iOS security - 101 Daniel Ramírez OWASP WROCLAW#2 MEETING 04/29/16


Page 1: [Wroclaw #2] iOS Security - 101

iOS security - 101
Daniel Ramírez
OWASP WROCLAW #2 MEETING
04/29/16

Page 2: [Wroclaw #2] iOS Security - 101

Agenda

• Introduction iOS
• iOS App Architecture
• iOS App Runtime Protection Features
• Setting up our Environment
• Tools for iOS App Review
• iOS Risks Analysis

Page 3: [Wroclaw #2] iOS Security - 101

Introduction iOS

• Apps are among the most critical elements of a modern mobile security architecture.

• While apps provide amazing productivity benefits for users, they also have the potential to negatively impact system security, stability, and user data if they are not handled properly.

Page 4: [Wroclaw #2] iOS Security - 101

Introduction iOS

• Because of this, iOS provides layers of protection:
  – Signed and verified
  – Sandboxed to protect user data
  – …

• These elements provide a stable, secure platform for apps without impacting system integrity.

Page 5: [Wroclaw #2] iOS Security - 101

iOS App Architecture

• The typical architecture of an iOS application is shown in the image below.

Page 6: [Wroclaw #2] iOS Security - 101

iOS App Protection Features

• ASLR (Address Space Layout Randomization)

• Non-Executable Memory

• ARC (Automatic Reference Counting)

• Code Signing

• Sandboxing

Page 7: [Wroclaw #2] iOS Security - 101

ASLR

Page 8: [Wroclaw #2] iOS Security - 101

ASLR - Example

example: otool –Vh <binary>

Page 9: [Wroclaw #2] iOS Security - 101

Non-Executable Memory

• Data pages are marked non-executable
• iOS enforces a W^X page protection policy
  – Pages that are writeable cannot become executable
• Injected machine code cannot be immediately executed

Page 10: [Wroclaw #2] iOS Security - 101

ARC (Automatic Reference Counting)

Page 11: [Wroclaw #2] iOS Security - 101

ARC

Page 12: [Wroclaw #2] iOS Security - 101

Code Signing

• 2 types of certificates:
  – Developer
  – Submission (Apple's own term is Distribution)

Page 13: [Wroclaw #2] iOS Security - 101

Apple Review

Page 14: [Wroclaw #2] iOS Security - 101

Sandboxing

Page 15: [Wroclaw #2] iOS Security - 101

Setting up our environment

Page 16: [Wroclaw #2] iOS Security - 101

Setting up our Environment

• A jailbroken device
• PuTTY – SSH client
• iFunBox (Windows)
• WinSCP – SFTP client

Page 17: [Wroclaw #2] iOS Security - 101

Tools for iOS Apps Review

• Dynamic analysis tools
  – Cycript (runtime)
  – idb / iNalyzer
• Disassembler tools
  – class-dump / class-dump-z (depends on iOS version)
  – otool
  – Hopper
• Clutch – decrypt apps
• Keychain dumper

Page 18: [Wroclaw #2] iOS Security - 101

iOS Risks Analysis

• Insecure Data Storage
• Insufficient Transport Layer Protection
• Unintended Data Leakage
• Poor Authorization & Authentication
• Lack of Binary Protection

Page 19: [Wroclaw #2] iOS Security - 101

Insecure Data Storage

• SQLite databases
• NSUserDefaults
• Plist files
• Log files
• XML data stores
• Binary data stores
• Cookie stores
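What a reviewer does with this list once the app container has been copied off a jailbroken device (WinSCP or iFunBox will do it) is sweep the plists and SQLite stores for credentials kept in the clear instead of in the Keychain. The script below is an added example, not code from the deck: it flattens every plist (NSUserDefaults lives in Library/Preferences), lists columns of every SQLite file whose name looks sensitive, and reports the stored values. The container it scans is a constructed fixture; the key-name pattern, path and table names are assumptions.

```python
"""Added example (not from the slides): sweep an app container copied off a jailbroken device
(Library/Preferences plists, SQLite stores) for secrets stored in the clear.
Standard library only; the sample container below is constructed, not taken from any real app."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that usually mean the value belonged in the Keychain, not in a plist or database.
SENSITIVE = re.compile(r"pass|pwd|secret|token|api[_-]?key|session|credit|card|ssn", re.I)


def flatten(obj, prefix=""):
    """Yield (key path, value) for every leaf in a plist's nested dict/list structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}/{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def scan_plist(path):
    """NSUserDefaults and other plists (binary or XML; plistlib autodetects the format)."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return [(path, key, value) for key, value in flatten(data) if SENSITIVE.search(key)]


def _q(identifier):
    """Quote a SQLite identifier taken from sqlite_master so odd table/column names cannot break the query."""
    return '"' + identifier.replace('"', '""') + '"'


def scan_sqlite(path):
    """Flag columns whose name looks sensitive and show the first few stored values."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f"PRAGMA table_info({_q(table)})")]
            for col in columns:
                if not SENSITIVE.search(col):
                    continue
                rows = con.execute(f"SELECT {_q(col)} FROM {_q(table)} WHERE {_q(col)} IS NOT NULL LIMIT 5")
                findings.extend((path, f"{table}.{col}", value) for (value,) in rows)
    finally:
        con.close()
    return findings


def scan_container(root):
    """Walk an app sandbox (Documents/, Library/, tmp/) and scan every plist and SQLite file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(path))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                findings.extend(scan_sqlite(path))
    return findings


def build_sample_container(root):
    """Constructed fixture resembling a container: a preferences plist and a SQLite user table."""
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "settings": {"apiToken": "tok_abc"}}, fh)
    con = sqlite3.connect(os.path.join(docs, "app.sqlite"))
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    con.commit()
    con.close()


def demo():
    """Build the fixture in a temp dir, scan it, return sorted (relative path, key, value) findings."""
    root = tempfile.mkdtemp(prefix="ios-container-")
    build_sample_container(root)
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), k, v) for p, k, v in scan_container(root))


if __name__ == "__main__":
    # Point scan_container() at a real pulled container instead of the fixture to audit an app.
    for rel, key, value in demo():
        print(f"{rel}: {key} = {value!r}")
```

Cookie stores (Cookies.binarycookies) and log files use their own formats and are not covered here; the point of the sweep is that anything it finds was readable by whoever has the device or a backup of it.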

Page 20: [Wroclaw #2] iOS Security - 101

Insecure Data Storage

Page 21: [Wroclaw #2] iOS Security - 101

Insufficient Transport Layer Protection

• Are all connections properly encrypted?
• Are the SSL certificates current (not expired), and are any of them self-signed?
• Will your application accept user-accepted certificates as authorities?
• Is certificate pinning present?

Page 22: [Wroclaw #2] iOS Security - 101

Insufficient Transport Layer Protection

• Apply SSL/TLS to transport channels that the mobile app will use to transmit sensitive information

• Use certificates signed by a trusted CA and require SSL chain verification.

• Alert through the UI, if the mobile app detects an invalid cert.
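The questions on the previous slide and the fixes on this one map onto a few client-side settings. The code below is an added example, not the deck's own: `insecure_context` is what "accept any certificate" looks like (no chain verification, no hostname check), `hardened_context` is the CA-signed, chain-verified fix, and `connect_pinned` adds a certificate pin and raises where an app would alert through the UI. Standard library only; `FAKE_LEAF_DER` and `PIN_SHA256_EXAMPLE` are constructed placeholders, not a real server's certificate.

```python
"""Added example (not from the slides): weak vs. hardened TLS client settings plus a leaf-certificate pin.
Standard library only. FAKE_LEAF_DER / PIN_SHA256_EXAMPLE are constructed stand-ins for a real cert."""
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server's leaf certificate is not one we pinned; the UI should surface this."""


def insecure_context():
    """Weak pattern: no chain verification, no hostname check, so any MITM certificate is accepted. Do not ship."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the chain against the platform trust store, check the hostname, refuse pre-1.2 TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_verifying(ctx):
    """True only when the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate; this is the value you pin (hex, lower case)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, pins):
    """Accept pins in upper/lower case, with or without colon separators."""
    return cert_fingerprint(der_bytes) in {p.lower().replace(":", "") for p in pins}


def connect_pinned(host, port, pins, timeout=5.0):
    """Open a verified TLS connection and additionally require the leaf certificate to match a pin.
    Returns (negotiated protocol, leaf fingerprint); raises PinMismatch or ssl.SSLError otherwise."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)   # DER of the server's leaf certificate
            if not pin_matches(leaf, pins):
                raise PinMismatch(f"{host}: leaf cert {cert_fingerprint(leaf)} not in pin set")
            return tls.version(), cert_fingerprint(leaf)


# Constructed placeholder bytes standing in for a DER certificate; a real pin is computed from the real cert.
FAKE_LEAF_DER = b"\x30\x82\x01\x00" + bytes(range(256))
PIN_SHA256_EXAMPLE = cert_fingerprint(FAKE_LEAF_DER)


if __name__ == "__main__":
    print("hardened verifies:", is_verifying(hardened_context()), "| insecure verifies:", is_verifying(insecure_context()))
    print("pin ok:", pin_matches(FAKE_LEAF_DER, [PIN_SHA256_EXAMPLE]), "| wrong pin:", pin_matches(FAKE_LEAF_DER, ["00" * 32]))
    # connect_pinned("example.invalid", 443, [PIN_SHA256_EXAMPLE]) would raise PinMismatch against a real host.
```

Pinning the whole leaf certificate means the pin must be rotated together with the certificate; pinning the public key (SPKI) instead survives reissuance with the same key, and a backup pin should always ship alongside the primary so a rotation cannot lock users out.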

Page 23: [Wroclaw #2] iOS Security - 101

Unintended Data Leakage

• How the application stores data, images, key-presses, logging and buffers.

Storing data securely on a mobile device requires proper technique. Whenever possible, simply do not store or cache the data at all; this is the surest way to avoid data compromise on the device.

Page 24: [Wroclaw #2] iOS Security - 101

Poor Authorization & Authentication

• Insecure patterns:
  – Persistent auth within the mobile app should be implemented as opt-in, not by default
  – Ensure that all authentication requests are performed server-side

• Developers should assume all client-side authorization & authentication controls can be bypassed by malicious users.

Page 25: [Wroclaw #2] iOS Security - 101

Poor Authorization & Authentication

• Consider the following scenario:
  – Only authenticated users should be able to generate a service request that the mobile app submits to its backend for processing.
  – During the processing of the request, the server does not verify that the request is associated with a known user. Adversaries can then submit requests to the server anonymously.

Page 26: [Wroclaw #2] iOS Security - 101

Demo Time

Page 27: [Wroclaw #2] iOS Security - 101

Demo Time

Page 28: [Wroclaw #2] iOS Security - 101

Demo Time

• ps aux | grep <app name>
• cycript -p <pid>

Page 29: [Wroclaw #2] iOS Security - 101

Demo Time

Page 30: [Wroclaw #2] iOS Security - 101

Lack of Binary Protections iOS

• Can someone decrypt the app?
• Can someone use a reverse engineering tool like Hopper?
• The application must follow secure coding techniques:
  – Jailbreak detection controls
  – Certificate pinning controls
  – Debugger detection controls

Page 31: [Wroclaw #2] iOS Security - 101

Lack of Binary Protections iOS

• Disabling code encryption (ClutchMod)
• Jailbreak detection evasion (xcon)
• Class dumping (class-dump-z || class-dump)
• Runtime code injection (cycript)
• Runtime monitoring (Snoop-It)
• Runtime analysis (GDB)
• Reverse engineering (Hopper)

Page 32: [Wroclaw #2] iOS Security - 101

Example Clutch & Class-Dump

Page 33: [Wroclaw #2] iOS Security - 101

Example Clutch & Class-Dump

• Clutch2 -i

• Clutch2 <options> <id>

OUTPUT
Installed Apps:
1: Facebook
2: Yahoo Weather
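Two of the checks in this deck are answered by reading the Mach-O header of the app's main executable: the `otool -Vh` check from the ASLR slide (is the MH_PIE flag set, so the image gets a randomized base?) and the question behind Clutch (is the binary still FairPlay-encrypted, i.e. is the cryptid in its LC_ENCRYPTION_INFO load command 1, or has it been dumped with cryptid 0?). The reader below is an added example, not code from the deck or from Clutch/otool; it uses only the standard library and reads a thin or fat Mach-O the same way those tools do. The sample binaries it builds are constructed fixtures (a header plus one load command), not real apps.

```python
"""Added example (not from the slides): a pure-Python reader for the two Mach-O facts the deck
checks by hand, the MH_PIE header flag that `otool -Vh` prints (ASLR support) and the
LC_ENCRYPTION_INFO cryptid that Clutch clears when it writes a decrypted copy.
Standard library only; the sample binaries below are constructed fixtures."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian Mach-O (arm/arm64 on disk)
FAT_MAGIC = 0xCAFEBABE                            # universal wrapper, big-endian
MH_PIE = 0x200000                                 # header flag: image may be loaded at a random base
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {0x0000000C: "arm", 0x0100000C: "arm64", 0x00000007: "i386", 0x01000007: "x86_64"}


def parse_slice(data, off=0):
    """Parse one thin Mach-O image at `off`; return arch, PIE flag and cryptid (None if no encryption command)."""
    magic = struct.unpack_from("<I", data, off)[0]
    if magic == MH_MAGIC_64:
        hdr_len = 32          # mach_header_64 carries an extra reserved field
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError(f"no little-endian Mach-O header at offset {off}: {magic:#x}")
    cputype, _subtype, _filetype, ncmds, _sizeofcmds, flags = struct.unpack_from("<6I", data, off + 4)
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "pie": bool(flags & MH_PIE), "cryptid": None}
    pos = off + hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", data, pos + 8)
            info["cryptid"] = cryptid   # 1 = still FairPlay-encrypted, 0 = decrypted (what Clutch produces)
        pos += cmdsize
    return info


def inspect_macho(data):
    """Return one result per architecture; a fat binary yields an entry per slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        results = []
        for i in range(nfat):
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            results.append(parse_slice(data, offset))
        return results
    return [parse_slice(data, 0)]


def report(results):
    """otool-style one-liner per slice."""
    return "\n".join(
        f"{r['arch']}: PIE={'yes' if r['pie'] else 'NO'} "
        f"encrypted={'n/a' if r['cryptid'] is None else ('yes' if r['cryptid'] else 'no')}"
        for r in results
    )


def build_sample(bits=64, pie=True, cryptid=1):
    """Constructed fixture: one header plus a single LC_ENCRYPTION_INFO(_64) command; not a real app."""
    flags = MH_PIE if pie else 0
    if bits == 64:   # magic, cputype, cpusubtype, filetype(MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
        hdr = struct.pack("<7I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, flags) + b"\0" * 4
        lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    else:
        hdr = struct.pack("<7I", MH_MAGIC, 0x0000000C, 0, 2, 1, 20, flags)
        lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return hdr + lc


def build_fat(slices):
    """Constructed fixture: wrap thin images in a big-endian fat header, as lipo would."""
    offset = 8 + 20 * len(slices)
    header, body = struct.pack(">2I", FAT_MAGIC, len(slices)), b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        header += struct.pack(">5I", cputype, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return header + body


if __name__ == "__main__":
    # Pass the path of an executable copied off the device to inspect it; otherwise the fixtures are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_fat([build_sample(32, False, 1), build_sample(64, True, 0)])
    print(report(inspect_macho(blob)))
```

A cryptid of 1 is why class-dump on a binary straight from the App Store shows nothing useful: the __TEXT segment is still encrypted on disk and only decrypted by the loader, which is exactly what Clutch exploits by dumping the running process and writing the clear text back with cryptid set to 0.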

Page 34: [Wroclaw #2] iOS Security - 101

Example Clutch & Class-Dump

Page 35: [Wroclaw #2] iOS Security - 101

Summary

• The architecture of an .ipa file
• iOS protection features
  – ASLR
  – W^X
  – Code Signing

• Risk analysis
• Cycript | Clutch | class-dump | keychain_dumper

Page 36: [Wroclaw #2] iOS Security - 101

Questions?

mail: [email protected]
@danielramirezmrtn