SlideShare a Scribd company logo

Hacking and Securing iOS Applications

n|u - The Open Security Community
n|u - The Open Security Community

This document provides an overview of iOS security concepts and loopholes, and how they can be exploited to hack iOS applications or steal user data. It discusses various local storage mechanisms like plist files, SQLite databases, and the keychain that applications use, and how unencrypted or poorly secured data stored in these locations could potentially be compromised. It also covers other issues like screenshot caching, error logs, and the keyboard cache that could potentially leak sensitive data. Strategies for developing more secure applications to avoid such issues are also presented.

1 of 46
Download to read offline
HACKING AND SECURING IOS APPLICATIONS -Satish B
Agenda  iOS Security Concepts  Loopholes in iOS  Hacking & Securing iOS Applications  How does loophole in iOS affects the apps  How easy it’s to steal data from the apps  How to protect these apps
Who Am I? <1 • Framework for functional testing tools Development 5+ Information • Web & Mobile application security Security • iOS Forensics & hacking Other Interests • Tool development & Knowledge Sharing
iOS Basics  iOS is the Operating System that run on Apple devices like iPhone, iPod, iPad & Apple TV  Stripped down Mac OS X + XNU kernel  Provides multi tasking  Only allows to run Apple signed applications  New features & Bug fixes with every release  Current version is iOS 6.1.1
iOS Security Features  Boot Chain  Chain of trust  Series of signature checks  BootRom->LLB->iBoot->kernel->file system  Code Signing  Prevents running of unauthorized apps/code  Verifies the integrity of the app code at rest & runtime  Malware prevention  Passcode  Prevents unauthorized access to the device  Default is 4-digit passcode & Support for complex passcode  Configurable data wipe after 10 failed attempts
Access data without passcode  Breaking Chain of trust  Bootrom exploit  Patch the series of signature checks  Boot with custom ramdisk  Access file system  No Bootrom exploit for latest devices  iPhone 4s & 5, iPad 2 &3, iPad Mini
iOS Security Features  Encryption  Dedicated crypto engine  Two hardcoded keys – UID & GID  Usage of UID & GID is limited  Data Protection  Ties the data encryption to the user’s passcode  Files are not accessible when the device is locked  No Passcode = No data protection  File Encryption  Every File is encrypted with unique key  File key is stored in the file metadata  Metadata is encrypted with EMF Key
Bypassing the iPhone passcode  Custom ram disk gives access to the file system  Passcode is required to access those protected files  Passcode is not stored on the device in any format  Brute force is the only option  Brute forcing at Springboard  6 failed attempts introduces delay  Delay from 1 min to several days  Brute forcing at kernel level  Passcode validity is verified by unlocking the System Keybag  Load brute force script in custom ramdisk and try to unlock Keybag
Bypassing the iPhone passcode  Brute force time depends on the iPhone hardware  On iPhone 4 –
iOS Security Features  ASLR - Address Space layout randomization  Randomizes the memory address  Apps can built with partial or full ASLR  Full - Compiled with PIE  DEP – Data Execution Prevention  Differentiates code and data  Prevents the execution of code from non executable memory pages  Stack Canaries  Stack smashing protection  Canary is placed after the local variables  Protects from buffer overflows
iOS Software Stack Security APIs iOS Security Features Ahmad-Reza Sadeghi et al, “Overview on apple iOS” paper
Types of iOS Applications  Browser based  Run inside safari  Built with server side technology like PHP, .NET,…  HTML, CSS & JavaScript rendering styled to the device  Native  Built with iOS SDK & ARM compiled  Written in Objective C & Cocoa Touch API  Hybrid  Native container that leverage browser engine  Objective C, HTML 5 & JavaScript
Areas of focus for hacking  Device storage  Plist  Sqlite  Cookies  Keychain  Run time analysis  Breaking simple locks  Sniffing Networks  MITM & Transport security
Local Storage
App Sandbox  Apps run in a self-contained environment called Sandbox  Apps can not access data from other apps  All apps run as one user: mobile
Plist files  Property list files - Key value pairs stored in binary or XML format  Easily viewed and modified using property list editors (plutil)  Designed to store user’s properties and configuration information  But Apps store usernames, passwords, email ids and session info  Ex: Facebook stores the authentication tokens
Plist files  Apps create plist files with any or without a file extension  Plists are identified by a file header – bplist  Plist files are not protected by Data protection  Plists are stored un-encrypted in the iOS normal backups (iTunes).  Apps may delete the plist files upon logout  File system changes are recorded in HFS Journal  Deleted files can be recovered by carving the HFS Journal
Plist files  Do not store sensitive data in Plist files  If required, use custom encryption  Protect plist files with data protection API  Create plist files Library/Caches folder  iTunes does not backup caches directory  For better security, Implement classes for secure file wipe  Before deleting the file overwrite the file bytes with junk values
Data Protection for files
Facebook Session Hijacking  Facebook stores authentication tokens in plist file  Gaining access to the plist allows to log into the app  Plist files can be stolen  Upon physical access to the device  From backups : Metasploit post exploitation script to read iOS backup  In addition to that, Tokens never expired even on Logout
Sqlite files  Lightweight database for structured data storage  Sqlite is portable, reliable, small and available as a single flat file  Sqlite is preferred as it gives good memory usage and speed  Apps store usernames, passwords, emails and sensitive data Ex: Gmail stores the emails in Sqlite db file for offline access
Sqlite files  Sqlite can be created with any or without a file extension  Sqlite files can be viewed using Sqlite Spy or sqlite3  Data stored in the Sqlite is un-encrypted  Sqlite files are stored un-encrypted in the iOS backups (iTunes)  Apps may delete Sqlite files upon logout  Delete files can be recovered by carving the HFS Journal
Sqlite files  Apps may delete the Sqlite records  Sqlite – tags the records as deleted but not purge them  Records which are marked as deleted can be recovered by reading the WAL (Write Ahead Log)  Recovering Sqlite records is easy compare to recovering the files  Strings command can be used to print the deleted records
Sqlite files  Do not store sensitive data in clear text  Use custom encryption  Protect Sqlite files with data protection API  Implement classes for secure file wipe  Purge the data upon deletion with VACUUM SQL command.  VACUUM rebuilds the database  Doing it for every delete consumes time  Before deleting the Sqlite record, replace the data with junk values  Data and Junk value length has to be same
Keychain  Sqlite database for sensitive data storage  Apple says “keychain is a secure place to store keys and passwords”  Located at: /var/Keychains/keychain-2.db  Four tables: genp, inet, cert, keys  Keychain encryption is tied to the device  Protected entries are tied to the user’s passcode  Keychain file is accessible to all the applications  Application can only access it’s own key chain items  Based on app keychain access group
Keychain  On a JailBroken device Keychain restrictions can be bypassed  Design an app as a member of all keychain access groups (*)  Keychain Dumper Tool  Design app with com.apple.keystore.access-keychain-keys permission  Keychain viewer – by Sogeti
Keychain  Keychain is also not secure. Do not store sensitive data in clear text.  Encrypt the data using custom encryption (CCCrypt)  Use data protection API while storing data in keychain  BY default entries are created with kSecAttrAccessibleWhenUnlocked data protection  Apple may change the default protection any time  Do not store the encryption keys in the binary
Data Protection for keychain
Error Logs  Apps may write sensitive data in logs  Debugging (NSLog calls)  Trouble shooting  Requests & Responses  Located at - /private/var/log/syslog  To view iPhone logs  Console App (from AppStore)  iTunes Sync (CrashReporter folder)  iPhone configuration utility - Console
Error Logs  Syslog is out of sandbox – Any app can access it  Do not write sensitive data in the syslog file
Screenshot  Home button shrinks your application with a nice effect  iOS takes screen shots of the application to create that effect  Sensitive data may get cached  App directory/Library/Caches/Snapshots  Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns  Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the "Application does not run in background" property in the application's Info.plist file
Screenshot  Gmail Screenshot
Keyboard cache  iPhone records everything that a user types in clear text  Designed to auto complete the predictive common words  Located at - Library/Keyboard/en_GB-dynamic-text.dat  Viewed using a hex editor
Keyboard cache  Secure fields are not stored  Passwords are safe  Strings with all digits are not stored  Pins and credit card numbers are safe  Data typed into text fields are cached  Usernames and security question answers…  To disable auto complete of a text field  Mark it as a secure field mytextField.secureTextEntry = YES  Disable auto correction mytextField.autocorrectionType = UITextAutocorrectionTypeNo;
Cookies.binarycookies  Binary file to store the cookies  Persistent cookies are stored along with the flags (Secure, HTTPOnly)  Most iOS apps does not prompt the user for login every time and creates persistent cookies  Apps store the session cookies locally  Grabbing cookies allows to log into the user’s account
Cookies.binarycookies  BinaryCookieReader.py can be used to read the cookie files  For critical applications don’t create persistent cookies
Run Time Analysis
Binary Analysis  Self distributed Apps are not encrypted  AppStore binaries are encrypted  Similar to Fairplay DRM used on iTunes music  Loader decrypts the apps when loaded into memory  Debugger can be used to dump the decrypted app from memory into a file  Tools are available: Craculous & Installous  GNU Debugger or IDA Pro are used on decrypted binary for better analysis  Look for Hard coded passwords, encryption keys, buffer over flows and format string attacks
Runtime Analysis  Use class-dump-z on decrypted binary and map the application  iOS app centralized point of control (MVC) – UIApplication class  Analyze the class dump output and identify the interesting class
Runtime Analysis  App runtime can be easily modified using Cycript (Cydia pkg)  Combination of JavaScript and Objective-C interpreter  Can be hooked to a running process (like GDB)  Gives access to all classes and instance variables within the app  Existing methods can be overwritten easily  Create object for the class and directly access the instance variables and invoke methods
Runtime Analysis  Possible attacks with Cycript  Authentication bypass  Breaking simple locks  Bypassing restrictions that stops apps from running on Jailbroken device  Extract hardcode encryption keys  Extract app passcodes  Malicious code injection  Do not store encryption keys / passcode in memory  Implement code that restricts debugger attachment
Transport Security
Transport Security  iOS apps use SSL/https to do secure transactions  NSURLRequest / NSURLConnection are commonly used  CFNetwork – Alternate low level framework to implement SSL  Frameworks by default rejects the self signed certificates to prevent MITM attacks  Provides API to accept any un-trusted certificate  NSURLRequest  setAllowsAnyHTTPSCertificate  NSURLConnection delegate  continueWithoutCredentialForAuthenticationChallenge  CFNetwork  kCFStreamSSLAllowsExpiredCertificates …
Transport Security  DO not deploy iOS applications with cert validation bypass code
Transport Security  API uses a default set of ciphers to setup a connection  Does not provide option to choose the cipher  Apps can built with embedded SSL libraries  MatrixSSL, yaSSL  Apps compiled with latest SDK (>5) does not support weak ciphers Image from iOS Application In-Security paper by MDSec
Thank You Email: Satish.bommisetty@gmail.com Twitter: @Satishb3

Recommended

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
IOS security
IOS securityIOS security
IOS security
bakhti rahman
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
Lookout
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
NowSecure
 

Recommended

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
IOS security
IOS securityIOS security
IOS security
bakhti rahman
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
Lookout
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
NowSecure
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Android SQLite Database Forensics
Android SQLite Database ForensicsAndroid SQLite Database Forensics
Android SQLite Database Forensics
forensicEmailAnalysis
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Mobile security
Mobile securityMobile security
Mobile security
CyberoamAcademy
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Mobile device privacy and security
Mobile device privacy and securityMobile device privacy and security
Mobile device privacy and security
Imran Khan
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
Mobile Operating System
Mobile Operating SystemMobile Operating System
Mobile Operating System
Sonal Poddar
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
MarketingArrowECS_CZ
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
iOS PPT
iOS PPTiOS PPT
iOS PPTSarika Naidu
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Mobile security
Mobile securityMobile security
Mobile security
Tapan Khilar
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
Subho Halder
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
Peter Teufl
 

More Related Content

What's hot

iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Android SQLite Database Forensics
Android SQLite Database ForensicsAndroid SQLite Database Forensics
Android SQLite Database Forensics
forensicEmailAnalysis
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Mobile security
Mobile securityMobile security
Mobile security
CyberoamAcademy
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Mobile device privacy and security
Mobile device privacy and securityMobile device privacy and security
Mobile device privacy and security
Imran Khan
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
Mobile Operating System
Mobile Operating SystemMobile Operating System
Mobile Operating System
Sonal Poddar
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
MarketingArrowECS_CZ
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Mobile security
Mobile securityMobile security
Mobile security
Tapan Khilar
 

What's hot (20)

iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Mobile security
Mobile securityMobile security
Mobile security
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Android SQLite Database Forensics
Android SQLite Database ForensicsAndroid SQLite Database Forensics
Android SQLite Database Forensics
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Mobile security
Mobile securityMobile security
Mobile security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Mobile device privacy and security
Mobile device privacy and securityMobile device privacy and security
Mobile device privacy and security
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Mobile Operating System
Mobile Operating SystemMobile Operating System
Mobile Operating System
 
Android Security
Android SecurityAndroid Security
Android Security
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Android Security
Android SecurityAndroid Security
Android Security
 
iOS PPT
iOS PPTiOS PPT
iOS PPT
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Android security
Android securityAndroid security
Android security
 
Mobile security
Mobile securityMobile security
Mobile security
 

Similar to Hacking and Securing iOS Applications

iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
Subho Halder
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
Peter Teufl
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
Brent Muir
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
Peter Teufl
 
Ios file management
Ios file managementIos file management
Ios file management
Rajeev Venkata
 
osi semair.pptx
osi semair.pptxosi semair.pptx
osi semair.pptx
amerdawood2
 
iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
Cyber security professional services- Detox techno
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
Satish b
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
deepikakumari643428
 
OWASP for iOS
OWASP for iOSOWASP for iOS
OWASP for iOS
Phineas Huang
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
DataArt
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
Dusan Klinec
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
iphonepentest
 
Security in iOS
Security in iOSSecurity in iOS
Security in iOS
Clement Prem
 
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate InformationTop 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Lumension
 
RelyPass - Fortify Your Digital Fortress
RelyPass - Fortify Your Digital FortressRelyPass - Fortify Your Digital Fortress
RelyPass - Fortify Your Digital Fortress
RelyPass
 

Similar to Hacking and Securing iOS Applications (20)

iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
Ios file management
Ios file managementIos file management
Ios file management
 
osi semair.pptx
osi semair.pptxosi semair.pptx
osi semair.pptx
 
iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 
OWASP for iOS
OWASP for iOSOWASP for iOS
OWASP for iOS
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Security in iOS
Security in iOSSecurity in iOS
Security in iOS
 
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate InformationTop 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
 
RelyPass - Fortify Your Digital Fortress
RelyPass - Fortify Your Digital FortressRelyPass - Fortify Your Digital Fortress
RelyPass - Fortify Your Digital Fortress
 

More from n|u - The Open Security Community

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
n|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security
n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
n|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
goswamiyash170123
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
tarandeep35
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
EduSkills OECD
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptxChapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
The Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptxThe Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptx
DhatriParmar
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
kimdan468
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docxAcetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
Israel Genealogy Research Association
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 

Recently uploaded (20)

Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptxChapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
 
The Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptxThe Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptx
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docxAcetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docx
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 

Hacking and Securing iOS Applications

  • 1. HACKING AND SECURING IOS APPLICATIONS -Satish B
  • 2. Agenda  iOS Security Concepts  Loopholes in iOS  Hacking & Securing iOS Applications  How does loophole in iOS affects the apps  How easy it’s to steal data from the apps  How to protect these apps
  • 3. Who Am I? <1 • Framework for functional testing tools Development 5+ Information • Web & Mobile application security Security • iOS Forensics & hacking Other Interests • Tool development & Knowledge Sharing
  • 4. iOS Basics  iOS is the Operating System that run on Apple devices like iPhone, iPod, iPad & Apple TV  Stripped down Mac OS X + XNU kernel  Provides multi tasking  Only allows to run Apple signed applications  New features & Bug fixes with every release  Current version is iOS 6.1.1
  • 5. iOS Security Features  Boot Chain  Chain of trust  Series of signature checks  BootRom->LLB->iBoot->kernel->file system  Code Signing  Prevents running of unauthorized apps/code  Verifies the integrity of the app code at rest & runtime  Malware prevention  Passcode  Prevents unauthorized access to the device  Default is 4-digit passcode & Support for complex passcode  Configurable data wipe after 10 failed attempts
  • 6. Access data without passcode  Breaking Chain of trust  Bootrom exploit  Patch the series of signature checks  Boot with custom ramdisk  Access file system  No Bootrom exploit for latest devices  iPhone 4s & 5, iPad 2 &3, iPad Mini
  • 7. iOS Security Features  Encryption  Dedicated crypto engine  Two hardcoded keys – UID & GID  Usage of UID & GID is limited  Data Protection  Ties the data encryption to the user’s passcode  Files are not accessible when the device is locked  No Passcode = No data protection  File Encryption  Every File is encrypted with unique key  File key is stored in the file metadata  Metadata is encrypted with EMF Key
  • 8. Bypassing the iPhone passcode  Custom ram disk gives access to the file system  Passcode is required to access those protected files  Passcode is not stored on the device in any format  Brute force is the only option  Brute forcing at Springboard  6 failed attempts introduces delay  Delay from 1 min to several days  Brute forcing at kernel level  Passcode validity is verified by unlocking the System Keybag  Load brute force script in custom ramdisk and try to unlock Keybag
  • 9. Bypassing the iPhone passcode  Brute force time depends on the iPhone hardware  On iPhone 4 –
  • 10. iOS Security Features  ASLR - Address Space layout randomization  Randomizes the memory address  Apps can built with partial or full ASLR  Full - Compiled with PIE  DEP – Data Execution Prevention  Differentiates code and data  Prevents the execution of code from non executable memory pages  Stack Canaries  Stack smashing protection  Canary is placed after the local variables  Protects from buffer overflows
  • 11. iOS Software Stack Security APIs iOS Security Features Ahmad-Reza Sadeghi et al, “Overview on apple iOS” paper
  • 12. Types of iOS Applications  Browser based  Run inside safari  Built with server side technology like PHP, .NET,…  HTML, CSS & JavaScript rendering styled to the device  Native  Built with iOS SDK & ARM compiled  Written in Objective C & Cocoa Touch API  Hybrid  Native container that leverage browser engine  Objective C, HTML 5 & JavaScript
  • 13. Areas of focus for hacking  Device storage  Plist  Sqlite  Cookies  Keychain  Run time analysis  Breaking simple locks  Sniffing Networks  MITM & Transport security
  • 15. App Sandbox  Apps run in a self-contained environment called Sandbox  Apps can not access data from other apps  All apps run as one user: mobile
  • 16. Plist files  Property list files - Key value pairs stored in binary or XML format  Easily viewed and modified using property list editors (plutil)  Designed to store user’s properties and configuration information  But Apps store usernames, passwords, email ids and session info  Ex: Facebook stores the authentication tokens
  • 17. Plist files  Apps create plist files with any or without a file extension  Plists are identified by a file header – bplist  Plist files are not protected by Data protection  Plists are stored un-encrypted in the iOS normal backups (iTunes).  Apps may delete the plist files upon logout  File system changes are recorded in HFS Journal  Deleted files can be recovered by carving the HFS Journal
  • 18. Plist files  Do not store sensitive data in Plist files  If required, use custom encryption  Protect plist files with data protection API  Create plist files Library/Caches folder  iTunes does not backup caches directory  For better security, Implement classes for secure file wipe  Before deleting the file overwrite the file bytes with junk values
  • 20. Facebook Session Hijacking  Facebook stores authentication tokens in plist file  Gaining access to the plist allows to log into the app  Plist files can be stolen  Upon physical access to the device  From backups : Metasploit post exploitation script to read iOS backup  In addition to that, Tokens never expired even on Logout
  • 21. Sqlite files  Lightweight database for structured data storage  Sqlite is portable, reliable, small and available as a single flat file  Sqlite is preferred as it gives good memory usage and speed  Apps store usernames, passwords, emails and sensitive data Ex: Gmail stores the emails in Sqlite db file for offline access
  • 22. Sqlite files  Sqlite can be created with any or without a file extension  Sqlite files can be viewed using Sqlite Spy or sqlite3  Data stored in the Sqlite is un-encrypted  Sqlite files are stored un-encrypted in the iOS backups (iTunes)  Apps may delete Sqlite files upon logout  Delete files can be recovered by carving the HFS Journal
  • 23. Sqlite files  Apps may delete the Sqlite records  Sqlite – tags the records as deleted but not purge them  Records which are marked as deleted can be recovered by reading the WAL (Write Ahead Log)  Recovering Sqlite records is easy compare to recovering the files  Strings command can be used to print the deleted records
  • 24. Sqlite files  Do not store sensitive data in clear text  Use custom encryption  Protect Sqlite files with data protection API  Implement classes for secure file wipe  Purge the data upon deletion with VACUUM SQL command.  VACUUM rebuilds the database  Doing it for every delete consumes time  Before deleting the Sqlite record, replace the data with junk values  Data and Junk value length has to be same
  • 25. Keychain  Sqlite database for sensitive data storage  Apple says “keychain is a secure place to store keys and passwords”  Located at: /var/Keychains/keychain-2.db  Four tables: genp, inet, cert, keys  Keychain encryption is tied to the device  Protected entries are tied to the user’s passcode  Keychain file is accessible to all the applications  Application can only access it’s own key chain items  Based on app keychain access group
  • 26. Keychain  On a JailBroken device Keychain restrictions can be bypassed  Design an app as a member of all keychain access groups (*)  Keychain Dumper Tool  Design app with com.apple.keystore.access-keychain-keys permission  Keychain viewer – by Sogeti
  • 27. Keychain  Keychain is also not secure. Do not store sensitive data in clear text.  Encrypt the data using custom encryption (CCCrypt)  Use data protection API while storing data in keychain  BY default entries are created with kSecAttrAccessibleWhenUnlocked data protection  Apple may change the default protection any time  Do not store the encryption keys in the binary
  • 29. Error Logs  Apps may write sensitive data in logs  Debugging (NSLog calls)  Trouble shooting  Requests & Responses  Located at - /private/var/log/syslog  To view iPhone logs  Console App (from AppStore)  iTunes Sync (CrashReporter folder)  iPhone configuration utility - Console
  • 30. Error Logs  Syslog is out of sandbox – Any app can access it  Do not write sensitive data in the syslog file
  • 31. Screenshot  Home button shrinks your application with a nice effect  iOS takes screen shots of the application to create that effect  Sensitive data may get cached  App directory/Library/Caches/Snapshots  Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns  Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the "Application does not run in background" property in the application's Info.plist file
  • 32. Screenshot  Gmail Screenshot
  • 33. Keyboard cache  iPhone records everything that a user types in clear text  Designed to auto complete the predictive common words  Located at - Library/Keyboard/en_GB-dynamic-text.dat  Viewed using a hex editor
  • 34. Keyboard cache  Secure fields are not stored  Passwords are safe  Strings with all digits are not stored  Pins and credit card numbers are safe  Data typed into text fields are cached  Usernames and security question answers…  To disable auto complete of a text field  Mark it as a secure field mytextField.secureTextEntry = YES  Disable auto correction mytextField.autocorrectionType = UITextAutocorrectionTypeNo;
  • 35. Cookies.binarycookies  Binary file to store the cookies  Persistent cookies are stored along with the flags (Secure, HTTPOnly)  Most iOS apps does not prompt the user for login every time and creates persistent cookies  Apps store the session cookies locally  Grabbing cookies allows to log into the user’s account
  • 36. Cookies.binarycookies  BinaryCookieReader.py can be used to read the cookie files  For critical applications don’t create persistent cookies
  • 38. Binary Analysis  Self distributed Apps are not encrypted  AppStore binaries are encrypted  Similar to Fairplay DRM used on iTunes music  Loader decrypts the apps when loaded into memory  Debugger can be used to dump the decrypted app from memory into a file  Tools are available: Craculous & Installous  GNU Debugger or IDA Pro are used on decrypted binary for better analysis  Look for Hard coded passwords, encryption keys, buffer over flows and format string attacks
  • 39. Runtime Analysis  Use class-dump-z on decrypted binary and map the application  iOS app centralized point of control (MVC) – UIApplication class  Analyze the class dump output and identify the interesting class
  • 40. Runtime Analysis  App runtime can be easily modified using Cycript (Cydia pkg)  Combination of JavaScript and Objective-C interpreter  Can be hooked to a running process (like GDB)  Gives access to all classes and instance variables within the app  Existing methods can be overwritten easily  Create object for the class and directly access the instance variables and invoke methods
  • 41. Runtime Analysis  Possible attacks with Cycript  Authentication bypass  Breaking simple locks  Bypassing restrictions that stops apps from running on Jailbroken device  Extract hardcode encryption keys  Extract app passcodes  Malicious code injection  Do not store encryption keys / passcode in memory  Implement code that restricts debugger attachment
  • 43. Transport Security  iOS apps use SSL/https to do secure transactions  NSURLRequest / NSURLConnection are commonly used  CFNetwork – Alternate low level framework to implement SSL  Frameworks by default rejects the self signed certificates to prevent MITM attacks  Provides API to accept any un-trusted certificate  NSURLRequest  setAllowsAnyHTTPSCertificate  NSURLConnection delegate  continueWithoutCredentialForAuthenticationChallenge  CFNetwork  kCFStreamSSLAllowsExpiredCertificates …
  • 44. Transport Security  DO not deploy iOS applications with cert validation bypass code
  • 45. Transport Security  API uses a default set of ciphers to setup a connection  Does not provide option to choose the cipher  Apps can built with embedded SSL libraries  MatrixSSL, yaSSL  Apps compiled with latest SDK (>5) does not support weak ciphers Image from iOS Application In-Security paper by MDSec