Upload
jongwon-kim
View
6.870
Download
7
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
What’s the iOS App?
• Development in Xcode – You don’t have to buy a Mac since this is for
BlackBox Assessment
• Applications written primarily in Objective-C Compiled(ARM) Executable – Need to background about the structure of Objective-C
• Encrypted Executable
• Installed by “mobile” user – Compared to each Android apps which use
different UID/GID
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
Monoculture – Code Signing
•Code Signing
–Provisioning Profiles
–Signed Applications
–Entitlements
Monoculture – Code Signing
• Provisioning Profile
– Asymmetric cryptography
– UDIDS(prevents running of restricted
devices)
– Certificate(with trust based on the
signing by a developer)
– App ID in the info.plist
Monoculture – Code Signing
• Developer Certificates
Developer Program
Device
Testing Ad Hoc App Store In-House
Apple Developer No No No No
University Program Yes No No No
Standard Program Yes Yes Yes No
Enterprise Program Yes Yes No Yes
Monoculture – Code Signing
• Provisioning Profile
Monoculture – Code Signing
• Signed Applications
– All iOS executable binaries and applications
must be signed by a trusted certificate
[Ad-hoc code signed executable]
Monoculture – Code Signing
• Signed Applications
– All iOS executable binaries and applications
must be signed by a trusted certificate
[Normal code signed executable]
Monoculture – Code Signing
•Entitlements
–Application-Identifier
–Get-task-allow(Debug)
–Keychain-access-groups
Monoculture – Code Signing
Monoculture – SandBoxing
• Sandboxing – Third party apps assigned “container” seatbelt
profile
– Function calls hooked by the TrustedBSD
layer will pass through Sandbox.kext for
policy enforcement
Compared to
Andorid
UID/GID
Monoculture - Encryption
• Nand Solite State – Boot: Low Level Bootloader
– Plog: Effaceable area(BAGI, Dkey, EMF!)
– Nvm: Environments variables
– Firm: iBoot, device tree and boot logos
– Fsys: OS, DATA
– Rsrv: Filesystem partition
boot block 0
plog block 1
nvm blocks 2-7
firm blocks 8-15
fsys blocks 16-4084
rsrv blocks 4085-
4100
Monoculture - Encryption
• EMF! – Used to encrypt the filesystem
• Dkey – Used to encrypt the master key of the
protection class "NSFileProtectionNone" (the majority of files)
• BAGI – Used to produce the encryption keys for the
other master keys
Monoculture - Encryption
• Data Protection
Level Description
No Protection The file is not encrypted on the file-system
Complete
Protection
The file is encrypted on the file-system and
inaccessible when the device is locked
Complete
Unless Open
The file is encrypted on the file-system and inaccessible
while closed. When a device is unlocked an app can
maintain an open handle to the file even after it is
subsequently locked, however during this time the file will
not be encrypted
Complete Until
First User
Authentication
The file is encrypted on the file-system and inaccessible
until the device is unlocked for the first time. This helps
offer some protection against attacks the require a
device reboot
Dkey
on Plog
Monoculture - Encryption
• File System Encryption – Every File is encrypted with unique key "cprotect"
key
– File key is stored in the file metadata
– Metadata is encrypted with EMF Key
– Content is grouped into protection class
– Each protection class assigned a master encryption key
– Master keys are protected by device key and passcode
– Protected master keys form system keybag
Monoculture - Encryption
Monoculture - Encryption
Monoculture - Encryption
Monoculture - Encryption
Monoculture - Encryption
Monoculture – Old Things
• PIE(Positon Independent Executable) – Exploit mitigation security feature that allows an application to
take full advantage of ASLR
• Stack-Smashing Protection – “Canary” is placed on the stack directly before the local variables
to protect the saved base pointer
• Automatic Reference Counting – Introduced in iOS SDK version 5.0 to move the responsibility of
memory management from the developer to the compiler
– Offers some security benefits as it reduces the likelihood of developers introducing memory corruption(specifically object use-after-free and double free vulnerabilities)
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
Compile Option Check
• PIE(Positon Independent Executable)
• Stack-Smashing Protection
• Automatic Reference Counting
Compile Option Check
• Where is the Excutable File? – Smart
– Brute
Compile Option Check
• PIE(Positon Independent Executable) – GmailHybrid
Compile Option Check
• Stack-Smashing Protection – GmailHybrid
Compile Option Check
• Automatic Reference Counting – GmailHybrid
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
URLSchema - Overview
• No real Inter-Process Communication
• Apps prohibited from sharing because of
sandbox
• Apps sometimes need to share data
• Apps can register a custom protocol
handler
URLSchema - Overview
• Two methods for implementing protocol
handlers
• handleOpenURL
– Now deprecated
• openURL
– Provides bundle identifier
– Allows developer to validate source app
URLSchema - Attack
• Skype registers the “skype://” protocol
handler
• Malicious web site could make calls
• Skype app did not prompt or validate
before call
– Allows developer to validate source app
• Play the Video
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
Insecure Data Storage
• Databases
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
– Samples: Password_Keeper, Pic Lock, iPassword
Databases - Overview
• Data stored in the Sqlite in un-
encrypted
• SQLite files are stored un-encrypted
in the iOS backups
• Delete files can be recovered by
carving the HFS Journal
• Not deleted completely
Databases - Attack
• Password_Keeper – Interfaces
Databases - Attack
• Password_Keeper – Save ID/Password
Databases - Attack
• Password_Keeper – Clear Text in the Sqlite
Database - Defense
• Do not store sensitive data in clear text • Use custom encryption
• Protect Sqlite files with data protection API
• Implement classes for secure file wipe
• Purge the data upon deletion with VACUUM SQL command – VACUUM rebuild the databases
– Doing it for every delete consume time
• Before deleting the SQL record, replace the data with junk values – Data and Junk value length has to be same
Database - Defense
– Step 1: Create the Table
Database - Defense
– Step 2: Check out Strings in the Sqlite
Database - Defense
– Step 3: Delete one row and Check out deleted
Completely
Database - Defense
– Step 4: Delete it completely
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
Plists - Overview
• Property list files - Key value pairs stored in binary
• Identified by a file header – bplist
• Designed to store user's properties and configuration information
• Not protected by Data protection
• But Apps store credentials such as username, password, and session information
Plists - Attack
• Pic Lock
Plists - Attack
• Pic Lock
Plists – Defense
• Do not store sensitive data in Plist files
• If required, use custom encryption
• Create plist files Library/Caches folder
– iTunes does not backup caches directory
• For better security, Implement classes for
secure file wipe
– Before deleting the file overwrite the file bytes with
junk values
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
Keyboard Cache - Overview
• Designed to auto complete the
predictive common words
• Secure fields are not stored – passwords are safe
• String with all digits are not stored – Pins and credit card number are safe
• Data typed into text fields are cached
Keyboard Cache - Attack
• iPassword
Keyboard Cache - Attack
• Keyboard Cache – iPassword
– What if it is banking information?
Keyboard Cache - Defense
• Keyboard Cache – Disable auto correction
• Mark it as a secure field – mytextField.secureTextEntry = YES
• Copy&Paste
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
Image Cache - Overview
• Takes screen shots of the application
to trick you
• Sensitive data may get cached – App directory/Library/Caches/Snapshots
Image Cache - Attack
• Image Cache – Mail App
Press Home Button
Two Times
Image Cache - Attack
• Image Cache – Mail App
IPod
My Local
Machine
Defense – Image Cache
• Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns
• Instead of hiding or removing sensitive data you can also prevent back-grounding altogerher by setting the "Application does not run in background" property in the application's Info.plist file
Databases - Attack
• Databases – Mail App
Databases - Attack
• Databases – Mail App(Subject)
Databases - Attack
• Databases – Mail App(Body)
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
Keychain - Overview
• Keychain encryption is tied to the device
– Protected entries are tied to the user's passcode
• Keychain file is accessible to all the
application
• Application can only acess it's own key
chain items
– Based on app keychain access group
Keychain - Overview
Attribute Description
kSecAttrAccessibleAlways The keychain item is always accessible
kSecAttrAccessibleWhenUnlocked The keychain item is only accessible
when the device is unlocked.
kSecAttrAccessibleAfterFirstUnlock
They keychain item is only accessible after
the first unlock from boot. This helps offer
some protection against attacks that require
a device reboot
kSecAttrAccessibleAlwaysThisDevice
Only
The keychain item is always accessible but
cannot be migrated to other devices
kSecAttrAccessibleWhenUnlockedThi
sDeviceOnly
The keychain item is only accessible when
the device is unlocked and may not be
migrated to other devices
kSecAttrAccessibleAfterFirstUnlock
ThisDeviceOnly
The keychain item is accessible after the
first unlock from boot and may not be
migrated to other devices
Keychain - Attack
• Keychain_Dumper
Keychain - Defense
• Do not store sensitive data in clear text
• Encrypt the data using custom
encryption
• Use data protection API while storing
data in keychain
• By default entries are created with
kSecAttrAccessibleWhenUnlocked data
protection
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
Coockies Binary
• Binary file to store the cookies
• Persistent cookies are stored along
with the flags(Secure, HTTPOnly)
• Most iOS apps not prompt the user
for login every time and creates
persistent cookies
Cookie Binary
Login
Sucess
IPod
My Local
Machine
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app)
Error Logs
• Apps may write sensitive data in logs – Debugging(NSLog calls)
– Trouble shooting
– Request & Response
• Located at - /private/var/log/syslog
• Syslog is out of sandbox - Any app can access it
• Do not write sensitive data in the syslog file
Insecure Data Storage
• Databases(SQLite, coreData)
• Plists
• Keyboard Cache
• Image Cache
• Keychain
• Cookie Binary
• Error Logs
• Hidden Files(ex. Citi Mobile app[Fixed])
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
Runtime Analysis - Overview
• Developed in Objective – Superset of C
– Exiting methods can be overwritten easily
• Self distributed Apps are not encrypted
• AppStore binaries are encrypted
• Decrypts the apps when loaded into memory
Runtime Analysis - Tools
• Clutch – Decrypt the binary
• Class-Dump-Z – Extract the class information and identify
interesting class
• Cycript – Combination of JavaScript and Objective-C
interpreter
– Gives access to all classes and instance variables within the app
• GDB & IDA Pro Samples: Coupang, Password_Keeper, piracydemo2
Runtime Analysis –
Decrypt Manually
ARM v6
ARM v7
Encryped
Binary
Runtime Analysis –
Decrypt Manually
(gdb) set sharedlibrary load-rules ".*" ".*" none (gdb) set inferior-auto-start-dyld off (gdb) set sharedlibrary preload-libraries off (gdb) rb doModInitFunctions Breakpoint 1 at 0x2fe0d526 <function, no debug info> __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11Image (gdb) r Starting program: /private/var/mobile/Applications/3DC4CAC7-A429-449E-BB6C-A985E3A644 Program received signal SIGABRT, Aborted. 0x3a5b7350 in ?? () (gdb) dump memory coupang.bin 12288 950272 (gdb) kill Kill the program being debugged? (y or n) y (gdb) q
Runtime Analysis –
Decrypt Manually
• Success, but it consumes time!!!
Runtime Analysis
• Authentication bypass
• Breaking simple locks
• Bypassing restriction that stops apps
from running on Jailbroken device
• Extract hardcode encryption keys
• Extract app passcodes
• Malicious code injection
Runtime Analysis - Attack
• Bypassing Lock Screen – Password_Keeper
Runtime Analysis
• Encryption
Runtime Analysis –
Decrypt Automatically
• Clutch
Runtime Analysis - ClassDump
• ClassDump
No More
Obfuscation
Runtime Analysis - ClassDump
• ClassDump
Runtime Analysis - Cycript
• Cycript
Runtime Analysis - ClassDump
• Cycript
Runtime Analysis - Cycript
• Cycript
Runtime Analysis - Cycript
• Cycript
Step(1/3)
Enter the Code
Runtime Analysis - Cycript
• Cycript
Step(2/3)
Runtime Analysis - Cycript
• Cycript
Step(3/3)
Get rid of
Lock Screen
Runtime Analysis
• Authentication bypass
• Breaking simple locks
• Bypassing restriction that stops apps
from running on Jailbroken device
• Extract hardcode encryption keys
• Extract app passcodes
• Malicious code injection
Runtime Analysis - Attack
• Bypassing JailBreak Detection – Demo_App
Runtime Analysis - Attack
• Figure out Attractive Instance
Runtime Analysis - Attack
• Figure out Attractive Instance
Runtime Analysis - Attack
• Figure out Attractive Instance
Runtime Analysis - GDB
• GDB – Set the BreakPoint
Runtime Analysis - GDB
• GDB - Continue
Continue on GDB and Hit the
“Am I Jailbroken?”
Runtime Analysis - GDB
• GDB – Set the breakpoints at
“objc_msgSend”
Runtime Analysis - GDB
• GDB – Check Out Breakpoints
Runtime Analysis - GDB
• GDB – That’s not what we want
Runtime Analysis - GDB
• GDB – That’s not what we want
Runtime Analysis - GDB
• GDB – That’s not what we want
Runtime Analysis - GDB
• GDB – That’s exactly what we want
Runtime Analysis - GDB
• GDB – Manipulate the r0
Runtime Analysis - GDB
• GDB
Runtime Analysis - GDB
• GDB - Sueccess
Runtime Analysis - Defense
• Detection JailBreak(1) – Sandbox
Runtime Analysis - Defense
• Detection JailBreak(2) – Filesystem
1. /Library/MobileSubstrate/MobileSubstrate.dylib
2. /Application/Cydia.app
3. /var/cache/apt
4. /var/lib/apt
5. /var/lib/cydia
6. /var/log/syslog
7. /var/tmp/cydia.log
8. /bin/bash, /bin/sh
9. /usr/sbin/sshd
10. /usr/libexec/ssh-keysign
11. /etc/ssh/sshd_config
12. /etc/apt
Runtime Analysis - Defense
• Detection JailBreak(3) – Symbolic Link
1. /Library/Ringtones
2. /Library/Wallpaper
3. /Library/arm-apple-darwin9
4. /usr/include
5. /usr/libexec
6. /usr/share
Runtime Analysis - Defense
• Protect Runtime – OZ option: Inline compile
– Strip: Get rid of unnessesary symbol table
– Debugging Flag: P_Traced
– dladdr: Checking address space
Angenda
• What’s the iOS App?
• Monoculture – Code Signing
– Sandboxing
– Encryption
• The Perspective of Pen Tester – Compile Option
– URLScheme
– Insecure Database
– Runtime Analysis
– Transport Security
Transport Security - Overview
•UDID
•GeoLocation
•SSL
•Mac Address
Transport Security - UDID
• Much like the Pentium 3 CPU, each
Apple iPhone is equipped with a unique,
application-visible serial number(40-
characcter) called a Unique Device ID
(UDID).
• According to Apple, the use of UDIDs
allows businesses to ensure that devices
continue to comply with required policies.
• Not Any more!!!
Transport Security - UDID
Transport Security - UDID
Transport Security - Overview
•UDID
•GeoLocation
•SSL
•Mac Address
Transport Security - GeoLocation
• Provided by the Core Location framework
• Avoid being “too accurate”
• Can be set by one of the following constants: – kCLLocationAccuracyBestForNavigation;
– kCLLocationAccuracyBest;
– kCLLocationAccuracyNearestTenMeters;
– kCLLocationAccuracyHundredMeters;
– kCLLocationAccuracyKilometer;
– kCLLocationAccuracyThreeKilometers;
Transport Security - GeoLocation
• Without Agreement
Transport Security - GeoLocation
• Without Agreement
Transport Security - Overview
•UDID
•GeoLocation
•SSL
•Mac Address
Transport Security - SSL
• Vunerable to MITM
– ex) Global Banking App(It uses
“allowsAnyHTTPSCertificateForHost” which
overrides self-signed certificate)
Transport Security - SSL
• Password Authentication
Transport Security - SSL
• Password Authentication
Transport Security - SSL
• Password Authentication
Transport Security - SSL
• Password Authentication
Transport Security - SSL
• Password Authentication
Transport Security –
SSL(Defense)
• NSURLRequest – Prohibit the use of self-signed
certificates(!allowsAnyHTTPSCertificateForHost)
• NSURLConnection – Ignore cert
usingcontinueWithoutCredentialForAuthenticationChallenge selector
• CFNetwork framework – kCFStreamSSLAllowsExpiredCertificates
– kCFStreamSSLAllowsAnyRoot
– kCFStreamSSLAllowsAnyRoot
– kCFStreamSSLValidatesCertificateChain
Transport Security - Overview
•UDID
•GeoLocation
•SSL
•Mac Address
Transport Security - MAC
• Ads
Transport Security - MAC
• Ads
Transport Security - MAC
• Ads
Reference - 1
• Half of iOS apps 'violate Apple's privacy policy
– http://www.digitalspy.co.uk/tech/news/a493520/half-of-ios-apps-violate-apples-privacy-policy.html
• iOS_Application Insecurity final
– http://www.mdsec.co.uk/research/iOS_Application_Insecurity_final.pdf
• iOS Application Insecurity wp v1.0 final
– http://www.mdsec.co.uk/research/iOS_Application_Insecurity_wp_v1.0_final.pdf
• Introduction to ios platform security
– http://blog.mdsec.co.uk/2012/05/introduction-to-ios-platform-security.html
• Code Signing
– http://installbuilder.bitrock.com/docs/installbuilder-userguide/ar01s16.html
– http://developer.apple.com/library/mac/#technotes/tn2206/_index.html
Reference - 2
• Pentesting iPhone Applications
– http://resources.infosecinstitute.com/pentesting-iphone-applications/
– http://www.securitylearn.net/
• iOS Application Security part4
– http://resources.infosecinstitute.com/ios-application-security-part-4-runtime-analysis-
using-cycript-yahoo-weather-app/
• Cycript_Tricks
– http://iphonedevwiki.net/index.php/Cycript_Tricks
• Keychain Dumper
– https://github.com/ptoomey3/Keychain-Dumper
• Books
– Hacking and Securing iOS Applications
• iOS Secure Development Source Boston 2011
– https://www.isecpartners.com/media/12964/ios_secure_development_source_bosto
n_2011.pdf
• Auditting iPhone and iPad applications by Ilja van Sprundel
• DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP
– http://media.blackhat.com/bh-us-
11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf
Reference - 3
• Reverse engineering sous Android et iOS
– www.ossir.org/jssi/jssi2013/3A.pdf
• iPhone data protection in depth
– http://conference.hitb.org/hitbsecconf2011ams/materials/D2T2%20-%20Jean-Baptiste%20Be%CC%81drune%20&%20Jean%20Sigwald%20-%20iPhone%20Data%20Protection%20in%20Depth.pdf
• Apple Sandbox
– http://securityevaluators.com/files/papers/apple-sandbox.pdf
• iOS_data_protection
– http://ensiwiki.ensimag.fr/images/7/7f/SecurIMAG-2012-09-27-iOS_data_protection.pdf
• syscan11 breaking ios code signing
– http://reverse.put.as/wp-content/uploads/2011/06/syscan11_breaking_ios_code_signing.pdf
• Syscan-2012-iOS-Applications-and-the-Lion-City-Presso
– http://reverse.put.as/wp-content/uploads/2011/06/Syscan-2012-iOS-Applications-and-the-Lion-City-Presso.pdf
• BlackHat_EU_2011_Dhanjani_Attacks_Against_Apples_iOS-WP
– http://media.blackhat.com/bh-eu-11/Nitesh_Dhanjani/BlackHat_EU_2011_Dhanjani_Attacks_Against_Apples_iOS-WP.pdf
- Thank you -