www.securing.pl
Wojciech Reguła
Building&Hacking
modern iOS apps
@_r3ggi
wojciech.regula@securing.pl
WHOAMI
-Senior IT Security Consultant @ SecuRing
-Focused on iOS apps security
-Blogger https://wojciechregula.blog/
-OWASP SKF contributor
@_r3ggi wojciech.regula@securing.pl
INTRODUCTION
AGENDA
1. iOS platform myths and reality
2. securityProblemsInMASVSCategories.forEach { problem in
2.1 Discuss problem
2.2 Show solution
2.3 Present new Apple WWDC feature
}
3. My new library – iOS Security Suite 🚀
4. Short and long term things to implement in your code
PART I
PLATFORM MYTHS AND REALITY
MYTH #1: APPLE'S REVIEW IS 100% RELIABLE
https://twitter.com/orhaneee/status/1076147994574184449
MYTH #2: THERE IS NO JAILBREAK FOR IOS 11+
https://github.com/pwn20wndstuff/Undecimus
MYTH #3: NO JAILBREAK MEANS NO REVERSING APPS
PART II
SECURE DEVELOPMENT
V1 ARCHITECTURE
SWIFT VS OBJECTIVE-C
-Integer overflow -> runtime error instead of a silent wrap-around
-No direct memory access (unless UnsafePointer is used)
-Format string bugs mitigated through string interpolation
MYTH – SWIFT AUTOOBFUSCATES ITSELF
-There is no obfuscation
-Swift uses "name mangling"
MYTH – SWIFT AUTOOBFUSCATES ITSELF
-Class TestClass
-1 Instance variable
-Constructor
-2 Methods
MYTH – SWIFT AUTOOBFUSCATES ITSELF
- _$ Swift symbol prefix
- Length and module name
- Length and class name
- C = function of a class (method)
- Length and method name
- Parameters and return type
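As an added example (not code from the slides), here is a small Swift parser for exactly the subset of the mangling scheme listed above: it recovers the module, class and method names from a length-prefixed symbol, which is why a stripped Swift binary still reads like source. The `_$s` prefix is Swift 5's (`$S` for Swift 4.2); the sample symbol and the names `main`, `TestClass` and `greet` are constructed for this example.

```swift
import Foundation

struct MangledSymbol {
    var identifiers: [String]   // module, type and member names in order
    var isClassMember: Bool     // a `C` marker followed the type name
    var signature: String       // remaining type encoding (parameters, return type, `F`)
}

// Parses the length-prefixed identifiers described on the slide. Only the
// plain "module / class / method" shape is handled; generics, nested types
// and substitutions are out of scope for this example.
func parseMangledSymbol(_ symbol: String) -> MangledSymbol? {
    var rest = Substring(symbol)
    while rest.first == "_" { rest = rest.dropFirst() }   // object-file underscore
    guard rest.hasPrefix("$s") || rest.hasPrefix("$S") else { return nil }
    rest = rest.dropFirst(2)

    var identifiers: [String] = []
    var isClassMember = false
    while let first = rest.first {
        if first.isNumber {
            // Decimal length, then exactly that many characters of the name.
            let digits = rest.prefix(while: { $0.isNumber })
            guard let length = Int(digits) else { return nil }
            rest = rest.dropFirst(digits.count)
            guard rest.count >= length else { return nil }
            identifiers.append(String(rest.prefix(length)))
            rest = rest.dropFirst(length)
        } else if first == "C", !isClassMember, identifiers.count == 2 {
            isClassMember = true   // the second identifier names a class
            rest = rest.dropFirst()
        } else {
            break                  // everything left is the type signature
        }
    }
    guard !identifiers.isEmpty else { return nil }
    return MangledSymbol(identifiers: identifiers, isClassMember: isClassMember,
                         signature: String(rest))
}

// Constructed input: the mangled form of main.TestClass.greet() -> Swift.String
let sample = "_$s4main9TestClassC5greetSSyF"
if let parsed = parseMangledSymbol(sample) {
    print("module:", parsed.identifiers[0])
    print("type:", parsed.identifiers[1], parsed.isClassMember ? "(class)" : "")
    // after the type come the method name and, if any, its argument labels
    print("member:", parsed.identifiers.dropFirst(2).joined(separator: " "))
    print("signature:", parsed.signature)
}
```

For real binaries the same information is printed by `swift-demangle` from the toolchain; the point is that no secret is hidden by mangling alone.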
MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED
-They can, using for example Frida
-You just need to hook the symbol
DEMO
HTTPS://VIMEO.COM/334861122
TAKEAWAYS
-Binary vulnerabilities mitigated
-Mostly no memory access
-Obfuscation ⬇
https://github.com/rockbruno/swiftshield
AUTOMATED SMS CODE INPUT (WWDC 2018)
-Controversial feature, since another app may get access to the one-time password
-Low risk, but it opens a possibility for social engineering
DEMO
HTTPS://VIMEO.COM/334861389
V2 DATA STORAGE
ON-DEVICE DATA STORAGE
-The most common issue is storing sensitive data on the device that should not be there:
• API Keys
• SSH Keys
• Cloud credentials
• Test env credentials
ON-DEVICE DATA STORAGE
-Sensitive data may be insecurely stored in:
•Info.plist
•User defaults
•Regular files
•Hardcoded into the binary
•Even in the Keychain (as they shouldn't be stored client-side at all)
ON-DEVICE DATA STORAGE
-Directories that are backed up:
• Documents/
• Library/Application Support/
• Library/Preferences/
• Library/*
-Directories not backed up:
• Library/Caches/
• tmp/
CREDENTIAL PROVIDER EXTENSION (WWDC 2018)
-Password managers integrated with native apps
-Set UITextContentType on your text fields
TAKEAWAYS
-No sensitive data in the IPA
-kSecAttrAccessibleWhen… attributes with the ThisDeviceOnly suffix
-UIKit Data Protection
-Credential Providers
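An added example (not the deck's code) that puts the storage takeaways together: a Keychain item using a ThisDeviceOnly accessibility class, so it is neither readable while locked nor migrated through a backup, and a cache file written under Library/Caches with complete data protection and an explicit backup exclusion. The service name `com.example.app.session` is an assumed value.

```swift
import Foundation
import Security

private let service = "com.example.app.session"   // assumed service name

// Stores a per-device secret (e.g. a session token). Readable only while the
// device is unlocked and never restored onto another device from a backup.
func storeDeviceOnlySecret(_ secret: Data, account: String) -> OSStatus {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    SecItemDelete(query as CFDictionary)   // replace any previous value for this account
    query[kSecValueData as String] = secret
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(query as CFDictionary, nil)
}

func readDeviceOnlySecret(account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}

// Writes cached data under Library/Caches (a directory that is not backed up)
// with complete file protection, and marks it as excluded from backup anyway.
func writeProtectedCacheFile(_ data: Data, named name: String) throws -> URL {
    let caches = try FileManager.default.url(for: .cachesDirectory, in: .userDomainMask,
                                             appropriateFor: nil, create: true)
    var file = caches.appendingPathComponent(name)
    try data.write(to: file, options: [.atomic, .completeFileProtection])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try file.setResourceValues(values)
    return file
}
```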
V3 CRYPTOGRAPHY
CRYPTOGRAPHY
- Insecure token generation
- Bear case (see the blog post linked below)
https://wojciechregula.blog/post/stealing-bear-notes-with-url-schemes/
AUTOMATIC STRONG PASSWORDS (WWDC 2018)
- The AutoFill mentioned before can also create new passwords associated with your domain
- You are able to set the password policy that will be applied
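An added example (not from the slides) of wiring a sign-up form to these two WWDC 2018 features: the content types let AutoFill and credential-provider extensions find the fields, `.newPassword` triggers an automatic strong password, and `passwordRules` expresses the native policy in Apple's Password Rules descriptor syntax. The concrete policy values are assumptions; the app also needs the webcredentials Associated Domains entitlement for its domain.

```swift
import UIKit

// Configures the fields of a sign-up screen so that iOS Password AutoFill
// (and any installed credential-provider extension) can fill them and
// generate a password that already satisfies the app's policy.
func configureSignUpFields(username: UITextField, password: UITextField) {
    username.textContentType = .username
    username.keyboardType = .emailAddress
    username.autocorrectionType = .no

    // .newPassword asks the system to offer an automatic strong password;
    // the login screen uses .password instead.
    password.textContentType = .newPassword
    password.isSecureTextEntry = true

    // Native password policy (assumed values). The backend must enforce the
    // same rules; the client-side policy only shapes what AutoFill generates.
    password.passwordRules = UITextInputPasswordRules(
        descriptor: "minlength: 12; maxlength: 64; required: lower; required: upper; required: digit; required: special;"
    )
}
```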
TAKEAWAYS
-No home-made ciphers
-Everything in the IPA is public
-SecKeyCreateEncryptedData instead of 3rd-party AES/RSA
-Native password policy
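An added example (not the deck's code) of the recommended system primitive: a P-256 key pair generated inside the Secure Enclave and used with SecKeyCreateEncryptedData / SecKeyCreateDecryptedData (ECIES with AES-GCM), so no key material or cipher code ships in the IPA. The application tag passed in is an assumed value.

```swift
import Foundation
import Security

struct CryptoError: Error { let message: String }

// ECIES with X9.63 KDF, SHA-256 and AES-GCM, as implemented by the system.
let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

// Generates a P-256 key pair whose private key lives in the Secure Enclave:
// usable while the device is unlocked, never exportable, never backed up.
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &error) else {
        throw error!.takeRetainedValue()
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),   // assumed tag, e.g. "com.example.app.key"
            kSecAttrAccessControl as String: access
        ]
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return key
}

func encrypt(_ plaintext: Data, for privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          SecKeyIsAlgorithmSupported(publicKey, .encrypt, algorithm) else {
        throw CryptoError(message: "public key unavailable or algorithm unsupported")
    }
    var error: Unmanaged<CFError>?
    guard let ciphertext = SecKeyCreateEncryptedData(publicKey, algorithm, plaintext as CFData, &error) else {
        throw error!.takeRetainedValue()
    }
    return ciphertext as Data
}

func decrypt(_ ciphertext: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let plaintext = SecKeyCreateDecryptedData(privateKey, algorithm, ciphertext as CFData, &error) else {
        throw error!.takeRetainedValue()
    }
    return plaintext as Data
}
```

Key generation with kSecAttrTokenIDSecureEnclave only succeeds on a physical device with a Secure Enclave, so test it there rather than in the simulator.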
V4 SESSION MANAGEMENT
SESSION MANAGEMENT
-Local access control…
-JWT -> sign the token!
V5 NETWORK COMMUNICATION
NETWORK COMMUNICATION
-Avoid HTTP
-Use HTTPS ✅
-App Transport Security
-HTTPS -> make sure the server certificate is actually trusted (validated)
V6 PLATFORM INTERACTION
INTER-PROCESS (APPLICATION) COMMUNICATION
-XPC (macOS; not allowed on iOS)
-Mach messages (macOS; not allowed on iOS)
-URL Schemes
-AirDrop
-Clipboard (please, do not do that)
TAKEAWAYS
-Verify sender
-Check parameters
-If WebView -> check permissions
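An added example (not the deck's code) of the two URL-scheme takeaways, verify the sender and check the parameters, for a constructed scheme `myapp://open-note?id=<number>`: the scheme, the `open-note` action and the trusted bundle id `com.example.companion` are all assumed names.

```swift
import UIKit

final class AppDelegate: UIResponder, UIApplicationDelegate {
    // Assumed bundle id of the only app allowed to deep-link into this one.
    private let trustedSenders: Set<String> = ["com.example.companion"]

    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        // Verify sender: sourceApplication carries the bundle id of the app that
        // opened the URL; an unknown or missing sender is treated as untrusted.
        guard let sender = options[.sourceApplication] as? String,
              trustedSenders.contains(sender) else {
            return false
        }
        return NoteRouter.noteID(from: url) != nil
    }
}

enum NoteRouter {
    // Check parameters: accepts only the exact expected shape and returns a
    // typed value, so no raw query string reaches file paths, JavaScript or
    // network calls (the Bear case referenced earlier in the deck).
    static func noteID(from url: URL) -> Int? {
        guard url.scheme == "myapp",
              let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
              components.host == "open-note",
              components.path.isEmpty,
              let items = components.queryItems, items.count == 1,
              items[0].name == "id",
              let raw = items[0].value,
              let noteID = Int(raw), noteID > 0 else {
            return nil
        }
        return noteID
    }
}
```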
V7 CODE QUALITY
CODE QUALITY
-No deprecated APIs
-No vulnerable libraries
-CocoaPods/Carthage -> no fixed (pinned) versions, please
AFNetworking 2.5.1 allowed a Man-in-the-Middle attack when the app did not use SSL pinning
DEPRECATED UIWEBVIEW (WWDC 2018)
-UIWebView has access to local files via the file:// handler BY DEFAULT
-WKWebView also has it if you turn some flags on, btw
-XSS ☠
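An added example (not the deck's code) of the WKWebView side of this slide: bundled help content is loaded with read access limited to its own directory, the file-access preference flags are left at their default (off), and navigation away from the bundled pages is cancelled, so an XSS in the help HTML cannot read other files or pull in remote script. The `Help` bundle subdirectory is an assumed name.

```swift
import WebKit

// Builds a WKWebView for a bundled help page with the file:// reach kept minimal.
func makeHelpWebView() -> WKWebView {
    let configuration = WKWebViewConfiguration()
    // Intentionally nothing is set on configuration.preferences: the flags that
    // re-enable UIWebView-style file:// access from file URLs stay off.
    let webView = WKWebView(frame: .zero, configuration: configuration)
    webView.navigationDelegate = HelpNavigationPolicy.shared

    if let page = Bundle.main.url(forResource: "index", withExtension: "html", subdirectory: "Help") {
        // Read access is granted to the Help directory only, not to the whole
        // bundle, Documents/ or any other part of the sandbox.
        webView.loadFileURL(page, allowingReadAccessTo: page.deletingLastPathComponent())
    }
    return webView
}

// Cancels every navigation that is not a local page inside the Help directory,
// e.g. an injected <a href> or location change pointing at a remote host.
final class HelpNavigationPolicy: NSObject, WKNavigationDelegate {
    static let shared = HelpNavigationPolicy()

    func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url, url.isFileURL,
              url.path.contains("/Help/") else {
            decisionHandler(.cancel)
            return
        }
        decisionHandler(.allow)
    }
}
```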
DICTIONARY THAT LOOKS YOU UP
DEMO
HTTPS://VIMEO.COM/334862417
HELP VIEWER PROBLEMS
DEMO
HTTPS://VIMEO.COM/334861507
YAHOO IOS XSS EXAMPLE BY @OMESPINO
V8 RESILIENCY REQUIREMENTS
ANTI TAMPERING
For those who:
• Don't want their app to be tampered with
• Consider malware as a risk
• Have to be compliant with OWASP MASVS
IOS SECURITY SUITE V1.0 LIBRARY
-What it detects:
• Jailbreaks, with new indicators
• Attached debuggers
• Tampering tools (e.g. Frida)
• Whether your app is run in an emulator
IOS SECURITY SUITE V1.0 LIBRARY
https://github.com/securing/IOSSecuritySuite
PART III
SUMMARY
COMMON VULNERABILITIES SUMMARY
-Backed up sensitive data
-Keys/accounts in IPA
-Network issues
-Vulnerable URL schemes
-Fixed lib versions
RECOMMENDATIONS
-Short term
• Password managers & autofill
• Anti-tampering for high-risk apps
-Long term
• WKWebView
• Native password policy
• Swift > Objective-C
[Diagram: security-aware developers and pentesters vs. security issues]
MOBILE APPLICATION SECURITY BEST PRACTICES
https://www.securing.biz/en/mobile-application-security-best-practices/index.html
www.securing.pl
SecuRing
Kalwaryjska 65/6
30-504 Kraków, Poland
info@securing.pl
tel. +48 124252575
http://www.securing.biz/en
Contact
Wojciech Reguła
wojciech.regula@securing.pl
@_r3ggi
wojciech-regula
