This document provides an overview and outline for a presentation on advanced iOS hacking and forensic techniques. It introduces the presenters Ömer Coşkun and Mark de Groot and their backgrounds in security. The motivation for the talk is discussed, including analyzing iOS security mechanisms, automating mobile penetration tests, and the increasing focus on mobile device surveillance and security as applications handle more sensitive data. An overview of the iOS security architecture is provided, along with details on application sandboxing, file system encryption, and application reverse engineering techniques. The document outlines topics on iOS application static and dynamic analysis, hunting for private keys, penetration testing iOS apps, intercepting application communications, using Burp Suite to automate testing, and developing iOS rootkits.
1. Author(s): Ömer Coşkun & Mark de Groot
iOS Hacking: Advanced Pentest & Forensic
Techniques
The supreme art of war is to subdue the enemy without fighting. Sun Tzu
2. $ whoami
Ömer Coşkun (@0xM3R)
BEng. Computer Science
Research Assistant in
Quantum Cryptography
& Advanced Topics in AI
2
Industry Experience
KPN – CISO , Ethical
Hacking
Verizon – Threat &
Vulnerability Management
IBM ISS – Threat Intelligence
Interests
Algorithm Design, Programming, Cryptography,
Reverse Engineering, Malware Analysis, OS
Internals, Rootkits
Mark de Groot(@markos1979)
Industry Experience
KPN – CISO , Ethical Hacking
Interests
Programming, Cryptography,
Reverse Engineering,
Software Explotation, CTF,
Rfid, SDR
4. Motivations
4Analyze existing security mechanism on iOS platform
and circumvention techniques
Automate and speed up mobile penetration tests
Surveillance implants shifted focus to mobile devices
Mobile applications are evolving and tied to
monetary: iOS Mobile Payments, Paypal SDK etc.
iOS Rootkits are not only a theory anymore
Reverse Engineering on ARM Environment is Fun!
5. iOS Security Architecture
5
Every app on iOS requires signing information
Signature information within LC_CODE_SIGNATURE
SHA1 signature verification (memory pages)
iOS System Security
Secure BootChain : components signed by Apple
System software authorization: Firmware
downgrade protection
Secure Enclave: Apple A7 processors memory
encryption
TouchID: PassCode Replacement
KeyBags: Used for system,backup, iCloud Backups
10. File Encryption Mechanism
Every file encrypted with a unique key
Data Protection engine creates each time AES CBC 256-bit
key and SHA-1 hash per file
File key stored within the file metadata
Metadata of all files in the file system is encrypted with a
random key (iOS 1st
installation)
Per file key unwrapped from Class Key, then supplied to AES
engine
iOS : File System Encryption
10
11. iOS : File System Encryption (cont’d)
11File API Class
NsFileProtectionNone
NsFileProtectionComplete
NsFileProtectionComplete
UnlessOpen
NsFileProtectionComplete
UntilFirstUserAuthentication
Security Attributes
kSecAttrAccessibleWhenUnlocked
kSecAttrAccessibleAfterFirstUnlock
kSecAttrAccessibleAlways
kSecAttrAccessibleWhenUnlocked
ThisDeviceOnly
kSecAttrAccessibleAfterFirstUnlock
ThisDeviceOnly
kSecAttrAccessibleAlwaysThisDevi
ceOnlyFile Protector with NSData:
File Protector with NSFileManager:
12. iOS : File System Encryption (cont’d)
Escrow KeyBag Location
/private/var/db/lockdown/
iTunes Backup Location
~/Library/Application Support/MobileSync/Backup/
Passcode can be brute-forced
Open Source and Commercial Backup Decryptors
12
16. Getting the Debugger running
16All you need are stored under the Xcode IDE directories
Obtain the debug server binary
$ hdiutil attach
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSu
pport/7.1/DeveloperDiskImage.dmg
17. Create an entity file for debugserver binary signing with following
content
Getting the Debugger running
17
Sign your debugserver binary
and upload it to jailbroken iOS pentest device
18. Attach target binary for remote debugging
Getting the Debugger running
18
Make sure correct SDK path selected and connect to device:
19. Stopped thread list available if debuggger connect is made correctly
Debugging x64 iOS App
19
20. Reversing iOS should be easy in an ideal world :
Malware reversers would know what I mean :)
Reversing iOS Apps
20
21. IDA Pro correctly resolves the function names as well as
the cross references.
Reversing iOS Apps: Sainte Ida de
Louvain
21
Source: https://www.hex-rays.com/products/ida/
22. Check for interesting function calls as all the imports are
correctly resolved.
Reversing iOS Apps: Dealing with
Crpyto
22
23. It seems the application evaluates the certificate here.
Reversing iOS Apps: Dealing with
Crypto
23
https://developer.apple.com/l
ibrary/mac/documentation/S
ecurity/Reference/certifkeytru
stservices/index.html
Check the function prototypes and the definition on Apple Dev.
24. Data content is being encrypted using public key
before sending it to server.
Reversing iOS Apps: Dealing with
Crypto
24
Calling Convention : C++
ObjectPointer->Function(parameters)
Calling Convention : Objective C
[ObjectPointer Function:parameters]
25. Reversing iOS Apps: Hunting for
Public Key
25The following function evaluates the certificate .
Check the function prototypes and the definition on Apple Dev.
https://developer.apple.com/l
ibrary/mac/documentation/S
ecurity/Reference/certifkeytru
stservices/index.html
32. Reversing iOS Apps: Hunting for
Public Key
32Set breakpoint to target function and then run until
private keys are pushed into memory.
Dump the memory to a writable location by LLDB debugger .
Memory dump should contain the data we were looking for.
36. iOS Apps Penetration Testing:
Network Traffic Analysis
36
Cacoa Packet
Analyzer:
www.tastycoco
abytes.com/cp
a/
Appeals to MAC funs; unlike WireShark, it doesn’t require
additional libraries such as XQuartz to be installed.
37. SSL Interception: Function Hooks
37Standard SSLRead function provided by iOS SDK .
iOS Dev Center:
https://develop
er.apple.com/li
brary/mac/doc
umentation/Se
curity/Referenc
e/secureTransp
ortRef/
38. SSL Interception: Function Hooks
38Standard SSLWrite function provided by iOS SDK .
iOS Dev Center:
https://develop
er.apple.com/li
brary/mac/doc
umentation/Se
curity/Referenc
e/secureTransp
ortRef/
39. SSL Interception: Function Hooks
39How does a simple implementation of a function hook
implementation on iOS envrionment looks like ?
MSHookFunction ((void *) SSLWrite, (void *) _
hook_SSLWrite, (void **) & call_to_REAL_SSLWrite);
MSHookFunction ((void *) SSLRead, (void *) _
hook_SSLRead, (void **) & call_to_REAL_SSLRead);
40. SSL Interception: Function Hooks
40Create a hook that will intercept the SSL communication by
hooking application level read/write operation functions .
41. Hardware/Software
Interception: Captain
Hook Style Hacking 41
Captain Hook Style Hacking: Intercepts
every function, keeps a copy of the content for herself,
and then let the function continue as it was supposed to
…
43. SSL Interception: Function Hooks
43What if some people implements hook functions not only to
see SSL traffic , but rather to reach hardware resources?
47. Burp Suite: Atomize Everything
47
Burp Suite: http://portswigger.net/burp/
More than standard application communication interception.
48. Burp Extensions: Installation
Suggested and Most Preferred Way : Burp Suite >Extensions >
BAppStore
Some Extensions require Pro version (not because they
discriminate poor but due to API/functional limitation )
Some Extensions have 3rd
party dependencies or wrapper of 3rd
apllication (e.g. PhantomJS, Radamsa etc)
48
49. How Extensions Work (cont’d)
Class Name Purpose
BurpExtender To write our own extension
BurpExtenderCallBacks To pass to extensions a set of
callback (register actions, mark)
ICookie To retrieve the domain for which
the cookie is in scope
IHTTPRequestResponse To retrieve and update details
about HTTP messages.
IScanIssue To retrieve details of Scanner
issues
IScanQueueItem To retrieve details of items in the
active scan queue.
IScannerInsertionPoint To define an insertion point for
use by active Scanner checks.
IntroderPayloadProcessor To obtain the name of the
payload processor
49
50. Burp Extensions in a NutShell
Extension Name Purpose
.NET Beautifier Makes VIEWState info human readable
ActiveScan++ Extend passive scanning , path injection,
shellshock etc.
Blazer Generate and fuzz custom AMF messages
Bradamsa Generate intruder payload wisely
CO2 Set of useful tools : sqlmapper, user generator,
prettier js, ascii payload processor etc.
Logger++ An extension of history feature in Burp; more
detailed and comprehensive
Session Auth Help to identify privilege escalation vulns
WebInspect Connector Newly built, share results between burp and
webinspect
50
51. Burp Extensions : Additional Scanner Checks
Additional passive Scanner checks: Strict-Transport-
Security, X-Content-Type, X-XSS-Protection. In other
words, checks the modern browser security headers.
51
53. Burp Extensions : CO2
53 Set of useful tools : sqlmapper, user generator, prettier js,
ascii payload processor etc.
54. Fully Automated XSS Verification
xssValidator extension of Burp Suite could be
leveraged to fully automate XSS verification process.
54
55. Fully Automated XSS Verification
55 Before starting the XSS verification process, we need
to install at least one wrapper to support extension .
Enable the payload extension after running wrapper.
56. Fully Automated XSS Verification
56Enable payload processing unit for xssVerifier.
Finally, create a grep-and-match rule for intruder.
• Encryption and data protection: The architecture and design that protects user data if the device is lost or stolen, or if an unauthorized person attempts to use or modify it.
• App security: The systems that enable apps to run securely and without compromising platform integrity.
• Network security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.
Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load.
On a device with an A7 or later A-series processor, the Secure Enclave is a coprocessor also utilizes System Software Authorization to ensure the integrity of its software and
prevent downgrade installations. (Secure enclave) IT provides all the cryptographic operations for data protection key
The Secure Enclave uses encrypted memory and includes a hardware random number generator Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers.
The keys for both file and keychain Data Protection classes are collected and managed in keybags
System keybag is where the wrapped class keys used in normal operation of the device are stored.
Backup keybag is created when an encrypted backup is made by iTunes and stored on the computer to which the device is backed up
The MAC Framework defines four interfaces: the KSI (Kernel service entry point) from kernel services to the framework, the API from policy-agnostic user commands to the framework, the KPI between the framework and access control policy modules, and an additional debugging and tracing.
KPI between the framework and access control policy modules, and an additional debugging and tracing interface via DTrace probes not shown in this illustration.
Kernel programming interface (KPI) is called by kernel services, such as the Virtual File System (VFS) and Inter-Process Communication (IPC), to notify the MAC Frame-work of object events such as allocation and destruction, and to perform access control check
KPI between the framework and access control policy modules, and an additional debugging and tracing interface via DTrace probes not shown in this illustration
Sandboxing an application begins with a call to the system function Sandbox_init
.
This function uses the libsandbox.dylib library to turn a human readable policy definition
Mac syscall system call handledby the TrustedBSD subsystem TrustedBSD will pass the sandbox initialization request o the
Sandbox.kext kernel extension for processing. The kernel extension will install the
sandbox profile rules for the current process. Upon completion, a success return value will
be passed back out of the kernel
Once the sandbox is initialized, function calls hooked by the TrustedBSD layer will pass
Through Sandbox.kext for policy enforcement
Thee sandbox is implemented via a policy module for the TrustedBSD MAC framework user space configurable per process profile
even though all 3rd party apps run as the user “mobile” they all have different
sandboxes (but they also run with the same sandbox profile)
components
user space library functions for configuring and starting the sandbox
a kernel extension to enforce individual policies
a kernel support extension (with regular expression support) to evaluate policy
restrictions
a Mach server for handling logging (also holds prebuilt configurations
kSBXProfileNoInternet->TCP/IP networking is prohibited.
kSBXProfileNoNetwork->All sockets-based networking is prohibited.
kSBXProfileNoWrite -> File system writes are prohibited.
kSBXProfileNoWriteExceptTemporary->File system writes are restricted to the temporary folder /var/tmp and the folder specified by the confstr(3) configuration variable _CS_DARWIN_USER_TEMP_DIR.
kSBXProfilePureComputation-> All operating system services are prohibited.
Undocumented:
MobileMail
UNIX sockets cannot be used.
/var/mobile/Applications/* , /var/mobile/Media/* (except DCIM/, com.apple.itdbprep.postprocess.lock and com.apple.itunes.lock_sync) , /var/mobile/Library/Caches/com.apple.mobile.installation.plist , /usr/sbin/fairplayd -> Thesefiles and directories cannot be read
apsd, mDNSResponder -> The filesystem cannot be accessed at all.
The per-file key is unwrapped with the class key, then supplied to the hardware AES engine, which decrypts the file as it is read from flash memory.
Every time a file on the data partition is created, Data Protection creates a new 256-bit key (the “per-file” key) and gives it to the hardware AES engine, which uses the key to
encrypt the file as it is written to flash memory using AES CBC mode. The initialization vector (IV) is calculated with the block offset into the file, encrypted with the SHA-1 hash of the per-file key.
Complete Protection (NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again.
SData constants begin with NSDataWritingFileProtection….
…None — The file is not protected and can be read or written at any time. This is the default value.
…Complete — Any file with this setting is protected ten seconds after the device is locked. This is the highest level of protection. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected.
…CompleteUnlessOpen — Files with this setting are protected ten seconds after the device is locked unless they’re currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked.
…CompleteUntilFirstUserAuthentication — Files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background.
NSData and its mutable subclass NSMutableData provide data objects, object-oriented wrappers for byte buffers.
Why use an NSFileManager rather than just using NSData's writeToFile:atomically: method when creating a new file?
The advantage of the NSFileManager method is the attributes field:
A dictionary containing the attributes to associate with the new file. You can use these attributes to set the owner and group numbers, file permissions, and modification date. For a list of keys, see “File Attribute Keys.” If you specify nil for attributes, the file is created with a set of default attributes.
Internal version of mmap. Currently used by mmap, exec, and sys5 * shared memory. Handle is either a vnode pointer or NULL for MAP_ANON.
Virtual memory protection definitions. -> read, write and execute
Entitlements confer specific capabilities or security permissions to your app. These file(s) define properties that provide your application access to iOS features (such as push notifications) and secure data (such as the user’s keychain).
Don’t be intidimitaded by the assembly instructions
STP ->
The aarch64 architecture doesn't have instructions for multiple store and load, i.e. there are no equivalents of stm and ldm from armv7 arch. Instead you must use the stp and ldp instructions for store and loading pairs of registers.
Mark should speak from this slide on
You would wanna do Real time traffic analysis of ios application on a jailbroken device
Pipe in tcpdump running on the jailbroken iOS to my pentest machine
It's run when a shared library is loaded, typically during program startup. he way the constructors and destructors work is that the shared object file contains special sections (.ctors and .dtors on ELF) which contain references to the functions marked with the constructor and destructor attributes, respectively.
Action Message Format (AMF) is a binary format used to serialize object graphs such as ActionScript objects and XML, or send messages between an Adobe Flash client and a remote service, usually a Flash Media Server or third party alternatives
Masher - can be used to guess passwords given a word list and a known password specification.
It simply replaces the session identifiers and compares the results whether it yielded any different.
It comes in handy especially bruteforcing weblogins etc.