Dmitry Evdokimov presents an overview of analyzing iOS apps through blackbox testing techniques. The document outlines the iOS platform and architecture, common iOS vulnerabilities, and static and dynamic analysis tools that can be used to identify vulnerabilities in iOS apps without access to source code. The agenda includes topics on the iOS platform, Objective-C, app structure, common vulnerabilities, and static and dynamic testing techniques.

1. Blackbox analysis of iOS apps
Dmitry 'D1g1' Evdokimov,
Security researcher at Digital Security (ERPScan)

2. Blackbox analysis of iOS apps
#whoami
• Director of DSecRG (ERPScan Research Group)
• Section editor in the Xakep magazine
• Co-organizer of
DEFCON Russia & ZeroNights
• Author of Python arsenal for RE
Specialized in finding vulnerabilities in
binary applications without source code
2
© 2002—2013, Digital Security

3. Blackbox analysis of iOS apps
Attention please!
It is not rocket science =)
This work is a compilation of public information
and my own experience
3
© 2002—2013, Digital Security

4. Blackbox analysis of iOS apps
Goals of this workshop
• How iOS and iOS applications work
• The basics of iOS vulnerabilities
• The skill of using common tools to find
vulnerabilities in iOS apps
4
© 2002—2013, Digital Security

5. Blackbox analysis of iOS apps
Agenda
1. iOS platform
1. How it works, Objective-C, ARM, security
mechanisms, jailbreak
2. Introduction to Objective-C
3. iOS apps
1. Mach-O format, application structure, …
4. iOS vulns
5. Blackbox testing
1. Static and dynamic analysis
5
© 2002—2013, Digital Security

6. Blackbox analysis of iOS apps
iOS
• iOS is derived from OS X, with which it shares
Darwin
•
•
ARM
The kernel sources remain closed
• __arm__, ARM_ARCH
• Touch-based
• SpringBoard
• Security mechanisms
• Sandbox as a jail
• …
6
© 2002—2013, Digital Security

7. Blackbox analysis of iOS apps
iOS security mechanisms
• Code Signing
- X.509v3 certificates
• Sandboxing (SeatBelt)
- Inability to break the app’s directory
- /var/mobile/Applications/<app-GUID>/
- Inability to access any other process
- Inability to use any hardware devices directly
- Inability to generate code dynamically
• Privilege separation
- Mobile user + Entitlements
© 2002—2013, Digital Security
7

8. Blackbox analysis of iOS apps
Jailbreak
• Jaibreak depends on SW & HW
• Tethered
• Untethered
• Ability to access file system
• Copy/edit any file in the system
• Bypassing sandbox restrictions
• Break out of the app’s directory
• Launching unsigned applications
• Launch applications that do not belong to App Store
© 2002—2013, Digital Security
8

9. Blackbox analysis of iOS apps
Apple about jailbreak
http://support.apple.com/kb/HT3743
9
© 2002—2013, Digital Security

10. Blackbox analysis of iOS apps
ARM
•
•
•
•
•
Advanced RISC Machine
Load-store architecture
Fixed-length instructions
3-address instruction formats
Instructions:
• Data transfer
• Data processing
• Control flow
10
© 2002—2013, Digital Security

11. Blackbox analysis of iOS apps
ARM modes
1. ARM
• Length(Instr) = 4 bytes
2. Thumb
• Length(Instr) = 2 bytes
3. Thumb2
• Length(Instr) = 2/4 bytes
4. Jazzle
• Java bytecode + ARM/Thumb
11
© 2002—2013, Digital Security

12. Blackbox analysis of iOS apps
ARM32
• Registers:
• General Purpose: r0-r12
• Stack Pointer: r13 (SP)
• Link Register: r14 (LR)
• Program Counter: r15 (PC)
• Current Program Status Register (CPSR)
• Calling Convention:
• Argument Values: r0-r3
• Local Values: r4-r12
• Return Value: r0
© 2002—2013, Digital Security
12

13. Blackbox analysis of iOS apps
ARM 64-bit Architecture
1. iPhone 5S
2. AArch64 (ARM), ARM64 (Apple)
13
© 2002—2013, Digital Security

14. Blackbox analysis of iOS apps
Divergences, divergences, divergences...
14
© 2002—2013, Digital Security

15. Blackbox analysis of iOS apps
Development for iOS
•
•
Mac
Xcode
• gcc/LLVM/LLVM-gcc compilers
• iPhone Simulator (i386)
• Cocoa Touch
• Objective-C
• Other: HTML, JavaScript, C# & .NET
(Xamarin)
15
© 2002—2013, Digital Security

16. Blackbox analysis of iOS apps
Objective-C
•
•
Object-oriented language
Based on:
• Strict superset C
• Smalltalk
16
© 2002—2013, Digital Security

17. Blackbox analysis of iOS apps
Calling methods
C++
ObjectPointer->MethodName(param1, param2)
Obj-C
[ObjectPointer MethodName:param1 param2Name:param2]
objc_msgSend(ObjectPointer, "MethodName“,”param1”, “param2”)
objc_msgSend()
objc_msgSendSuper()
objc_msgSend_fpret()
objc_msgSend_stret()
objc_msgSendSuper_stret()
objc_msgSendSuper2()
© 2002—2013, Digital Security
17

18. Blackbox analysis of iOS apps
Go to device
•
•
•
•
•
Jailbreak
Cydia
SSH/putty
itunnel_mux
WinSCP/scp
18
© 2002—2013, Digital Security

19. Blackbox analysis of iOS apps
Prepare env in device
• otool
• class-dump-z
• APT 0.6 Transitional
• apt-get
• Command line tools
• curl, dpkg, file, grep, netcat, python, sed, …
19
© 2002—2013, Digital Security

20. Blackbox analysis of iOS apps
Install apps from console
• Debian package
dpkg -i <package.deb>
killall -HUP SpringBoard
• App without developer license or patched
scp -r HelloWorld.app/ root@yourIP:/Applications/
uicache
killall -HUP SpringBoard
• IPA:
o
o
IPA Installer Console
iPhone Configuration Utility
© 2002—2013, Digital Security
20

21. Blackbox analysis of iOS apps
Useful commands
•
•
cd /private/var/mobile/Applications
find . -name '*Appname*‘
•
•
cd /private/var/mobile/Applications
ls –l | grep ‘Time’
21
© 2002—2013, Digital Security

22. Blackbox analysis of iOS apps
Applications
•
AppStore
•
•
On devices
•
•
IPA packages = ZIP files
/private/var/mobile/Applications/<UUID>/<AppName>.app/
Apple apps
•
/Applications/
22
© 2002—2013, Digital Security

23. Blackbox analysis of iOS apps
Mach-O file format basic structure
23
© 2002—2013, Digital Security

24. Blackbox analysis of iOS apps
Mach-O header
1. 32bit (ARMv6,ARMv7)
• 0xFEEDFACE
2. 64bit
• 0xFEEDFACF
3. Universal binaries (FAT)
• 0xCAFEBABE
24
© 2002—2013, Digital Security

25. Blackbox analysis of iOS apps
Application structure
AppName.app/
App
Documents/
Data files saved by the app
Library/
Miscellaneous app files
iTunesArtwork
App icon
iTunesMetadata.plist
The property list of the app
tmp/
Directory for temporary files
25
© 2002—2013, Digital Security

26. Blackbox analysis of iOS apps
Decrypt app from AppStore
1. gdb
• Choosing the right architecture (if FAT)
• Breakpoint at start
2. Clutch
3. dumpdecrypted.dylib
26
© 2002—2013, Digital Security

27. Blackbox analysis of iOS apps
Decrypt
•
•
Clutch
•
/var/root/Documents/Cracked/
dumpdecrypted.dylib
27
© 2002—2013, Digital Security

28. Blackbox analysis of iOS apps
OWASP Mobile Top 10 Risks
28
© 2002—2013, Digital Security

29. Blackbox analysis of iOS apps
Traffic analysis
•
Passive network traffic monitoring with tcpdump
Then load the *.pcap file into wireshark for analysis
• Gateway method
• BurpSuite
• HTTPS: Import PortSwigger CA to the iDevice
• dnsRedir
• Mallory (by Intrepidus Group)
29
© 2002—2013, Digital Security

30. Blackbox analysis of iOS apps
Certificate pinning?!
•
•
•
Pinning is the process of associating a host with
their expected X509 certificate or public key.
OWASP
• https://www.owasp.org/index.php/Certificate_and_Pu
blic_Key_Pinning#iOS
Attack
• trustme
• SecTrustEvaluate
• ios-ssl-killswitch
• SSLCreateContext,SSLSetSessionOption,
SSLHandshake
30
© 2002—2013, Digital Security

31. Blackbox analysis of iOS apps
Working with SSL certificates
• NSURLConnection class
• Accepting a self-signed certificate or incorrect
error processing
•
•
•
allowsAnyHTTPSCertificateForHost
setAllowsAnyHTTPSCertificate
continueWithoutCredentialForAuthentica
tionChallenge
31
© 2002—2013, Digital Security

32. Blackbox analysis of iOS apps
CFStreams sockets
• kCFStreamPropertySSLSettings
•
•
•
•
•
•
kCFStreamSSLLevel
kCFStreamSSLAllowsExpiredCertificates
kCFStreamSSLAllowsExpiredRoots
kCFStreamSSLAllowsAnyRoot
kCFStreamSSLValidatesCertificateChain
kCFStreamSSLPeerName
32
© 2002—2013, Digital Security

33. Blackbox analysis of iOS apps
Cross-site scripting
• UIWebView class
•
•
stringByEvaluatingJavaScriptFromString
shouldStartLoadWithRequest
33
© 2002—2013, Digital Security

34. Blackbox analysis of iOS apps
List of interesting strings
•
Don’t use and don’t leak
• UDID
• IMEI
• ICCID
• PII
• OSN-ID
• LID
34
© 2002—2013, Digital Security

35. Blackbox analysis of iOS apps
XML injections
•
•
XML External Entity (XXE) flaws
NSXMLParser class
•
•
•
libxml2 library
•
•
setShouldResolveExternalEntities
foundExternalEntityDeclarationWithName
_xmlParseMemory
3rd party libraries and classes
35
© 2002—2013, Digital Security

36. Blackbox analysis of iOS apps
Directory traversal
•
NSFileManager class
•
•
•
contentsAtPath
fileHandleForReadingAtPath
C functions
•
•
fopen
…
© 2002—2013, Digital Security

37. Blackbox analysis of iOS apps
File storage
•
NSFileManager class
• NSFileProtectionKey attribute
•
•
•
•
•
NSFileProtectionNone
NSFileProtectionComplete
NSFileProtectionCompleteUnlessOpen
NSFileProtectionCompleteUntilFirstUserAuthe
ntication
Tools:
• filemon.iOS
• FileDP
37
© 2002—2013, Digital Security

38. Blackbox analysis of iOS apps
filemon.iOS
38
© 2002—2013, Digital Security

39. Blackbox analysis of iOS apps
Plist files
•
plist – property lists
• Serialized objects
• XML
• NSUserDefaults class
•
Tools:
• Python library: plistlib, bplist
• plist Editor
• plutil
• plutil - convert xml1
39
© 2002—2013, Digital Security

40. Blackbox analysis of iOS apps
SQLite and SQL injections
•
SQLite database
•
•
•
•
•
/usr/lib/libsqlite3.dylib
/<GUID>/Documents/
•
*.sqlite, *.db, *.sqlite3
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
• Use parameterized queries
•
sqlite3_bind_*
40
© 2002—2013, Digital Security

41. Blackbox analysis of iOS apps
Keychain
•
Secure storage
•
•
•
•
•
File /private/var/Keychains/keychain-2.db
SecItemAdd()
SecItemUpdate()
SecItemCopyMatching()
SecItemDelete()
• Tools:
• keychain_dumper
• keychain_dump
41
© 2002—2013, Digital Security

42. Blackbox analysis of iOS apps
Cookies
• Persistent cookies: Cookies.binarycookies
• /private/var/mobile/Library/
• /private/var/mobile/<App GUID>/Library/Cookies
• Tool: BinaryCookieReader.py
42
© 2002—2013, Digital Security

43. Blackbox analysis of iOS apps
Logs
NSLog()
Tools:
• iPhone Configuration Utility
• syslogd
43
© 2002—2013, Digital Security

44. Blackbox analysis of iOS apps
Cache
• UIPasteboard class
•
generalPasteboard
• Backgrounding
• <Application
GUID>/Library/Caches/Snapshots/*/*.png
• applicationDidEnterBackground
• Keyboard cache
•
•
•
/var/mobile/Library/Keyboard/en_GB-dynamictext.dat
secureTextEntry = Yes
autocorrectionType = UITextAutocorrectionTypeNo
44
© 2002—2013, Digital Security

45. Blackbox analysis of iOS apps
IPC
•
URL schemes
• handleOpenURL
• openURL
• http://wiki.akosma.com/IPhone_URL_Sche
mes
45
© 2002—2013, Digital Security

46. Blackbox analysis of iOS apps
Memory corruptions
•
Obj-C + C/C++ function =
• Format string
•
•
•
•
•
•
•
•
•
•
NSLog()
[NSString stringWithFormat:]
[NSString initWithFormat:]
[NSMutableString appendFormat:]
[NSAlert informativeTextWithFormat:]
[NSPredicate predicateWithFormat:]
[NSException format:]
NSRunAlertPanel
Buffer overflow
Use-after-free
© 2002—2013, Digital Security

47. Blackbox analysis of iOS apps
Check for exploit mitigations
•
Stack cookie
•
•
_stack_chk_fail
_stack_chk_guard
•
PIE
•
ARC
•
•
•
•
•
•
_objc_release
_objc_retainAutoreleaseReturnValue
_objc_autoreleaseReturnValue
_objc_storeStrong
_objc_retain
_objc_retainAutoreleasedReturnValue
© 2002—2013, Digital Security

48. Blackbox analysis of iOS apps
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
TOOLS
48
© 2002—2013, Digital Security

49. Blackbox analysis of iOS apps
IDA Pro
49
© 2002—2013, Digital Security

50. Blackbox analysis of iOS apps
radare2 ARM64 Mach-O
1. ???
50
© 2002—2013, Digital Security

51. Blackbox analysis of iOS apps
Hopper
51
© 2002—2013, Digital Security

52. Blackbox analysis of iOS apps
iNalyzer
52
© 2002—2013, Digital Security

53. Blackbox analysis of iOS apps
cycript
53
© 2002—2013, Digital Security

54. Blackbox analysis of iOS apps
Introspy
54
© 2002—2013, Digital Security

55. Blackbox analysis of iOS apps
Snoop-it
55
© 2002—2013, Digital Security

56. Blackbox analysis of iOS apps
Q&A
d.evdokimov@dsec.ru
@evdokimovds
56
© 2002—2013, Digital Security