M2 in OWASP Mobile Top 10
   • Anything stored by the App on purpose
   • Data at rest on a mobile device
   • Majority of “mobile security” issues in the news.
   • Relevant functionality
     • Core Data
     • NSUserDefaults
     • Keychain
     • Documents
     • Cache
26. Attack!
27. Data Storage - Attack
28. Data Storage - Attack
29. Data Storage - Attack
30. Data Storage - Attack
31. Data Storage - Attack
32. Data Storage - Demo
33. Data Storage - Defense
34. Data Storage - Defense
   • Databases – Defenses
     • Encryption (SQLCipher)
       • Rewrites crypto into database controller
     • Don’t store sensitive data on the device.
   • Weaknesses
     • Key Storage
35. Data Storage - NSUserDefaults
   • Property Lists - Code
36. Data Storage - Attack
   • Property Lists
37. Data Storage - Attack
   • Property Lists - idb
38. Data Storage - Defense
   • Property List - Countermeasures
     – Don’t store sensitive data using NSUserDefaults
     – When ignoring rule #1, encrypt the data
     – Use checksums or signatures to validate that data returned from NSUserDefaults is appropriate
     – iOS Keychain
     – For quick Keychain conversion, use a library
       – https://github.com/matthewpalmer/Locksmith
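The third countermeasure on slide 38 (checksums or signatures over what comes back from NSUserDefaults) as an added example that is not from the deck or from Swift.nV. It assumes CryptoKit (iOS 13 and later), so it is newer than the 2015 material, and it takes the HMAC key as a parameter; that key belongs in the Keychain, never in the plist it protects.

```swift
import Foundation
import CryptoKit

// Added example (not from the slides or Swift.nV): each NSUserDefaults value is
// stored next to an HMAC-SHA256 tag, so a plist edited on disk (idb, iFunBox,
// anything with filesystem access) fails verification on the next read.
// This detects tampering; it does not make the plist a safe place for secrets,
// so rule #1 from the slide still applies.
struct SignedDefaults {
    let defaults: UserDefaults
    let key: SymmetricKey          // load from the Keychain in a real app

    private func tagName(_ name: String) -> String { name + ".hmac" }

    // MAC over length-prefixed key name + value, so a valid tag cannot be
    // copied from one key to another.
    private func message(name: String, value: Data) -> Data {
        var msg = Data()
        var len = UInt32(name.utf8.count).bigEndian
        msg.append(Data(bytes: &len, count: MemoryLayout<UInt32>.size))
        msg.append(Data(name.utf8))
        msg.append(value)
        return msg
    }

    func set(_ value: Data, forKey name: String) {
        let tag = HMAC<SHA256>.authenticationCode(for: message(name: name, value: value), using: key)
        defaults.set(value, forKey: name)
        defaults.set(Data(tag), forKey: tagName(name))
    }

    // nil when the value or its tag is missing, or when verification fails.
    func data(forKey name: String) -> Data? {
        guard let value = defaults.data(forKey: name),
              let tag = defaults.data(forKey: tagName(name)),
              HMAC<SHA256>.isValidAuthenticationCode(tag,
                  authenticating: message(name: name, value: value), using: key)
        else { return nil }
        return value
    }
}

// Usage (constructed): the key is generated here for illustration only.
func demo() -> Data? {
    let store = SignedDefaults(defaults: .standard, key: SymmetricKey(size: .bits256))
    store.set(Data("tier=premium".utf8), forKey: "account.tier")
    return store.data(forKey: "account.tier")   // original bytes; nil after tampering
}
```

Editing account.tier in Library/Preferences/<bundle id>.plist, or deleting the account.tier.hmac entry, makes the next data(forKey:) return nil instead of the attacker's value.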
39. Data Storage - Defense
   • Keychain
     – Mac OS X/iOS Password Manager
     – OS enforces security
     – CAREFUL
       • Keychain can be accessed by apps running on jailbroken devices.
       • idb
     – Don’t assume Keychain is secure.
     – Know your Keychain Attributes.
     – Layered Security
       • The application will be used under the worst possible conditions, protect for THAT instance.
40. Data Storage - Defense
   • Keychain Analysis – know your attributes

   Attribute                                         Data is...
   kSecAttrAccessibleWhenUnlocked                    Only accessible when device is unlocked.
   kSecAttrAccessibleAfterFirstUnlock                Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
   kSecAttrAccessibleAlways                          Always accessible.
   kSecAttrAccessibleWhenUnlockedThisDeviceOnly      Only accessible when device is unlocked. Data is not migrated via backups.
   kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly  Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
   kSecAttrAccessibleAlwaysThisDeviceOnly            Always accessible. Data is not migrated via backups.
41. Data Storage - Defense
   • Keychain Analysis – know your attributes (same table as slide 40)
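An added example, not from the deck or from Swift.nV, covering slides 38 through 40: writing a Keychain item with an explicit accessibility attribute, and reading that attribute back so an app audit can flag items that land in the weaker rows of the table. Service and account names are placeholders.

```swift
import Foundation
import Security

// Added example (not from the slides or Swift.nV); service/account names are placeholders.
enum KeychainError: Error { case status(OSStatus) }

struct KeychainStore {
    let service: String
    private func baseQuery(_ account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }
    // Write with the strictest attribute that still allows foreground use:
    // readable only while unlocked, never migrated to another device by backup.
    func save(_ secret: Data, account: String) throws {
        let query = baseQuery(account)
        _ = SecItemDelete(query as CFDictionary)   // avoid errSecDuplicateItem
        var attrs = query
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }
    // Read back the kSecAttrAccessible attribute of an existing item (nil if absent).
    func accessibility(account: String) throws -> String? {
        var query = baseQuery(account)
        query[kSecReturnAttributes as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let attrs = result as? [String: Any] else {
            throw KeychainError.status(status)
        }
        return attrs[kSecAttrAccessible as String] as? String
    }
    // Audit rule from the table: readable while locked, or migrated via backup,
    // is a finding. The "Always" constants are deprecated but older apps still use them.
    static let weak: Set<String> = [
        kSecAttrAccessibleAlways as String, kSecAttrAccessibleAlwaysThisDeviceOnly as String,
        kSecAttrAccessibleAfterFirstUnlock as String, kSecAttrAccessibleWhenUnlocked as String]
    func isWeaklyProtected(account: String) throws -> Bool {
        guard let attr = try accessibility(account: account) else { return false }
        return Self.weak.contains(attr)
    }
}
```

On a jailbroken device the attribute only narrows the window (slide 39's point stands), which is why the item holds a token or key rather than the data it protects.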
42. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
43. Network Communications
   • M3 - Insufficient Transport Layer Protection
   • Are network communications secure?
     • Encryption (or not)
     • Key Handling
     • Ciphers
     • Proxy Communication
44. CodeMash Scanner?
45. Become a Sponsor!
46. Volunteers?
47. Whoops
48. Network Communications
   • DEMO
     • Device: Jailbroken iPod Touch
     • Proxy: Burp Suite Pro
     • App: Casino
49. Exploited Issues
   • Proxied Communications
   • Certificate Pinning
   • Web Service Vulnerabilities
50. Network Communications
51. Network Communications
   • Defense
     – Good: Internal Certificate Authority
     – Better: External CA
     – Best: Certificate Pinning
   continueWithoutCredentialForAuthenticationChallenge == BAD
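An added example, not from the deck or from Swift.nV, of the "Best" option on slide 51, written against the URLSession delegate API rather than the NSURLConnection delegate the slide's BAD call belongs to. The bundled certificate file name is a placeholder. The equivalent of that BAD call here would be answering every challenge with .useCredential without ever examining the server trust.

```swift
import Foundation
import Security

// Added example (not from the slides or Swift.nV). The OS evaluation covers chain,
// hostname and expiry; the pin then requires the leaf to match DER bytes shipped
// in the app bundle ("api-leaf.der" is a placeholder name).
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafDER: Data

    init(pinnedLeafDER: Data) { self.pinnedLeafDER = pinnedLeafDER }

    // True only if system trust evaluation passes AND the leaf is the pinned one.
    func isPinned(_ trust: SecTrust) -> Bool {
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else { return false }
        return (SecCertificateCopyData(leaf) as Data) == pinnedLeafDER
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a server-trust challenge
            return
        }
        if isPinned(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: an interception proxy's certificate ends up here,
            // even one whose CA the user installed on the device.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage:
// let der = try Data(contentsOf: Bundle.main.url(forResource: "api-leaf", withExtension: "der")!)
// let session = URLSession(configuration: .ephemeral,
//                          delegate: PinningSessionDelegate(pinnedLeafDER: der),
//                          delegateQueue: nil)
```

Pinning the leaf means shipping an app update whenever the certificate rotates; pinning the public key or an intermediate instead trades that for a looser match.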
52. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
53. Client Side Injection
   • M7 - Client Side Injection
   • Fuzzing all application inputs
     • Text Fields
     • URLSchemes
     • Stored Data (DBs, PLists, etc)
   • Multiple Types
     • XSS/HTML
     • XML/JSON
     • ...
54. Injection
   • Text Field Injection
     – Manually intensive
55. Client Side Injection
   • URLScheme Injection
     • Safari FTW!
     • Still manual
     • location bar
     • Fuzz URL values
     • Info.plist
56. Client Side Injection
57. Client Side Injection
58. Client Side Injection
   • Demo - Injection with Swift.nV
59. Client Side Injection
   • Defense
     • Input Validation
     • Don’t trust the user
     • Input Validation
     • Output Encoding
     • Input Validation
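An added example, not from the deck or from Swift.nV, of the input validation slide 59 asks for, applied to the URL scheme input from slide 55. The scheme, route and parameter names are hypothetical.

```swift
import Foundation

// Added example (not from the slides or Swift.nV). Hypothetical scheme "myapp://"
// with a single supported route, myapp://open-item?id=<digits>. Anything that is
// not an exact match is rejected before it reaches a view, a query, or a web view.
enum DeepLink: Equatable {
    case openItem(id: Int)
}

enum DeepLinkParser {
    static let scheme = "myapp"
    static let maxIdDigits = 9

    // Allow-list parse: nil for any URL that does not match a known route exactly.
    static func parse(_ url: URL) -> DeepLink? {
        guard let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
              components.scheme?.lowercased() == scheme,
              components.host == "open-item",
              components.path.isEmpty || components.path == "/" else { return nil }
        let items = components.queryItems ?? []
        // Exactly one parameter, named "id", holding a short run of ASCII digits
        // (no sign, whitespace, encoded markup or script).
        guard items.count == 1, let item = items.first, item.name == "id",
              let raw = item.value, !raw.isEmpty, raw.count <= maxIdDigits,
              raw.allSatisfy({ $0.isASCII && $0.isNumber }),
              let id = Int(raw) else { return nil }
        return .openItem(id: id)
    }
}

// In the app delegate (hypothetical): unknown links are refused rather than having
// their raw query values interpolated into HTML, SQL or a WKWebView request.
// func application(_ app: UIApplication, open url: URL,
//                  options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
//     guard let link = DeepLinkParser.parse(url) else { return false }
//     route(link)
//     return true
// }
```

The same parser serves the Safari location-bar fuzzing on slide 55: every malformed or extra parameter produces nil, and only the typed Int reaches the rest of the app.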
60. Client Side Injection
61. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
62. Privacy
   • Revealing of PII
   • Location Information
   • Shoulder surfing
   • Physical Access
   • Background screenshots
   • Borrowed Phone attacks
   • Backups/Logs
63. FRIENDS DON’T LET FRIENDS LEAVE THEIR PHONE BEHIND
64. Background Screenshots
65. Information Overload
66. Logs
67. Logs
68. iOS Backup Analyzer
69. iOS Backup Analyzer
70. Privacy - Defense
   • Mask mask mask
   • No NSLog in production apps
   • What is stored on the device is also stored in the backup
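An added example, not from the deck or from Swift.nV, for the "Mask" and "Background screenshots" items on slides 62 through 70: covering the window while the app is inactive so the app-switcher snapshot iOS writes to disk (and backs up) contains no account data. The tag value is a placeholder.

```swift
import UIKit

// Added example (not from the slides or Swift.nV): an opaque cover installed
// before the app resigns active and removed when it becomes active again, so the
// snapshot taken for the app switcher shows the cover instead of screen content.
enum SnapshotMask {
    private static let maskTag = 0x4D41534B   // placeholder tag ("MASK")

    static func install(on window: UIWindow?) {
        guard let window = window, window.viewWithTag(maskTag) == nil else { return }
        let mask = UIView(frame: window.bounds)
        mask.tag = maskTag
        mask.backgroundColor = .systemBackground
        mask.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(mask)
    }

    static func remove(from window: UIWindow?) {
        window?.viewWithTag(maskTag)?.removeFromSuperview()
    }
}

// Hooks in UIApplicationDelegate (pre-scene apps):
//   func applicationWillResignActive(_ app: UIApplication) { SnapshotMask.install(on: window) }
//   func applicationDidBecomeActive(_ app: UIApplication)  { SnapshotMask.remove(from: window) }
// With scenes, use sceneWillResignActive / sceneDidBecomeActive on UIWindowSceneDelegate.
```

Using willResignActive rather than didEnterBackground also covers the control-centre and incoming-call cases, where the app never reaches the background but the switcher snapshot is still taken.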
71. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
72. Other Mobile Concerns
   • Authentication
   • Authorization
   • Binary Protections
   • Cryptography
   • Unintended Functionality
   • Untrusted Input
73. Conclusion
   Security is hard.
   Try harder.
74. Thanks
   • Questions?
   • nVisibility Tape
   • Contact:
     • Seth Law
     • Email: seth@nvisium.com
     • Twitter: @sethlaw
