SECURITY ISSUES IN MOBILE APPLICATIONS
HACKERSULI, APRIL 2024
INTRODUCTION TO IOS
▸ Apple is a very strict vendor
▸ No unauthorized updates and app installation
▸ Strictly one iCloud account per device
▸ Since 2024, alternate app stores are allowed (sideloading)
▸ Apple oversees
▸ The hw, the OS, the API, all the external services (iCloud, iMessage, etc.)
IOS BASICS
▸ iOS is a full 64-bit OS, based on XNU, a hybrid of FreeBSD and Mach kernels
▸ Lots of restrictions on what apps can do
▸ Kernel level protections in place to separate apps
▸ iOS sandboxing in place (Seatbelt) in a Mandatory Access Control approach
▸ iOS is a closely controlled app ecosystem
▸ Only Apple provided apps can be used (on non-jailbroken devices at least)
▸ Apple controls each OS and app installation on every device, every time
IOS AND JAILBREAK
iOS16 Jailbreak available
IOS BASICS - THE SECURE ENCLAVE
▸ A Trusted Processing Module
▸ A separate computer with its own RAM, ROM, power supply, DMA channels etc.
▸ Takes its code from the main iOS image in an encrypted format (SEPOS)
▸ The keys leaked in 2017
▸ Performs cryptographic operations
▸ The keys never leave the unit
▸ Bundled with the Keychain, the disk encryption engine, the TouchID/FaceID etc.
▸ Even the RAM memory pages are encrypted
IOS DATA STORAGE - WHAT DOES AN APP STORE?
▸ What your code in the app stores intentionally
▸ Whatever is in the app bundle (connection strings, API keys etc.), Documents,
NSUserDefaults, NSData, CoreData etc., material in the Keychain
▸ What your code frameworks happen to store
▸ Cookies, WebKit caches, Logs (local logs, NSLog etc.)
▸ What the 3rd party SDKs store in your app
▸ Logs, Analytics data, Ad cookies, caches etc.
IOS DATA STORAGE - INFORMATION IN THE BUNDLE
▸ A React Native app with Firebase back-end
▸ An excerpt from the config XML
IOS BASICS - FULL DISK ENCRYPTION
▸ Full disk encryption
▸ Every file is AES encrypted with a unique key
▸ Transparent from a developer/user point of view
▸ The hardware key is incorporated (not brute-forcible offline)
▸ The users’ PIN is incorporated
▸ One of the coolest bits of engineering in consumer devices
IOS BASICS - SECURE DATA STORAGE
▸ The sandbox
▸ Not possible for the app to reach out of its sandbox, kernel level protection
mechanisms
▸ Apple has to vouch for any app
▸ From iOS8
▸ App binaries: /var/containers/Bundle/Application
▸ Sandboxes: /var/mobile/Containers/Data/Application/
IOS BASICS - SECURE DATA STORAGE
▸ How can sandboxes leave the device?
▸ iCloud backups
▸ Local backups
▸ (Local direct access to the sandboxes)
IOS BASICS - SECURE DATA STORAGE
▸ Typical issues
▸ Sensitive data (passwords, tokens, private keys, etc.) in the sandbox
▸ Application state serialised to NSUserDefaults.plist
▸ Local application PIN bypass
▸ Failed authentication attempts bypass
IOS BASICS - SECURE DATA STORAGE
▸ https://apps.apple.com/us/app/bither-bitcoin-wallet/id899478936
▸ Local PIN screen can be bypassed by manually editing the NSUserDefaults
IOS BASICS - TLS IOS
▸ App Transport Security
▸ No plain-text connections are allowed.
▸ The X.509 Certificate has a SHA256 fingerprint and must be signed with at
least a 2048-bit RSA key or a 256-bit Elliptic-Curve Cryptography (ECC) key.
▸ Transport Layer Security (TLS) version must be 1.2 or above and must
support Perfect Forward Secrecy (PFS) through Elliptic Curve Diffie-Hellman
Ephemeral (ECDHE) key exchange and AES-128 or AES-256 symmetric ciphers.
IOS BASICS - TLS IOS
▸ ATS exceptions can be requested manually
▸ Apple requires manual review of apps for plain-text traffic
▸ “An application that loads encrypted media content that contains no
personalized information
▸ Connections to devices that cannot be upgraded to use secure connections
▸ Connection to a server that is managed by another entity and does not
support secure connections”
IOS BASICS - TLS IOS
▸ App Transport Security in practice
▸ No plain-text HTTP connections
▸ No self-signed certificates
▸ Only OS-trusted anchors are accepted
▸ Perfect Forward Secrecy is enforced
▸ In theory, it is possible to use your own CA, but definitely not recommended
IOS BASICS - TLS IOS
▸ Certificate Pinning
▸ Provides protection for cases when a CA gets compromised
▸ We pin one CA, a leaf cert or the entire chain
▸ The CA still needs to be trusted by the OS
▸ Can be implemented in the info.plist
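As an added example (not from the slides), a Python check that reads an Info.plist, reports the ATS exceptions that weaken the guarantees listed above and lists what NSPinnedDomains pins; the plist, the domain names and the SPKI hash are constructed placeholders.

```python
import plistlib

# Constructed Info.plist fragment for this example (not from any real app).
# Domain names and the SPKI hash are placeholders.  On iOS 14 and later the
# NSPinnedDomains dictionary pins CA or leaf SubjectPublicKeyInfo hashes
# declaratively, without any networking code in the app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
    <key>NSPinnedDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSPinnedCAIdentities</key>
        <array>
          <dict>
            <key>SPKI-SHA256-BASE64</key>
            <string>PLACEHOLDER_CA_SPKI_SHA256_BASE64=</string>
          </dict>
        </array>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# TLS versions below the ATS default of 1.2
WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes: bytes) -> dict:
    """Report ATS exceptions that weaken transport security and summarise the
    pinned domains.  Returns {"findings": [...], "pinned": {domain: {...}}}."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is off for every domain")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plain-text HTTP allowed (App Review must approve it)")
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {rules['NSExceptionMinimumTLSVersion']}")
        # the key defaults to true; only an explicit false switches PFS off
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy requirement switched off")
    pinned = {}
    for domain, rules in ats.get("NSPinnedDomains", {}).items():
        identities = rules.get("NSPinnedCAIdentities", []) + rules.get("NSPinnedLeafIdentities", [])
        pins = [i["SPKI-SHA256-BASE64"] for i in identities if "SPKI-SHA256-BASE64" in i]
        pinned[domain] = {"subdomains": bool(rules.get("NSIncludesSubdomains")), "pins": pins}
        if not pins:
            findings.append(f"{domain}: listed in NSPinnedDomains but has no SPKI hash, nothing is pinned")
    return {"findings": findings, "pinned": pinned}
```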
IOS - DEEP LINKING
▸ When a link allows an app to directly navigate the user to a subview
▸ iOS supports two methods
▸ Custom URL handlers reddit://
▸ Deep linking https://www.reddit.com/whatever
▸ Kind-of-IPC on iOS
▸ Developers need to specify what the app does in the following call
IOS - DEEP LINKING
▸ NSURL provides a secure way to parse URLs
▸ But... URL parsed manually?
▸ ?param1=value1&param1=value2&param1=value3
▸ ?param1=value1=value2=value3
▸ Arbitrary navigation within the app?
SCHEME://LOGIN:PASSWORD@ADDRESS:PORT/PATH/TO/RESOURCE?QUERYSTRING#FRAGMENT
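The two malformed query strings above run through a hand-rolled parser and through the standard-library one, followed by an allow-listed route resolver, as an added Python example that is not from the slides; the `myapp` scheme, the host `www.example.com` and the route names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: the app registers the custom scheme "myapp",
# its https deep links live on www.example.com, and only these screens may be
# reached from a link.  Privileged screens (settings, debug) are not listed.
APP_SCHEME = "myapp"
APP_HOST = "www.example.com"
ALLOWED_ROUTES = {"post", "user", "search"}


def naive_params(query: str) -> dict:
    """The hand-rolled parser the slide warns about: split on '&', then on '='.
    Repeated keys silently overwrite earlier values and anything after a second
    '=' is dropped, so this parser and the server may read one link differently."""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        parts = pair.split("=")
        out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out


def strict_params(query: str) -> dict:
    """Standard-library parsing keeps every value of a repeated key and splits
    each pair on the first '=' only, so nothing is lost before we decide."""
    return parse_qs(query, keep_blank_values=True)


def resolve_deep_link(url: str):
    """Turn an incoming link into (route, path segments, params) or None.

    None is returned for an unknown scheme, a foreign host, a route that is
    not on the allow-list, or a query with repeated keys: ambiguous input is
    rejected rather than guessed at."""
    parts = urlsplit(url)
    if parts.scheme == APP_SCHEME:
        # myapp://post/123 -> the "host" part is the route
        segments = [parts.netloc] + [s for s in parts.path.split("/") if s]
    elif parts.scheme == "https":
        # Compare the parsed hostname, not the raw netloc: in
        # https://www.example.com@evil.example.net/ the real host is evil.example.net
        if parts.hostname != APP_HOST:
            return None
        segments = [s for s in parts.path.split("/") if s]
    else:
        return None
    if not segments or segments[0] not in ALLOWED_ROUTES:
        return None
    params = strict_params(parts.query)
    if any(len(v) != 1 for v in params.values()):
        return None
    return segments[0], segments[1:], {k: v[0] for k, v in params.items()}
```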
INTRODUCTION - ANDROID
▸ Freedom for users
▸ No centralised app management, no mandated app store (unlike iOS)
▸ No centralised enforcement of OS versions
▸ Gives real, impactful decisions to users
▸ Security features
▸ Encryption
▸ Device administrator application
ANDROID THREATS
▸ Negligent users, users not installing patches or manually disabling features
▸ Physical theft and stolen devices
▸ Hostile network environments, Man-in-the-Middle attacks
▸ Negligent vendors, perfectly usable devices with no more updates
▸ Malware attacking legitimate apps, direct attacks on mobile banking apps and
crypto wallets
▸ Fragmented ecosystem
ANDROID BASICS
▸ The OS and hardware vendors are different parties with conflicting interests
▸ No crypto unit enforced
▸ No full disk encryption
▸ Lots of devices with different security features (e.g. facial recognition
cameras or fingerprint readers)
ANDROID - DATA STORAGE
▸ Data storage in the bundle
▸ See the iOS section :)
ANDROID - DATA STORAGE
▸ The sandbox
▸ Should be treated as public, can be found in /data/data/...
▸ On a rooted device, trivial to access
▸ Can be leaked through cloud backups - 3 different policy settings...
▸ allowBackup
▸ android:dataExtractionRules
▸ android:fullBackupContent
ANDROID - DATA STORAGE
▸ External storage
▸ World readable, world writable
▸ Mounted at '/sdcard/'
▸ Scoped storage from Android 10 (Q), but apps can opt out
▸ Due to widespread abuse of the ACCESS_EXTERNAL_STORAGE permission
▸ File path based access model changed
ANDROID - TLS
▸ Network Security Config, NSC
▸ Introduced in 7.0 Nougat
▸ Certificate Pinning trivially achievable
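As an added example (not from the slides), a Python check over a constructed network_security_config.xml that reports cleartext exceptions, user-CA trust outside debug-overrides and an expired pin-set; the domain names and pin values are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed network_security_config.xml for this example (not from any real
# app); domain names and pin values are placeholders.  The file is referenced
# from the manifest through android:networkSecurityConfig.  Since Android 7.0
# apps do not trust user-installed CAs unless the config says so.
SAMPLE_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain>legacy.example.com</domain>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_nsc(xml_bytes: bytes, today: date) -> dict:
    """Check an NSC file for settings that weaken TLS and summarise its pins.

    `today` is a parameter because Android stops enforcing a pin-set after its
    expiration date: connections keep working, pinning is silently off."""
    root = ET.fromstring(xml_bytes)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("base-config: cleartext traffic permitted for all domains")
    pinned = {}
    for cfg in root.findall("domain-config"):
        names = ", ".join(d.text.strip() for d in cfg.findall("domain"))
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{names}: cleartext traffic permitted")
        # user-installed CAs belong under <debug-overrides>, never in a release config
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":
                findings.append(f"{names}: trusts user-installed CAs in a release config")
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            continue
        pins = [p.text.strip() for p in pin_set.findall("pin") if p.get("digest") == "SHA-256"]
        expires = pin_set.get("expiration")
        for d in cfg.findall("domain"):
            pinned[d.text.strip()] = {
                "subdomains": d.get("includeSubdomains") == "true",
                "pins": pins,
                "expires": expires,
            }
        if len(pins) < 2:
            findings.append(f"{names}: only one pin, no backup pin for key rotation")
        if expires and date.fromisoformat(expires) < today:
            findings.append(f"{names}: pin-set expired on {expires}, pinning is no longer enforced")
    return {"findings": findings, "pinned": pinned}
```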
ANDROID - IPC
▸ Permissions
▸ Normal: operates within the sandbox. User approval is not needed, granted automatically
upon installation
▸ Dangerous: involves private data. User approval is needed
▸ Signature: only those apps can use it which were signed using the same certificate as the
definer app. Granted automatically upon installation
▸ SignatureOrSystem: signature + system apps can use the permission. Granted
automatically upon installation
▸ KnownSigner: from 12 (API 31), signer identity can be mandated in the Manifest
ANDROID - IPC, INTENT
▸ A message, delivered to an app component
▸ It can carry information/data or initiate some action
▸ Android uses Intents all over the place
▸ Intent types
▸ Implicit (broadcast, all subscribed components receive the intent)
▸ Explicit (‘app X, activity Y, take this image.')
ANDROID - IPC
▸ Android apps consist of four components
▸ Activities
▸ Services
▸ Content providers
▸ Broadcast listeners
ANDROID - IPC, EXPORTEDNESS
▸ Explicitly exported
▸ Implicitly exported
▸ An exported component will receive all explicit intents
▸ Your Activity expects an image? Prepare it for all sorts of other input types
▸ From Android 14, all components must be explicitly declared for
exportedness
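As an added example (not from the slides) covering both the backup settings listed under Data Storage and the exportedness rules above, a Python lint over a constructed AndroidManifest.xml; the package, component and permission names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed AndroidManifest.xml for this example (not from any real app).
# Package, component and permission names are placeholders.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:allowBackup="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShowLogsActivity" android:exported="true"/>
    <activity android:name=".ImageViewerActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <data android:mimeType="image/*"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.wallet.permission.SYNC"/>
  </application>
</manifest>
"""


def is_launcher(component) -> bool:
    """The MAIN/LAUNCHER activity is exported by design; everything else is suspect."""
    return any(
        cat.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
        for cat in component.iter("category")
    )


def exportedness(component) -> str:
    """'explicit' if android:exported="true"; 'implicit' if the attribute is
    missing but an <intent-filter> is present (the historical default, which
    newer target SDKs no longer accept at build time); otherwise 'no'."""
    value = component.get(ANDROID + "exported")
    if value == "true":
        return "explicit"
    if value is None and component.find("intent-filter") is not None:
        return "implicit"
    return "no"


def lint_manifest(manifest_bytes: bytes) -> dict:
    """Return the backup finding (or None) and the components that any app on
    the device can reach with an explicit intent without holding a permission."""
    root = ET.fromstring(manifest_bytes)
    app = root.find("application")
    backup = None
    # allowBackup defaults to true; without extraction rules the whole sandbox
    # is eligible for cloud and local backup
    if app.get(ANDROID + "allowBackup", "true") == "true" and not (
        app.get(ANDROID + "dataExtractionRules") or app.get(ANDROID + "fullBackupContent")
    ):
        backup = "allowBackup is on with no dataExtractionRules/fullBackupContent"
    exported = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        how = exportedness(comp)
        if how == "no" or is_launcher(comp) or comp.get(ANDROID + "permission"):
            continue
        exported.append((comp.tag, comp.get(ANDROID + "name"), how))
    return {"backup": backup, "exported": exported}
```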
ANDROID - IPC, EXPORTEDNESS ISSUES
▸ Issue: activities with improper bounds checking
▸ The user is presented with an activity (non-privileged one) and is able to
navigate to another, privileged one
▸ Settings menu on the login screen
▸ ‘Show logs’ menu on the login screen
▸ A sensitive Activity is exported and can be directly invoked
ANDROID - IPC, CVE-2013-6271
▸ The lock screen can be bypassed on Android on some Samsung ROMs in
com.android.settings.ChooseLockGeneric:
▸ shell@android:/ $ am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task
ANDROID - IPC, AMAZON PHOTOS APP
▸ Public Activity sends OAuth2 access token to an argument URL
ANDROID - IPC, AMAZON PHOTOS APP
▸ Exploit

More Related Content

Similar to 2024_hackersuli_mobil_ios_android ______

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013STO STRATEGY
 
Identifying Data Leaks in iOS Applications
Identifying Data Leaks in iOS ApplicationsIdentifying Data Leaks in iOS Applications
Identifying Data Leaks in iOS ApplicationsWiley
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
How to install Kaspersky Antivirus.ppt
How to install Kaspersky Antivirus.pptHow to install Kaspersky Antivirus.ppt
How to install Kaspersky Antivirus.pptjhony64281
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013STO STRATEGY
 
Apple threat-landscape
Apple threat-landscapeApple threat-landscape
Apple threat-landscapeAndrey Apuhtin
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer APIWearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer APIkirgy
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...hackersuli
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Building Fast SQL Analytics on Anything with Presto, Alluxio
Building Fast SQL Analytics on Anything with Presto, AlluxioBuilding Fast SQL Analytics on Anything with Presto, Alluxio
Building Fast SQL Analytics on Anything with Presto, AlluxioAlluxio, Inc.
 
Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Ivo Neskovic
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 

Similar to 2024_hackersuli_mobil_ios_android ______ (20)

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
Raspberry pi and AWS
Raspberry pi and AWSRaspberry pi and AWS
Raspberry pi and AWS
 
(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013
 
Identifying Data Leaks in iOS Applications
Identifying Data Leaks in iOS ApplicationsIdentifying Data Leaks in iOS Applications
Identifying Data Leaks in iOS Applications
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
How to install Kaspersky Antivirus.ppt
How to install Kaspersky Antivirus.pptHow to install Kaspersky Antivirus.ppt
How to install Kaspersky Antivirus.ppt
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013
 
From iOS to Android
From iOS to AndroidFrom iOS to Android
From iOS to Android
 
Apple threat-landscape
Apple threat-landscapeApple threat-landscape
Apple threat-landscape
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer APIWearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Building Fast SQL Analytics on Anything with Presto, Alluxio
Building Fast SQL Analytics on Anything with Presto, AlluxioBuilding Fast SQL Analytics on Anything with Presto, Alluxio
Building Fast SQL Analytics on Anything with Presto, Alluxio
 
Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 

More from hackersuli

[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformonhackersuli
 
[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája
[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája
[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiájahackersuli
 
[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchainhackersuli
 
[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx
[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx
[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptxhackersuli
 
[Hackersuli][HUN] GSM halozatok hackelese
[Hackersuli][HUN] GSM halozatok hackelese[Hackersuli][HUN] GSM halozatok hackelese
[Hackersuli][HUN] GSM halozatok hackelesehackersuli
 
Hackersuli Minecraft hackeles kezdoknek
Hackersuli Minecraft hackeles kezdoknekHackersuli Minecraft hackeles kezdoknek
Hackersuli Minecraft hackeles kezdoknekhackersuli
 
HUN Hackersuli - How to hack an airplane
HUN Hackersuli - How to hack an airplaneHUN Hackersuli - How to hack an airplane
HUN Hackersuli - How to hack an airplanehackersuli
 
[HUN][Hackersuli] Cryptocurrency scams
[HUN][Hackersuli] Cryptocurrency scams[HUN][Hackersuli] Cryptocurrency scams
[HUN][Hackersuli] Cryptocurrency scamshackersuli
 
[Hackersuli] [HUN] Windows a szereloaknan
[Hackersuli] [HUN] Windows a szereloaknan[Hackersuli] [HUN] Windows a szereloaknan
[Hackersuli] [HUN] Windows a szereloaknanhackersuli
 
[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok
[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok
[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapokhackersuli
 
[HUN] Hackersuli - Console and arcade game hacking – history, present, future
[HUN] Hackersuli - Console and arcade game hacking – history, present, future[HUN] Hackersuli - Console and arcade game hacking – history, present, future
[HUN] Hackersuli - Console and arcade game hacking – history, present, futurehackersuli
 
Hackersuli - Linux game hacking with LD_PRELOAD
Hackersuli - Linux game hacking with LD_PRELOADHackersuli - Linux game hacking with LD_PRELOAD
Hackersuli - Linux game hacking with LD_PRELOADhackersuli
 
[HUN][hackersuli] Malware avengers
[HUN][hackersuli] Malware avengers[HUN][hackersuli] Malware avengers
[HUN][hackersuli] Malware avengershackersuli
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli
 
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...hackersuli
 
[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...
[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...
[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...hackersuli
 
Kriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicákKriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicákhackersuli
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Hardware hacking 1x1 by Dnet
Hardware hacking 1x1 by DnetHardware hacking 1x1 by Dnet
Hardware hacking 1x1 by Dnethackersuli
 
Hogy néz ki egy pentest meló a gyakorlatban?
Hogy néz ki egy pentest meló a gyakorlatban?Hogy néz ki egy pentest meló a gyakorlatban?
Hogy néz ki egy pentest meló a gyakorlatban?hackersuli
 

More from hackersuli (20)

[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 
[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája
[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája
[HUN[]Hackersuli] Hornyai Alex - Elliptikus görbék kriptográfiája
 
[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain
 
[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx
[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx
[HUN] 2023_Hacker_Suli_Meetup_Cloud_DFIR_Alapok.pptx
 
[Hackersuli][HUN] GSM halozatok hackelese
[Hackersuli][HUN] GSM halozatok hackelese[Hackersuli][HUN] GSM halozatok hackelese
[Hackersuli][HUN] GSM halozatok hackelese
 
Hackersuli Minecraft hackeles kezdoknek
Hackersuli Minecraft hackeles kezdoknekHackersuli Minecraft hackeles kezdoknek
Hackersuli Minecraft hackeles kezdoknek
 
HUN Hackersuli - How to hack an airplane
HUN Hackersuli - How to hack an airplaneHUN Hackersuli - How to hack an airplane
HUN Hackersuli - How to hack an airplane
 
[HUN][Hackersuli] Cryptocurrency scams
[HUN][Hackersuli] Cryptocurrency scams[HUN][Hackersuli] Cryptocurrency scams
[HUN][Hackersuli] Cryptocurrency scams
 
[Hackersuli] [HUN] Windows a szereloaknan
[Hackersuli] [HUN] Windows a szereloaknan[Hackersuli] [HUN] Windows a szereloaknan
[Hackersuli] [HUN] Windows a szereloaknan
 
[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok
[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok
[HUN][Hackersuli] Szol a szoftveresen definialt radio - SDR alapok
 
[HUN] Hackersuli - Console and arcade game hacking – history, present, future
[HUN] Hackersuli - Console and arcade game hacking – history, present, future[HUN] Hackersuli - Console and arcade game hacking – history, present, future
[HUN] Hackersuli - Console and arcade game hacking – history, present, future
 
Hackersuli - Linux game hacking with LD_PRELOAD
Hackersuli - Linux game hacking with LD_PRELOADHackersuli - Linux game hacking with LD_PRELOAD
Hackersuli - Linux game hacking with LD_PRELOAD
 
[HUN][hackersuli] Malware avengers
[HUN][hackersuli] Malware avengers[HUN][hackersuli] Malware avengers
[HUN][hackersuli] Malware avengers
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
 
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
 
[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...
[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...
[Hackersuli][HUN] Greasemonkey, avagy fogod majd a fejed, hogy miért nem hasz...
 
Kriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicákKriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicák
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Hardware hacking 1x1 by Dnet
Hardware hacking 1x1 by DnetHardware hacking 1x1 by Dnet
Hardware hacking 1x1 by Dnet
 
Hogy néz ki egy pentest meló a gyakorlatban?
Hogy néz ki egy pentest meló a gyakorlatban?Hogy néz ki egy pentest meló a gyakorlatban?
Hogy néz ki egy pentest meló a gyakorlatban?
 

Recently uploaded

一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样Fi
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样AS
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理SS
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书AS
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirtrahman018755
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodierahman018755
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理AS
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样AS
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理A
 
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Dewi Agency
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfe-Market Hub
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样AS
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样AS
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样AS
 

Recently uploaded (20)

一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
 
Washington Football Commanders Redskins Feathers Shirt
2024_hackersuli_mobil_ios_android

  • 1. SECURITY ISSUES IN MOBILE APPLICATIONS HACKERSULI, APRIL 2024
  • 2. HACKERSULI, APRIL 2024 INTRODUCTION TO IOS
    ▸ Apple is a very strict vendor
    ▸ No unauthorized updates and app installation
    ▸ Strictly one iCloud account per device
    ▸ Since 2024, alternate app stores are allowed (sideloading)
    ▸ Apple oversees
    ▸ The hw, the OS, the API, all the external services (iCloud, iMessage, etc.)
  • 3. HACKERSULI, APRIL 2024 IOS BASICS
    ▸ iOS is a full 64-bit OS, based on XNU, a hybrid of FreeBSD and Mach kernels
    ▸ Lots of restrictions on what apps can do
    ▸ Kernel level protections in place to separate apps
    ▸ iOS sandboxing in place (Seatbelt) in a Mandatory Access Control approach
    ▸ iOS is a closely controlled app ecosystem
    ▸ Only Apple provided apps can be used (on non-jailbroken devices at least)
    ▸ Apple controls each OS and app installation on every device, every time
  • 4. HACKERSULI, APRIL 2024 IOS AND JAILBREAK iOS16 Jailbreak available
  • 5. HACKERSULI, APRIL 2024 IOS BASICS - THE SECURE ENCLAVE
    ▸ A Trusted Processing Module
    ▸ A separate computer with its own RAM, ROM, power supply, DMA channels etc.
    ▸ Takes its code from the main iOS image in an encrypted format (SEPOS)
    ▸ The keys leaked in 2017
    ▸ Performs cryptographic operations
    ▸ The keys never leave the unit
    ▸ Bundled with the Keychain, the disk encryption engine, the TouchID/FaceID etc.
    ▸ Even the RAM memory pages are encrypted
  • 6. HACKERSULI, APRIL 2024 IOS BASICS - THE SECURE ENCLAVE
  • 7. HACKERSULI, APRIL 2024 IOS DATA STORAGE - WHAT DOES AN APP STORE?
    ▸ What your code in the app stores intentionally
    ▸ Whatever is in the app bundle (connect strings, API keys etc.), Documents, NSUserDefaults, NSData, CoreData etc., Material in the KeyChain
    ▸ What your code frameworks happen to store
    ▸ Cookies, WebKit caches, Logs (local logs, NSLog etc.)
    ▸ What the 3rd party SDKs store in your app
    ▸ Logs, Analytics data, Ad cookies, caches etc.
  • 8. HACKERSULI, APRIL 2024 IOS DATA STORAGE - INFORMATION IN THE BUNDLE
  • 9. HACKERSULI, APRIL 2024 IOS DATA STORAGE - INFORMATION IN THE BUNDLE
    ▸ A React Native app with Firebase back-end
    ▸ An excerpt from the config XML
  • 10. HACKERSULI, APRIL 2024 IOS DATA STORAGE - INFORMATION IN THE BUNDLE
  • 11. HACKERSULI, APRIL 2024 IOS DATA STORAGE - INFORMATION IN THE BUNDLE
  • 12. HACKERSULI, APRIL 2024 IOS DATA STORAGE - INFORMATION IN THE BUNDLE
  • 13. HACKERSULI, APRIL 2024 IOS DATA STORAGE - INFORMATION IN THE BUNDLE
  • 14. HACKERSULI, APRIL 2024 IOS BASICS - FULL DISK ENCRYPTION
    ▸ Full disk encryption
    ▸ Every file is AES encrypted with a unique key
    ▸ Transparent from a developer/user point of view
    ▸ The hardware key is incorporated (not brute-forcible offline)
    ▸ The user's PIN is incorporated
    ▸ One of the coolest bits of engineering in consumer devices
  • 15. HACKERSULI, APRIL 2024 IOS BASICS - FULL DISK ENCRYPTION
  • 16. HACKERSULI, APRIL 2024 IOS BASICS - SECURE DATA STORAGE
    ▸ The sandbox
    ▸ Not possible for the app to reach out of its sandbox, kernel level protection mechanisms
    ▸ Apple has to vouch for any app
    ▸ From iOS8
    ▸ App binaries: /var/containers/Bundle/Application
    ▸ Sandboxes: /var/mobile/Containers/Data/Application/
  • 17. HACKERSULI, APRIL 2024 IOS BASICS - SECURE DATA STORAGE
    ▸ How can sandboxes leave the device?
    ▸ iCloud backups
    ▸ Local backups
    ▸ (Local direct access to the sandboxes)
  • 18. HACKERSULI, APRIL 2024 IOS BASICS - SECURE DATA STORAGE
    ▸ Typical issues
    ▸ Sensitive data (passwords, tokens, private keys, etc.) in the sandbox
    ▸ Application state serialised to NSUserDefaults.plist
    ▸ Local application PIN bypass
    ▸ Failed authentication attempts bypass
  • 19. HACKERSULI, APRIL 2024 IOS BASICS - SECURE DATA STORAGE
    ▸ https://apps.apple.com/us/app/bither-bitcoin-wallet/id899478936
    ▸ Local PIN screen can be bypassed through manually editing the NSUserDefaults
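A defender-side check for the issues on slides 18 and 19, added here as an example that is not part of the presentation: a Python script that parses an NSUserDefaults-style property list (a constructed sample embedded inline, standing in for the `<bundle id>.plist` an app writes under `Library/Preferences` in its sandbox) and flags keys that hold secrets or authentication and lockout state. The key names and the pattern lists are assumptions; the point is that anything the local PIN screen or the attempt counter relies on must not live in a plain-text file that travels with backups.

```python
"""Audit an NSUserDefaults-style property list for secrets and trust state.

Added example, not the presentation's code. SAMPLE_PLIST is a constructed
stand-in for the <bundle id>.plist an app writes under Library/Preferences
in its sandbox; the key names are assumptions.
"""
import plistlib
import re

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>theme</key><string>dark</string>
  <key>pinEnabled</key><true/>
  <key>pin</key><string>1234</string>
  <key>isAuthenticated</key><true/>
  <key>failedAttempts</key><integer>2</integer>
  <key>session</key>
  <dict>
    <key>accessToken</key><string>CONSTRUCTED-ACCESS-TOKEN</string>
  </dict>
  <key>wallet</key>
  <dict>
    <key>privateKey</key><string>CONSTRUCTED-PRIVATE-KEY</string>
  </dict>
</dict>
</plist>
"""

# Secrets never belong in NSUserDefaults: the file is plain text inside the
# sandbox and is carried along by local and iCloud backups. Use the Keychain.
SECRET_PATTERNS = (r"pass(word|code|phrase)?$", r"^pin$", r"token", r"secret",
                   r"private.?key", r"api.?key", r"mnemonic")
# Trust decisions persisted here can be flipped by anyone who can edit the
# file (backup extraction, jailbroken device): that is the PIN bypass above.
STATE_PATTERNS = (r"authenticated", r"logged.?in", r"unlock", r"failed.?attempts",
                  r"locked", r"verified")


def walk(node, path=""):
    """Yield (dotted.path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit(plist_bytes):
    """Return (severity, key path, reason) tuples for risky entries."""
    findings = []
    for path, _value in walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit(".", 1)[-1].lower()   # match on the key name only
        if any(re.search(p, leaf) for p in SECRET_PATTERNS):
            findings.append(("HIGH", path, "secret stored outside the Keychain"))
        elif any(re.search(p, leaf) for p in STATE_PATTERNS):
            findings.append(("MEDIUM", path, "auth/lockout state is locally editable"))
    return findings


if __name__ == "__main__":
    for severity, path, reason in audit(SAMPLE_PLIST):
        print(f"{severity:6} {path:22} {reason}")
```

Run against a real sandbox dump the script is pointed at the app's preferences plist; a "MEDIUM" hit on a key such as `isAuthenticated` is the signal that the app trusts a value the user can rewrite, which is the class of bug slide 19 describes.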
  • 20. HACKERSULI, APRIL 2024 IOS BASICS - TLS IOS
    ▸ App Transport Security
    ▸ No plain-text connections are allowed.
    ▸ The X.509 Certificate has a SHA256 fingerprint and must be signed with at least a 2048-bit RSA key or a 256-bit Elliptic-Curve Cryptography (ECC) key.
    ▸ Transport Layer Security (TLS) version must be 1.2 or above and must support Perfect Forward Secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange and AES-128 or AES-256 symmetric ciphers.
  • 21. HACKERSULI, APRIL 2024 IOS BASICS - TLS IOS
    ▸ ATS exception can be manually requested
    ▸ Apple requires manual review of apps for plain-text traffic
    ▸ “An application that loads encrypted media content that contains no personalized information
    ▸ Connections to devices that cannot be upgraded to use secure connections
    ▸ Connection to a server that is managed by another entity and does not support secure connections”
  • 22. HACKERSULI, APRIL 2024 IOS BASICS - TLS IOS
    ▸ App Transport Security in practice
    ▸ No plain-text HTTP connections
    ▸ No self-signed certificates
    ▸ Only the trust anchors accepted by the OS are accepted
    ▸ Perfect Forward Secrecy is enforced
    ▸ In theory, it is possible to use your own CA, but definitely not recommended
  • 23. HACKERSULI, APRIL 2024 IOS BASICS - TLS IOS
    ▸ Certificate Pinning
    ▸ Provides protection for cases when a CA gets compromised
    ▸ We pin one CA, a leaf cert or the entire chain
    ▸ The CA still needs to be trusted by the OS
    ▸ Can be implemented in the info.plist
  • 24. HACKERSULI, APRIL 2024 IOS BASICS - TLS IOS
    ▸ Certificate Pinning
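Slides 20 to 24 describe what ATS enforces and that pinning is declared in Info.plist. As an added example, not the presentation's own material, the Python checker below reads an Info.plist (a constructed sample inline) and reports the ATS weakenings a reviewer looks for (`NSAllowsArbitraryLoads`, per-domain HTTP exceptions, lowered TLS minimum, waived forward secrecy) together with gaps in the `NSPinnedDomains` declaration. The key names are Apple's documented ATS and pinning keys; the domains and SPKI hashes are placeholders, and the "backup pin" rule is a general recommendation rather than anything the slides state.

```python
"""Audit an iOS Info.plist for ATS weakenings and pinning gaps.

Added example, not the presentation's code. The plist is constructed; the
domains and SPKI hashes are placeholders. The dictionary keys are Apple's
documented NSAppTransportSecurity / NSPinnedDomains keys.
"""
import plistlib

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.test</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
    <key>NSPinnedDomains</key>
    <dict>
      <key>api.example.test</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSPinnedCAIdentities</key>
        <array>
          <dict><key>SPKI-SHA256-BASE64</key><string>PLACEHOLDER-CA-PIN=</string></dict>
        </array>
      </dict>
      <key>cdn.example.test</key>
      <dict>
        <key>NSPinnedLeafIdentities</key>
        <array/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

WEAK_TLS = ("TLSv1.0", "TLSv1.1")   # ATS default minimum is TLS 1.2


def audit_ats(plist_bytes):
    """Return (severity, domain, reason) findings for the ATS dictionary."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "*", "NSAllowsArbitraryLoads switches ATS off for every host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("MEDIUM", "*", "ATS switched off for web view content"))
    # Per-domain exceptions: each one needs the App Review justification slide 21 quotes.
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("HIGH", domain, "plain-text HTTP allowed"))
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(("MEDIUM", domain, f"minimum TLS lowered to {tls}"))
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("LOW", domain, "forward secrecy requirement waived"))
    # Pinning: a domain listed without any SPKI hash pins nothing at all.
    for domain, cfg in ats.get("NSPinnedDomains", {}).items():
        identities = cfg.get("NSPinnedCAIdentities", []) + cfg.get("NSPinnedLeafIdentities", [])
        hashes = [i["SPKI-SHA256-BASE64"] for i in identities if i.get("SPKI-SHA256-BASE64")]
        if not hashes:
            findings.append(("HIGH", domain, "pinned domain declares no SPKI hash"))
        elif len(hashes) < 2:
            findings.append(("LOW", domain, "single pin, no backup pin for key rotation"))
    return findings


if __name__ == "__main__":
    for severity, domain, reason in audit_ats(SAMPLE_INFO_PLIST):
        print(f"{severity:6} {domain:22} {reason}")
```

As slide 23 notes, the pinned CA must still chain to a trust anchor the OS accepts; the plist check above only tells you whether the pin is declared, not whether the certificate the server actually presents matches it.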
  • 25. HACKERSULI, APRIL 2024 IOS - DEEP LINKING
    ▸ When a link allows an app to directly navigate the user to a subview
    ▸ iOS supports two methods
    ▸ Custom URL handlers reddit://
    ▸ Deep linking https://www.reddit.com/whatever
    ▸ Kind-of-IPC on iOS
  • 26. HACKERSULI, APRIL 2024 IOS - DEEP LINKING
    ▸ Developers need to specify what to do in the following call
  • 27. HACKERSULI, APRIL 2024 IOS - DEEP LINKING
    ▸ NSURL provides a secure way to parse URLs
    ▸ But... URL parsed manually?
    ▸ ?param1=value1&param1=value2&param1=value3
    ▸ ?param1=value1=value2=value3
    ▸ Arbitrary navigation within the app?
    SCHEME://LOGIN.PASSWORD@ADDRESS:PORT/PATH/TO/RESOURCE?QUERYSTRING#FRAGMENT
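The parsing cases on slide 27, as an added example that is not part of the presentation: a deep-link validator written in Python with the standard library's `urllib.parse` (the analogue of the slide's advice to let NSURL parse rather than splitting the string by hand). It rejects the ambiguous shapes the slide lists, repeated parameters, a value containing `=` that a naive `split("=")` would break into pieces, credentials embedded in the authority, and navigation to any screen outside an allow-list. The scheme, host and screen names are assumptions.

```python
"""Strict deep-link validation with a real URL parser.

Added example, not the presentation's code. Scheme, host and screen names
are assumptions; the validator shape is what an app's URL handler should do
before it navigates anywhere.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_SCHEMES = {"exampleapp", "https"}        # custom scheme + universal link (assumed)
ALLOWED_HOSTS = {"app.example.test"}             # assumed
ALLOWED_SCREENS = {"/profile", "/item"}          # only these views are reachable by link (assumed)


def validate_deep_link(url):
    """Return (ok, reason, params); params is a dict only when ok is True."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    # SCHEME://LOGIN.PASSWORD@ADDRESS: userinfo has no business in a deep link
    # and is a classic way to make a hand-rolled parser see the wrong host.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in authority", None
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not allowed", None
    path = unquote(parts.path)
    if ".." in path.split("/"):
        return False, "path traversal", None
    # Arbitrary navigation: the link may only open screens on the allow-list.
    if path not in ALLOWED_SCREENS:
        return False, f"screen {path!r} not linkable", None
    # parse_qsl splits each pair at the FIRST '=', so "ref=a=b=c" is one
    # parameter with value "a=b=c"; a naive str.split("=") would not agree.
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in params:
            # param1=value1&param1=value2: refuse rather than pick first or last.
            return False, f"duplicate parameter {key!r}", None
        params[key] = value
    return True, "ok", params


if __name__ == "__main__":
    for link in (
        "https://app.example.test/profile?id=7",
        "https://app.example.test/profile?id=1&id=2&id=3",
        "https://app.example.test/item?ref=a=b=c",
        "https://login.password@app.example.test/profile",
        "exampleapp://app.example.test/admin",
        "https://app.example.test/profile/../admin",
    ):
        print(link, "->", validate_deep_link(link))
```

Refusing duplicates outright is deliberate: when one component reads the first value and another reads the last, the two disagree about what the user asked for, and that disagreement is what a parameter-pollution payload relies on.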
  • 28. HACKERSULI, APRIL 2024 INTRODUCTION - ANDROID
    ▸ Freedom for users
    ▸ No centralised app management, no mandated app store (like with iOS)
    ▸ No centralised enforcement of OS versions
    ▸ Gives real, impactful decisions to users
    ▸ Security features
    ▸ Encryption
    ▸ Device administrator application
  • 29. HACKERSULI, APRIL 2024 ANDROID THREATS
    ▸ Negligent users, users not installing patches or manually disabling features
    ▸ Physical theft and stolen devices
    ▸ Hostile network environments, Man-in-the-Middle attacks
    ▸ Negligent vendors, perfectly usable devices with no more updates
    ▸ Malware attacking legitimate apps, direct attacks on mobile banking apps and crypto wallets
    ▸ Fragmented ecosystem
  • 30. HACKERSULI, APRIL 2024 ANDROID BASICS
    ▸ The OS and hw vendors are different with contradicting interests
    ▸ No crypto unit enforced
    ▸ No full disk encryption
    ▸ Lots of devices with different security features (e.g. facial recognition cameras or fingerprint readers)
  • 31. HACKERSULI, APRIL 2024 ANDROID - DATA STORAGE
    ▸ Data storage in the bundle
    ▸ See the iOS section :)
  • 32. HACKERSULI, APRIL 2024 ANDROID - DATA STORAGE
    ▸ The sandbox
    ▸ Should be treated as public, can be found in /data/data/...
    ▸ On a rooted device, trivial to access
    ▸ Can be leaked through cloud backups - 3 different policy settings...
    ▸ allowBackup
    ▸ android:dataExtractionRules
    ▸ android:fullBackupContent
  • 34. HACKERSULI, APRIL 2024 ANDROID - DATA STORAGE
    ▸ External storage
    ▸ World readable, world writable
    ▸ Mounted at '/sdcard/'
    ▸ Scoped storage from Android 10 (Q), but can be opted out
    ▸ Due to widespread abuse of the ACCESS_EXTERNAL_STORAGE permission
    ▸ File path based access model changed
  • 35. HACKERSULI, APRIL 2024 ANDROID - TLS
    ▸ Network Security Config, NSC
    ▸ Introduced in 7.0 Nougat
    ▸ Certificate Pinning trivially achievable
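Slide 35 says pinning is "trivially achievable" with the Network Security Config; the flip side is that the same file can quietly weaken transport security. As an added example, not from the presentation, the Python script below parses an NSC XML (a constructed sample inline) and reports the settings a reviewer checks: cleartext traffic permitted, user-installed CAs in the trust anchors (which is what lets an on-path proxy be trusted), domains without a pin-set, single pins without a backup, and an expired pin-set, since Android disables pinning once the `expiration` date passes. Element and attribute names are the real NSC schema; domains, dates and pin values are placeholders.

```python
"""Audit an Android Network Security Config for weakenings and pinning gaps.

Added example, not the presentation's code. The XML is constructed; the
domains, pin values and dates are placeholders. Element/attribute names are
the Network Security Config schema.
"""
import xml.etree.ElementTree as ET
from datetime import date

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set expiration="2023-12-31">
      <pin digest="SHA-256">PLACEHOLDER-ONLY-PIN=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>legacy.example.test</domain>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
"""

USER_CA = "trust-anchors/certificates[@src='user']"


def audit_nsc(xml_text, today=date(2024, 4, 1)):
    """Return (severity, scope, reason) findings; `today` decides pin expiry."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted") == "true":
            findings.append(("HIGH", "base-config", "cleartext traffic permitted by default"))
        if base.find(USER_CA) is not None:
            # User-added CAs are exactly what a MITM proxy installs on the device.
            findings.append(("HIGH", "base-config", "user-installed CAs trusted for all domains"))
    for dc in root.findall("domain-config"):
        scope = ", ".join(d.text.strip() for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(("HIGH", scope, "cleartext traffic permitted"))
        if dc.find(USER_CA) is not None:
            findings.append(("MEDIUM", scope, "user-installed CAs trusted"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(("LOW", scope, "no pin-set"))
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(("LOW", scope, "single pin, no backup pin"))
        expiration = pin_set.get("expiration")
        if expiration and date.fromisoformat(expiration) < today:
            findings.append(("MEDIUM", scope, f"pin-set expired on {expiration}; pinning no longer enforced"))
    return findings


if __name__ == "__main__":
    for severity, scope, reason in audit_nsc(SAMPLE_NSC):
        print(f"{severity:6} {scope:22} {reason}")
```

A `<debug-overrides>` block is not inspected here; it only applies to debuggable builds, but checking that release builds are not debuggable belongs on the same checklist.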
  • 36. HACKERSULI, APRIL 2024 ANDROID - IPC
    ▸ Permissions
    ▸ Normal: operates within the sandbox. User approval is not needed, granted automatically upon installation
    ▸ Dangerous: involves private data. User approval is needed
    ▸ Signature: only those apps can use it which were signed using the same certificate as the definer app. Granted automatically upon installation
    ▸ SignatureOrSystem: signature + system apps can use the permission. Granted automatically upon installation
    ▸ KnownSigner: from 12 (API 31), signer identity can be mandated in the Manifest
  • 37. HACKERSULI, APRIL 2024 ANDROID - IPC, INTENT
    ▸ A message, delivered to an app component
    ▸ It can carry information/data or initiate some action
    ▸ Android uses Intents all over the place
    ▸ Intent types
    ▸ Implicit (broadcast, all subscribed components receive the intent)
    ▸ Explicit (‘app X, activity Y, take this image.’)
  • 38. HACKERSULI, APRIL 2024 ANDROID - IPC
    ▸ Android apps consist of four components
    ▸ Activities
    ▸ Services
    ▸ Content providers
    ▸ Broadcast listeners
  • 39. HACKERSULI, APRIL 2024 ANDROID - IPC, EXPORTEDNESS
    ▸ Explicitly exported
    ▸ Implicitly exported
  • 40. HACKERSULI, APRIL 2024 ANDROID - IPC, EXPORTEDNESS
    ▸ An exported component will receive all explicit intents
    ▸ Your Activity expects an image? Prepare it for all sorts of other input types
    ▸ From Android 14, all components must be explicitly declared for exportedness
  • 41. HACKERSULI, APRIL 2024 ANDROID - IPC, EXPORTEDNESS ISSUES
    ▸ Issue: activities with improper bounds checking
    ▸ The user is presented with an activity (a non-privileged one) and is able to navigate to another, privileged one
    ▸ Settings menu on the login screen
    ▸ ‘Show logs’ menu on the login screen
    ▸ A sensitive Activity is exported and can be directly invoked
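One manifest check that covers both the backup settings on slide 32 and the exportedness material on slides 39 to 41, added here as an example that is not part of the presentation: a Python script that parses an AndroidManifest.xml (a constructed sample inline, with a settings screen and a "show logs" screen modelled on slide 41) and reports `allowBackup` left on with no extraction or backup rules, components that are implicitly exported by an `intent-filter` without an explicit `android:exported`, and components exported without a guarding permission. The launcher activity is exempted because it has to be exported. Component and package names are assumptions; the attribute names are the real manifest schema.

```python
"""Audit an AndroidManifest.xml for backup and exportedness issues.

Added example, not the presentation's code. The manifest is constructed and
its package/component names are assumptions; attribute names are the real
android: manifest schema.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix for android:* attributes
COMPONENTS = ("activity", "service", "provider", "receiver")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <activity android:name=".DebugLogActivity">
      <intent-filter>
        <action android:name="com.example.constructed.SHOW_LOGS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.constructed.SYNC"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.constructed.data"
              android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_launcher(component):
    """True for the home-screen entry point, which must be exported."""
    return any(cat.get(A + "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def audit_manifest(xml_text):
    """Return (severity, component, reason) findings."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    # allowBackup defaults to true: the sandbox then leaves the device via
    # adb/cloud backup unless dataExtractionRules or fullBackupContent limits it.
    if app.get(A + "allowBackup", "true") == "true":
        if not (app.get(A + "dataExtractionRules") or app.get(A + "fullBackupContent")):
            findings.append(("MEDIUM", "application",
                             "allowBackup enabled with no extraction/backup rules"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(A + "name")
        exported = comp.get(A + "exported")
        if exported is None:
            # No explicit attribute: an intent-filter makes the component
            # implicitly exported, which is why newer Android insists on the attribute.
            if comp.find("intent-filter") is not None:
                findings.append(("MEDIUM", name,
                                 f"{comp.tag} implicitly exported by intent-filter; declare android:exported"))
            continue
        if exported == "true" and comp.get(A + "permission") is None and not is_launcher(comp):
            severity = "HIGH" if comp.tag == "provider" else "MEDIUM"
            findings.append((severity, name, f"{comp.tag} exported without a permission"))
    return findings


if __name__ == "__main__":
    for severity, component, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{severity:6} {component:20} {reason}")
```

An exported `SettingsActivity` is the manifest-level version of the slide 41 problem: whether or not the login screen's menu is locked down, the activity can be started directly, so its own code has to verify the session rather than assume the caller did.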
  • 42. HACKERSULI, APRIL 2024 ANDROID - IPC, CVE-2013-6271
    ▸ The lock screen can be bypassed on Android on some Samsung ROMs in com.android.settings.ChooseLockGeneric:
    ▸ shell@android:/ $ am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task
  • 44. HACKERSULI, APRIL 2024 ANDROID - IPC, AMAZON PHOTOS APP
    ▸ Public Activity sends OAuth2 access token to an argument URL
  • 45. HACKERSULI, APRIL 2024 ANDROID - IPC, AMAZON PHOTOS APP
    ▸ Public Activity sends OAuth2 access token to an argument URL
  • 46. HACKERSULI, APRIL 2024 ANDROID - IPC, AMAZON PHOTOS APP
    ▸ Exploit