
Testing iOS apps without jailbreak in 2018

Penetration tests of iOS applications usually require a jailbreak. On the other hand, software developers often require a new version of iOS to run their application. Unfortunately, as history shows, with each subsequent iOS release pentesters have to wait longer and longer for a stable jailbreak. In the end, when testing iDevices we become participants in a game of Russian roulette: stay on an out-of-date iOS and hope that no application will require a newer version, or take the risk of updating and maybe never get a jailbreak for the new version? During my presentation I will show that it is not necessary to put the iRevolver to your head, and I will present techniques for conducting penetration tests without a jailbreak. The presentation also includes a live demo presenting a solution to the problem of accessing protected application resources on the latest version of iOS.

Published in: Software

Testing iOS apps without jailbreak in 2018

  1. Testing iOS Apps without Jailbreak in 2018 – Wojciech Reguła
  2. Pwning WebView ⬇️ https://medium.com/securing
  3. Whoami: Wojciech Reguła • Pentester @ SecuRing • Creator of Ruby secure code examples for OWASP SKF • 🍎 products fan • Blogger – https://wojciechregula.blog. wojciech.regula@securing.pl @_r3ggi wojciech-regula
  4. Agenda: 1. Introduction to iOS app pentests 2. Current jailbreak situation 3. Pentesting without jailbreak • Setting up the environment 💻 📲 • Pentesting 👾 4. Summary. (Slide footer: Wojciech Reguła – Testing iOS Apps without Jailbreak in 2018 – wojciech.regula@securing.pl @_r3ggi wojciech-regula)
  5. Why should we care about iOS?
  6. (image slide)
  7. (chart) Sexual activity by smartphone brand: men vs. women
  8. Do we really need to check iOS app security?
  9. Selected problems with iOS apps
  10. Selected problems with iOS apps
  11. Selected problems with iOS apps
  12. So what do we have to check?
  13. OWASP MASVS: V1: Architecture, Design and Threat Modelling; V2: Data Storage and Privacy; V3: Cryptography Verification; V4: Authentication and Session Management; V5: Network Communication; V6: Platform Interaction; V7: Code Quality and Build Settings; V8: Resiliency Against Reverse Engineering
  14. Let's split the tests into two stages: static analysis and dynamic analysis
  15. Static analysis. Examples: • Excessive data in the application package • Binary security • Obfuscation • ATS configuration, iTunes file sharing
  16. Dynamic analysis. Examples: • Files saved by the application • Data in Keychain • Vulnerable URL handlers (IPC) • Application logs • Certificate pinning • Cache • Confidential information in snapshots
  17. (repeats slide 16)
  18. What do we need a jailbreak for? 1. Usually for dynamic analysis 2. For static analysis when we don't have the app package (*.ipa)
  19. #update: recently it has been getting better
  20. But it could have been even better
  21. So, if you are a security guy, why can't you just create your own jailbreak?
  22. Alriiight, let's start jailbreaking 😈
  23. Not so fast! 👿
  24. (image slide)
  25. FAIL: a jailbreak for your iOS version, but only for 32-bit devices
  26. (image slide)
  27. FAIL: a jailbreak exploiting a bug in an iPhone 7 driver
  28. (image slide)
  29. FAIL: a jailbreak for iOS x.3.0, but you have only iOS x.2.9
  30. (image slide)
  31. FAIL: the jailbreak for your iOS version is not public
  32. (image slide)
  33. FAIL: a jailbreak up to iOS y.1.0, but you have iOS y.1.2
  34. (image slide)
  35. SUCCESS: Congrats, you have a working jailbreak! 👑
  36. But there is a way!
  37. Injecting a custom dylib: 0*. Downloading the application package 1. Setting up the environment 2. Injecting the custom dylib & modifying the executable file 3. Repacking and signing the package 4. Installing the app on the device in debug mode
  38. 0*. Downloading the application package
  39. 1. Setting up the environment: embedded.mobileprovision, signing certificate
  40. embedded.mobileprovision
  41. embedded.mobileprovision
  42. Signing certificate
  43. 1. Setting up the environment
  44. Injecting the custom dylib & modifying the executable file
  45. Installing the app in debug mode. Link to demo: ➡️ https://vimeo.com/273879188
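Steps 1 to 3 of the procedure on slides 37 to 45 (environment, dylib injection, repack and re-sign), as an added shell example that is not from the talk. It assumes macOS with codesign, security and PlistBuddy, the third-party optool for adding the load command, a Frida Gadget dylib already downloaded, and a provisioning profile plus signing identity of your own; step 4 (installing the patched .ipa in debug mode) is done afterwards with Xcode or ios-deploy.

```shell
#!/bin/bash
# Added example (not from the slides): repack an .ipa with the Frida Gadget
# dylib and re-sign it with your own developer certificate + provisioning
# profile so the app runs on a non-jailbroken device. Assumed tools: macOS
# security/PlistBuddy/codesign, plus the third-party `optool` on PATH.
set -eu

# Locate exactly one .app bundle under <dir>/Payload. Pure helper with no
# macOS-only tooling, so it can be exercised on any platform.
find_app_dir() {
    local apps count
    apps=$(find "$1/Payload" -maxdepth 1 -type d -name '*.app')
    count=$(printf '%s\n' "$apps" | grep -c '\.app$') || true
    [ "$count" -eq 1 ] || { echo "expected one .app, found $count" >&2; return 1; }
    printf '%s\n' "$apps"
}

# Steps 1-3 of the slides: environment, injection, repack + sign.
repack_ipa() {
    local ipa="$1" gadget="$2" profile="$3" sign_id="$4" out="$5"
    local work app bin
    work=$(mktemp -d)
    out="$(cd "$(dirname "$out")" && pwd)/$(basename "$out")"
    unzip -q "$ipa" -d "$work"
    app=$(find_app_dir "$work")
    bin="$app/$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$app/Info.plist")"

    # 1. Environment: ship our provisioning profile and derive from it the
    #    entitlements the new signature must carry.
    cp "$profile" "$app/embedded.mobileprovision"
    security cms -D -i "$profile" > "$work/profile.plist"
    /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' "$work/profile.plist" > "$work/ent.plist"

    # 2. Injection: drop the gadget next to the main binary and add an
    #    LC_LOAD_DYLIB command so dyld loads it at launch.
    cp "$gadget" "$app/FridaGadget.dylib"
    optool install -c load -p "@executable_path/FridaGadget.dylib" -t "$bin"

    # 3. Re-sign inside-out: nested code first, then the bundle with entitlements.
    codesign -f -s "$sign_id" "$app/FridaGadget.dylib"
    find "$app/Frameworks" -mindepth 1 -maxdepth 1 2>/dev/null |
        while read -r nested; do codesign -f -s "$sign_id" "$nested"; done
    codesign -f -s "$sign_id" --entitlements "$work/ent.plist" "$app"

    (cd "$work" && zip -qr "$out" Payload)
    rm -rf "$work"
}

# Usage: repack_ipa Target.ipa FridaGadget.dylib dev.mobileprovision "iPhone Developer: Name (TEAMID)" Target-patched.ipa
```

Signing the nested dylibs and frameworks before the bundle matters: codesign validates nested code when sealing the outer bundle, so a stale inner signature makes the install fail.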
  46. Connecting to the Frida dylib: • Objection (Leonjza, bernard-wagner) • Needle • Directly using Frida • Passionfruit (ChiChou, oleavr)
  47. Connecting with Passionfruit. Link to demo: ➡️ https://vimeo.com/273879557
  48. Files saved by the application
  49. Cookies 🍪
  50. User defaults
  51. Application cache
  52. Accessing Keychain
  53. Sometimes it crashes
  54. Keychain
  55. Summary: 1. Jailbreaking needs a lot of effort from us 2. Using 'dylib injection' makes it possible to perform pentests of iOS apps 3. This method sometimes causes problems: • SSL pinning is not as straightforward to deal with as on a jailbroken device • How to get the application package (*.ipa)
  56. Try it at home 😎 https://goo.gl/XDD53U
  57. More general mobile security guide ⬇️ https://www.securing.biz/en/secure-mobile-applications-key-issues/index.html
  58. Question: How do you deal with this problem?
  59. Contact: SecuRing, Kalwaryjska 65/6, 30-504 Kraków, Poland, info@securing.pl, tel. +48 124252575, http://www.securing.biz/en. Wojciech Reguła, wojciech.regula@securing.pl @_r3ggi wojciech-regula
