iOS (Vulner)ability

iOS security architecture.


iOS (Vulner)ability
Subho Halder

Security is
NSLog [@Agenda];
  Quick overview of the iPhone iOS platform
  iOS security structure
  What is a jailbreak?
  iOS app (in)securities
Peek into a state-of-the-art prison

iOS Hardware Architecture
  Application Processor: runs iOS (user interaction, applications, ...)
  Baseband Processor: runs NucleusOS (radio communication)

iOS Hardware Architecture
  Application Processor: audio, display, power management, camera, Wi-Fi, BT
  Baseband Processor: GSM, SIM/net-lock
  The two are connected over UART, I2S, GPIO and DMA

Phew, Security Architecture!

[Sandboxing]
  Storage is NAND flash; the FTL maps logical partitions onto the NAND flash layout, so it looks like a block device
  System partition: / (read-only)
  User partition: /private/var (read-write)
  Third-party apps live only on the user partition
  Apps run as the "mobile" user
  The kernel signature-checks executables in the execve() system call
  %{ How did you jailbreak it? }%

Memory Protection
  W^X policy: non-executable stack and heap
  ASLR (Address Space Layout Randomisation)
  %{ Did you forget about Return-Oriented Programming? }%

Code Signing
  Implemented inside the kernel
  The kernel signature-checks executables in the execve() system call
  The kernel itself is stored on the system partition (kernelcache)
  The kernel is signature-checked before being loaded
  %{ Can still be bypassed :/ }%

Encryption @#%$#^% !
  Everything is encrypted
  Hardware AES engine
  Keys are derived from hardware keys: the GID key and the UID key
  %{ Possible to use jailbreak tools, e.g. Syringe, to drive the hardware engine }%

What is J@!lbr3@k ?

How your iPhone boots up
  Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Application
  Every arrow is a signature check of the next stage
  LLB and iBoot live in NOR; the kernel and applications live in NAND

Recovery Mode?
  Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel + Ramdisk
  Signature checks at every step

DFU Mode!
  Bootrom -> iBSS -> iBEC -> Kernel + Ramdisk
  iBSS and iBEC are minimal iBoot images
  (normal path for comparison: Bootrom -> LLB -> iBoot -> Kernel -> Application)

Attacking the chain of trust!
  Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Application, signature-checked at every step
  Attack the Bootrom (cannot be fixed: it is ROM), or LLB, iBoot or the kernel (system software, fixable by an update)

Where do we go wrong?
Plists
  Used by the iPhone to store saved properties and data
  Formats: XML, binary (compressed XML), and a deprecated older format
  Binary plists need converting; use plutil to convert to XML, or the Property List Editor (in Xcode)
  Plists contain all kinds of juicy information. Check for: cookies, emails, usernames, passwords, sensitive application data, client-side role identifiers, protocol handlers, etc.

B00M! :O

INSERT INTO `SQLite`
  A lot of iOS applications store sensitive data in SQLite3 databases on the device
  SQLite3 has no built-in support for encryption
  Extensions that add it exist: CEROD is a commercial extension that must be licensed, SQLCipher is an open-source alternative. Apple ships neither, so the sqlite3 included with iOS does not support encrypted databases
  Still dangerous to store stuff client side
  Bypassing CEROD is as simple as looking for the "cerod:passwd" string in the binary, or breakpointing and pulling the password out of memory:
    sqlite3_open(":cerod:passwd:filename.db", &db);

)()()( Keychains )()()(
  Keychain = encrypted container for storing sensitive information
  Smarter devs store passwords and sensitive data in the keychain
  Unfortunately, with access to the phone and a jailbreak we can decrypt the keychain and dump its contents

tail -f /var/logs/
  iOS logs lots of data, NSLog output especially
  It can be viewed after the fact in ~/Library/Logs/CrashReporter/MobileDevice/<device name>/ on the Mac and in /private/var/log/system.log on the device
  It can also be viewed in the Console app on your Mac (under Utilities)

File Caching m/m/
  If the application uses PDF, Excel or other files, those files may have been cached on the device
  Found at: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<app>/Documents/temp.pdf

$(`Keyboard Caching`)
  Keystrokes for predictive spellcheck are stored in: ~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat
  This issue is similar to form autocomplete in web browsers
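The Plists and SQLite slides above say what to look for on disk but not how to do it quickly. The following is an added example (not code from the deck) that does the offline equivalent of the plutil step with Python's plistlib, walks every key in the plist, and then reads the schema of an SQLite database for sensitive-looking column names. The sample plist, the sample database and the list of flagged key names are all constructed here for illustration; extend the regex per target app.

```python
"""Scan an iOS app sandbox for sensitive data left in plists and SQLite databases.

Added example, not code from the original deck. The sample plist and database
are constructed inline so the script runs offline; the key names it flags are
an assumed starting list, not an exhaustive one.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Assumed list of key/column names worth flagging (not from the deck); extend per app.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|cookie|session|ssn|account", re.I)


def walk_plist(node, path=""):
    """Yield (dotted.path, value) for every leaf, recursing through dicts and arrays."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk_plist(v, f"{path}.{k}" if path else str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_plist(v, f"{path}[{i}]")
    else:
        yield path, node


def scan_plist(raw):
    """Return [(path, value)] for leaves whose key path matches SENSITIVE.

    plistlib.loads detects XML vs. binary itself, so no plutil conversion is needed.
    """
    data = plistlib.loads(raw)
    return [(p, v) for p, v in walk_plist(data) if SENSITIVE.search(p)]


def scan_sqlite(db_path):
    """Return [(table, column)] for columns with sensitive-looking names (schema only)."""
    hits = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            quoted = t.replace('"', '""')  # table names come from the file, so quote them
            for col in con.execute(f'PRAGMA table_info("{quoted}")'):
                if SENSITIVE.search(col[1]):
                    hits.append((t, col[1]))
    finally:
        con.close()
    return hits


def build_sample_bplist():
    """Constructed sample: a binary plist like Library/Preferences/<bundle>.plist."""
    prefs = {
        "username": "alice",
        "oauth": {"access_token": "ya29.example", "expires": 3600},
        "Cookies": [{"Name": "session", "Value": "abc123"}],
        "theme": "dark",
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def build_sample_db():
    """Constructed sample: a Documents/app.db that keeps credentials in the clear."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for p, v in scan_plist(build_sample_bplist()):
        print(f"plist  {p} = {v!r}")
    for t, c in scan_sqlite(build_sample_db()):
        print(f"sqlite {t}.{c}")
```

On a real device or simulator, point scan_plist at the bytes of each .plist under the app's Library/Preferences and Documents directories and scan_sqlite at each .db or .sqlite file; matching on the full key path means everything under a "Cookies" array is flagged, not just keys literally named "cookie".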
  Already disabled for password fields
  Should be disabled for any potentially sensitive field (account numbers, SSN, etc.)
  Mitigation: set the UITextField property autocorrectionType = UITextAutocorrectionTypeNo

Snapshot Caching
  When the home button is pushed while in an application, the application stores a snapshot (screenshot) in the app's snapshot folder:
    ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<app>/Library/Caches/Snapshots/
  These persist until reboot. Hopefully you weren't on a screen with any sensitive data!

SQL Injection Client-Side
  SQL injection is a problem on the client side too!
  BAD (the id is formatted straight into the query text):
    NSString *sql = [NSString stringWithFormat:@"SELECT name FROM products WHERE id = '%@'", productId];
    const char *query = [sql UTF8String];
  GOOD (placeholder plus a bound parameter; sql_statement is a sqlite3_stmt *):
    const char *sql = "SELECT name FROM products WHERE id = ?";
    sqlite3_prepare_v2(database, sql, -1, &sql_statement, NULL);
    sqlite3_bind_text(sql_statement, 1, [productId UTF8String], -1, SQLITE_TRANSIENT);
XSS Client-Side
  Can occur whenever user-controlled Objective-C variables are placed into a WebView via stringByEvaluatingJavaScriptFromString:
    NSString *javascript = [[NSString alloc] initWithFormat:@"var myvar=\"%@\";", username];
    [mywebView stringByEvaluatingJavaScriptFromString:javascript];
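The slide's initWithFormat: call only quotes the username; it does not escape it, so a username containing a double quote ends the string literal and the rest is executed as JavaScript. The following added example (not code from the deck) builds the same statement two ways in Python, which cannot run the JavaScript, so it checks the statement text instead: a small scanner counts the semicolons that sit outside string literals, and the hardened builder must leave exactly one. The payload and the helper names are constructed for the example.

```python
"""Building a JavaScript statement from user input for a WebView: injectable vs. escaped.

Added example, not code from the deck. Models the deck's
stringByEvaluatingJavaScriptFromString pattern; the payload is constructed.
"""
import json


def js_unsafe(username):
    """The deck's vulnerable pattern: raw interpolation into a quoted JS literal."""
    return f'var myvar="{username}";'


def js_literal(value):
    """Encode a Python string as a JavaScript string literal.

    json.dumps with ensure_ascii=True (the default) escapes quotes, backslashes,
    control characters and every non-ASCII code point, so the JS line terminators
    U+2028/U+2029 come out as \\u2028/\\u2029. "<" is escaped by hand as well so the
    literal can never form "</script>" if the same string is also echoed into HTML.
    """
    return json.dumps(value, ensure_ascii=True).replace("<", "\\u003c")


def js_safe(username):
    """Hardened builder: the whole input stays inside one string literal."""
    return f"var myvar={js_literal(username)};"


def top_level_semicolons(js):
    """Count ';' outside string literals and line comments.

    A value of 1 means the input stayed inside the literal; anything more means
    the input terminated the literal and added statements of its own.
    """
    count, i, n = 0, 0, len(js)
    quote = None
    while i < n:
        c = js[i]
        if quote:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif js.startswith("//", i):
            break                 # rest of the line is a comment
        elif c == ";":
            count += 1
        i += 1
    return count


def decodes_back(username):
    """True if the literal js_safe emitted parses back to the original input."""
    stmt = js_safe(username)
    return json.loads(stmt[len("var myvar="):-1]) == username


# Constructed payload: closes the literal, runs a statement, comments out the tail.
PAYLOAD = '"; alert(document.cookie); //'


if __name__ == "__main__":
    print(js_unsafe(PAYLOAD), "->", top_level_semicolons(js_unsafe(PAYLOAD)), "statements")
    print(js_safe(PAYLOAD), "->", top_level_semicolons(js_safe(PAYLOAD)), "statement")
```

The same idea in Objective-C is to serialise the value with NSJSONSerialization (or an equivalent JSON-escaping step) before formatting it into the script, rather than relying on the surrounding quotes in the format string.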
Vulnerable Obj-C Methods
  All of these take a format string; passing user-controlled input as the format argument is a format-string vulnerability.
  NSLog()
  [NSString stringWithFormat:]
  [NSString initWithFormat:]
  [NSMutableString appendFormat:]
  [NSAlert informativeTextWithFormat:]
  [NSPredicate predicateWithFormat:]
  [NSException format:]
  NSRunAlertPanel

"There is no castle so strong that it cannot be overthrown." (Cicero)