This document provides an overview of iOS security concepts and loopholes, and how they can be exploited to hack iOS applications or steal user data. It discusses various local storage mechanisms like plist files, SQLite databases, and the keychain that applications use, and how unencrypted or poorly secured data stored in these locations could potentially be compromised. It also covers other issues like screenshot caching, error logs, and the keyboard cache that could potentially leak sensitive data. Strategies for developing more secure applications to avoid such issues are also presented.
The fundamentals of Android and iOS app securityNowSecure
Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics:
+ Introduction to identifying security flaws in mobile apps (and how to avoid them)
+ Examples of secure and insecure mobile apps and how to secure them
+ Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices
The fundamentals of Android and iOS app securityNowSecure
Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics:
+ Introduction to identifying security flaws in mobile apps (and how to avoid them)
+ Examples of secure and insecure mobile apps and how to secure them
+ Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
As Mobile has become an integral part of our lives and our organization. This presentation enlist some of the points which will help us to secure health information while accessing through mobile device.
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
As Mobile has become an integral part of our lives and our organization. This presentation enlist some of the points which will help us to secure health information while accessing through mobile device.
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst as well as helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation will provide a primer on all facets of mobile forensics.
Pentesting iPhone Applications - It mainly focuses on the techniques and the tools that will help security testers while assessing the security of iPhone applications.
Fore more info visit - http://www.securitylearn.net
This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.
Few tips for iOS application development from security perspective.
Google docs presentation: https://docs.google.com/presentation/d/1eLQ40YCReg_pXp2as9FrbTgkNfOjOoPxDYUbFNyrT-M/pub?start=false&loop=false&delayms=3000
Top 10 Things to Secure on iOS and Android to Protect Corporate InformationLumension
Security expert Randy Franklin Smith from Ultimate Windows Security, shows you a technical and pragmatic approach to mobile security for iOS and Android. For instance, for iOS-based devices, he talks about:
• System security
• Encryption and data protection
• App Security
• Device controls
Randy also discusses Android-based devices. While Android gets its kernel from Linux, it builds on Linux security in a very specialized way to isolate applications from each other. And learn about iOS and Android mobile device management needs: Password and remote wipe capabilities are obvious but there’s much more to the story. And you’ll hear Randy's list of top-10 things you need to secure and manage on mobile devices in order to protect access to your organization’s network and information.
Hey everyone, we wanted to share a presentation we put together on the importance of using a password manager to stay secure online. It covers the growing threat of data breaches, the benefits of iOS password managers, best practices for storing passwords, and some top free options.
Looking for a secure iOS Password manager with secure password sharing? Check out RelyPass, our free iOS Password manager app.
RelyPass is a free iOS password organizer that makes it easy to securely maintain all of your passwords. To obtain access to your secure password vault, you only need to remember one master password rather than several different ones. This makes password management easy to learn and apply.
Visit out website: www.relypass.com
Similar to Hacking and Securing iOS Applications (20)
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
2. Agenda
iOS Security Concepts
Loopholes in iOS
Hacking & Securing iOS Applications
How does loophole in iOS affects the apps
How easy it’s to steal data from the apps
How to protect these apps
3. Who Am I?
<1 • Framework for functional testing tools
Development
5+ Information
• Web & Mobile application security
Security
• iOS Forensics & hacking
Other Interests • Tool development & Knowledge Sharing
4. iOS Basics
iOS is the Operating System that run on Apple devices like iPhone, iPod,
iPad & Apple TV
Stripped down Mac OS X + XNU kernel
Provides multi tasking
Only allows to run Apple signed applications
New features & Bug fixes with every release
Current version is iOS 6.1.1
5. iOS Security Features
Boot Chain
Chain of trust
Series of signature checks
BootRom->LLB->iBoot->kernel->file system
Code Signing
Prevents running of unauthorized apps/code
Verifies the integrity of the app code at rest & runtime
Malware prevention
Passcode
Prevents unauthorized access to the device
Default is 4-digit passcode & Support for complex passcode
Configurable data wipe after 10 failed attempts
6. Access data without passcode
Breaking Chain of trust
Bootrom exploit
Patch the series of signature checks
Boot with custom ramdisk
Access file system
No Bootrom exploit for latest devices
iPhone 4s & 5, iPad 2 &3, iPad Mini
7. iOS Security Features
Encryption
Dedicated crypto engine
Two hardcoded keys – UID & GID
Usage of UID & GID is limited
Data Protection
Ties the data encryption to the user’s passcode
Files are not accessible when the device is locked
No Passcode = No data protection
File Encryption
Every File is encrypted with unique key
File key is stored in the file metadata
Metadata is encrypted with EMF Key
8. Bypassing the iPhone passcode
Custom ram disk gives access to the file system
Passcode is required to access those protected files
Passcode is not stored on the device in any format
Brute force is the only option
Brute forcing at Springboard
6 failed attempts introduces delay
Delay from 1 min to several days
Brute forcing at kernel level
Passcode validity is verified by unlocking the System Keybag
Load brute force script in custom ramdisk and try to unlock Keybag
9. Bypassing the iPhone passcode
Brute force time depends on the iPhone hardware
On iPhone 4 –
10. iOS Security Features
ASLR - Address Space layout randomization
Randomizes the memory address
Apps can built with partial or full ASLR
Full - Compiled with PIE
DEP – Data Execution Prevention
Differentiates code and data
Prevents the execution of code from non executable memory pages
Stack Canaries
Stack smashing protection
Canary is placed after the local variables
Protects from buffer overflows
11. iOS Software Stack
Security
APIs
iOS
Security
Features
Ahmad-Reza Sadeghi et al, “Overview on apple iOS” paper
12. Types of iOS Applications
Browser based
Run inside safari
Built with server side technology like PHP, .NET,…
HTML, CSS & JavaScript rendering styled to the device
Native
Built with iOS SDK & ARM compiled
Written in Objective C & Cocoa Touch API
Hybrid
Native container that leverage browser engine
Objective C, HTML 5 & JavaScript
13. Areas of focus for hacking
Device storage
Plist
Sqlite
Cookies
Keychain
Run time analysis
Breaking simple locks
Sniffing Networks
MITM & Transport security
15. App Sandbox
Apps run in a self-contained environment called Sandbox
Apps can not access data from other apps
All apps run as one user: mobile
16. Plist files
Property list files - Key value pairs stored in binary or XML format
Easily viewed and modified using property list editors (plutil)
Designed to store user’s properties and configuration information
But Apps store usernames, passwords, email ids and session info
Ex: Facebook stores the authentication tokens
17. Plist files
Apps create plist files with any or without a file extension
Plists are identified by a file header – bplist
Plist files are not protected by Data protection
Plists are stored un-encrypted in the iOS normal backups (iTunes).
Apps may delete the plist files upon logout
File system changes are recorded in HFS Journal
Deleted files can be recovered by carving the HFS Journal
18. Plist files
Do not store sensitive data in Plist files
If required, use custom encryption
Protect plist files with data protection API
Create plist files Library/Caches folder
iTunes does not backup caches directory
For better security, Implement classes for secure file wipe
Before deleting the file overwrite the file bytes with junk values
20. Facebook Session Hijacking
Facebook stores authentication tokens in plist file
Gaining access to the plist allows to log into the app
Plist files can be stolen
Upon physical access to the device
From backups : Metasploit post exploitation script to read iOS backup
In addition to that, Tokens never expired even on Logout
21. Sqlite files
Lightweight database for structured data storage
Sqlite is portable, reliable, small and available as a single flat file
Sqlite is preferred as it gives good memory usage and speed
Apps store usernames, passwords, emails and sensitive data
Ex: Gmail stores the emails in Sqlite db file for offline access
22. Sqlite files
Sqlite can be created with any or without a file extension
Sqlite files can be viewed using Sqlite Spy or sqlite3
Data stored in the Sqlite is un-encrypted
Sqlite files are stored un-encrypted in the iOS backups (iTunes)
Apps may delete Sqlite files upon logout
Delete files can be recovered by carving the HFS Journal
23. Sqlite files
Apps may delete the Sqlite records
Sqlite – tags the records as deleted but not purge them
Records which are marked as deleted can be recovered by reading the
WAL (Write Ahead Log)
Recovering Sqlite records is easy compare to recovering the files
Strings command can be used to print the deleted records
24. Sqlite files
Do not store sensitive data in clear text
Use custom encryption
Protect Sqlite files with data protection API
Implement classes for secure file wipe
Purge the data upon deletion with VACUUM SQL command.
VACUUM rebuilds the database
Doing it for every delete consumes time
Before deleting the Sqlite record, replace the data with junk values
Data and Junk value length has to be same
25. Keychain
Sqlite database for sensitive data storage
Apple says “keychain is a secure place to store keys and passwords”
Located at: /var/Keychains/keychain-2.db
Four tables: genp, inet, cert, keys
Keychain encryption is tied to the device
Protected entries are tied to the user’s passcode
Keychain file is accessible to all the applications
Application can only access it’s own key chain items
Based on app keychain access group
26. Keychain
On a JailBroken device Keychain restrictions can be bypassed
Design an app as a member of all keychain access groups (*)
Keychain Dumper Tool
Design app with com.apple.keystore.access-keychain-keys permission
Keychain viewer – by Sogeti
27. Keychain
Keychain is also not secure. Do not store sensitive data in clear text.
Encrypt the data using custom encryption (CCCrypt)
Use data protection API while storing data in keychain
BY default entries are created with kSecAttrAccessibleWhenUnlocked data
protection
Apple may change the default protection any time
Do not store the encryption keys in the binary
29. Error Logs
Apps may write sensitive data in logs
Debugging (NSLog calls)
Trouble shooting
Requests & Responses
Located at - /private/var/log/syslog
To view iPhone logs
Console App (from AppStore)
iTunes Sync (CrashReporter folder)
iPhone configuration utility - Console
30. Error Logs
Syslog is out of sandbox – Any app can access it
Do not write sensitive data in the syslog file
31. Screenshot
Home button shrinks your application with a nice effect
iOS takes screen shots of the application to create that effect
Sensitive data may get cached
App directory/Library/Caches/Snapshots
Remove sensitive data or change the screen before the
applicationDidEnterBackground() function returns
Instead of hiding or removing sensitive data you can also prevent back-
grounding altogether by setting the "Application does not run in
background" property in the application's Info.plist file
33. Keyboard cache
iPhone records everything that a user types in clear text
Designed to auto complete the predictive common words
Located at - Library/Keyboard/en_GB-dynamic-text.dat
Viewed using a hex editor
34. Keyboard cache
Secure fields are not stored
Passwords are safe
Strings with all digits are not stored
Pins and credit card numbers are safe
Data typed into text fields are cached
Usernames and security question answers…
To disable auto complete of a text field
Mark it as a secure field
mytextField.secureTextEntry = YES
Disable auto correction
mytextField.autocorrectionType = UITextAutocorrectionTypeNo;
35. Cookies.binarycookies
Binary file to store the cookies
Persistent cookies are stored along with the flags (Secure, HTTPOnly)
Most iOS apps does not prompt the user for login every time and creates
persistent cookies
Apps store the session cookies locally
Grabbing cookies allows to log into the user’s account
36. Cookies.binarycookies
BinaryCookieReader.py can be used to read the cookie files
For critical applications don’t create persistent cookies
38. Binary Analysis
Self distributed Apps are not encrypted
AppStore binaries are encrypted
Similar to Fairplay DRM used on iTunes music
Loader decrypts the apps when loaded into memory
Debugger can be used to dump the decrypted app from memory into a file
Tools are available: Craculous & Installous
GNU Debugger or IDA Pro are used on decrypted binary for better
analysis
Look for Hard coded passwords, encryption keys, buffer over flows and
format string attacks
39. Runtime Analysis
Use class-dump-z on decrypted binary and map the application
iOS app centralized point of control (MVC) – UIApplication class
Analyze the class dump output and identify the interesting class
40. Runtime Analysis
App runtime can be easily modified using Cycript (Cydia pkg)
Combination of JavaScript and Objective-C interpreter
Can be hooked to a running process (like GDB)
Gives access to all classes and instance variables within the app
Existing methods can be overwritten easily
Create object for the class and directly access the instance variables and
invoke methods
41. Runtime Analysis
Possible attacks with Cycript
Authentication bypass
Breaking simple locks
Bypassing restrictions that stops apps from running on Jailbroken device
Extract hardcode encryption keys
Extract app passcodes
Malicious code injection
Do not store encryption keys / passcode in memory
Implement code that restricts debugger attachment
43. Transport Security
iOS apps use SSL/https to do secure transactions
NSURLRequest / NSURLConnection are commonly used
CFNetwork – Alternate low level framework to implement SSL
Frameworks by default rejects the self signed certificates to prevent MITM
attacks
Provides API to accept any un-trusted certificate
NSURLRequest
setAllowsAnyHTTPSCertificate
NSURLConnection delegate
continueWithoutCredentialForAuthenticationChallenge
CFNetwork
kCFStreamSSLAllowsExpiredCertificates …
44. Transport Security
DO not deploy iOS applications with cert validation bypass code
45. Transport Security
API uses a default set of ciphers to setup a connection
Does not provide option to choose the cipher
Apps can built with embedded SSL libraries
MatrixSSL, yaSSL
Apps compiled with latest SDK (>5) does not support weak ciphers
Image from iOS Application In-Security paper by MDSec