2. About me
Security Consultant @ INTEGRITY S.A. - www.integrity.pt
Penetration testing:
Web Apps
Mobile Apps
Infrastructure / Wireless
BSc in Information Systems and Computer Engineering
OSCP, CISSP Associate, ISO27001LA, CCNA
8. Environment Setup
Tools of trade (just to name a few):
*nix tools: tcpdump, ps, file, vim, wget, tar, …
otool, plutil, sqlite3, gdb, installipa, class-dump-z,
cycript, ldid, keychain_dumper, dumpdecrypted, …
iRET, Snoop-It, Introspy, iNalyzer, …
9. Environment Setup
Tips and Tricks #1:
Use TCP over USB with usbmux
One such client is libusbmuxd from libimobiledevice,
which also ships a Python implementation (tcprelay.py)
python tcprelay.py -t 22:2222 8080:8080
ssh root@localhost -p 2222
(22:2222 maps device port 22 to localhost:2222; -t relays several connections at once using threads)
It's a more stable connection
No need for a wifi connection at all
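What tcprelay.py does under the hood is speak the usbmuxd plist protocol on the local unix socket: a 16-byte little-endian header (total length, version 1, message type 8, tag) followed by an XML plist, and after a successful "Connect" the same socket becomes a raw tunnel to the chosen TCP port on the device. The following is an added example (not the page's tcprelay.py, nor libimobiledevice's code) that builds and parses those frames and opens one tunnel; the socket path /var/run/usbmuxd, the client name strings and the device id are assumptions, and a device id is normally obtained first from a "ListDevices" message.

```python
"""usbmuxd client framing for TCP-over-USB (added example, not tcprelay.py).

Needs a running usbmuxd on its unix socket (assumed default path below) and a
connected device to actually tunnel; the framing functions work offline.
"""
import plistlib
import socket
import struct

USBMUXD_SOCKET = "/var/run/usbmuxd"   # assumed default unix socket path
HEADER = struct.Struct("<IIII")       # total length (incl. header), version, type, tag
VERSION_PLIST = 1                     # plist-based protocol version
TYPE_PLIST = 8                        # payload is an XML plist


def swap_port(port: int) -> int:
    """usbmuxd wants the device port in network byte order, stored in an int."""
    return ((port << 8) & 0xFF00) | (port >> 8)


def build_message(payload: dict, tag: int) -> bytes:
    """Frame one plist message: header + XML plist body."""
    body = plistlib.dumps(payload, fmt=plistlib.FMT_XML)
    return HEADER.pack(HEADER.size + len(body), VERSION_PLIST, TYPE_PLIST, tag) + body


def build_connect(device_id: int, port: int, tag: int = 1) -> bytes:
    """Ask usbmuxd to bridge this socket to TCP `port` on device `device_id`."""
    return build_message({
        "MessageType": "Connect",
        "ClientVersionString": "usbmux-example",  # free-form client name (assumption)
        "ProgName": "usbmux-example",             # free-form program name (assumption)
        "DeviceID": device_id,
        "PortNumber": swap_port(port),
    }, tag)


def parse_message(data: bytes):
    """Return (tag, payload dict) for the first complete frame in `data`."""
    length, version, mtype, tag = HEADER.unpack_from(data)
    if version != VERSION_PLIST or mtype != TYPE_PLIST:
        raise ValueError(f"unexpected usbmuxd frame: version={version} type={mtype}")
    return tag, plistlib.loads(data[HEADER.size:length])


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; collect exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("usbmuxd closed the socket")
        buf += chunk
    return buf


def read_message(sock: socket.socket):
    """Read one framed plist reply from usbmuxd."""
    hdr = _recv_exact(sock, HEADER.size)
    length = HEADER.unpack(hdr)[0]
    return parse_message(hdr + _recv_exact(sock, length - HEADER.size))


def connect_device_port(device_id: int, port: int) -> socket.socket:
    """Open a tunnel; after a Result with Number 0 the socket talks to device:port.

    connect_device_port(1, 22) therefore returns a socket connected to the device's
    sshd, which is exactly what `ssh root@localhost -p 2222` reaches via tcprelay.py.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(USBMUXD_SOCKET)
    s.sendall(build_connect(device_id, port))
    _, reply = read_message(s)
    if reply.get("MessageType") != "Result" or reply.get("Number") != 0:
        s.close()
        raise ConnectionError(f"usbmuxd refused Connect: {reply}")
    return s
```

A relay such as tcprelay.py simply listens on a local TCP port, calls something like connect_device_port() for every accepted client and copies bytes in both directions; the port swap is the detail that most hand-written clients get wrong.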
13. Binary protections
An iOS app ships as an .ipa file: a zip archive holding the app bundle (Payload/<name>.app), with the Mach-O binary inside it
Checks:
Is the binary compiled with the PIE flag (Position Independent
Executable, needed for full ASLR) ?
Is the binary compiled with stack smashing protection (stack canaries) ?
What about ARC (Automatic Reference Counting) ?
Is the binary encrypted (App Store FairPlay encryption) ?
otool can be used to obtain the answers for the above questions
(otool -hv for the header flags, otool -Iv for imported symbols, otool -l for the load commands).
iRET is a tool that runs otool and presents the info in a web page.
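The checks above reduce to reading three otool outputs: the PIE flag in the Mach header, the __stack_chk_guard/__stack_chk_fail and _objc_release imports, and the cryptid value of LC_ENCRYPTION_INFO. The script below is an added example (not the page's, not iRET's code) that parses those outputs; the sample otool text embedded in it is constructed for the offline demo, and the otool() wrapper assumes otool is on PATH.

```python
"""Answer the binary-protection questions from otool output (added example).

Usage on a Mac or jailbroken device with otool installed:
    python check_protections.py Payload/Foo.app/Foo
Without an argument it runs against the constructed sample output below.
"""
import re
import subprocess
import sys


def otool(flag: str, path: str) -> str:
    """Run one otool invocation and return stdout (assumes otool on PATH)."""
    return subprocess.run(["otool", flag, path], capture_output=True,
                          text=True, check=True).stdout


def has_pie(header_text: str) -> bool:
    """otool -hv prints the Mach header flags symbolically; look for PIE.
    A fat binary prints one header per slice, and every slice must carry PIE."""
    flag_lines = [l for l in header_text.splitlines() if "MH_MAGIC" in l]
    return bool(flag_lines) and all(re.search(r"\bPIE\b", l) for l in flag_lines)


def has_stack_canary(symbols_text: str) -> bool:
    """-fstack-protector makes the binary import ___stack_chk_guard / ___stack_chk_fail."""
    return "___stack_chk_guard" in symbols_text or "___stack_chk_fail" in symbols_text


def uses_arc(symbols_text: str) -> bool:
    """ARC-compiled Objective-C imports _objc_release and friends.
    Caveat: a binary with no Objective-C at all reports False without being unsafe."""
    return bool(re.search(r"\b_objc_(release|retainAutorelease|storeStrong)\b", symbols_text))


def is_encrypted(loadcmds_text: str) -> bool:
    """otool -l lists LC_ENCRYPTION_INFO(_64); cryptid 1 means the slice is encrypted."""
    ids = [int(m) for m in re.findall(r"^\s*cryptid\s+(\d+)", loadcmds_text, re.M)]
    return any(i == 1 for i in ids)


def check_protections(header_text: str, symbols_text: str, loadcmds_text: str) -> dict:
    return {
        "pie": has_pie(header_text),
        "stack_canary": has_stack_canary(symbols_text),
        "arc": uses_arc(symbols_text),
        "encrypted": is_encrypted(loadcmds_text),
    }


# Constructed sample output in the shape otool prints (not from a real app).
SAMPLE_HEADER = """Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC     ARM         V7  0x00     EXECUTE    36       3960   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""
SAMPLE_SYMBOLS = """Indirect symbols for (__TEXT,__symbolstub1) 3 entries
address    index name
0x0000b6a4   185 ___stack_chk_fail
0x0000b6a8   186 _objc_msgSend
0x0000b6ac   187 _objc_release
"""
SAMPLE_LOADCMDS = """Load command 12
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 655360
      cryptid 1
"""


def main(argv):
    if len(argv) > 1:
        path = argv[1]
        result = check_protections(otool("-hv", path), otool("-Iv", path), otool("-l", path))
    else:
        result = check_protections(SAMPLE_HEADER, SAMPLE_SYMBOLS, SAMPLE_LOADCMDS)
    for name, ok in result.items():
        print(f"{name:13s} {'yes' if ok else 'NO'}")


if __name__ == "__main__":
    main(sys.argv)
```

An encrypted result is not a finding in itself (every App Store build is encrypted); it just means the binary has to be dumped before class-dump-z or a disassembler can be used on it.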
15. Inspecting the binary
When the binary is encrypted (App Store FairPlay), it is decrypted in memory upon
execution, so the clear image can be dumped from the running process.
How can I get the decrypted binary ?
By using gdb to dump the memory after decryption
dumpdecrypted
Clutch
(put your decryption tool/script here)
16. Inspecting the binary
What can I do after decryption ?
Use class-dump-z to extract the Objective-C metadata (the __OBJC segment,
or the __objc_* sections of __DATA in newer binaries), which provides
information about internal classes, methods, method arguments and
variables that are used in the app
Use your favourite disassembler, run strings and have fun :)
22. Core Data Services
Where?
<app dir>/Documents/
How ?
Data is stored in a SQLite file.
Tables are normally prefixed with a "Z"
Z_METADATA
Z_PRIMARYKEY (maps each entity id Z_ENT to its name; entity Foo is stored in table ZFOO)
Z_…
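Because Core Data's naming scheme is predictable, a store pulled from <app dir>/Documents/ can be walked without knowing the app's data model: read Z_PRIMARYKEY for the entity names, dump each Z<ENTITY> table and flag columns whose names suggest credentials. This is an added example (not the page's own code); the in-memory sample store it builds, including the ZACCOUNT table and its row, is constructed for the demo, and the list of sensitive name fragments is an assumption to extend per app.

```python
"""Walk a Core Data SQLite store copied off the device (added example).

Usage:  python coredata_dump.py /path/to/Model.sqlite
Without an argument it runs against a constructed in-memory sample store.
"""
import sqlite3
import sys

# Column-name fragments that usually deserve a closer look (assumption; extend per app).
SENSITIVE_FRAGMENTS = ("PASS", "TOKEN", "SECRET", "APIKEY", "CARD")


def list_z_tables(conn):
    """Core Data names every table with a Z prefix: Z_METADATA, Z_PRIMARYKEY, Z<ENTITY>."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'Z%' ORDER BY name")
    return [r[0] for r in rows]


def entity_map(conn):
    """Z_PRIMARYKEY maps each Z_ENT id to the entity name from the app's data model."""
    return {ent: name for ent, name in conn.execute("SELECT Z_ENT, Z_NAME FROM Z_PRIMARYKEY")}


def dump_entity(conn, entity_name):
    """Entity 'Account' lives in table ZACCOUNT; its attributes are Z<ATTRIBUTE> columns."""
    table = "Z" + entity_name.upper()
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def find_sensitive_columns(conn):
    """Return (table, column) pairs whose column name contains a sensitive fragment."""
    hits = []
    for table in list_z_tables(conn):
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]
            if any(frag in col.upper() for frag in SENSITIVE_FRAGMENTS):
                hits.append((table, col))
    return hits


def open_sample_store():
    """Constructed in-memory store in the shape Core Data writes (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB);
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR,
                                   Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                               ZUSERNAME VARCHAR, ZPASSWORD VARCHAR);
        INSERT INTO Z_PRIMARYKEY VALUES (1, 'Account', 0, 1);
        INSERT INTO ZACCOUNT VALUES (1, 1, 1, 'alice', 'hunter2');
    """)
    return conn


def main(path=None):
    conn = sqlite3.connect(path) if path else open_sample_store()
    for ent, name in entity_map(conn).items():
        cols, rows = dump_entity(conn, name)
        print(f"[{ent}] {name}: {cols}")
        for row in rows:
            print("   ", row)
    for table, col in find_sensitive_columns(conn):
        print(f"!! {table}.{col} looks sensitive; check whether it is stored in plaintext")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Copy the .sqlite file together with any -wal and -shm files next to it, otherwise recent writes still sitting in the write-ahead log are missed.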
27. Background screenshot
What ?
Every time an app is moved to the
background a screenshot is taken. This
screenshot is used by iOS when the app
returns to the foreground, so whatever was on
screen at that moment ends up on disk unless
the app hides or clears sensitive views first
Where ?
<app dir>/Library/Caches/Snapshots/<app id>/
Main/
32. Introspy
Tracer:
Used to hook and log security-sensitive iOS APIs
called by applications running on the device
The calls can also be sent to the Console for real-time
analysis
Analyzer:
A tool to turn a database generated by Introspy
into an HTML report
34. Filesystem
While executing, an application interacts with
the filesystem, and files are created, deleted,
read, moved, etc.
Introspy, Snoop-It and fileMon are some of
the applications that allow for file system
monitoring in real time
35. Keychain
While executing, an application interacts with
the keychain, and items are created, deleted,
read, updated, etc.
Introspy and Snoop-It are some of the
applications that allow for keychain
monitoring in real time
36. Methods, variables …
Using Cycript one can interact with the
Objective-C runtime environment and call
methods, change method implementations,
change variable values, etc.
Snoop-It implements part of Cycript's
functionality, and it's simpler to use
38. Network
There are 2 types of apps, from the network
perspective:
Those that respect the HTTP proxy
configuration for network interactions;
Tools: A proxy like Burp Suite or ZAP.
and those that don't!
Tools: A transparent proxy like Mallory (the device's traffic has to be routed through it, e.g. by making the test machine its gateway).
41. Tips and Tricks #2:
Instead of exposing your proxy on the network,
use SSH remote port forwarding over the USB tunnel
ssh root@localhost -p 2222 -R 8080:localhost:8080
Configure the device's HTTP proxy to point to localhost:8080
43. Network
What to look for:
Does the app use SSL ?
Does the app accept any certificate ? (remove any root CA installed on the phone, Burp's included, and check whether the proxied connection still works)
What about certificate pinning ? (install the Burp root CA before testing; if the app still refuses the proxied connection, it pins)
46. Pinning
If an application uses pinning what can you do:
You can use a tool that patches low-level SSL
functions to bypass any certificate validation
based on iOS APIs
This only covers pinning done through the iOS APIs; checks written by hand in the app code have to be located in the binary and patched, or hooked at runtime
48. Backend
Infrastructure and web app backend tests apply
to this component:
Data validation flaws
Business logic flaws
Authentication flaws
Authorisation flaws
…