SlideShare a Scribd company logo
Hacking & Securing
iOS Apps

@GeekCampSG
18th Aug 2012

                     Subhransu Behera (Subh)
                        Twitter: @subhransu
                     Email: subh@subhb.org
1. Hacking iOS Apps
About Me
•   iOS Application Architect in SAP

•   Developing iOS Apps for last 4 Yrs.

•   Co-organizer of iOS Dev Scout (iOS Developer Group in SG)

•   Worked as a RoR and Linux Developer prior to iOS

•   Understand Web, Mobile and Unix Systems

•   Have built iOS apps ranging from games to large scale enterprise apps.
So, 2 questions


•   Are the iDevices secure?

•   Are the apps that you developer using iOS SDK secure?



              Answer to both the questions are NO
I will be Talking on


•   How easy it’s to steal data from the apps you are developing

•   How to protect these apps

•   Not on how to protect your iDevices.
System Data


File System     Database       Bundle




                 User’s own
                  iDevice
                running your
                    APP
                                                  Backend
                                                            Database
                                                   Server




 other users    other users    other users
 running the    running the    running the
  same app       same app       same app




                                             You need to protect
File System     Database       Bundle        data both on client
                                             and server side
               System Data
Apple’s Security Model
                                      Crypto Engine
                   Data
                Protection
Software          Class
                App Sandbox                                 Hardware and
               User Partition                                 Firmware
                                         Device Key
                                         Group Key
                OS Partition        Apple Root Certificate

            Encrypted File System




                  Kernel
Breaking down further
• Reduced Attack Surface
• User & Group Permissions
• Code Signing
• Data Execution Prevention (Data vs Code)
• Sandboxing
• Address Space Layout Randomization
In spite of all these, a hacker can

• Steal Data from File System
• Steal Data from Network
• Attack App Server
• Run an Exploit from the iDevice
Developers usually store their
           application data in
•   Bundle

•   Document Directory

•   Library Directory

•   Key Chain

•   iCloud or on their own Server
Let’s Hack
Some Apps
Data from
Bundle Directory
Easiest of All

•   Some Developers put their database, plist and other data files in bundle
    directory

•   It’s very easy to extract data available in bundle directory from the
    application payload

•   Data that you can extract are images, audio, video files, plist, xml files or
    any other files that are stored in bundle directory
Steps to do it
•   Go to iTunes App Directory

•   Right click on any app whose data you want to extract

•   Select “Show in Finder” option

•   You can extract the content of the file if you have tools like “Stuffit
    expander”. Otherwise, just rename the app.ipa >> app.zip

•   Extract using any unarchive tool

•   The binary of the app is within Payload directory.

•   Right click on the binary and “Show Package Contents” to
    extract the content of bundle directory.
Steps to do it




1. Show in                     3. Show Package
                2. Unarchive
  Finder                           Contents
Contents from SGCarParks App
•   The app uses sqlite database file stored on Bundle directory to display car park
    information in Singapore.

•   Below is the content of sqlite file that contains Name of car parks, location
    (Latitude, Longitude), ERP Rates of the parking lots on weekdays and
    weekends.
Following the above steps

•   You can extract unencrypted Resource and Media Files

•   However, images are encoded by Apple to reduce the size of the binary.

•   So by following the above process you can’t extract the images of apps
    directly.

•   To extract reusable images you need to extraction tools like: Crunch

           •   http://www.pragmaticcode.com/crunch/
Images from Instagram App
•   Search the name of the app.

•   Select the application and
    Click on Export Icon.

•   Uncheck “only export
    highest definition” to
    export all images

•   Choose a directory to
    export the contents.           Images Extracted from
                                  Instagram using Crunch
Displaying PVR Images
•   PNG images use a significant amount of
    memory when a lot of frames are used for
    animation.

•   So game applications like AngryBird use
    PowerVR (commonly known as PVR)
    Texture images in stead of PNG images to
    reduce memory usage.

•   You can use TexturePacker tool to
    both create and display PVR Images.
                                               Images extracted from AngryBird
    http://www.codeandweb.com/texturepacker      iPhone App displayed using
                                                        TexturePacker
Data from
Document / Library
Directory
Document / Library Directory
•   It’s possible to extract unprotected files from Document directory on
    an authorized computer using iTunes.

•   It’s possible to extract unprotected files from Document / Library
    directory using Tools like iExplorer even if device is locked.

•   Hacker can jailbreak a device using softwares like redsn0w or
    ac1dsnow even if device is locked.

•   Extracting data from a jailbroken device is super easy.
Data Extraction using iExplorer
•   Download iExplorer from: http://www.macroplant.com/iexplorer/

•   Connect the target iDevice

•   Browse to the Application whose data you want to extract under

         •   Apps > “App Name”, replace App Name with the target app name. In
             this example we will be extract messages from Whatsapp iOS app.

•   Whatsapp messenger stores imported Addressbook in Document
    Directory by the name Contacts.sqlite and all conversations locally in
    ChatStorage.sqlite

•   You can export these files or any other files from Library Directory to a
    folder.
Extracting Chats from Whatsapp

  1. Export DB File from
   Document Directory




       2. Display Content on SQLite Manager
Sniffing
Network Traffic
Network Sniffing using Paros
•   Download and Install Paros : http://www.parosproxy.org/
    download.shtml

•   Make sure your Mac and iDevice use same WiFi hotspot.

•   Launch Paros. Go to Tools > Options > Local Proxy

•   Set local proxy Address as the IP address of your mac and port
    as 8080

•   On your iDevice, select the WiFi network you are connected to and set
    manual proxy with the above details. This direct the traffic of iDevice
    through Paros.
Network Sniffing using Paros



1. Configuring Paros with
   local IP on Port 8080


                           2. Configuring iPhone
Sniffing Instagram Traffic
•   Instagram store photos taken by users on Amazon Web Server

•   Whenever the app makes an internal API call either to get an user’s timeline or user’s own
    photos, the application fetches photos from AWS using public URL.

•   Using Paros you can sniff the network traffic and find out request parameters and responses
    of such API calls.

•   If you are sitting in a cafe which have public WiFI. Then you can capture packets and get
    photos of everyone who are using the same network.

•   For some apps you can even get username and password if those are being passed in clear
    text or even if its base64 encoded.
Sniffing Instagram Traffic




                API response
                captured by Paros
Manipulating
Runtime
Libraries & Frameworks
•   If you have ever wondered what are some of the libraries and
    framework your favorite iOS applications are using. Then you can use
    otool (object file displaying tool) to display object information
    from its binary.

        •   http://goo.gl/o4EwT

•   You can also find class interface of an app using class-dump-z. This
    usually consists of the header file (.h) file of the application whose
    information you’re extracting.

        •   http://code.google.com/p/networkpx/wiki/class_dump_z
Frameworks & Interfaces of apps
Breaking ObjC Codes
•   As ObjC is a dynamic language that’s based on the principle of message passing.
    It’s possible to inject custom code in a jailbroken device during runtime modifying
    the content of a variable or method to perform malicious activities.

•   On a jailbroken device you can install OpenSSH utility that will allow you to
    login as root user to the target device.

•   You can ssh to the target device using the command
    root@<ip_address_of_device>. Default password is alpine

•   After successfully logging into the device you can reverse engineer or modify the
    runtime in gdb mode.
Abusing Runtime with Cycript




    Using Cycript to manipulate runtime
Download Cycript from: http://www.cycript.org/
ObjC variables in runtime



1. Extracting Existing pin   2. Overwriting Existing pin.
of PhotoVault App from        Now original user can not
   its pinLock instance      even access his own photos
Next Steps
•   Start hacking your own apps and see if it’s easy to steal sensitive data
    from those apps.

•   Attend my talk on “Securing iOS Apps” at iOS Dev Scout # Sept
    Meetup

       •   On 13th Sept 2012 (Thursday) at PlugIn@BLK71

       •   RSVP here: https://www.facebook.com/events/340285926062221/

•   Go through the Books and Resources mentioned in next slides.
Books




Hacking and Securing iOS
                           iOS Hacker’s Handbook   iPhone and iOS Forensics
Applications (Must Read)
                           By : Charlie Miller     By : Andrew Hoog
By : Jonathan Zdziarski
•
                                         Resources
    Apple Reference Guides

          •   Security Overview

          •   Security Starting Point for iOS

          •   Keychain Service Programming Guide

          •   Secure Coding Guide

          •   Cryptographic Services Guide

          •   Certificate, Key,Trust Services Programming Guide

•   Sample Codes

          •   Crypto Exercise : https://developer.apple.com/library/ios/samplecode/CryptoExercise/
              CryptoExercise.zip

          •   Generic Keychain : https://developer.apple.com/library/ios/samplecode/GenericKeychain/
              GenericKeychain.zip
iOS Conf SG - 2013
31st Jan : Workshop & Hands-on Sessions
1st & 2nd Feb : Conference

(15 Awesome Talks by renowned
iOS Authors, Bloggers, App Creators)

For Updates:

Join Our Facebook Group:
https://www.facebook.com/groups/iosdevscout/

Follow on Twitter: @iOSConfSG
Thank You

Subhransu Behera (Subh)
Twitter: @subhransu
Email: subh@subhb.org

More Related Content

What's hot

Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applications
mgianarakis
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
Kai Aras
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
Herman Duarte
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
Kuba Břečka
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
wireharbor
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
Satish b
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09
Gonzalo Parra
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
Satish b
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Yandex
 

What's hot (20)

Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applications
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
 

Viewers also liked

Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
Graham Lee
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
iOS Views
iOS ViewsiOS Views
iOS Views
Marian Ignev
 
WhatsApp security
WhatsApp securityWhatsApp security
WhatsApp security
Javi Hurtado
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
Yair Amit
 
Fast-paced Introduction to Android Internals
Fast-paced Introduction to Android InternalsFast-paced Introduction to Android Internals
Fast-paced Introduction to Android Internals
Hamilton Turner
 
Space, Galaxies & Blackholes
Space, Galaxies & BlackholesSpace, Galaxies & Blackholes
Space, Galaxies & Blackholes
Subhransu Behera
 
Semantic Pattern Transformation
Semantic Pattern TransformationSemantic Pattern Transformation
Semantic Pattern Transformation
Peter Teufl
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
Peter Teufl
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
Dusan Klinec
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP Solution
Arasan Chip Systems
 
Rahmenbedingungen mobile security
Rahmenbedingungen mobile securityRahmenbedingungen mobile security
Rahmenbedingungen mobile securityPeter Teufl
 
Forward Swift 2017: Media Frameworks and Swift: This Is Fine
Forward Swift 2017: Media Frameworks and Swift: This Is FineForward Swift 2017: Media Frameworks and Swift: This Is Fine
Forward Swift 2017: Media Frameworks and Swift: This Is Fine
Chris Adamson
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMC
Linaro
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
Peter Teufl
 
File systems for Embedded Linux
File systems for Embedded LinuxFile systems for Embedded Linux
File systems for Embedded Linux
Emertxe Information Technologies Pvt Ltd
 
Malware
MalwareMalware
Malware
Tuhin_Das
 
Computer Malware
Computer MalwareComputer Malware
Computer Malware
aztechtchr
 
Presentation on iOS
Presentation on iOSPresentation on iOS
Presentation on iOS
Harry Lovylife
 

Viewers also liked (20)

Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
iOS Views
iOS ViewsiOS Views
iOS Views
 
WhatsApp security
WhatsApp securityWhatsApp security
WhatsApp security
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
 
Fast-paced Introduction to Android Internals
Fast-paced Introduction to Android InternalsFast-paced Introduction to Android Internals
Fast-paced Introduction to Android Internals
 
Space, Galaxies & Blackholes
Space, Galaxies & BlackholesSpace, Galaxies & Blackholes
Space, Galaxies & Blackholes
 
Semantic Pattern Transformation
Semantic Pattern TransformationSemantic Pattern Transformation
Semantic Pattern Transformation
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP Solution
 
Rahmenbedingungen mobile security
Rahmenbedingungen mobile securityRahmenbedingungen mobile security
Rahmenbedingungen mobile security
 
Forward Swift 2017: Media Frameworks and Swift: This Is Fine
Forward Swift 2017: Media Frameworks and Swift: This Is FineForward Swift 2017: Media Frameworks and Swift: This Is Fine
Forward Swift 2017: Media Frameworks and Swift: This Is Fine
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMC
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
File systems for Embedded Linux
File systems for Embedded LinuxFile systems for Embedded Linux
File systems for Embedded Linux
 
Malware
MalwareMalware
Malware
 
Computer Malware
Computer MalwareComputer Malware
Computer Malware
 
Presentation on iOS
Presentation on iOSPresentation on iOS
Presentation on iOS
 

Similar to Hacking and Securing iOS Apps : Part 1

Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
Surabaya Blackhat
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
Positive Hack Days
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
OWASPKerala
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
Mohammed Adam
 
Introduction to android sessions new
Introduction to android   sessions newIntroduction to android   sessions new
Introduction to android sessions new
Joe Jacob
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
DefconRussia
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
saurabhharit
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
iphonepentest
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
hakersinfo
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
Nikhil Kulkarni
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
G Prachi
 
Android application development fundamentals
Android application development fundamentalsAndroid application development fundamentals
Android application development fundamentals
indiangarg
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and Defense
Seth Law
 
Android Workshop Part 1
Android Workshop Part 1Android Workshop Part 1
Android Workshop Part 1
NAILBITER
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Droidcon Tunisia 2014 connect your mobile app to your backend
Droidcon Tunisia 2014 connect your mobile app to your backendDroidcon Tunisia 2014 connect your mobile app to your backend
Droidcon Tunisia 2014 connect your mobile app to your backend
Nacef Labidi
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
Denim Group
 

Similar to Hacking and Securing iOS Apps : Part 1 (20)

Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Introduction to android sessions new
Introduction to android   sessions newIntroduction to android   sessions new
Introduction to android sessions new
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Android application development fundamentals
Android application development fundamentalsAndroid application development fundamentals
Android application development fundamentals
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and Defense
 
Android Workshop Part 1
Android Workshop Part 1Android Workshop Part 1
Android Workshop Part 1
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Droidcon Tunisia 2014 connect your mobile app to your backend
Droidcon Tunisia 2014 connect your mobile app to your backendDroidcon Tunisia 2014 connect your mobile app to your backend
Droidcon Tunisia 2014 connect your mobile app to your backend
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 

Recently uploaded

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 

Recently uploaded (20)

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 

Hacking and Securing iOS Apps : Part 1

  • 1. Hacking & Securing iOS Apps @GeekCampSG 18th Aug 2012 Subhransu Behera (Subh) Twitter: @subhransu Email: subh@subhb.org
  • 3. About Me • iOS Application Architect in SAP • Developing iOS Apps for last 4 Yrs. • Co-organizer of iOS Dev Scout (iOS Developer Group in SG) • Worked as a RoR and Linux Developer prior to iOS • Understand Web, Mobile and Unix Systems • Have built iOS apps ranging from games to large scale enterprise apps.
  • 4. So, 2 questions • Are the iDevices secure? • Are the apps that you developer using iOS SDK secure? Answer to both the questions are NO
  • 5. I will be Talking on • How easy it’s to steal data from the apps you are developing • How to protect these apps • Not on how to protect your iDevices.
  • 6. System Data File System Database Bundle User’s own iDevice running your APP Backend Database Server other users other users other users running the running the running the same app same app same app You need to protect File System Database Bundle data both on client and server side System Data
  • 7. Apple’s Security Model Crypto Engine Data Protection Software Class App Sandbox Hardware and User Partition Firmware Device Key Group Key OS Partition Apple Root Certificate Encrypted File System Kernel
  • 8. Breaking down further • Reduced Attack Surface • User & Group Permissions • Code Signing • Data Execution Prevention (Data vs Code) • Sandboxing • Address Space Layout Randomization
  • 9. In spite of all these, a hacker can • Steal Data from File System • Steal Data from Network • Attack App Server • Run an Exploit from the iDevice
  • 10. Developers usually store their application data in • Bundle • Document Directory • Library Directory • Key Chain • iCloud or on their own Server
  • 13. Easiest of All • Some Developers put their database, plist and other data files in bundle directory • It’s very easy to extract data available in bundle directory from the application payload • Data that you can extract are images, audio, video files, plist, xml files or any other files that are stored in bundle directory
  • 14. Steps to do it • Go to iTunes App Directory • Right click on any app whose data you want to extract • Select “Show in Finder” option • You can extract the content of the file if you have tools like “Stuffit expander”. Otherwise, just rename the app.ipa >> app.zip • Extract using any unarchive tool • The binary of the app is within Payload directory. • Right click on the binary and “Show Package Contents” to extract the content of bundle directory.
  • 15. Steps to do it 1. Show in 3. Show Package 2. Unarchive Finder Contents
  • 16. Contents from SGCarParks App • The app uses sqlite database file stored on Bundle directory to display car park information in Singapore. • Below is the content of sqlite file that contains Name of car parks, location (Latitude, Longitude), ERP Rates of the parking lots on weekdays and weekends.
  • 17. Following the above steps • You can extract unencrypted Resource and Media Files • However, images are encoded by Apple to reduce the size of the binary. • So by following the above process you can’t extract the images of apps directly. • To extract reusable images you need to extraction tools like: Crunch • http://www.pragmaticcode.com/crunch/
  • 18. Images from Instagram App • Search the name of the app. • Select the application and Click on Export Icon. • Uncheck “only export highest definition” to export all images • Choose a directory to export the contents. Images Extracted from Instagram using Crunch
  • 19. Displaying PVR Images • PNG images use a significant amount of memory when a lot of frames are used for animation. • So game applications like AngryBird use PowerVR (commonly known as PVR) Texture images in stead of PNG images to reduce memory usage. • You can use TexturePacker tool to both create and display PVR Images. Images extracted from AngryBird http://www.codeandweb.com/texturepacker iPhone App displayed using TexturePacker
  • 20. Data from Document / Library Directory
  • 21. Document / Library Directory • It’s possible to extract unprotected files from Document directory on an authorized computer using iTunes. • It’s possible to extract unprotected files from Document / Library directory using Tools like iExplorer even if device is locked. • Hacker can jailbreak a device using softwares like redsn0w or ac1dsnow even if device is locked. • Extracting data from a jailbroken device is super easy.
  • 22. Data Extraction using iExplorer • Download iExplorer from: http://www.macroplant.com/iexplorer/ • Connect the target iDevice • Browse to the Application whose data you want to extract under • Apps > “App Name”, replace App Name with the target app name. In this example we will be extract messages from Whatsapp iOS app. • Whatsapp messenger stores imported Addressbook in Document Directory by the name Contacts.sqlite and all conversations locally in ChatStorage.sqlite • You can export these files or any other files from Library Directory to a folder.
  • 23. Extracting Chats from Whatsapp 1. Export DB File from Document Directory 2. Display Content on SQLite Manager
  • 25. Network Sniffing using Paros • Download and Install Paros : http://www.parosproxy.org/ download.shtml • Make sure your Mac and iDevice use same WiFi hotspot. • Launch Paros. Go to Tools > Options > Local Proxy • Set local proxy Address as the IP address of your mac and port as 8080 • On your iDevice, select the WiFi network you are connected to and set manual proxy with the above details. This direct the traffic of iDevice through Paros.
  • 26. Network Sniffing using Paros 1. Configuring Paros with local IP on Port 8080 2. Configuring iPhone
  • 27. Sniffing Instagram Traffic • Instagram store photos taken by users on Amazon Web Server • Whenever the app makes an internal API call either to get an user’s timeline or user’s own photos, the application fetches photos from AWS using public URL. • Using Paros you can sniff the network traffic and find out request parameters and responses of such API calls. • If you are sitting in a cafe which have public WiFI. Then you can capture packets and get photos of everyone who are using the same network. • For some apps you can even get username and password if those are being passed in clear text or even if its base64 encoded.
  • 28. Sniffing Instagram Traffic API response captured by Paros
  • 30. Libraries & Frameworks • If you have ever wondered what are some of the libraries and framework your favorite iOS applications are using. Then you can use otool (object file displaying tool) to display object information from its binary. • http://goo.gl/o4EwT • You can also find class interface of an app using class-dump-z. This usually consists of the header file (.h) file of the application whose information you’re extracting. • http://code.google.com/p/networkpx/wiki/class_dump_z
  • 32. Breaking ObjC Codes • As ObjC is a dynamic language that’s based on the principle of message passing. It’s possible to inject custom code in a jailbroken device during runtime modifying the content of a variable or method to perform malicious activities. • On a jailbroken device you can install OpenSSH utility that will allow you to login as root user to the target device. • You can ssh to the target device using the command root@<ip_address_of_device>. Default password is alpine • After successfully logging into the device you can reverse engineer or modify the runtime in gdb mode.
  • 33. Abusing Runtime with Cycript Using Cycript to manipulate runtime Download Cycript from: http://www.cycript.org/
  • 34. ObjC variables in runtime 1. Extracting Existing pin 2. Overwriting Existing pin. of PhotoVault App from Now original user can not its pinLock instance even access his own photos
  • 35. Next Steps • Start hacking your own apps and see if it’s easy to steal sensitive data from those apps. • Attend my talk on “Securing iOS Apps” at iOS Dev Scout # Sept Meetup • On 13th Sept 2012 (Thursday) at PlugIn@BLK71 • RSVP here: https://www.facebook.com/events/340285926062221/ • Go through the Books and Resources mentioned in next slides.
  • 36. Books Hacking and Securing iOS iOS Hacker’s Handbook iPhone and iOS Forensics Applications (Must Read) By : Charlie Miller By : Andrew Hoog By : Jonathan Zdziarski
  • 37. Resources Apple Reference Guides • Security Overview • Security Starting Point for iOS • Keychain Service Programming Guide • Secure Coding Guide • Cryptographic Services Guide • Certificate, Key,Trust Services Programming Guide • Sample Codes • Crypto Exercise : https://developer.apple.com/library/ios/samplecode/CryptoExercise/ CryptoExercise.zip • Generic Keychain : https://developer.apple.com/library/ios/samplecode/GenericKeychain/ GenericKeychain.zip
  • 38. iOS Conf SG - 2013 31st Jan : Workshop & Hands-on Sessions 1st & 2nd Feb : Conference (15 Awesome Talks by renowned iOS Authors, Bloggers, App Creators) For Updates: Join Our Facebook Group: https://www.facebook.com/groups/iosdevscout/ Follow on Twitter: @iOSConfSG
  • 39. Thank You Subhransu Behera (Subh) Twitter: @subhransu Email: subh@subhb.org