iOS Application Penetration Testing: Attack & Defense. Author: JongWon Kim, [email protected]

iOS Application Penetration Test


Page 1: iOS Application Penetration Test

iOS Application Penetration Testing

Attack & Defense

Author: JongWon Kim

[email protected]

Page 2: iOS Application Penetration Test

Agenda

• What’s the iOS App?

• Monoculture

– Code Signing

– Sandboxing

– Encryption

• The Perspective of a Pen Tester

– Compile Option

– URLScheme

– Insecure Database

– Runtime Analysis

– Transport Security

Page 3: iOS Application Penetration Test

What’s the iOS App?

• Developed in Xcode

– You don’t have to buy a Mac, since this is a black-box assessment

• Applications are written primarily in Objective-C and compiled into an ARM executable

– Requires background knowledge of the structure of Objective-C

• Encrypted executable

• Installed as the “mobile” user

– Unlike Android, where each app runs under its own UID/GID


Page 5: iOS Application Penetration Test

Monoculture – Code Signing

• Code Signing

– Provisioning Profiles

– Signed Applications

– Entitlements

Page 6: iOS Application Penetration Test

Monoculture – Code Signing

• Provisioning Profile

– Asymmetric cryptography

– UDIDs (the profile lists the devices the build may run on; devices not listed are prevented from running it)

– Certificate (trust is based on the developer’s signature)

– App ID in the Info.plist

Page 7: iOS Application Penetration Test

Monoculture – Code Signing

• Developer Certificates

Developer Program     Device Testing   Ad Hoc   App Store   In-House

Apple Developer       No               No       No          No

University Program    Yes              No       No          No

Standard Program      Yes              Yes      Yes         No

Enterprise Program    Yes              Yes      No          Yes

Page 8: iOS Application Penetration Test

Monoculture – Code Signing

• Provisioning Profile

Page 9: iOS Application Penetration Test

Monoculture – Code Signing

• Signed Applications

– All iOS executable binaries and applications must be signed by a trusted certificate

[Ad-hoc code signed executable]

Page 10: iOS Application Penetration Test

Monoculture – Code Signing

• Signed Applications

– All iOS executable binaries and applications must be signed by a trusted certificate

[Normal code signed executable]

Page 11: iOS Application Penetration Test

Monoculture – Code Signing

• Entitlements

– application-identifier

– get-task-allow (Debug)

– keychain-access-groups

Page 12: iOS Application Penetration Test

Monoculture – Code Signing

Page 13: iOS Application Penetration Test

Monoculture – Sandboxing

• Sandboxing

– Third-party apps are assigned the “container” seatbelt profile

– Function calls hooked by the TrustedBSD layer pass through Sandbox.kext for policy enforcement

[Compared to Android UID/GID]

Page 14: iOS Application Penetration Test

Monoculture – Encryption

• NAND solid state

– Boot: low-level bootloader

– Plog: effaceable area (BAGI, Dkey, EMF!)

– Nvm: environment variables

– Firm: iBoot, device tree and boot logos

– Fsys: OS, DATA

– Rsrv: filesystem partition

Partition   Blocks

boot        0

plog        1

nvm         2-7

firm        8-15

fsys        16-4084

rsrv        4085-4100

Page 15: iOS Application Penetration Test

Monoculture – Encryption

• EMF! – Used to encrypt the filesystem

• Dkey – Used to encrypt the master key of the protection class "NSFileProtectionNone" (the majority of files)

• BAGI – Used to produce the encryption keys for the other master keys

Page 16: iOS Application Penetration Test

Monoculture – Encryption

• Data Protection

Level: No Protection

Description: The file is not encrypted on the file system.

Level: Complete Protection

Description: The file is encrypted on the file system and inaccessible when the device is locked.

Level: Complete Unless Open

Description: The file is encrypted on the file system and inaccessible while closed. When the device is unlocked an app can maintain an open handle to the file even after the device is subsequently locked; during this time the file is not encrypted.

Level: Complete Until First User Authentication

Description: The file is encrypted on the file system and inaccessible until the device is unlocked for the first time after boot. This offers some protection against attacks that require a device reboot.

[Dkey on Plog]
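The four levels in the table correspond to the NSFileProtection* constants in Foundation. What follows is an added example, not code from the slides, showing how an app creates a file under the Complete class, raises the class of a file that already exists (for instance a SQLite database a library created with the default class), and reads the class back, which is also the check to run when auditing an app container. The file names and token value are constructed.

```objc
#import <Foundation/Foundation.h>

// Added example. Table level -> Foundation constant:
//   No Protection                            -> NSFileProtectionNone
//   Complete Protection                      -> NSFileProtectionComplete
//   Complete Unless Open                     -> NSFileProtectionCompleteUnlessOpen
//   Complete Until First User Authentication -> NSFileProtectionCompleteUntilFirstUserAuthentication

// Create `path` under the Complete class: the per-file key is wrapped with a
// class key that is discarded on lock, so the file is unreadable until unlock.
static BOOL WriteWithCompleteProtection(NSData *data, NSString *path) {
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    return [[NSFileManager defaultManager] createFileAtPath:path
                                                   contents:data
                                                 attributes:attrs];
}

// Change the class of an existing file; the file is re-wrapped under the new
// class key, and the call reports failure if the class cannot be applied.
static BOOL SetProtectionClass(NSString *path, NSString *protectionClass, NSError **error) {
    NSDictionary *attrs = @{ NSFileProtectionKey : protectionClass };
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// Read the class back. During an assessment, any sensitive file that reports
// NSFileProtectionNone is a finding.
static NSString *ProtectionClassOf(NSString *path, NSError **error) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:error];
    return attrs[NSFileProtectionKey];
}

// Usage; file names and the token below are constructed for the example.
static void DataProtectionDemo(void) {
    NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) firstObject];
    NSString *tokenPath = [docs stringByAppendingPathComponent:@"session.bin"];
    NSString *dbPath    = [docs stringByAppendingPathComponent:@"app.sqlite"];
    NSData *token = [@"constructed-session-token" dataUsingEncoding:NSUTF8StringEncoding];
    NSError *err = nil;

    if (!WriteWithCompleteProtection(token, tokenPath)) {
        NSLog(@"could not create %@", tokenPath);
        return;
    }
    // A database that must stay readable for background work can use the
    // CompleteUntilFirstUserAuthentication class instead of None.
    if ([[NSFileManager defaultManager] fileExistsAtPath:dbPath] &&
        !SetProtectionClass(dbPath, NSFileProtectionCompleteUntilFirstUserAuthentication, &err)) {
        NSLog(@"could not protect %@: %@", dbPath, err);
    }
    NSLog(@"%@ -> %@", tokenPath.lastPathComponent, ProtectionClassOf(tokenPath, &err));
}
```

The Complete class only helps while the device is locked with a passcode set; without a passcode every class key stays available, so the passcode requirement belongs in the app's deployment guidance alongside this code.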

Page 17: iOS Application Penetration Test

Monoculture – Encryption

• File System Encryption

– Every file is encrypted with a unique "cprotect" key

– The file key is stored in the file metadata

– Metadata is encrypted with the EMF key

– Content is grouped into protection classes

– Each protection class is assigned a master encryption key

– Master keys are protected by the device key and the passcode

– The protected master keys form the system keybag

Page 18: iOS Application Penetration Test

Monoculture – Encryption

Page 19: iOS Application Penetration Test

Monoculture – Encryption

Page 20: iOS Application Penetration Test

Monoculture – Encryption

Page 21: iOS Application Penetration Test

Monoculture – Encryption

Page 22: iOS Application Penetration Test

Monoculture – Encryption

Page 23: iOS Application Penetration Test

Monoculture – Old Things

• PIE (Position Independent Executable)

– Exploit mitigation feature that allows an application to take full advantage of ASLR

• Stack-Smashing Protection

– A “canary” is placed on the stack directly before the local variables to protect the saved base pointer

• Automatic Reference Counting

– Introduced in iOS SDK 5.0 to move the responsibility for memory management from the developer to the compiler

– Offers some security benefit, as it reduces the likelihood of developers introducing memory corruption (specifically object use-after-free and double-free vulnerabilities)


Page 25: iOS Application Penetration Test

Compile Option Check

• PIE (Position Independent Executable)

• Stack-Smashing Protection

• Automatic Reference Counting

Page 26: iOS Application Penetration Test

Compile Option Check

• Where is the executable file?

– Smart

– Brute force

Page 27: iOS Application Penetration Test

Compile Option Check

• PIE (Position Independent Executable)

– GmailHybrid

– FaceBook

Page 28: iOS Application Penetration Test

Compile Option Check

• Stack-Smashing Protection

– GmailHybrid

– FaceBook

Page 29: iOS Application Penetration Test

Compile Option Check

• Automatic Reference Counting

– GmailHybrid

– FaceBook


Page 31: iOS Application Penetration Test

URLScheme – Overview

• No real inter-process communication

• Apps are prohibited from sharing data because of the sandbox

• Apps sometimes need to share data

• Apps can register a custom protocol handler

Page 32: iOS Application Penetration Test

URLScheme – Overview

• Two methods for implementing protocol handlers

• handleOpenURL

– Now deprecated

• openURL

– Provides the bundle identifier of the calling app

– Allows the developer to validate the source app

Page 33: iOS Application Penetration Test

URLScheme – Attack

• Skype registers the “skype://” protocol handler

• A malicious web site could make calls

• The Skype app did not prompt or validate before placing the call

– (openURL allows the developer to validate the source app)

• Play the video
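The check the Skype handler lacked is the one the openURL variant on the previous slide makes possible. As an added example, not the slides' own code, here is a handler that accepts only its own scheme, validates the calling app's bundle identifier, parses the parameter strictly, and asks the user before acting. The scheme "demo", the allowed bundle identifier and the "number" parameter are assumptions made for the example.

```objc
#import <UIKit/UIKit.h>

// Added example; AppDelegate is the assumed application delegate class.
@interface AppDelegate : UIResponder <UIApplicationDelegate, UIAlertViewDelegate>
@property (copy, nonatomic) NSString *pendingNumber;
@end

@implementation AppDelegate

// Bundle identifiers allowed to drive this app (constructed value).
static NSSet *AllowedSourceApps(void) {
    return [NSSet setWithObject:@"com.example.companion"];
}

// Digits-only "number" parameter from the query string, or nil on anything else.
static NSString *NumberFromQuery(NSString *query) {
    NSCharacterSet *nonDigits = [[NSCharacterSet decimalDigitCharacterSet] invertedSet];
    for (NSString *pair in [query componentsSeparatedByString:@"&"]) {
        NSArray *kv = [pair componentsSeparatedByString:@"="];
        if (kv.count != 2 || ![kv[0] isEqualToString:@"number"]) continue;
        NSString *v = kv[1];
        if (v.length == 0 || v.length > 20) return nil;
        if ([v rangeOfCharacterFromSet:nonDigits].location != NSNotFound) return nil;
        return v;
    }
    return nil;
}

- (BOOL)application:(UIApplication *)application
            openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication
         annotation:(id)annotation {
    // 1. Our own scheme only ("demo" is assumed).
    if (![url.scheme isEqualToString:@"demo"]) return NO;
    // 2. Any web page in Safari can open a registered scheme, so the caller
    //    (com.apple.mobilesafari in that case) must be on the allow list.
    if (sourceApplication == nil || ![AllowedSourceApps() containsObject:sourceApplication]) return NO;
    // 3. A sensitive action is never performed straight from the URL.
    if ([url.host isEqualToString:@"call"]) {
        NSString *number = NumberFromQuery(url.query);
        if (number == nil) return NO;
        self.pendingNumber = number;
        [[[UIAlertView alloc] initWithTitle:@"Place call?" message:number delegate:self
                          cancelButtonTitle:@"Cancel" otherButtonTitles:@"Call", nil] show];
        return YES;
    }
    return NO;
}

// The action proceeds only from the user's explicit confirmation.
- (void)alertView:(UIAlertView *)alertView clickedButtonAtIndex:(NSInteger)buttonIndex {
    NSString *number = self.pendingNumber;
    self.pendingNumber = nil;
    if (buttonIndex == alertView.cancelButtonIndex || number == nil) return;
    NSLog(@"user approved call to %@", number);  // hand off to the dialer here
}
@end
```

The deprecated handleOpenURL: has no sourceApplication argument, which is why an app that still uses it cannot perform step 2 at all; that is the first thing to look for when reviewing a custom scheme handler.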


Page 35: iOS Application Penetration Test

Insecure Data Storage

• Databases

• Plists

• Keyboard Cache

• Image Cache

• Keychain

• Cookie Binary

• Error Logs

• Hidden Files (ex. Citi Mobile app)

– Samples: Password_Keeper, Pic Lock, iPassword

Page 36: iOS Application Penetration Test

Databases – Overview

• Data is stored in SQLite unencrypted

• SQLite files are stored unencrypted in iOS backups

• Deleted files can be recovered by carving the HFS journal

• Deleted data is not removed completely

Page 37: iOS Application Penetration Test

Databases – Attack

• Password_Keeper

– Interfaces

– FaceBook

Page 38: iOS Application Penetration Test

Databases – Attack

• Password_Keeper

– Save ID/Password

Page 39: iOS Application Penetration Test

Databases – Attack

• Password_Keeper

– Clear text in the SQLite database

Page 40: iOS Application Penetration Test

Database – Defense

• Do not store sensitive data in clear text

• Use custom encryption

• Protect SQLite files with the data protection API

• Implement classes for secure file wipe

• Purge the data upon deletion with the VACUUM SQL command

– VACUUM rebuilds the database

– Doing it for every delete is time-consuming

• Before deleting the SQL record, replace the data with junk values

– The data and the junk value must have the same length

Page 41: iOS Application Penetration Test

Database – Defense

– Step 1: Create the table

Page 42: iOS Application Penetration Test

Database – Defense

– Step 2: Check out the strings in the SQLite file

Page 43: iOS Application Penetration Test

Database – Defense

– Step 3: Delete one row and check whether it is deleted completely

Page 44: iOS Application Penetration Test

Database – Defense

– Step 4: Delete it completely
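The four steps above, carried out in code rather than by hand, as an added example that is not the author's code: the row's secret columns are overwritten with junk of identical byte length, the row is deleted, and VACUUM rebuilds the file so the junk does not survive in freed pages either. The table and column names (credentials, username, password) are assumed, and the inserted row is constructed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <sqlite3.h>

// Added example. Junk of exactly `n` bytes from the system RNG; ASCII only, so
// byte length and character length agree.
static NSString *JunkOfLength(NSUInteger n) {
    static const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    uint8_t *rnd = malloc(n ? n : 1);
    if (SecRandomCopyBytes(kSecRandomDefault, n, rnd) != errSecSuccess) { free(rnd); return nil; }
    NSMutableString *s = [NSMutableString stringWithCapacity:n];
    for (NSUInteger i = 0; i < n; i++) {
        [s appendFormat:@"%c", alphabet[rnd[i] % (sizeof(alphabet) - 1)]];
    }
    free(rnd);
    return s;
}

// Overwrite, delete, VACUUM for one row of the assumed `credentials` table.
static BOOL SecureDeleteCredential(sqlite3 *db, sqlite3_int64 rowid) {
    sqlite3_stmt *st = NULL;
    // 1. Byte lengths of the current values (CAST to BLOB counts bytes, not characters).
    const char *q = "SELECT length(CAST(username AS BLOB)), length(CAST(password AS BLOB)) "
                    "FROM credentials WHERE rowid = ?";
    if (sqlite3_prepare_v2(db, q, -1, &st, NULL) != SQLITE_OK) return NO;
    sqlite3_bind_int64(st, 1, rowid);
    if (sqlite3_step(st) != SQLITE_ROW) { sqlite3_finalize(st); return NO; }
    NSUInteger userLen = (NSUInteger)sqlite3_column_int(st, 0);
    NSUInteger passLen = (NSUInteger)sqlite3_column_int(st, 1);
    sqlite3_finalize(st);

    // 2. Same-length junk keeps the record size, so SQLite overwrites in place
    //    instead of moving the row and leaving the old bytes behind.
    NSString *junkUser = JunkOfLength(userLen), *junkPass = JunkOfLength(passLen);
    if (!junkUser || !junkPass) return NO;
    q = "UPDATE credentials SET username = ?, password = ? WHERE rowid = ?";
    if (sqlite3_prepare_v2(db, q, -1, &st, NULL) != SQLITE_OK) return NO;
    sqlite3_bind_text(st, 1, junkUser.UTF8String, -1, SQLITE_TRANSIENT);
    sqlite3_bind_text(st, 2, junkPass.UTF8String, -1, SQLITE_TRANSIENT);
    sqlite3_bind_int64(st, 3, rowid);
    BOOL ok = (sqlite3_step(st) == SQLITE_DONE);
    sqlite3_finalize(st);
    if (!ok) return NO;

    // 3. Delete the (now junk) row.
    q = "DELETE FROM credentials WHERE rowid = ?";
    if (sqlite3_prepare_v2(db, q, -1, &st, NULL) != SQLITE_OK) return NO;
    sqlite3_bind_int64(st, 1, rowid);
    ok = (sqlite3_step(st) == SQLITE_DONE);
    sqlite3_finalize(st);
    if (!ok) return NO;

    // 4. VACUUM rewrites the whole file. It cannot run inside a transaction and
    //    is slow on large databases, which is the cost the slide warns about.
    return sqlite3_exec(db, "VACUUM", NULL, NULL, NULL) == SQLITE_OK;
}

// Usage with a constructed row (step 1 creates the table, step 2 inserts).
static void SecureDeleteDemo(void) {
    NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) firstObject];
    NSString *path = [docs stringByAppendingPathComponent:@"keeper.sqlite"];
    sqlite3 *db = NULL;
    if (sqlite3_open(path.fileSystemRepresentation, &db) != SQLITE_OK) return;
    sqlite3_exec(db, "CREATE TABLE IF NOT EXISTS credentials(username TEXT, password TEXT)", NULL, NULL, NULL);
    sqlite3_exec(db, "INSERT INTO credentials VALUES('alice', 'Pa55w0rd-constructed')", NULL, NULL, NULL);
    sqlite3_int64 rowid = sqlite3_last_insert_rowid(db);
    BOOL ok = SecureDeleteCredential(db, rowid);
    NSLog(@"secure delete %@", ok ? @"succeeded" : @"failed");
    sqlite3_close(db);
}
```

SQLite also offers `PRAGMA secure_delete = ON`, which zeroes freed content on every delete at a lower cost than a VACUUM per row; it complements rather than replaces the overwrite step, since the junk write is what defeats recovery from the row's own bytes. Either way the database file still needs a data protection class, or its plaintext remains readable from the container and from backups.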

Page 45: iOS Application Penetration Test

Insecure Data Storage

• Databases (SQLite, Core Data)

• Plists

• Keyboard Cache

• Image Cache

• Keychain

• Cookie Binary

• Error Logs

• Hidden Files (ex. Citi Mobile app)

Page 46: iOS Application Penetration Test

Plists – Overview

• Property list files – key/value pairs stored in binary

• Identified by the file header “bplist”

• Designed to store user properties and configuration information

• Not protected by Data Protection

• But apps store credentials such as username, password and session information in them

Page 47: iOS Application Penetration Test

Plists – Attack

• Pic Lock

– FaceBook

Page 48: iOS Application Penetration Test

Plists – Attack

• Pic Lock

Page 49: iOS Application Penetration Test

Plists – Defense

• Do not store sensitive data in plist files

• If required, use custom encryption

• Create plist files in the Library/Caches folder

– iTunes does not back up the Caches directory

• For better security, implement classes for secure file wipe

– Before deleting the file, overwrite the file bytes with junk values
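The last two bullets, as an added example that is not from the slides: the plist is written under Library/Caches, and a secure wipe overwrites every byte with random data and flushes before unlinking. The file name and its contents are constructed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example. Overwrite every byte with random data, flush, then unlink.
static BOOL SecureWipeFile(NSString *path, NSError **error) {
    NSFileHandle *fh = [NSFileHandle fileHandleForWritingAtPath:path];
    if (fh == nil) return NO;                          // missing or unwritable
    unsigned long long remaining = [fh seekToEndOfFile];
    [fh seekToFileOffset:0];
    uint8_t buf[4096];
    while (remaining > 0) {
        size_t chunk = (size_t)MIN(remaining, (unsigned long long)sizeof buf);
        if (SecRandomCopyBytes(kSecRandomDefault, chunk, buf) != errSecSuccess) {
            [fh closeFile];
            return NO;
        }
        [fh writeData:[NSData dataWithBytesNoCopy:buf length:chunk freeWhenDone:NO]];
        remaining -= chunk;
    }
    [fh synchronizeFile];                              // push the junk through the cache
    [fh closeFile];
    return [[NSFileManager defaultManager] removeItemAtPath:path error:error];
}

// Library/Caches is excluded from iTunes backups, so a plist that has to exist
// at all belongs there rather than in Documents.
static NSString *CachesPlistPath(NSString *fileName) {
    NSString *caches = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES) firstObject];
    return [caches stringByAppendingPathComponent:fileName];
}

// Usage; "prefs.plist" and its keys are constructed for the example.
static void PlistDefenseDemo(void) {
    NSString *path = CachesPlistPath(@"prefs.plist");
    // Only non-sensitive settings go in the plist; credentials belong in the keychain.
    NSDictionary *prefs = @{ @"theme" : @"dark", @"lastScreen" : @"inbox" };
    if (![prefs writeToFile:path atomically:YES]) return;
    NSError *err = nil;
    if (!SecureWipeFile(path, &err)) NSLog(@"wipe failed: %@", err);
}
```

On flash storage the overwritten logical sectors are not guaranteed to land on the original physical blocks, so this wipe lowers the chance of recovery from the container but does not replace keeping secrets out of plists in the first place.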


Page 51: iOS Application Penetration Test

Keyboard Cache – Overview

• Designed to auto-complete common words predictively

• Secure fields are not stored – passwords are safe

• Strings consisting only of digits are not stored – PINs and credit card numbers are safe

• Data typed into other text fields is cached

Page 52: iOS Application Penetration Test

Keyboard Cache – Attack

• iPassword

Page 53: iOS Application Penetration Test

Keyboard Cache – Attack

• Keyboard Cache – iPassword

– What if it is banking information?

Page 54: iOS Application Penetration Test

Keyboard Cache – Defense

• Keyboard Cache – disable auto-correction

• Mark it as a secure field – mytextField.secureTextEntry = YES

• Copy & Paste
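The three defenses together, as an added Objective-C example that is not from the slides: a UITextField subclass that turns off auto-correction (so nothing typed reaches the keyboard cache), marks itself secure, and refuses the copy, cut and paste actions so the value cannot leave through the pasteboard. The class name is assumed; the helper at the end applies the same settings to a field created in Interface Builder.

```objc
#import <UIKit/UIKit.h>

// Added example; NoCacheTextField is an assumed class name.
@interface NoCacheTextField : UITextField
@end

@implementation NoCacheTextField

- (instancetype)initWithFrame:(CGRect)frame {
    if ((self = [super initWithFrame:frame])) {
        // Nothing typed here is learned by the predictive dictionary.
        self.autocorrectionType = UITextAutocorrectionTypeNo;
        self.spellCheckingType = UITextSpellCheckingTypeNo;
        self.autocapitalizationType = UITextAutocapitalizationTypeNone;
        // Secure fields are never written to the keyboard cache.
        self.secureTextEntry = YES;
    }
    return self;
}

// Refuse the pasteboard actions so the content cannot be copied out.
- (BOOL)canPerformAction:(SEL)action withSender:(id)sender {
    if (action == @selector(copy:) || action == @selector(cut:) ||
        action == @selector(paste:) || action == @selector(select:) ||
        action == @selector(selectAll:)) {
        return NO;
    }
    return [super canPerformAction:action withSender:sender];
}

@end

// Same settings for a field built in a storyboard or nib. A field that holds a
// card number or account name should still disable auto-correction even when
// it is not a password field, since only secure fields are exempt from caching.
static void HardenTextField(UITextField *field, BOOL isPassword) {
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.spellCheckingType = UITextSpellCheckingTypeNo;
    field.autocapitalizationType = UITextAutocapitalizationTypeNone;
    field.secureTextEntry = isPassword;
}
```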


Page 56: iOS Application Penetration Test

Image Cache – Overview

• iOS takes screenshots of the application for the backgrounding animation (the visual trick you see when switching apps)

• Sensitive data may get cached – <App directory>/Library/Caches/Snapshots

Page 57: iOS Application Penetration Test

Image Cache – Attack

• Image Cache – Mail App

[Press the Home button two times]

Page 58: iOS Application Penetration Test

Image Cache – Attack

• Image Cache – Mail App

[iPod | My local machine]

Page 59: iOS Application Penetration Test

Defense – Image Cache

• Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns

• Instead of hiding or removing sensitive data you can also prevent backgrounding altogether by setting the "Application does not run in background" property in the application's Info.plist file
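The first defense in code, as an added example that is not from the slides: the app delegate covers the window before applicationDidEnterBackground: returns, so the snapshot iOS writes to Library/Caches/Snapshots shows only the cover. AppDelegate is the assumed delegate class.

```objc
#import <UIKit/UIKit.h>

// Added example; AppDelegate is the assumed application delegate class.
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *privacyCover;
@end

@implementation AppDelegate

// iOS takes the snapshot after this method returns, so the cover must be in
// the view hierarchy before then.
- (void)applicationDidEnterBackground:(UIApplication *)application {
    [self showPrivacyCover];
}

// Incoming calls, Control Center and Notification Center only resign active;
// covering here as well keeps that state blank too.
- (void)applicationWillResignActive:(UIApplication *)application {
    [self showPrivacyCover];
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.privacyCover removeFromSuperview];
    self.privacyCover = nil;
}

- (void)showPrivacyCover {
    if (self.privacyCover != nil) return;
    UIView *cover = [[UIView alloc] initWithFrame:self.window.bounds];
    cover.backgroundColor = [UIColor whiteColor];
    cover.autoresizingMask = UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight;
    // A logo or neutral artwork may go here; never the content underneath.
    [self.window addSubview:cover];
    self.privacyCover = cover;
}

@end
```

The second defense needs no code: the "Application does not run in background" property is the Info.plist key UIApplicationExitsOnSuspend set to YES, after which the app terminates instead of suspending and no switcher snapshot is kept. It costs the user every background feature, so the cover view is the usual choice.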

Page 60: iOS Application Penetration Test

Databases – Attack

• Databases – Mail App

Page 61: iOS Application Penetration Test

Databases – Attack

• Databases – Mail App (Subject)

Page 62: iOS Application Penetration Test

Databases – Attack

• Databases – Mail App (Body)


Page 64: iOS Application Penetration Test

Keychain – Overview

• Keychain encryption is tied to the device

– Protected entries are also tied to the user's passcode

• The keychain file is accessible to all applications

• An application can only access its own keychain items

– Based on the app's keychain access group

Page 65: iOS Application Penetration Test

Keychain – Overview

Attribute: kSecAttrAccessibleAlways

Description: The keychain item is always accessible.

Attribute: kSecAttrAccessibleWhenUnlocked

Description: The keychain item is only accessible when the device is unlocked.

Attribute: kSecAttrAccessibleAfterFirstUnlock

Description: The keychain item is only accessible after the first unlock from boot. This helps offer some protection against attacks that require a device reboot.

Attribute: kSecAttrAccessibleAlwaysThisDeviceOnly

Description: The keychain item is always accessible but cannot be migrated to other devices.

Attribute: kSecAttrAccessibleWhenUnlockedThisDeviceOnly

Description: The keychain item is only accessible when the device is unlocked and may not be migrated to other devices.

Attribute: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

Description: The keychain item is accessible after the first unlock from boot and may not be migrated to other devices.

Page 66: iOS Application Penetration Test

Keychain – Attack

• Keychain_Dumper

Page 67: iOS Application Penetration Test

Keychain – Defense

• Do not store sensitive data in clear text

• Encrypt the data using custom encryption

• Use the data protection API while storing data in the keychain

• By default, entries are created with kSecAttrAccessibleWhenUnlocked data protection
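Choosing the accessibility attribute explicitly instead of taking the default, as an added example that is not from the slides: a generic-password item is written with kSecAttrAccessibleWhenUnlockedThisDeviceOnly and read back. The service and account strings and the token are constructed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example. Store `secret` with the most restrictive attribute that fits a
// foreground-only use: readable only while unlocked, never migrated or backed
// up to another device.
static OSStatus KeychainStore(NSString *service, NSString *account, NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
    };
    // Remove any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *add = [query mutableCopy];
    add[(__bridge id)kSecValueData]      = secret;
    add[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)add, NULL);
}

// Read the item back; while the device is locked the call fails instead of
// returning the data, which is the behaviour the attribute buys.
static NSData *KeychainLoad(NSString *service, NSString *account, OSStatus *status) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
        (__bridge id)kSecReturnData  : @YES,
        (__bridge id)kSecMatchLimit  : (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus s = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) *status = s;
    return (s == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// Usage; service, account and token are constructed for the example.
static void KeychainDemo(void) {
    NSData *token = [@"constructed-session-token" dataUsingEncoding:NSUTF8StringEncoding];
    OSStatus s = KeychainStore(@"com.example.demo", @"session", token);
    NSLog(@"store status %d (0 is errSecSuccess)", (int)s);
    NSData *back = KeychainLoad(@"com.example.demo", @"session", &s);
    NSLog(@"load status %d, %lu bytes", (int)s, (unsigned long)back.length);
}
```

On a jailbroken device a tool like Keychain_Dumper runs with an entitlement that matches every access group, so the attribute only limits when an item is readable, not who reads it once the device is unlocked; that is why the slide also lists custom encryption of the value itself.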


Page 69: iOS Application Penetration Test

Cookies Binary

• Binary file that stores the cookies

• Persistent cookies are stored along with their flags (Secure, HttpOnly)

• Most iOS apps do not prompt the user to log in every time and create persistent cookies

Page 70: iOS Application Penetration Test

Cookie Binary

[Login success]

[iPod | My local machine]


Page 72: iOS Application Penetration Test

Error Logs

• Apps may write sensitive data to logs

– Debugging (NSLog calls)

– Troubleshooting

– Request & response

• Located at /private/var/log/syslog

• Syslog is outside the sandbox – any app can access it

• Do not write sensitive data to the syslog file

Page 73: iOS Application Penetration Test

Insecure Data Storage

• Databases (SQLite, Core Data)

• Plists

• Keyboard Cache

• Image Cache

• Keychain

• Cookie Binary

• Error Logs

• Hidden Files (ex. Citi Mobile app [Fixed])


Page 75: iOS Application Penetration Test

Runtime Analysis – Overview

• Developed in Objective-C – a superset of C

– Existing methods can be overridden easily

• Self-distributed apps are not encrypted

• App Store binaries are encrypted

• The app is decrypted when loaded into memory

Page 76: iOS Application Penetration Test

Runtime Analysis – Tools

• Clutch – decrypts the binary

• Class-Dump-Z – extracts the class information and identifies interesting classes

• Cycript – a combined JavaScript and Objective-C interpreter

– Gives access to all classes and instance variables within the app

• GDB & IDA Pro

Samples: Coupang, Password_Keeper, piracydemo2

Page 77: iOS Application Penetration Test

Runtime Analysis – Decrypt Manually

[ARM v6 | ARM v7 | Encrypted binary]

Page 78: iOS Application Penetration Test

Runtime Analysis – Decrypt Manually

(gdb) set sharedlibrary load-rules ".*" ".*" none
(gdb) set inferior-auto-start-dyld off
(gdb) set sharedlibrary preload-libraries off
(gdb) rb doModInitFunctions
Breakpoint 1 at 0x2fe0d526 <function, no debug info> __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11Image
(gdb) r
Starting program: /private/var/mobile/Applications/3DC4CAC7-A429-449E-BB6C-A985E3A644
Program received signal SIGABRT, Aborted.
0x3a5b7350 in ?? ()
(gdb) dump memory coupang.bin 12288 950272
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) q

Page 79: iOS Application Penetration Test

Runtime Analysis – Decrypt Manually

• Success, but it consumes time!!!

Page 80: iOS Application Penetration Test

Runtime Analysis

• Authentication bypass

• Breaking simple locks

• Bypassing restrictions that stop apps from running on a jailbroken device

• Extracting hardcoded encryption keys

• Extracting app passcodes

• Malicious code injection

Page 81: iOS Application Penetration Test

Runtime Analysis – Attack

• Bypassing the lock screen

– Password_Keeper

– FaceBook

Page 82: iOS Application Penetration Test

Runtime Analysis

• Encryption

Page 83: iOS Application Penetration Test

Runtime Analysis – Decrypt Automatically

• Clutch

Page 84: iOS Application Penetration Test

Runtime Analysis – ClassDump

• ClassDump

[No more obfuscation]

Page 85: iOS Application Penetration Test

Runtime Analysis – ClassDump

• ClassDump

Page 86: iOS Application Penetration Test

Runtime Analysis – Cycript

• Cycript

Page 87: iOS Application Penetration Test

Runtime Analysis – ClassDump

• Cycript

Page 88: iOS Application Penetration Test

Runtime Analysis – Cycript

• Cycript

Page 89: iOS Application Penetration Test

Runtime Analysis – Cycript

• Cycript

Step (1/3): Enter the code

Page 90: iOS Application Penetration Test

Runtime Analysis – Cycript

• Cycript

Step (2/3)

Page 91: iOS Application Penetration Test

Runtime Analysis – Cycript

• Cycript

Step (3/3): Get rid of the lock screen

Runtime Analysis

• Authentication bypass

• Breaking simple locks

• Bypassing restriction that stops apps

from running on Jailbroken device

• Extract hardcode encryption keys

• Extract app passcodes

• Malicious code injection

Page 93: iOS Application Penetration Test

Runtime Analysis – Attack

• Bypassing jailbreak detection – Demo_App

Page 94: iOS Application Penetration Test

Runtime Analysis – Attack

• Figure out the attractive instance

Page 95: iOS Application Penetration Test

Runtime Analysis – Attack

• Figure out the attractive instance

Page 96: iOS Application Penetration Test

Runtime Analysis – Attack

• Figure out the attractive instance

Page 97: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – Set the breakpoint

Page 98: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – Continue

Continue in GDB and hit “Am I Jailbroken?”

Page 99: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – Set the breakpoints at “objc_msgSend”

Page 100: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – Check out the breakpoints

Page 101: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – That’s not what we want

Page 102: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – That’s not what we want

Page 103: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – That’s not what we want

Page 104: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – That’s exactly what we want

Page 105: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – Manipulate r0

Page 106: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB

Page 107: iOS Application Penetration Test

Runtime Analysis – GDB

• GDB – Success

Page 108: iOS Application Penetration Test

Runtime Analysis – Defense

• Jailbreak Detection (1) – Sandbox

Page 109: iOS Application Penetration Test

Runtime Analysis – Defense

• Jailbreak Detection (2) – Filesystem

1. /Library/MobileSubstrate/MobileSubstrate.dylib

2. /Applications/Cydia.app

3. /var/cache/apt

4. /var/lib/apt

5. /var/lib/cydia

6. /var/log/syslog

7. /var/tmp/cydia.log

8. /bin/bash, /bin/sh

9. /usr/sbin/sshd

10. /usr/libexec/ssh-keysign

11. /etc/ssh/sshd_config

12. /etc/apt

Page 110: iOS Application Penetration Test

Runtime Analysis – Defense

• Jailbreak Detection (3) – Symbolic links

1. /Library/Ringtones

2. /Library/Wallpaper

3. /Library/arm-apple-darwin9

4. /usr/include

5. /usr/libexec

6. /usr/share
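The three detections on slides 108 to 110 in one place, as an added example that is not the author's code: a write probe outside the container for the sandbox check, the file list from slide 109, and an lstat-based test of the directories on slide 110, which are real directories on stock iOS and become symbolic links when a jailbreak relocates them. The probe file name is constructed.

```objc
#import <Foundation/Foundation.h>
#import <TargetConditionals.h>
#import <sys/stat.h>

// Added example. (1) Sandbox: a non-jailbroken app cannot write outside its container.
static BOOL SandboxIsBroken(void) {
    NSString *probe = @"/private/jb_probe.txt";  // constructed file name
    BOOL wrote = [@"x" writeToFile:probe atomically:YES encoding:NSUTF8StringEncoding error:NULL];
    if (wrote) [[NSFileManager defaultManager] removeItemAtPath:probe error:NULL];
    return wrote;
}

// (2) Filesystem: the artifacts listed on slide 109.
static BOOL JailbreakFilePresent(void) {
    NSArray *paths = @[ @"/Library/MobileSubstrate/MobileSubstrate.dylib",
                        @"/Applications/Cydia.app",
                        @"/var/cache/apt", @"/var/lib/apt", @"/var/lib/cydia",
                        @"/var/log/syslog", @"/var/tmp/cydia.log",
                        @"/bin/bash", @"/bin/sh",
                        @"/usr/sbin/sshd", @"/usr/libexec/ssh-keysign",
                        @"/etc/ssh/sshd_config", @"/etc/apt" ];
    struct stat st;
    for (NSString *p in paths) {
        if (stat(p.fileSystemRepresentation, &st) == 0) return YES;
    }
    return NO;
}

// (3) Symbolic links: the directories on slide 110. lstat does not follow the
// link, so S_ISLNK on the result tells the two apart.
static BOOL JailbreakSymlinkPresent(void) {
    NSArray *dirs = @[ @"/Library/Ringtones", @"/Library/Wallpaper",
                       @"/Library/arm-apple-darwin9",
                       @"/usr/include", @"/usr/libexec", @"/usr/share" ];
    struct stat st;
    for (NSString *p in dirs) {
        if (lstat(p.fileSystemRepresentation, &st) == 0 && S_ISLNK(st.st_mode)) return YES;
    }
    return NO;
}

static BOOL DeviceLooksJailbroken(void) {
#if TARGET_IPHONE_SIMULATOR
    return NO;   // the simulator has no sandbox of this kind; do not flag developers
#else
    return SandboxIsBroken() || JailbreakFilePresent() || JailbreakSymlinkPresent();
#endif
}
```

Slides 93 to 107 show why a single BOOL-returning check is weak on its own: the attacker breaks on objc_msgSend and rewrites r0. Treat the result as a signal, call the checks from more than one place, and pair them with the runtime protections on the next slide rather than gating everything on one return value.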

Page 111: iOS Application Penetration Test

Runtime Analysis – Defense

• Protect Runtime

– -Oz option: inlining at compile time

– Strip: get rid of the unnecessary symbol table

– Debugging flag: P_TRACED

– dladdr: checking the address space
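The two runtime checks from this slide, as an added example that is not from the slides: the P_TRACED flag is read through sysctl, and dladdr confirms that a method's implementation still lives in the main executable rather than in an injected library. The class and selector used in the usage are assumptions. The -Oz and strip items are build settings rather than code; in Xcode they are "Optimization Level: Fastest, Smallest [-Oz]" and "Strip Linked Product".

```objc
#import <Foundation/Foundation.h>
#import <dlfcn.h>
#import <objc/runtime.h>
#import <string.h>
#import <sys/sysctl.h>
#import <sys/types.h>
#import <unistd.h>

// Added example. The kernel sets P_TRACED in the process flags while a
// debugger such as gdb is attached; KERN_PROC exposes them for our own pid.
static BOOL DebuggerIsAttached(void) {
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return NO;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}

// dladdr names the loaded image that contains an address. A method whose
// implementation was replaced by an injected library (MobileSubstrate,
// Cycript) resolves to that library's path instead of the app binary.
static BOOL AddressIsInMainExecutable(const void *addr) {
    Dl_info info;
    if (dladdr(addr, &info) == 0 || info.dli_fname == NULL) return NO;
    const char *mainImage = [[NSBundle mainBundle].executablePath fileSystemRepresentation];
    return strcmp(info.dli_fname, mainImage) == 0;
}

static BOOL MethodIsOriginal(Class cls, SEL sel) {
    IMP imp = class_getMethodImplementation(cls, sel);
    return imp != NULL && AddressIsInMainExecutable((const void *)imp);
}

// Usage; LoginViewController and isPasswordValid: are assumed names.
static void RuntimeIntegrityDemo(void) {
    if (DebuggerIsAttached()) {
        NSLog(@"debugger present");   // refuse sensitive operations here
    }
    Class cls = NSClassFromString(@"LoginViewController");
    if (cls && !MethodIsOriginal(cls, NSSelectorFromString(@"isPasswordValid:"))) {
        NSLog(@"isPasswordValid: is no longer served by the main executable");
    }
}
```

Inlining these checks with -Oz and stripping symbols makes them harder to find with Class-Dump-Z and harder to patch at one address, which is the connection between the first two bullets and the last two.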


Page 113: iOS Application Penetration Test

Transport Security – Overview

• UDID

• GeoLocation

• SSL

• MAC Address

Page 114: iOS Application Penetration Test

Transport Security – UDID

• Much like the Pentium 3 CPU, each Apple iPhone is equipped with a unique, application-visible serial number (40 characters) called the Unique Device ID (UDID).

• According to Apple, the use of UDIDs allows businesses to ensure that devices continue to comply with required policies.

• Not any more!!!

Page 115: iOS Application Penetration Test

Transport Security – UDID

Page 116: iOS Application Penetration Test

Transport Security – UDID


Page 118: iOS Application Penetration Test

Transport Security – GeoLocation

• Provided by the Core Location framework

• Avoid being “too accurate”

• Accuracy can be set to one of the following constants:

– kCLLocationAccuracyBestForNavigation

– kCLLocationAccuracyBest

– kCLLocationAccuracyNearestTenMeters

– kCLLocationAccuracyHundredMeters

– kCLLocationAccuracyKilometer

– kCLLocationAccuracyThreeKilometers

Page 119: iOS Application Penetration Test

Transport Security – GeoLocation

• Without agreement

Page 120: iOS Application Penetration Test

Transport Security – GeoLocation

• Without agreement
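Both points, the accuracy constant and the user's agreement, in one added example that is not from the slides: a one-shot Core Location request that checks the authorization status before starting, uses kCLLocationAccuracyKilometer, stops after the first fix, and rounds the coordinate before it is handed on. The class name is assumed.

```objc
#import <CoreLocation/CoreLocation.h>

// Added example; CoarseLocator is an assumed class name.
@interface CoarseLocator : NSObject <CLLocationManagerDelegate>
@property (strong, nonatomic) CLLocationManager *manager;
@property (copy, nonatomic) void (^completion)(CLLocation *);
@end

@implementation CoarseLocator

- (void)locateOnce:(void (^)(CLLocation *))completion {
    // Respect the user's decision before touching the hardware at all.
    CLAuthorizationStatus status = [CLLocationManager authorizationStatus];
    if (![CLLocationManager locationServicesEnabled] ||
        status == kCLAuthorizationStatusDenied ||
        status == kCLAuthorizationStatusRestricted) {
        completion(nil);
        return;
    }
    self.completion = completion;
    self.manager = [[CLLocationManager alloc] init];
    self.manager.delegate = self;
    // The coarsest constant that still serves the feature (e.g. "nearby branches").
    self.manager.desiredAccuracy = kCLLocationAccuracyKilometer;
    self.manager.distanceFilter = 1000;   // metres; ignore movement below that
    // First use triggers the system permission prompt; on iOS 8 and later the
    // app must call requestWhenInUseAuthorization before this.
    [self.manager startUpdatingLocation];
}

- (void)locationManager:(CLLocationManager *)manager didUpdateLocations:(NSArray *)locations {
    [manager stopUpdatingLocation];     // one fix is enough; do not keep tracking
    CLLocation *fix = locations.lastObject;
    // Round to two decimals (roughly a kilometre) so nothing downstream,
    // including the server, ever sees a finer position than the feature needs.
    CLLocation *coarse = [[CLLocation alloc] initWithLatitude:round(fix.coordinate.latitude * 100) / 100
                                                    longitude:round(fix.coordinate.longitude * 100) / 100];
    if (self.completion) self.completion(coarse);
    self.completion = nil;
}

- (void)locationManager:(CLLocationManager *)manager didFailWithError:(NSError *)error {
    [manager stopUpdatingLocation];
    if (self.completion) self.completion(nil);
    self.completion = nil;
}

@end
```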


Page 122: iOS Application Penetration Test

Transport Security – SSL

• Vulnerable to MITM

– ex) Global banking app (it uses “allowsAnyHTTPSCertificateForHost”, which overrides certificate validation so that self-signed certificates are accepted)

Page 123: iOS Application Penetration Test

Transport Security – SSL

• Password Authentication

Page 124: iOS Application Penetration Test

Transport Security – SSL

• Password Authentication

Page 125: iOS Application Penetration Test

Transport Security – SSL

• Password Authentication

Page 126: iOS Application Penetration Test

Transport Security – SSL

• Password Authentication

Page 127: iOS Application Penetration Test

Transport Security – SSL

• Password Authentication

Page 128: iOS Application Penetration Test

Transport Security – SSL (Defense)

• NSURLRequest – prohibit the use of self-signed certificates (no allowsAnyHTTPSCertificateForHost)

• NSURLConnection – certificate ignored via the continueWithoutCredentialForAuthenticationChallenge selector

• CFNetwork framework – check these settings:

– kCFStreamSSLAllowsExpiredCertificates

– kCFStreamSSLAllowsAnyRoot

– kCFStreamSSLValidatesCertificateChain
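The NSURLConnection side of this slide in code, as an added example that is not from the slides: first the "trust anything" shape a reviewer greps for, then a hardened delegate that runs the normal chain evaluation (the policy attached by NSURLConnection already includes the host name) and pins the leaf certificate to one shipped with the app. The bundled certificate file name and the delegate class name are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example; PinnedConnectionDelegate is an assumed class name.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

// The shape to flag in review: the server's own trust object is turned into a
// credential without SecTrustEvaluate, so any certificate is accepted.
// Kept here only for comparison with the hardened handler below.
- (void)insecureAcceptAnything:(NSURLAuthenticationChallenge *)challenge {
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
         forAuthenticationChallenge:challenge];
}

// DER bytes of the expected leaf certificate, shipped in the bundle
// ("server.der" is a constructed file name).
static NSData *PinnedCertificate(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
    return path ? [NSData dataWithContentsOfFile:path] : nil;
}

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    // 1. Ordinary validation: chain to a system root, validity dates, host name.
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainOK = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // 2. Pin: the leaf presented must be byte-identical to the one we ship.
    BOOL pinOK = NO;
    NSData *expected = PinnedCertificate();
    if (chainOK && expected != nil && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafDER = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        pinOK = [leafDER isEqualToData:expected];
    }

    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Self-signed, expired, wrong host or unpinned: refuse, with no fallback.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

The CFNetwork bullet is the same decision at a lower layer: a stream whose SSL settings set kCFStreamSSLAllowsExpiredCertificates or kCFStreamSSLAllowsAnyRoot to true, or kCFStreamSSLValidatesCertificateChain to false, is skipping the evaluation that step 1 performs here.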


Page 130: iOS Application Penetration Test

Transport Security – MAC

• Ads

Page 131: iOS Application Penetration Test

Transport Security – MAC

• Ads

Page 132: iOS Application Penetration Test

Transport Security – MAC

• Ads


Page 136: iOS Application Penetration Test

- Thank you -