SlideShare a Scribd company logo

[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Security Testing

PROIDEA
PROIDEA

Practical introduction to iOS Application Security Testing. This presentation covers fundamentals of iOS and its security mechanisms, basic life cycle of a penetration test, setting up testing environment, static and dynamic analysis with some real-world examples. Presentation targeted for those interested in security testing of iOS apps.

Technology
1 of 57
Download to read offline
Introduction to iOS Penetration Testing Confidence 20/05/2016 | Slawomir Kosowski
○ Working as Mobile and Web pentester ○ Focused on iOS ○ Previously worked on wide range of security projects ○ Educational background in Telecommunications About Me 2 https://www.linkedin.com/in/skosowski
Introduction How many iOS developers do we have here? How many of you are actually writing in Swift? Any pentesters? Android folks? 3
Agenda 4 What we will cover: ○ Introduction to iOS ○ Basics of Objective-C runtime ○ Setting up testing environment ○ Fundamentals of app testing ● Focus on black-box testing What we will not cover: ○ Jailbreak development ○ Swift ○ White box testing / code review ○ Webapp pentesting
Introduction to iOS - Mobile operating system from Apple - Based on XNU kernel from Darwin OS (Unix) - iOS is closed-source with some exceptions* - Applications written in Objective-C (and Swift) - Cocoa Touch - main API for iOS handling user interaction 5 * https://opensource.apple.com
Apple controls both hardware and software to provide end-to-end security, with following key features: ○ Secure Boot Chain ○ Secure Enclave (and Touch ID) ○ Encryption and Data Protection ○ Trusted Code Execution ○ Network Security Introduction to iOS security model 6 User Partition Application A Application B Data Protection Class Data Protection Class OS Partition software Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf Kernel
Keychain ○ Stores sensitive data such as passwords, certificates, tokens, etc. ○ Is implemented as SQLite database ○ Application can access only items in its keychain-access-group ○ Can be arbitrarily read on a jailbroken device using keychain-dumper 7
Application Sandbox ○ iOS Sandbox derives from TrustedBSD MAC framework ○ Each third-party application runs as mobile user ○ Only a few system daemons/apps run as root ○ Application can access only its own files and data ○ IPCs are very limited 8
Objective-C ○ Superset of C, adding object-oriented functionality ● This means you can include C code in your apps ○ Based on Smalltalk language, supporting message passing, dynamic typing and infix notation ○ Uses interface and implementation file ● Think about .h and .cpp files in C++ 9
Objective-C Objective-C is using infix notation with arguments listed after colon: 10 [Object method:argument] [NSString stringWithString:@”Confidence2016”]
Class vs Instance Methods ○ Class method can be called on its own ○ Instance method must use instance of an object 11 @interface MyClass : NSObject + (void)aClassMethod; - (void)anInstanceMethod; @end [MyClass aClassMethod]; MyClass *object = [[MyClass alloc] init]; [object anInstanceMethod];
Objective-C - Message Passing When you pass method, a special function objc_msgSend() is called: 12 SaySomething *saySomething = [ [ SaySomething alloc ] init ]; [ saySomething say: @"Hello, world!" ]; [ saySomething release ]; Which gets translated into C calls: objc_msgSend( objc_msgSend( objc_msgSend( objc_msgSend( objc_getClass("SaySomething"), NSSelectorFromString(@"alloc")), NSSelectorFromString(@"init")), NSSelectorFromString(@"say:"), @"Hello, world!"), NSSelectorFromString(@"release:")); Source: Hacking and Securing iOS Applications - J. Zdziarski
Objective-C Call Graph 13 Source:http://blog.zynamics.com/2010/04/27/objective-c-reversing-i
Objective-C Runtime ○ Objective-C runtime is written in C and assembly ○ Very interesting subject on its own! ○ Calls are cached so that subsequent messages are dispatched quicker ○ Decision on which method will be called is resolved dynamically ○ This is called Method Swizzling ○ It will help us during black-box testing and runtime manipulation Read more: https://mikeash.com/pyblog/friday-qa-2009-03-20-objective-c-messaging.html http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html http://www.friday.com/bbum/2009/12/18/objc_msgsend-part-1-the-road-map/ 14
Introduction to Application Analysis 15
Static Binary Analysis ○ IDA Pro ○ Hopper (demo closing after 30 minutes) ○ class-dump ○ otool ○ strings 16
Runtime Manipulation 1. Cycript a. injects into process and enables to manipulate the runtime with interactive console b. supports mixed Objective-C and Javascript syntax 2. Frida a. injects Javascript V8 engine into process runtime b. can inject a hook into starting process 17
Runtime Manipulation - Cont’d 3. Debugger a. Apple moved from GCC and GDB to LLVM and LLDB b. GDB is fully supported until iOS7 c. iOS8 and onwards uses LLDB d. Some key features are still missing in LLDB i. info mach-regions ii. Symbols from stripped ObjC Mach-O binary are not loaded in LLDB 18
Setting up Pentesting Lab ○ Bare minimum is one iDevice, e.g. iPad running iOS 8.x ● Recommended at least two or more iDevices ○ You will need to Jailbreak it ○ Ideally grab another pair of iPads/iPhones running older iOS for any legacy apps ○ OS X and XCode is very useful, but not mandatory ○ Alternatively, grab your favourite Linux 19
Setting up Pentesting Lab - Cont’d ○ Beware: if you fail to JB your device correctly you can restore it and upgrade with iTunes ○ Semi-restore might be handy if your JB fails: https://semi-restore.com/ ○ No possibility to downgrade iOS version 20
Jailbreaking ○ Get appropriate jailbreak (Pangu or TaiG) - straightforward for iOS < 9.2 ○ This will install Cydia - the alternative application store as well as couple of useful services ○ From Cydia install aptitude and openssh ○ Install additional packages with aptitude 21
Jailbreaking - cont’d ○ SSH to your iDevice ● Two users are root and mobile ● Default password: alpine ○ Install additional packages with aptitude 22 inetutils syslogd less com.autopear.installipa class-dump com.ericasadun.utilities odcctools cycript sqlite3 adv-cmds bigbosshackertools
Install Frida ○ Check install guide: www.frida.re/docs/ios ○ Basically add https://build.frida.re to Cydia repo ○ Then install Frida with Cydia 23
IPA file and Binary ○ IPA file is simply a ZIP archive ● Think of APK but for iOS ● Contains all relevant files like binary itself, graphics, certificates, default data, etc. ○ For static analysis, the Mach-O Binary is interesting ○ Usually it contains two architectures ARM7(s) and ARM64 ○ You probably want to stick to 32-bit as long as you can… Read more about Mach-O File Format: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html 24
Important File Location You can find system applications in /Applications For all the rest use installipa: 25 iOS8-jailbreak:~ root# installipa -l me.scan.qrcodereader iOS8-jailbreak:~ root# installipa -i me.scan.qrcodereader Bundle: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C Application: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C/QR Reader. app Data: /private/var/mobile/Containers/Data/Application/297EEF1B-9CC5-463C-97F7-FB062C864E56
Usual Test Approach 1. Obtain IPA file; do binary checks 2. Bypass jailbreak detection (if present) 3. Bypass certificate pinning (if present) 4. Inspect HTTP(S) traffic - usual web app test 5. Abuse application logic by runtime manipulation 6. Memory forensics 7. Check for local data storage (caches, binary cookies, plists, databases) 8. Check for client-specific bugs, e.g. SQLi, XSS 9. Other checks like: logging to ASL with NSLog, application screenshots, no app backgrounding 26
Binary Encryption - Each app in Apple AppStore uses FairPlay DRM, hence is encrypted - You must decrypt it before doing static analysis - Easiest way to do it is to use Clutch - Alternatively you can use lldb and dump process memory once encrypted - Broadly documented in the Internet - If you are doing a pentest, you will get most likely unencrypted IPA file 27
Binary Security Features ○ ARC - Automatic Reference Counting - memory management feature ● adds retain and release messages when required ○ Stack Canary - helps preventing buffer overflow attacks ○ PIE - Position Independent Executable - enables full ASLR for binary All of above are currently set by default in XCode. 28
$ unzip DamnVulnerableiOSApp.ipa $ cd Payload/DamnVulnerableIOSApp.app $ otool -hv DamnVulnerableIOSApp DamnVulnerableIOSApp (architecture armv7): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE DamnVulnerableIOSApp (architecture arm64): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE Binary Checks - PIE 29
$ otool -Iv DamnVulnerableIOSApp | grep stack 0x0046040c 83177 ___stack_chk_fail 0x0046100c 83521 _sigaltstack 0x004fc010 83178 ___stack_chk_guard 0x004fe5c8 83177 ___stack_chk_fail 0x004fe8c8 83521 _sigaltstack 0x00000001004b3fd8 83077 ___stack_chk_fail 0x00000001004b4890 83414 _sigaltstack 0x0000000100590cf0 83078 ___stack_chk_guard 0x00000001005937f8 83077 ___stack_chk_fail 0x0000000100593dc8 83414 _sigaltstack Binary Checks - SSP 30
$ otool -Iv DamnVulnerableIOSApp | grep release 0x0045b7dc 83156 ___cxa_guard_release 0x0045fd5c 83414 _objc_autorelease 0x0045fd6c 83415 _objc_autoreleasePoolPop 0x0045fd7c 83416 _objc_autoreleasePoolPush 0x0045fd8c 83417 _objc_autoreleaseReturnValue 0x0045ff0c 83441 _objc_release [SNIP] Binary Checks - ARC 31
Setting up Burp 32
Jailbreak Detection - Common Methods ○ Check existence of additional files, e.g.: /bin/bash ○ Check API calls like: ● fork() - forbidden on non-JB devices ● system(NULL) returns 0 on non-JB and 1 on JB devices ○ Check if cydia:// URL scheme is registered Read more: https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/ 33
Bypassing JB detection 1. The easy way: xcon 2. More challenging: a. Debugger/Binary patching b. Frida c. Cycript 34
Getting Info with Class-dump 35 iOS8-jailbreak:~ root# lipo -thin armv7 DamnVulnerableIOSApp -output DVIA32 iOS8-jailbreak:~ root# class-dump DVIA32 @interface FlurryUtil : . /DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/View s/Internal/ { } + (BOOL)appIsCracked; + (BOOL)deviceIsJailbroken;
Hopper - Disassembling 36
Cycript 37 iOS8-jailbreak:~ root# cycript -p 12345 cy# [SFAntiPiracy isTheDeviceJailbroken] true cy# a=choose(JailbreakDetectionVC) [] cy# a=choose(JailbreakDetectionVC) [#"<JailbreakDetectionVC: 0x14ee15620>"] cy# [a[0] isJailbroken] True Worth reading: http://iphonedevwiki.net/index.php/Cycript_Tricks
Cycript 38 cy# [a[0] isJailbroken] true cy# JailbreakDetectionVC.prototype. isJailbroken=function(){return false} cy# [a[0] isJailbroken] false
Frida - Method Tracing 1. Install Frida on your workstation and iDevice 2. Connect iDevice to USB 3. Use frida-trace 39 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "- [JailbreakDetectionVC isJailbroken]:" 4. This creates JS hook with onEnter and onLeave callback functions: onLeave: function (log, retval, state) { console.log("Function [JailbreakDetectionVC isJailbroken] originally returned:"+ retval); retval.replace(0); console.log("Changing the return value to:"+retval); }
Frida - Method Tracing - Output 40 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "- [JailbreakDetectionVC isJailbroken]:" Instrumenting functions... `... -[JailbreakDetectionVC isJailbroken]: Loaded handler at ". /__handlers__/__JailbreakDetectionVC_isJailbroken_.js" Started tracing 1 function. Press Ctrl+C to stop. Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 /* TID 0x303 */ 6890 ms -[JailbreakDetectionVC isJailbroken] Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 22475 ms -[JailbreakDetectionVC isJailbroken]
Testing for Certificate Pinning Gradually relax requirements for server certificate, and check if traffic is successfully proxied through Burp on each stage: 1. Set Burp in proxy settings, make sure that SSL Killswitch is disabled and that Burp Profile is *not* installed → no certificate validation 2. Install Burp Profile (certificate) → no certificate pinning 3. Enable SSL Killswitch → certificate pinned 4. Bypass certificate pinning manually 41
Bypassing Certificate Pinning - Killswitch: https://github.com/iSECPartners/ios-ssl-kill-switch - Bypassing OpenSSL cert pinning with cycript: https://www.nccgroup.trust/us/about-us/newsroom-and- events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/ Other tips: - Certificate is often bundled in the application- look for .der or .pem - Class-dump binary looking for strings like X509 or Cert - Look for the following methods in the binary: NSURLSession, CFStream, AFNetworking 42 Source: iOS Application Security - D. Thiel
Investigating Local Storage 1. Check app Data directory /private/var/mobile/Containers/Data/Application/<app Bundle> a. .db - using SQLite - check with sqlite3 b. plists 2. NSUserDefaults a. /User/Library/Preferences/ b. /<app>/Library/Preferences/ 3. Keychain protection class a. fileDP tool* 43 http://www.securitylearn.net/2012/10/18/extracting-data-protection- class-from-files-on-ios/
Investigating Local Storage - Cont’d 4. Application screenshots a. /private/var/mobile/Containers/Data/Application/<BundleID>/Library/Caches/Snapshots/ 5. WebView caching a. /User/Library/Caches/*/Cache.db b. /Library/Caches/*/Cache.db 6. Forensic approach: a. ls -lR --full-time before application install, after install and after first use diff the results and check any files that changed b. use strings on any binary/unidentified file formats c. check for WAL files that may contain uncommitted DB transactions 44 http://www.securitylearn.net/2012/10/18/extracting-data-protection- class-from-files-on-ios/
iExplorer 45
Introspy 46
Closing Thoughts - Threat Modelling ○ Server-side bugs (LFI, SQLi, RCE) are still among most impactful ○ Device data leakage is only meaningful on JB or NB devices without passcode ● Starting from iPhone 5s the Secure Enclave protects from easy passcode bruteforcing ○ Simple passcode might be an issue (1234, 0000, etc.) ○ User may choose to wipe device after 10 attempts 47
Closing Thoughts - Pentester’s Perspective ○ iOS is an interesting, fast-moving ecosystem ○ The iOS platform is pretty solid, but app design or implementation flaws will remain ○ Moving from webapp to mobile testing is a good way to get into native (OS) security ● This requires broad knowledge on: APIs, OS, ARM assembly, Objective C, RE 48
Closing Thoughts - Pentester’s Perspective ○ Keep up with new technologies: ● Apple Pay ● Health Kit ● Yearly release of new iOS ○ Lots of tools and materials for iOS < 8, but not so many for recent iOSes ○ Debugger, decompiler, Frida and Mobile Substrate are your friends! 49
Closing Thoughts - Mobile App Security Landscape ○ iOS is maturing - both from hardware and software perspective ● Look at: Secure Enclave, Touch ID, Swift ○ Still, common application flaws include: ● home-grown crypto ● security by obscurity ● design flaws ● trusting user input because “it cannot be changed” 50
Q&A or drop me a line: me@skosowski.com 51
○ URL handlers, e.g. mailto:// ● open another app using its URL handler with: [[UIApplication sharedApplication] openURL:myURL]; ● sender can be authenticated :) ● URL scheme can be hijacked :( Read more: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html Interprocess Communication 52 Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. - Apple’s Documentation
○ Universal Links introduced in iOS 9 ● solve problems of openURL ● no unregistered schemes - working over https:// ○ App Extensions introduced in iOS 8 ● are installed with host application and can communicate through extension points: Actions, Custom Keyboards, Document Providers, Photo Editing, Sharing, Today Widgets Read more: https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html Interprocess Communication 53
File Data Protection 54 Hardware Key Passcode Key Class Key File System Key File Metadata [File Key] File Contents
Secure Boot Chain ○ Only Apple signed code is run on iDevice ○ You need developer’s account to write and run your apps ○ Each level of boot is checked for a valid signature 55 Boot ROM Low-Level Bootloader iBoot iOS Kernel OS Apple Root CA
Secure Boot Chain - Jailbreak ○ Jailbreak permits running self-signed code ○ It does not break Application Sandbox ○ Usually several exploits are chained to perform jailbreak ○ Look for: TaiG, Pangu, redsn0w 56 iOS Kernel OS Apple Root CA Boot ROM Low-Level Bootloader iBoot Exploit this or that
Protection Classes 57 Availability File Data Protection Keychain Data Protection When Unlocked NSFileProtectionComplete kSecAttrAccessibleWhenUnlocked When Locked NSFileProtectionCompleteUnlessOpen N/A After First Unlock NSFileProtectionCompleteUntil FirstUserAuthentication kSecAttrAccessibleAfterFirstUnlock Always NSFileProtectionNone kSecAttrAccessibleAlways Passcode Enabled N/A kSecAttrAccessibleWhenPasscodeSetThis DeviceOnly

Recommended

[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...PROIDEA
 
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Black Duck by Synopsys
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...Agile Testing Alliance
 
Security Issues in Android Custom ROM
Security Issues in Android Custom ROMSecurity Issues in Android Custom ROM
Security Issues in Android Custom ROMAnant Shrivastava
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)ClubHack
 

Recommended

[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...PROIDEA
 
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Black Duck by Synopsys
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...Agile Testing Alliance
 
Security Issues in Android Custom ROM
Security Issues in Android Custom ROMSecurity Issues in Android Custom ROM
Security Issues in Android Custom ROMAnant Shrivastava
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)ClubHack
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Ashley Wolf
 
Metasploit3 - David Calligaris
Metasploit3 - David CalligarisMetasploit3 - David Calligaris
Metasploit3 - David CalligarisDaniele Albrizio
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key Linaro
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application ExploitationPositive Hack Days
 
Best Python IDEs
Best Python IDEsBest Python IDEs
Best Python IDEsBenishchoco
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse EngineeringSatria Ady Pradana
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesOllie Whitehouse
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Guy Podjarny
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open NetworkingPLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open NetworkingPROIDEA
 
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...PROIDEA
 
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...PROIDEA
 
MCE^3 - Gregory Kick - Dagger 2
MCE^3 - Gregory Kick - Dagger 2 MCE^3 - Gregory Kick - Dagger 2
MCE^3 - Gregory Kick - Dagger 2 PROIDEA
 
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub SzczepanikPROIDEA
 
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...PROIDEA
 
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...PROIDEA
 
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...PROIDEA
 
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa ReloadedMCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa ReloadedPROIDEA
 

More Related Content

What's hot

Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Ashley Wolf
 
Metasploit3 - David Calligaris
Metasploit3 - David CalligarisMetasploit3 - David Calligaris
Metasploit3 - David CalligarisDaniele Albrizio
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key Linaro
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Best Python IDEs
Best Python IDEsBest Python IDEs
Best Python IDEsBenishchoco
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse EngineeringSatria Ady Pradana
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesOllie Whitehouse
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Guy Podjarny
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 

What's hot (13)

Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
 
Metasploit3 - David Calligaris
Metasploit3 - David CalligarisMetasploit3 - David Calligaris
Metasploit3 - David Calligaris
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
Best Python IDEs
Best Python IDEsBest Python IDEs
Best Python IDEs
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse Engineering
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows Binaries
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 

Viewers also liked

PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open NetworkingPLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open NetworkingPROIDEA
 
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...PROIDEA
 
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...PROIDEA
 
MCE^3 - Gregory Kick - Dagger 2
MCE^3 - Gregory Kick - Dagger 2 MCE^3 - Gregory Kick - Dagger 2
MCE^3 - Gregory Kick - Dagger 2 PROIDEA
 
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub SzczepanikPROIDEA
 
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...PROIDEA
 
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...PROIDEA
 
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...PROIDEA
 
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa ReloadedMCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa ReloadedPROIDEA
 
4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ
4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ
4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQPROIDEA
 
infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...
infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...
infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...PROIDEA
 
[4developers] - Codzienność z Legacy Code (Tomek Gramza)
[4developers] - Codzienność z Legacy Code (Tomek Gramza)[4developers] - Codzienność z Legacy Code (Tomek Gramza)
[4developers] - Codzienność z Legacy Code (Tomek Gramza)PROIDEA
 
PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...
PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...
PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...PROIDEA
 
PLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment Routing
PLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment RoutingPLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment Routing
PLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment RoutingPROIDEA
 
DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System
DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System
DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System PROIDEA
 
JDD 2016 - Sebastian Malaca - You Dont Need Unit Tests
JDD 2016 - Sebastian Malaca - You Dont Need Unit TestsJDD 2016 - Sebastian Malaca - You Dont Need Unit Tests
JDD 2016 - Sebastian Malaca - You Dont Need Unit TestsPROIDEA
 
JDD 2016 - Tomasz Ducin - Backend-less Development Revisited
JDD 2016 - Tomasz Ducin - Backend-less Development RevisitedJDD 2016 - Tomasz Ducin - Backend-less Development Revisited
JDD 2016 - Tomasz Ducin - Backend-less Development RevisitedPROIDEA
 
JDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And Others
JDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And OthersJDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And Others
JDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And OthersPROIDEA
 

Viewers also liked (18)

PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open NetworkingPLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
PLNOG 17 - Shabbir Ahmad - Dell EMC’s SDN strategy based on Open Networking
 
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
PLNOG 17 - Grzegorz Wenc - Na co zwracać uwagę przy wyborze podstawowych urzą...
 
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
PLNOG 17 - Shabbir Ahmad - Dell Open Networking i Big Monitoring Fabric: unik...
 
MCE^3 - Gregory Kick - Dagger 2
MCE^3 - Gregory Kick - Dagger 2 MCE^3 - Gregory Kick - Dagger 2
MCE^3 - Gregory Kick - Dagger 2
 
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
[4developers] - Droga Scrum Mastera do Agile Coacha (Jakub Szczepanik
 
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
PLNOG 17 - Maciej Flak - Cisco Cloud Networking - czyli kompletna infrastrukt...
 
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
MCE^3 - C. Todd Lombardo - Design Sprints: No, Design Doesn't Go Faster, You ...
 
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
Atmosphere 2016 - Pawel Mastalerz, Wojciech Inglot - New way of building inf...
 
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa ReloadedMCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
MCE^3 - Ágnes Vásárhelyi - ReactiveCocoa Reloaded
 
4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ
4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ
4Developers: Łukasz Łysik- Message-driven architecture with RabbitMQ
 
infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...
infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...
infraxstructure: Adam Kmin i Łukasz Bederski "Optymalizacja systemu chłodzen...
 
[4developers] - Codzienność z Legacy Code (Tomek Gramza)
[4developers] - Codzienność z Legacy Code (Tomek Gramza)[4developers] - Codzienność z Legacy Code (Tomek Gramza)
[4developers] - Codzienność z Legacy Code (Tomek Gramza)
 
PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...
PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...
PLNOG 17 - Dominik Bocheński, Łukasz Walicki - Zapomnij o VPS - nadeszła era ...
 
PLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment Routing
PLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment RoutingPLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment Routing
PLNOG 17 - Leonir Hoxha - Next Generation Network Architecture - Segment Routing
 
DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System
DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System
DOD 2016 - Sabina Staszczyk - How We Phased out Motivational System
 
JDD 2016 - Sebastian Malaca - You Dont Need Unit Tests
JDD 2016 - Sebastian Malaca - You Dont Need Unit TestsJDD 2016 - Sebastian Malaca - You Dont Need Unit Tests
JDD 2016 - Sebastian Malaca - You Dont Need Unit Tests
 
JDD 2016 - Tomasz Ducin - Backend-less Development Revisited
JDD 2016 - Tomasz Ducin - Backend-less Development RevisitedJDD 2016 - Tomasz Ducin - Backend-less Development Revisited
JDD 2016 - Tomasz Ducin - Backend-less Development Revisited
 
JDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And Others
JDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And OthersJDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And Others
JDD 2016 - Michal Gruca - Continous Improvement, Developing Yourself And Others
 

Similar to [CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Security Testing

Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Codemotion
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014Paris Android User Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Is Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon VIs Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon VOpersys inc.
 
Is Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VIIs Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VIOpersys inc.
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabVoxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabRon Munitz
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapFelipe Prado
 
Android ndk - Introduction
Android ndk - IntroductionAndroid ndk - Introduction
Android ndk - IntroductionRakesh Jha
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiryVishwas N
 
DLL Design with Building Blocks
DLL Design with Building BlocksDLL Design with Building Blocks
DLL Design with Building BlocksMax Kleiner
 
Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014Opersys inc.
 
Legacy of Void*
Legacy of Void*Legacy of Void*
Legacy of Void*Adam Crain
 
Qiskit installation guide
Qiskit installation guideQiskit installation guide
Qiskit installation guideSoyoungShin14
 

Similar to [CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Security Testing (20)

Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Is Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon VIs Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon V
 
Is Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VIIs Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VI
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabVoxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - Berlin
 
C++Basics2022.pptx
C++Basics2022.pptxC++Basics2022.pptx
C++Basics2022.pptx
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
 
Android ndk - Introduction
Android ndk - IntroductionAndroid ndk - Introduction
Android ndk - Introduction
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiry
 
DLL Design with Building Blocks
DLL Design with Building BlocksDLL Design with Building Blocks
DLL Design with Building Blocks
 
Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014
 
Legacy of Void*
Legacy of Void*Legacy of Void*
Legacy of Void*
 
Qiskit installation guide
Qiskit installation guideQiskit installation guide
Qiskit installation guide
 

Recently uploaded

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Security Testing

  • 1. Introduction to iOS Penetration Testing Confidence 20/05/2016 | Slawomir Kosowski
  • 2. ○ Working as Mobile and Web pentester ○ Focused on iOS ○ Previously worked on wide range of security projects ○ Educational background in Telecommunications About Me 2 https://www.linkedin.com/in/skosowski
  • 3. Introduction How many iOS developers do we have here? How many of you are actually writing in Swift? Any pentesters? Android folks? 3
  • 4. Agenda 4 What we will cover: ○ Introduction to iOS ○ Basics of Objective-C runtime ○ Setting up testing environment ○ Fundamentals of app testing ● Focus on black-box testing What we will not cover: ○ Jailbreak development ○ Swift ○ White box testing / code review ○ Webapp pentesting
  • 5. Introduction to iOS - Mobile operating system from Apple - Based on XNU kernel from Darwin OS (Unix) - iOS is closed-source with some exceptions* - Applications written in Objective-C (and Swift) - Cocoa Touch - main API for iOS handling user interaction 5 * https://opensource.apple.com
  • 6. Apple controls both hardware and software to provide end-to-end security, with following key features: ○ Secure Boot Chain ○ Secure Enclave (and Touch ID) ○ Encryption and Data Protection ○ Trusted Code Execution ○ Network Security Introduction to iOS security model 6 User Partition Application A Application B Data Protection Class Data Protection Class OS Partition software Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf Kernel
  • 7. Keychain ○ Stores sensitive data such as passwords, certificates, tokens, etc. ○ Is implemented as SQLite database ○ Application can access only items in its keychain-access-group ○ Can be arbitrarily read on a jailbroken device using keychain-dumper 7
  • 8. Application Sandbox ○ iOS Sandbox derives from TrustedBSD MAC framework ○ Each third-party application runs as mobile user ○ Only a few system daemons/apps run as root ○ Application can access only its own files and data ○ IPCs are very limited 8
  • 9. Objective-C ○ Superset of C, adding object-oriented functionality ● This means you can include C code in your apps ○ Based on Smalltalk language, supporting message passing, dynamic typing and infix notation ○ Uses interface and implementation file ● Think about .h and .cpp files in C++ 9
  • 10. Objective-C Objective-C is using infix notation with arguments listed after colon: 10 [Object method:argument] [NSString stringWithString:@”Confidence2016”]
  • 11. Class vs Instance Methods ○ Class method can be called on its own ○ Instance method must use instance of an object 11 @interface MyClass : NSObject + (void)aClassMethod; - (void)anInstanceMethod; @end [MyClass aClassMethod]; MyClass *object = [[MyClass alloc] init]; [object anInstanceMethod];
  • 12. Objective-C - Message Passing When you pass method, a special function objc_msgSend() is called: 12 SaySomething *saySomething = [ [ SaySomething alloc ] init ]; [ saySomething say: @"Hello, world!" ]; [ saySomething release ]; Which gets translated into C calls: objc_msgSend( objc_msgSend( objc_msgSend( objc_msgSend( objc_getClass("SaySomething"), NSSelectorFromString(@"alloc")), NSSelectorFromString(@"init")), NSSelectorFromString(@"say:"), @"Hello, world!"), NSSelectorFromString(@"release:")); Source: Hacking and Securing iOS Applications - J. Zdziarski
  • 14. Objective-C Runtime ○ Objective-C runtime is written in C and assembly ○ Very interesting subject on its own! ○ Calls are cached so that subsequent messages are dispatched quicker ○ Decision on which method will be called is resolved dynamically ○ This is called Method Swizzling ○ It will help us during black-box testing and runtime manipulation Read more: https://mikeash.com/pyblog/friday-qa-2009-03-20-objective-c-messaging.html http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html http://www.friday.com/bbum/2009/12/18/objc_msgsend-part-1-the-road-map/ 14
  • 16. Static Binary Analysis ○ IDA Pro ○ Hopper (demo closing after 30 minutes) ○ class-dump ○ otool ○ strings 16
  • 17. Runtime Manipulation 1. Cycript a. injects into process and enables to manipulate the runtime with interactive console b. supports mixed Objective-C and Javascript syntax 2. Frida a. injects Javascript V8 engine into process runtime b. can inject a hook into starting process 17
  • 18. Runtime Manipulation - Cont’d 3. Debugger a. Apple moved from GCC and GDB to LLVM and LLDB b. GDB is fully supported until iOS7 c. iOS8 and onwards uses LLDB d. Some key features are still missing in LLDB i. info mach-regions ii. Symbols from stripped ObjC Mach-O binary are not loaded in LLDB 18
  • 19. Setting up Pentesting Lab ○ Bare minimum is one iDevice, e.g. iPad running iOS 8.x ● Recommended at least two or more iDevices ○ You will need to Jailbreak it ○ Ideally grab another pair of iPads/iPhones running older iOS for any legacy apps ○ OS X and XCode is very useful, but not mandatory ○ Alternatively, grab your favourite Linux 19
  • 20. Setting up Pentesting Lab - Cont’d ○ Beware: if you fail to JB your device correctly you can restore it and upgrade with iTunes ○ Semi-restore might be handy if your JB fails: https://semi-restore.com/ ○ No possibility to downgrade iOS version 20
  • 21. Jailbreaking ○ Get appropriate jailbreak (Pangu or TaiG) - straightforward for iOS < 9.2 ○ This will install Cydia - the alternative application store as well as couple of useful services ○ From Cydia install aptitude and openssh ○ Install additional packages with aptitude 21
  • 22. Jailbreaking - cont’d ○ SSH to your iDevice ● Two users are root and mobile ● Default password: alpine ○ Install additional packages with aptitude 22 inetutils syslogd less com.autopear.installipa class-dump com.ericasadun.utilities odcctools cycript sqlite3 adv-cmds bigbosshackertools
  • 23. Install Frida ○ Check install guide: www.frida.re/docs/ios ○ Basically add https://build.frida.re to Cydia repo ○ Then install Frida with Cydia 23
  • 24. IPA file and Binary ○ IPA file is simply a ZIP archive ● Think of APK but for iOS ● Contains all relevant files like binary itself, graphics, certificates, default data, etc. ○ For static analysis, the Mach-O Binary is interesting ○ Usually it contains two architectures ARM7(s) and ARM64 ○ You probably want to stick to 32-bit as long as you can… Read more about Mach-O File Format: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html 24
  • 25. Important File Location You can find system applications in /Applications For all the rest use installipa: 25 iOS8-jailbreak:~ root# installipa -l me.scan.qrcodereader iOS8-jailbreak:~ root# installipa -i me.scan.qrcodereader Bundle: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C Application: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C/QR Reader. app Data: /private/var/mobile/Containers/Data/Application/297EEF1B-9CC5-463C-97F7-FB062C864E56
  • 26. Usual Test Approach 1. Obtain IPA file; do binary checks 2. Bypass jailbreak detection (if present) 3. Bypass certificate pinning (if present) 4. Inspect HTTP(S) traffic - usual web app test 5. Abuse application logic by runtime manipulation 6. Memory forensics 7. Check for local data storage (caches, binary cookies, plists, databases) 8. Check for client-specific bugs, e.g. SQLi, XSS 9. Other checks like: logging to ASL with NSLog, application screenshots, no app backgrounding 26
  • 27. Binary Encryption - Each app in Apple AppStore uses FairPlay DRM, hence is encrypted - You must decrypt it before doing static analysis - Easiest way to do it is to use Clutch - Alternatively you can use lldb and dump process memory once encrypted - Broadly documented in the Internet - If you are doing a pentest, you will get most likely unencrypted IPA file 27
  • 28. Binary Security Features ○ ARC - Automatic Reference Counting - memory management feature ● adds retain and release messages when required ○ Stack Canary - helps preventing buffer overflow attacks ○ PIE - Position Independent Executable - enables full ASLR for binary All of above are currently set by default in XCode. 28
  • 29. $ unzip DamnVulnerableiOSApp.ipa $ cd Payload/DamnVulnerableIOSApp.app $ otool -hv DamnVulnerableIOSApp DamnVulnerableIOSApp (architecture armv7): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE DamnVulnerableIOSApp (architecture arm64): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE Binary Checks - PIE 29
  • 30. $ otool -Iv DamnVulnerableIOSApp | grep stack 0x0046040c 83177 ___stack_chk_fail 0x0046100c 83521 _sigaltstack 0x004fc010 83178 ___stack_chk_guard 0x004fe5c8 83177 ___stack_chk_fail 0x004fe8c8 83521 _sigaltstack 0x00000001004b3fd8 83077 ___stack_chk_fail 0x00000001004b4890 83414 _sigaltstack 0x0000000100590cf0 83078 ___stack_chk_guard 0x00000001005937f8 83077 ___stack_chk_fail 0x0000000100593dc8 83414 _sigaltstack Binary Checks - SSP 30
  • 31. $ otool -Iv DamnVulnerableIOSApp | grep release 0x0045b7dc 83156 ___cxa_guard_release 0x0045fd5c 83414 _objc_autorelease 0x0045fd6c 83415 _objc_autoreleasePoolPop 0x0045fd7c 83416 _objc_autoreleasePoolPush 0x0045fd8c 83417 _objc_autoreleaseReturnValue 0x0045ff0c 83441 _objc_release [SNIP] Binary Checks - ARC 31
  • 33. Jailbreak Detection - Common Methods ○ Check existence of additional files, e.g.: /bin/bash ○ Check API calls like: ● fork() - forbidden on non-JB devices ● system(NULL) returns 0 on non-JB and 1 on JB devices ○ Check if cydia:// URL scheme is registered Read more: https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/ 33
  • 34. Bypassing JB detection 1. The easy way: xcon 2. More challenging: a. Debugger/Binary patching b. Frida c. Cycript 34
  • 35. Getting Info with Class-dump 35 iOS8-jailbreak:~ root# lipo -thin armv7 DamnVulnerableIOSApp -output DVIA32 iOS8-jailbreak:~ root# class-dump DVIA32 @interface FlurryUtil : . /DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/View s/Internal/ { } + (BOOL)appIsCracked; + (BOOL)deviceIsJailbroken;
  • 37. Cycript 37 iOS8-jailbreak:~ root# cycript -p 12345 cy# [SFAntiPiracy isTheDeviceJailbroken] true cy# a=choose(JailbreakDetectionVC) [] cy# a=choose(JailbreakDetectionVC) [#"<JailbreakDetectionVC: 0x14ee15620>"] cy# [a[0] isJailbroken] True Worth reading: http://iphonedevwiki.net/index.php/Cycript_Tricks
  • 38. Cycript 38 cy# [a[0] isJailbroken] true cy# JailbreakDetectionVC.prototype. isJailbroken=function(){return false} cy# [a[0] isJailbroken] false
  • 39. Frida - Method Tracing 1. Install Frida on your workstation and iDevice 2. Connect iDevice to USB 3. Use frida-trace 39 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "- [JailbreakDetectionVC isJailbroken]:" 4. This creates JS hook with onEnter and onLeave callback functions: onLeave: function (log, retval, state) { console.log("Function [JailbreakDetectionVC isJailbroken] originally returned:"+ retval); retval.replace(0); console.log("Changing the return value to:"+retval); }
  • 40. Frida - Method Tracing - Output 40 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "- [JailbreakDetectionVC isJailbroken]:" Instrumenting functions... `... -[JailbreakDetectionVC isJailbroken]: Loaded handler at ". /__handlers__/__JailbreakDetectionVC_isJailbroken_.js" Started tracing 1 function. Press Ctrl+C to stop. Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 /* TID 0x303 */ 6890 ms -[JailbreakDetectionVC isJailbroken] Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 22475 ms -[JailbreakDetectionVC isJailbroken]
  • 41. Testing for Certificate Pinning Gradually relax requirements for server certificate, and check if traffic is successfully proxied through Burp on each stage: 1. Set Burp in proxy settings, make sure that SSL Killswitch is disabled and that Burp Profile is *not* installed → no certificate validation 2. Install Burp Profile (certificate) → no certificate pinning 3. Enable SSL Killswitch → certificate pinned 4. Bypass certificate pinning manually 41
  • 42. Bypassing Certificate Pinning - Killswitch: https://github.com/iSECPartners/ios-ssl-kill-switch - Bypassing OpenSSL cert pinning with cycript: https://www.nccgroup.trust/us/about-us/newsroom-and- events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/ Other tips: - Certificate is often bundled in the application- look for .der or .pem - Class-dump binary looking for strings like X509 or Cert - Look for the following methods in the binary: NSURLSession, CFStream, AFNetworking 42 Source: iOS Application Security - D. Thiel
  • 43. Investigating Local Storage 1. Check app Data directory /private/var/mobile/Containers/Data/Application/<app Bundle> a. .db - using SQLite - check with sqlite3 b. plists 2. NSUserDefaults a. /User/Library/Preferences/ b. /<app>/Library/Preferences/ 3. Keychain protection class a. fileDP tool* 43 http://www.securitylearn.net/2012/10/18/extracting-data-protection- class-from-files-on-ios/
  • 44. Investigating Local Storage - Cont’d 4. Application screenshots a. /private/var/mobile/Containers/Data/Application/<BundleID>/Library/Caches/Snapshots/ 5. WebView caching a. /User/Library/Caches/*/Cache.db b. /Library/Caches/*/Cache.db 6. Forensic approach: a. ls -lR --full-time before application install, after install and after first use diff the results and check any files that changed b. use strings on any binary/unidentified file formats c. check for WAL files that may contain uncommitted DB transactions 44 http://www.securitylearn.net/2012/10/18/extracting-data-protection- class-from-files-on-ios/
  • 47. Closing Thoughts - Threat Modelling ○ Server-side bugs (LFI, SQLi, RCE) are still among most impactful ○ Device data leakage is only meaningful on JB or NB devices without passcode ● Starting from iPhone 5s the Secure Enclave protects from easy passcode bruteforcing ○ Simple passcode might be an issue (1234, 0000, etc.) ○ User may choose to wipe device after 10 attempts 47
  • 48. Closing Thoughts - Pentester’s Perspective ○ iOS is an interesting, fast-moving ecosystem ○ The iOS platform is pretty solid, but app design or implementation flaws will remain ○ Moving from webapp to mobile testing is a good way to get into native (OS) security ● This requires broad knowledge on: APIs, OS, ARM assembly, Objective C, RE 48
  • 49. Closing Thoughts - Pentester’s Perspective ○ Keep up with new technologies: ● Apple Pay ● Health Kit ● Yearly release of new iOS ○ Lots of tools and materials for iOS < 8, but not so many for recent iOSes ○ Debugger, decompiler, Frida and Mobile Substrate are your friends! 49
  • 50. Closing Thoughts - Mobile App Security Landscape ○ iOS is maturing - both from hardware and software perspective ● Look at: Secure Enclave, Touch ID, Swift ○ Still, common application flaws include: ● home-grown crypto ● security by obscurity ● design flaws ● trusting user input because “it cannot be changed” 50
  • 51. Q&A or drop me a line: me@skosowski.com 51
  • 52. ○ URL handlers, e.g. mailto:// ● open another app using its URL handler with: [[UIApplication sharedApplication] openURL:myURL]; ● sender can be authenticated :) ● URL scheme can be hijacked :( Read more: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html Interprocess Communication 52 Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. - Apple’s Documentation
  • 53. ○ Universal Links introduced in iOS 9 ● solve problems of openURL ● no unregistered schemes - working over https:// ○ App Extensions introduced in iOS 8 ● are installed with host application and can communicate through extension points: Actions, Custom Keyboards, Document Providers, Photo Editing, Sharing, Today Widgets Read more: https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html Interprocess Communication 53
  • 54. File Data Protection 54 Hardware Key Passcode Key Class Key File System Key File Metadata [File Key] File Contents
  • 55. Secure Boot Chain ○ Only Apple signed code is run on iDevice ○ You need developer’s account to write and run your apps ○ Each level of boot is checked for a valid signature 55 Boot ROM Low-Level Bootloader iBoot iOS Kernel OS Apple Root CA
  • 56. Secure Boot Chain - Jailbreak ○ Jailbreak permits running self-signed code ○ It does not break Application Sandbox ○ Usually several exploits are chained to perform jailbreak ○ Look for: TaiG, Pangu, redsn0w 56 iOS Kernel OS Apple Root CA Boot ROM Low-Level Bootloader iBoot Exploit this or that
  • 57. Protection Classes 57 Availability File Data Protection Keychain Data Protection When Unlocked NSFileProtectionComplete kSecAttrAccessibleWhenUnlocked When Locked NSFileProtectionCompleteUnlessOpen N/A After First Unlock NSFileProtectionCompleteUntil FirstUserAuthentication kSecAttrAccessibleAfterFirstUnlock Always NSFileProtectionNone kSecAttrAccessibleAlways Passcode Enabled N/A kSecAttrAccessibleWhenPasscodeSetThis DeviceOnly