Embed Size (px)
Citation preview
Practical iOS App Attack and Defense – Seth Law © 2015
Practical iOS App Attack and Defense
CodeMash 2.0.1.5
Introduction• Seth Law
– Director of R&D @ nVisium– Developer/Contributor to Swift.nV, SiRATool,
RAFT, Grails.nV– Hacker, AppSec Architect, Security Consultant– Soccer Hooligan
Abusing Trust
DisclaimerHacking of App Store apps is not condoned or encouraged in any way. What you do on your own time is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this presentation for unsavory acts.
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Requirements• Xcode (developer.apple.com)
– Command-line tools– Xcode-select --install– iOS Simulators
• Jailbroken iDevice (iPhone/iPad/iPod) *– Cydia Tools
• Vulnerable App– Swift.nV - https://github.com/nVisium/Swift.nV
* Only required to “test” apps from the App Store. **
Tools - Cydia Apps • Cycript• OpenSSH• Erica Utilities• Class Dump• GNU Debugger• network-cmds • BigBoss Recommended Tools
Tools - Swift.nV • INTENTIONALLY VULNERABLE• Training Tool - Not for production use
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Application Anatomy
Application Anatomy• .app Directory
–Folder with distributed binary and artifacts–iOS 8
•AppStore Apps - /var/mobile/Containers/Bundle/Application/<APP GUID>/Application.app/
•Pre-installed Apps - /Applications/Application.app/ –iOS 7
•AppStore Apps - /var/mobile/Applications/<APP GUID>/Application.app/
•Pre-installed Apps - /Applications/Application.app/
Application Anatomy• Info.plist
Application Anatomy• Deployed Application Data Directories• iOS 8
• /var/mobile/Containers/Data/Application/<APP_GUID>/• iOS 7
• /var/mobile/Applications/<APP_GUID> Documents/ Library/
Caches/Preferences/...
tmp/
Application Anatomy
Application Anatomy
Application Anatomy
Application Anatomy
Application Anatomy• Library/…
• Other folders may exist for specific purposes• Files not exposed to the user• SyncedPreferences/ - iCloud NSUserDefaults• Cookies/ - Persistent cookie values• Application Support/ - Other App files• FlurryFiles/ - iAd files
• tmp/• Scratch space• Can be cleared by iOS when App not running
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Data Storage• M2 in OWASP Mobile Top 10• Anything stored by the App on purpose• Data at rest on a mobile device• Majority of “mobile security” issues in the
news.• Relevant functionality
• Core Data• NSUserDefaults• Keychain• Documents• Cache
Attack!
Data Storage - Attack
Data Storage - Attack
Data Storage - Attack
Data Storage - Attack
Data Storage - Attack
Data Storage - Defense
Data Storage - Defense• Databases – Defenses
• Encryption (SQLCipher)• Rewrites crypto into database controller • Don’t store sensitive data on the device.
• Weaknesses• Key Storage
Data Storage - NSUserDefaults• Property Lists - Code
Data Storage - Attack• Property Lists
Data Storage - Attack• Property Lists - idb
Data Storage - Defense• Property List - Countermeasures
– Don’t store sensitive data using NSUserDefaults– When ignoring rule #1, encrypt the data– Use checksums or signatures to validate that
data returned from NSUserDefaults is appropriate– iOS Keychain
– For quick Keychain conversion, use a library– https://github.com/matthewpalmer/Locksmith
Data Storage - Defense• Keychain
– Mac OS X/iOS Password Manager– OS enforces security– CAREFUL
• Keychain can be accessed by apps running on jailbroken devices.
• idb – Don’t assume Keychain is secure.– Know your Keychain Attributes.– Layered Security
• The application will be used under the worst possible conditions, protect for THAT instance.
Data Storage - Defense• Keychain Analysis – know your attributes
Attribute Data is...
kSecAttrAccessibleWhenUnlocked Only accessible when device is unlocked.
kSecAttrAccessibleAfterFirstUnlock Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
kSecAttrAccessibleAlways Always accessible.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Only accessible when device is unlocked. Data is not migrated via backups.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
kSecAttrAccessibleAlwaysThisDeviceOnly
Always accessible. Data is not migrated via backups.
Data Storage - Defense• Keychain Analysis – know your attributes
Attribute Data is...
kSecAttrAccessibleWhenUnlocked Only accessible when device is unlocked.
kSecAttrAccessibleAfterFirstUnlock Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
kSecAttrAccessibleAlways Always accessible.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Only accessible when device is unlocked. Data is not migrated via backups.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
kSecAttrAccessibleAlwaysThisDeviceOnly
Always accessible. Data is not migrated via backups.
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Network Communications• M3 - Insufficient Transport Layer
Protection• Are network communications
secure?• Encryption (or not)• Key Handling• Ciphers• Proxy Communication
CodeMash Scanner?
Become a Sponsor!
Network Communications• LIVE DEMO
• Device: Jailbroken iPod Touch• Proxy: Burp Suite Pro • App: CodeMash Scanner
Volunteers?
Whoops
Network Communications• Issues Exploited during demo• Proxied Communications
• Do NOT require Jailbreak• Corporations implement proxies all the time• Accepting a proxy’s CA cert == full access to traffic
• Certificate Pinning• App doesn’t insure traffic isn’t being messed with.• Can be defeated with jailbroken device
• Web Service Vulnerabilities• Missing Function Level Access Control• Insecure Direct Object Reference
Network Communications
Network Communications• Defense
– Good: Use an Internal Certificate Authority and create certificates for all environments.
– Better: Buy actual certificates for all environments– Best: Pin the Certificate within the application to
public certificate or CA.continueWithoutCredentialForAuthenticationChallenge == BAD
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Client Side Injection• M7 - Client Side Injection• Fuzzing all application inputs
• Text Fields• URLSchemes• Stored Data (DBs, PLists, etc)
• Multiple Types• XSS/HTML • XML/JSON • ...
Injection• Text Field Injection
–Manually intensive
Client Side Injection• URLScheme Injection
• Safari FTW!• Still manual• location bar• Fuzz URL values• Info.plist
Client Side Injection
Client Side Injection
Client Side Injection• Demo - Injection with Swift.nV
Client Side Injection• Defense
• Input Validation• Don’t trust the user• Input Validation• Output Encoding• Input Validation
Client Side Injection
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Privacy• Revealing of PII• Location Information• Shoulder surfing• Physical Access
• Background screenshots• Borrowed Phone attacks
• Backups/Logs
FRIENDS DON’T LET FRIENDS LEAVE THEIR PHONE BEHIND
Background Screenshots
Logs
Logs
iOS Backup Analyzer
iOS Backup Analyzer
Privacy - Defense• Mask mask mask• No NSLog in production apps• What is stored on the device is
also stored in the backup
Agenda• Tools• Application Anatomy• Data Storage• Network Communications• Client Side Injection• Privacy
Other Mobile Concerns• Authentication• Authorization• Binary Protections• Cryptography• Unintended Functionality• Untrusted Input
Conclusion
Security is hard.
Try harder.
