Hacking iOS with Proxies - dc612

Hacking iOS GameCenter and Passbook with Proxies
DC612
November 14, 2013

Who am I?

• Karl Fosaaen
Senior Security Consultant
At NetSPI
Twitter: @kfosaaen

Presentation Overview
• Intercepting iOS Traffic
• Proxies
• Why and How
• Tools
• Certificates
• Attack Examples
• GameCenter Scores
• GameCenter Hashes
• Passbook files
• Conclusions

Intercepting traffic: Proxies
• What are they?
‒ A tool that allows you to intercept, modify,
and store HTTP and HTTPs requests

• Examples
‒ Burp
‒ ZAP
‒ Fiddler
‒ WebScarab

Intercepting traffic: Why
• iOS traffic can be interesting
‒ Most apps use web service calls
‒ Most apps are just pretty web browsers

• Traffic tampering
‒ Can you name your own price/score?
‒ Most back ends have the same vulnerabilities
as normal web apps (XSS, SQLi, etc.)

• Server responses can be interesting
‒ Modify what the server says to trick your app
‒ Intercepting files (ie: Passbook Passes)

• Same goes for Android

Intercepting traffic: How
• Use an intercepting proxy
‒ Be on the same Wi-Fi network as the iOS device
‒ Set it up to capture your traffic
‒ Store and forward allows for tampering

• SSL Interception
‒ Requires a trusted certificate
‒ Some apps don’t trust iOS cert stores
•

This is a good thing, just a pain for interception

• Traffic sniffing
‒ Some apps send requests in the clear
‒ Packet sniffing can be useful

Intercepting traffic: Tools
• Burp
• iOS simulator
• Other Proxies
‒ ZAP
‒ Fiddler
‒ WebScarab

Intercepting Traffic: Certs
• Exporting the Burp Root CA

• Save the root cert as
PortSwiggerCA.crt
• Send the cert to yourself via email
and add it to your iOS device
• Instructions from Portswigger:
http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone

• Certificate installed on iPhone

Intercepting Traffic: Burp
• Burp Set Up

• iOS Proxy Set Up

• Intercepted iOS traffic
• HTTPS request to Google from iPhone

• A quick warning…
‒ Watch your credentials
•
•

Exchange ActiveSync sends encoded passwords
Your login creds for other apps and sites will get
stored in your proxy

‒ Mostly watch the data getting stored in your
proxy
•

You never know when you will need to send your
Burp session to someone else

• Identifying pinned apps
• Able to intercept normal browser SSL
traffic
• Can’t get app specific data
• Pinning might be in use
• The app may also be looking for specific
cert parameters
•

This is not pinning
• It’s cert checking

• Avoiding issues with cert pinned apps
•
•
•

•

Open the app without the proxy enabled
Get to a spot where you request an
external resource
Switch over to your preferences
• Turn on the Proxy
Request the resource
•
•
•

•

Passbook pass
Coupons
Etc.

Or just use the exclusions in Burp

Attack Examples

Example Time!

Attack Examples

• GameCenter High Scores
• GameCenter Email Hashes
• Passbook files

Attack Examples: GameCenter
GameCenter High Scores

• Attacking High Scores
‒ GameCenter scores update with
HTTPS POST requests
‒ No input validation on “score-value”
parameter
• Max score of
9,223,372,036,844,775,807

• Attack Process
‒ Set up intercepting proxy
‒ Play a game
•

Beat the first level
or

•

Trigger a score update

‒ Intercept the score update
•

Look for “submitScores” page

‒ Replace score value with
9,223,372,036,844,775,807

‒ Bad News
•
•

This was fixed in iOS 7
There’s a token now

=

Capturing GameCenter Email Hashes

• Capturing Email Hashes
• Unsalted SHA1 email hashes can be
leaked by requesting player
information
• This can be done for current friends
and accounts of “friends of friends”
• Why would they allow this?

• Step One: Add a bunch of friends
•

Current recommendations,
leaderboards, friends of your friends

• Step Two: Get a list of all of their friends
•
•

So “friends of friends”

Use Burp for this

• Step Three: Friend request all of them

• RETURN to Step One multiple times
• Step Four: Query for the email hashes
for all of your friends and all of their
friends too
•
•

This will be done with intruder in Burp
Much like step three – Send the request on the
next slide to intruder

• *Step Five: Write a worm that tries to
friend everyone (*Very Optional)

• Next Steps
‒ So you have some hashes, so what…
•

You have their handle, first and last names too

‒ What’s your email address?
•

Common email user names
•
•
•
•

First.last
FirstinitialLast
Handle/username
NameBirthYear (or other “significant” number)

‒ Who’s your email provider?
•

Gmail, Yahoo, Hotmail, AOL

• Cracking Email Hashes
‒ PowerShell Script to Guess Email user names
• kfosaaen@example.com
• k.fosaaen@example.com
• karlfosaaen@example.com
• karl.fosaaen@example.com
• karl.f@example.com
• karlf@example.com

‒ Append the top 500 email domains to the
end and SHA1 each one

• Cracking Email Hashes
‒ PowerShell Script to SHA1 hash the guessed
emails
•

This was basic, but worked well

‒ Use the email guesses as a dictionary for
Hashcat
•

The rule set can be customized to make cracking
easier

• Final Numbers:
‒ 225 friends added* (as of 10/16/13)
*Records collection stopped after 45 friends

‒ 1,635 records gathered
• 1,534 after Unicode removal
• 14,377 available to me currently
‒ 300 email hashes cracked (19.5%)
Records Example:
SHA1 Email Hash
: username : First Name : last Name
591542B50A99EAA8E41136305075F9FF708F1992:bubblefish:Deb:Morgan

Attack Examples: Passbook

Passbook

• Multiple Apps are now available with Passbook
• Mostly used to store loyalty cards, coupons, and
boarding passes
‒ Gift cards are now getting adopted

• Can actually be pretty convenient to use

• Passes are sent as .pkpass files
‒ .pkpass is just a renamed .zip file
‒ Required contents:
• manifest.json
• pass.json
• Signature
•
•

A signature file for integrity
Prevents file replacement and a re-zip

• Creating your own
‒ Join the Apple Developer Program ($99)
‒ Create a pass.json file to match your info
• The teamIdentifier and passTypeIdentifier
fields need to match your Apple cert info
• Make the pass details what you want
•
•

Boarding pass, coupon, etc.
Add images

‒ Use the signpass application (from Apple) to
generate the new .pkpass file
‒ Can be done in Windows and Linux

• Deployment
‒ Can be done via email or web server

• Common Application Issues:
• Failure to securely deliver .pkpass files
• No HTTPs or certificate pinning
• Failure to validate pass information on
backend systems
•

Do you really have $1,000 on that gift
card?

• Attack overview – Proxy method
‒ Set up your intercepting proxy
‒ Request a Passbook pass from the app
•

Look for the “Add to Passbook” button

‒ Intercept the request for the pass
•

Usually to a third party site

‒ Request and save the pass in your browser
‒ Modify your pass
‒ Re-sign and use your new and improved pass

• Attack overview – Easier way
‒ Add your pass to Passbook
‒ Send yourself the pass from the Passbook app
‒ Modify your pass
‒ Re-sign and use your new and improved pass

=

• Delta Boarding Passes
‒ One of many Passbook apps, but it’s the one
that I use the most
‒ Main Delta App does not do certificate
pinning

‒ Request for Passbook pass

• Attack overview – Easier way

‒ Extracted pkpass file

‒ Extracted Sky Priority pkpass file

‒ Modify the pass.json file
‒ And include the footer images in the directory

‒ Run the Signpass utility and email yourself the
pass

• Modified and Original Delta Boarding Passes

Conclusions
•Fixes
•
•
•

Certificate pinning
Better input validation
Limiting data leakage from apps

Hacking iOS Game Center and Passbook
• Questions?
• Karl Fosaaen
‒ Senior Security Consultant at NetSPI
‒ Twitter: @kfosaaen

Hacking iOS with Proxies - dc612

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Viewers also liked

Viewers also liked (16)

Similar to Hacking iOS with Proxies - dc612

Similar to Hacking iOS with Proxies - dc612 (20)

Recently uploaded

Recently uploaded (20)

Hacking iOS with Proxies - dc612