Practical iOS App Attack and Defense – Seth Law © 2015
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
Mobile apps are a fixture in today's digital world. With the release of Apple's new Swift language, the barrier to entry to create iOS apps has been lowered and may increase the number of offerings in the App Store. Learn how to find vulnerabilities in today's apps, attack and manipulate them, and finally fix the issue. Explore common mobile vulnerabilities hands-on (or just follow along) through the new open-source, intentionally vulnerable Swift iOS application, Swift.nV (https://github.com/nVisium/Swift.nV).

Talk given @ CodeMash 2015 by Seth Law

1. Practical iOS App Attack and Defense – Seth Law © 2015
   Practical iOS App Attack and Defense
   CodeMash 2.0.1.5
2. Introduction
   • Seth Law
     – Director of R&D @ nVisium
     – Developer/Contributor to Swift.nV, SiRATool, RAFT, Grails.nV
     – Hacker, AppSec Architect, Security Consultant
     – Soccer Hooligan
3. Abusing Trust
4. Disclaimer
   Hacking of App Store apps is not condoned or encouraged in any way. What you do on your own time is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this presentation for unsavory acts.
5. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
6. Requirements
   • Xcode (developer.apple.com)
     – Command-line tools
     – xcode-select --install
     – iOS Simulators
   • Jailbroken iDevice (iPhone/iPad/iPod) *
     – Cydia Tools
   • Vulnerable App
     – Swift.nV - https://github.com/nVisium/Swift.nV
   * Only required to “test” apps from the App Store.
7. Tools - idb
   • idb - https://github.com/dmayer/idb
8. Tools - idb
   • idb - https://github.com/dmayer/idb
9. Tools - iFunBox
   • https://www.i-funbox.com/ifunboxmac
10. Tools - Cydia Apps
   • Cycript
   • OpenSSH
   • Erica Utilities
   • Class Dump
   • GNU Debugger
   • network-cmds
   • BigBoss Recommended Tools
11. Tools - Swift.nV
   • INTENTIONALLY VULNERABLE
   • Training Tool - Not for production use
12. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
13. Application Anatomy
14. Application Anatomy
   • .app Directory
     – Folder with distributed binary and artifacts
     – iOS 8
       • AppStore Apps - /var/mobile/Containers/Bundle/Application/<APP GUID>/Application.app/
       • Pre-installed Apps - /Applications/Application.app/
     – iOS 7
       • AppStore Apps - /var/mobile/Applications/<APP GUID>/Application.app/
       • Pre-installed Apps - /Applications/Application.app/
15. Application Anatomy
   • Info.plist
16. Application Anatomy
   • Deployed Application Data Directories
   • iOS 8
     • /var/mobile/Containers/Data/Application/<APP_GUID>/
   • iOS 7
     • /var/mobile/Applications/<APP_GUID>/
   Layout of the data directory:
     Documents/
     Library/
       Caches/
       Preferences/
       ...
     tmp/
17. Application Anatomy
18. Application Anatomy
19. Application Anatomy
20. Application Anatomy
21. Application Anatomy
   • Library/…
     • Other folders may exist for specific purposes
     • Files not exposed to the user
     • SyncedPreferences/ - iCloud NSUserDefaults
     • Cookies/ - Persistent cookie values
     • Application Support/ - Other App files
     • FlurryFiles/ - iAd files
   • tmp/
     • Scratch space
     • Can be cleared by iOS when App not running
22. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
23. Data Storage
   • M2 in OWASP Mobile Top 10
   • Anything stored by the App on purpose
   • Data at rest on a mobile device
   • Majority of “mobile security” issues in the news.
   • Relevant functionality
     • Core Data
     • NSUserDefaults
     • Keychain
     • Documents
     • Cache
24. Attack!
25. Data Storage - Attack
26. Data Storage - Attack
27. Data Storage - Attack
28. Data Storage - Attack
29. Data Storage - Attack
30. Data Storage - Defense
31. Data Storage - Defense
   • Databases – Defenses
     • Encryption (SQLCipher)
       • Rewrites crypto into database controller
     • Don’t store sensitive data on the device.
     • Weaknesses
       • Key Storage
32. Data Storage - NSUserDefaults
   • Property Lists - Code
33. Data Storage - Attack
   • Property Lists
34. Data Storage - Attack
   • Property Lists - idb
35. Data Storage - Defense
   • Property List - Countermeasures
     – Don’t store sensitive data using NSUserDefaults
     – When ignoring rule #1, encrypt the data
     – Use checksums or signatures to validate that data returned from NSUserDefaults is appropriate
     – iOS Keychain
     – For quick Keychain conversion, use a library
       – https://github.com/matthewpalmer/Locksmith
36. Data Storage - Defense
   • Keychain
     – Mac OS X/iOS Password Manager
     – OS enforces security
     – CAREFUL
       • Keychain can be accessed by apps running on jailbroken devices.
       • idb
     – Don’t assume Keychain is secure.
     – Know your Keychain Attributes.
     – Layered Security
       • The application will be used under the worst possible conditions, protect for THAT instance.
37. Data Storage - Defense
   • Keychain Analysis – know your attributes

   Attribute                                         Data is...
   kSecAttrAccessibleWhenUnlocked                    Only accessible when device is unlocked.
   kSecAttrAccessibleAfterFirstUnlock                Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
   kSecAttrAccessibleAlways                          Always accessible.
   kSecAttrAccessibleWhenUnlockedThisDeviceOnly      Only accessible when device is unlocked. Data is not migrated via backups.
   kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly  Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
   kSecAttrAccessibleAlwaysThisDeviceOnly            Always accessible. Data is not migrated via backups.
38. Data Storage - Defense
   • Keychain Analysis – know your attributes (same table as slide 37)
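Slides 35 to 37 together describe one defensive pattern: if data must live in NSUserDefaults, sign it, keep the signing key in the Keychain, and pick the accessibility attribute deliberately. The following is an added example in Swift (not code from the slides or from Swift.nV) that does exactly that with CryptoKit HMAC-SHA256 and a Keychain item stored under kSecAttrAccessibleWhenUnlockedThisDeviceOnly; it assumes an iOS 13+/macOS 10.15+ target, and the service and account strings are placeholders.

```swift
import Foundation
import Security
import CryptoKit   // assumption: iOS 13+ / macOS 10.15+ target

// Added example, not from the slides or Swift.nV. A value that must live in
// UserDefaults is stored with an HMAC-SHA256 tag; the HMAC key lives in the
// Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly (unavailable
// while locked, not migrated via backups). A plist edited on disk then fails
// verification instead of being trusted. Service/account names are placeholders.
enum SignedDefaults {
    static let service = "com.example.signeddefaults"   // placeholder
    static let account = "hmac-key"                      // placeholder
    enum KeychainError: Error { case status(OSStatus) }

    /// Load the HMAC key from the Keychain, generating and storing it on first use.
    static func hmacKey() throws -> SymmetricKey {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
        ]
        var result: CFTypeRef?
        if SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
           let data = result as? Data {
            return SymmetricKey(data: data)
        }
        let key = SymmetricKey(size: .bits256)
        query.removeValue(forKey: kSecReturnData as String)
        query[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
        return key
    }
    /// Store the value together with a detached tag under "<key>.mac".
    static func set(_ value: String, forKey key: String) throws {
        let data = Data(value.utf8)
        let mac = HMAC<SHA256>.authenticationCode(for: data, using: try hmacKey())
        UserDefaults.standard.set(data, forKey: key)
        UserDefaults.standard.set(Data(mac), forKey: key + ".mac")
    }
    /// Return the value only if its tag verifies; nil means missing or tampered.
    static func get(_ key: String) throws -> String? {
        let defaults = UserDefaults.standard
        guard let data = defaults.data(forKey: key),
              let mac = defaults.data(forKey: key + ".mac"),
              HMAC<SHA256>.isValidAuthenticationCode(mac, authenticating: data, using: try hmacKey())
        else { return nil }
        return String(decoding: data, as: UTF8.self)
    }
}
```

As slide 36 warns, the Keychain itself is readable on a jailbroken device, so this detects plist tampering but does not make the stored value secret; encrypt it as well if it is sensitive.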
39. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
40. Network Communications
   • M3 - Insufficient Transport Layer Protection
   • Are network communications secure?
     • Encryption (or not)
     • Key Handling
     • Ciphers
     • Proxy Communication
41. CodeMash Scanner?
42. Become a Sponsor!
43. Network Communications
   • LIVE DEMO
   • Device: Jailbroken iPod Touch
   • Proxy: Burp Suite Pro
   • App: CodeMash Scanner
44. Volunteers?
45. Whoops
46. Network Communications
   • Issues Exploited during demo
   • Proxied Communications
     • Do NOT require Jailbreak
     • Corporations implement proxies all the time
     • Accepting a proxy’s CA cert == full access to traffic
   • Certificate Pinning
     • App doesn’t ensure traffic isn’t being messed with.
     • Can be defeated with jailbroken device
   • Web Service Vulnerabilities
     • Missing Function Level Access Control
     • Insecure Direct Object Reference
47. Network Communications
48. Network Communications
   • Defense
     – Good: Use an Internal Certificate Authority and create certificates for all environments.
     – Better: Buy actual certificates for all environments
     – Best: Pin the Certificate within the application to public certificate or CA.
   continueWithoutCredentialForAuthenticationChallenge == BAD
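The "Best" option on slide 48, pinning the certificate inside the app, as an added Swift example (not code from the slides or Swift.nV). It uses a URLSession delegate, the modern equivalent of the NSURLConnection callback the slide names: the system validates the chain first, then the leaf certificate is compared byte-for-byte to a pinned copy assumed to ship in the bundle as "pinned.der" (placeholder name); a mismatch cancels the challenge rather than continuing without credentials.

```swift
import Foundation
import Security

// Added example, not from the slides. Pins the server's leaf certificate to a
// DER file bundled with the app (placeholder name "pinned.der").
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedDER: Data
    init(pinnedDER: Data) { self.pinnedDER = pinnedDER }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a TLS server-trust challenge
            return
        }
        // 1. Standard chain validation: trusted root, hostname, expiry.
        guard SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin check: the presented leaf must match the bundled certificate exactly.
        //    (SecTrustGetCertificateAtIndex is deprecated from iOS 15; SecTrustCopyCertificateChain
        //    is the newer call. Pinning the leaf means shipping an update when it rotates;
        //    pinning the CA, as the slide also suggests, avoids that at some loss of strictness.)
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              (SecCertificateCopyData(leaf) as Data) == pinnedDER else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // never "continue without credential"
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Build a session whose every TLS connection is checked against the bundled pin.
func makePinnedSession() -> URLSession? {
    guard let url = Bundle.main.url(forResource: "pinned", withExtension: "der"),
          let der = try? Data(contentsOf: url) else { return nil }
    return URLSession(configuration: .ephemeral,
                      delegate: PinningDelegate(pinnedDER: der),
                      delegateQueue: nil)
}
```

With this delegate in place, a proxy whose CA the user has accepted (slide 46) still fails step 2, because the proxy-issued leaf does not match the pin.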
49. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
50. Client Side Injection
   • M7 - Client Side Injection
   • Fuzzing all application inputs
     • Text Fields
     • URLSchemes
     • Stored Data (DBs, PLists, etc)
   • Multiple Types
     • XSS/HTML
     • XML/JSON
     • ...
51. Injection
   • Text Field Injection
     – Manually intensive
52. Client Side Injection
   • URLScheme Injection
     • Safari FTW!
     • Still manual
     • location bar
     • Fuzz URL values
     • Info.plist
53. Client Side Injection
54. Client Side Injection
55. Client Side Injection
   • Demo - Injection with Swift.nV
56. Client Side Injection
   • Defense
     • Input Validation
     • Don’t trust the user
     • Input Validation
     • Output Encoding
     • Input Validation
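Slides 50 to 56 cover the URL-scheme entry point and the two defenses, input validation and output encoding. The following added Swift example (not code from the slides or Swift.nV) shows both applied to a custom scheme handler that renders a query value into a WKWebView: the scheme, host and parameter set are checked against an allow-list, the value must match a strict pattern, and the value is HTML-encoded before it is placed in markup. The scheme name "myapp" and the "profile" host are placeholders.

```swift
import Foundation
import WebKit

// Added example, not from the slides or Swift.nV. Handles "myapp://profile?name=..."
// (placeholder scheme/host) defensively: validate, then encode on output.
enum SchemeHandler {
    static let allowedHosts: Set<String> = ["profile"]
    // Allow-list pattern for the one parameter we accept.
    static let namePattern = try! NSRegularExpression(pattern: "^[A-Za-z0-9_]{1,32}$")

    /// Returns the validated name, or nil if the URL is not one we expect.
    static func validatedName(from url: URL) -> String? {
        guard url.scheme == "myapp", let host = url.host, allowedHosts.contains(host),
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              items.count == 1, items[0].name == "name", let name = items[0].value else {
            return nil
        }
        let range = NSRange(name.startIndex..., in: name)
        return namePattern.firstMatch(in: name, range: range) != nil ? name : nil
    }

    /// Minimal HTML output encoding, safe for text nodes and quoted attributes.
    /// Kept even though the allow-list already excludes these characters:
    /// validation and encoding are separate layers.
    static func htmlEncode(_ s: String) -> String {
        var out = ""
        for c in s {
            switch c {
            case "&": out += "&amp;"
            case "<": out += "&lt;"
            case ">": out += "&gt;"
            case "\"": out += "&quot;"
            case "'": out += "&#39;"
            default: out.append(c)
            }
        }
        return out
    }

    /// Build the page only from validated, encoded data; reject anything else.
    static func load(_ url: URL, into webView: WKWebView) {
        guard let name = validatedName(from: url) else { return } // reject, do not "fix up"
        let html = "<html><body><h1>Hello, \(htmlEncode(name))</h1></body></html>"
        webView.loadHTMLString(html, baseURL: nil)
    }
}
```

Fuzzing the scheme from Safari's location bar, as slide 52 describes, should then produce only rejected loads rather than markup or script in the page.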
57. Client Side Injection
58. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
59. Privacy
   • Revealing of PII
   • Location Information
   • Shoulder surfing
   • Physical Access
     • Background screenshots
     • Borrowed Phone attacks
     • Backups/Logs
60. FRIENDS DON’T LET FRIENDS LEAVE THEIR PHONE BEHIND
61. Background Screenshots
62. Logs
63. Logs
64. iOS Backup Analyzer
65. iOS Backup Analyzer
66. Privacy - Defense
   • Mask mask mask
   • No NSLog in production apps
   • What is stored on the device is also stored in the backup
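The three privacy defenses on slide 66, plus the background-screenshot issue from slides 59 and 61, as one added Swift example (not code from the slides or Swift.nV): a PII masking helper, a log wrapper that compiles out of release builds so NSLog output never reaches the console log, and a cover view placed over the window when the app resigns active so the snapshot iOS takes for the app switcher shows nothing sensitive. It assumes UIKit and iOS 13+ (for .systemBackground).

```swift
import UIKit

// Added example, not from the slides or Swift.nV.

/// "Mask mask mask": show only the last `visible` characters of a PII value.
func mask(_ value: String, visible: Int = 4) -> String {
    let keep = min(visible, value.count)
    return String(repeating: "*", count: value.count - keep) + value.suffix(keep)
}

/// "No NSLog in production apps": the body is compiled out unless DEBUG is set,
/// and the autoclosure means the message is not even built in release builds.
func debugLog(_ message: @autoclosure () -> String) {
    #if DEBUG
    NSLog("%@", message())
    #endif
}

/// Background screenshots: iOS snapshots the UI when the app leaves the
/// foreground. Covering the window first keeps PII out of that image.
final class PrivacyShield {
    private var cover: UIView?

    /// Call from applicationWillResignActive / sceneWillResignActive.
    func cover(window: UIWindow?) {
        guard let window = window, cover == nil else { return }
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .systemBackground   // iOS 13+
        window.addSubview(view)
        cover = view
    }

    /// Call from applicationDidBecomeActive / sceneDidBecomeActive.
    func uncover() {
        cover?.removeFromSuperview()
        cover = nil
    }
}
```

The masked form is what should reach both the screen and any log line, since, as the slide notes, whatever is stored on the device also ends up in the backup.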
67. Agenda
   • Tools
   • Application Anatomy
   • Data Storage
   • Network Communications
   • Client Side Injection
   • Privacy
68. Other Mobile Concerns
   • Authentication
   • Authorization
   • Binary Protections
   • Cryptography
   • Unintended Functionality
   • Untrusted Input
69. Conclusion
   Security is hard.
   Try harder.
70. Thanks
   • Questions?
   • Contact:
     • Seth Law
     • Email: seth@nvisium.com
     • Twitter: @sethlaw