Recommended
More Related Content
What's hot
What's hot (20)
Similar to Pentesting iOS Apps
Similar to Pentesting iOS Apps (20)
Recently uploaded
Recently uploaded (7)
Pentesting iOS Apps
- 1. Pentesting iOS Apps Herman Duarte <hd@integrity.pt>
- 2. About me Security Consultant @ INTEGRITY S.A. - www.integrity.pt Penetration testing: Web Apps Mobile Apps Infrastructure / Wireless BSc in Information Systems and Computer Engineering OSCP, CISSP Associate, ISO27001LA, CCNA
- 3. Roadmap Environment setup Client component Static Analysis Dynamic Analysis Network component Backend component
- 6. Environment Setup Install OpenSSH Change default password for users: root mobile
- 7. Environment Setup Advanced Packaging Tool: apt-get install apt-get update apt-get upgrade apt-cache search
- 8. Environment Setup Tools of trade (just to name a few): *nix tools: tcpdump, ps, file, vim, wget, tar, … otool, plutil, sqlite3, gdb, installipa, class- dump-z, cycript, ldid, keychain_dumper, dumpdecrypted, … iRET, Snoop-It, Introspy, iNalyzer, …
- 9. Environment Setup Tips and Tricks #1: Use TCP over USB with usbmux One such client is libusbmuxd from libmobiledevice with a python based implementation python tcprelay.py -t 22:2222 8080:8080 ssh root@localhost -p 2222 Its a more stable connection No need to have a wifi connection at all
- 11. Client component Static analysis Runtime/Dynamic analysis
- 12. Static Analysis Binary protections Inspecting the binary Local data storage Caches
- 13. Binary protections The bundle of an iOS app is a zip file with the "ipa" extension Checks: Is the binary compiled with the PIE flag (Position Independent Executable aka ASLR) ? Is the binary compiled with stack smashing protection ? What about ARC (Automatic Reference Counting) ? Is the binary encrypted ? otool can be used to obtain the answers for the above questions. iRET is a tool that uses otool and presents the info in a web page.
- 15. Inspecting the binary When the binary is encrypted, it is decrypted in memory upon execution. How can I do that ? By using gdb to dump the memory after decryption Dumpdecrypted Clutch (put your decryption tool/script here)
- 16. Inspecting the binary What can I do after decryption ? Use class-dump-z to extract the __OBJC segment, that provides information about internal classes, methods, method arguments and variables that are used in the app Use your favourite disassembler, run strings and have fun :)
- 17. Inspecting the binary Demo Video http://youtu.be/XUgebKj6vA0
- 18. Local Data Storage NSUserDefaults Plist (xml/binary) Core Data Services SQLite Keychain
- 19. NSUserDefaults Where? <app dir>/Library/Preferences/ How ? Data is normally stored as a plist file, but it can be stored as a sqlite file as well.
- 21. NSUserDefaults Recommendation: Don’t use NSUserDefaults to store sensitive data; Use the keychain instead.
- 22. Core Data Services Where? <app dir>/Documents/ How ? Data is currently stored as a sqlite file. Tables are normally prefixed with a “Z" Z_METADATA Z_PRIMARYKEY Z_…
- 23. Core Data Services Demo Video http://youtu.be/p-nbb6PeD-c
- 24. Core Data Services Recommendation: Stop saving sensitive data using the core data services framework; Use the keychain instead.
- 25. Keychain Keychain services provides secure storage of passwords, keys, certificates, and notes, etc kSecAttrAccessible constants: kSecAttrAccessibleAlways kSecAttrAccessibleWhenUnlocked kSecAttrAccessibleAfterFirstUnlock kSecAttrAccessibleAlwaysThisDeviceOnly kSecAttrAccessibleWhenUnlockedThisDeviceOnly kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
- 27. Background screenshot What ? Every time an app is put on the background a screenshot is taken. This screenshot is used by iOS when the app returns to foreground Where ? <app dir>/Library/Caches/Snapshots/<app id>/ Main/
- 29. Background screenshot Recommendation: Change the screen content as soon as the app is about to lose focus, with a generic image;
- 30. Dynamic Analysis API calls Filesystem Keychain Methods, variables …
- 32. Introspy Tracer: Used to hook and log security-sensitive iOS APIs called by applications running on the device The calls can also sent to the Console for real-time analysis Analyzer: A tool to turn a database generated by Introspy into an HTML report
- 34. Filesystem While executing an application interacts with the filesystem, and files are created, deleted, read, moved, etc ! Introspy, Snoop-It and fileMon are some of the applications that allows for file system monitoring in real time
- 35. Keychain While executing an application interacts with the keychain, and items are created, deleted, read, updated, etc ! Introspy and Snoop-It are some of the applications that allows for keychain monitoring in real time
- 36. Methods, variables … Using Cycript one can interact with this Objective-C runtime environment and call methods, change methods implementation, change variables value, etc Snoop-It implements part o Cycript functionality, and it’s simpler to use
- 38. Network There are 2 types of apps, from the network perspective: Those that respect the HTTP proxy configuration for network interactions; Tools: A proxy like Burp Suite or ZAP. and those that don’t! Tools: A proxy like Mallory.
- 39. Proxy
- 41. Tips and Tricks #2: Instead of exposing your proxy on the network SSH remote port forwarding ssh root@localhost -p 2222 -R 8080:localhost: 8080 Configure HTTP proxy to point to localhost:8080 Proxy
- 42. Proxy (Remote Port Fwd)
- 43. Network What to look for: Does the app use SSL ? Does the app accept any certificate ? Remove any root CA installed on the phone What about certificate pinning? Install burp root CA before testing
- 45. What if the app uses Pinning ?
- 46. Pinning If an application uses pinning what can you do: You can use a tool that patches low-level SSL functions to bypass any certificate validation based on iOS API’s
- 48. Backend Infrastructure and web app backend tests apply to this component: Data validation flaws Business logic flaws Authentication flaws Authorisation flaws …