Intro to Mobile Security Assessment:
Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.
Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously:
Led Global Application Security for F500 Insurance co.
• Focus on:
  - Application Security, Mobile Security, Source Code Review
• Partnerships:
Agenda
• Overview
• Attack Vectors
• Setup
• Basic Techniques
• Advanced Tech.
• Questions
Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.
RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can’t trust user input.
Mobile Assessment: Key Difference
• User-access to runtime environment
  - DEVS: **New perspective allows us to see everything you are doing**
VS...
Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of the sandbox, but are still limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Implement a new kernel, turn your phone into ???
Attack Vectors
• GSM Network
• GPS
• Applications (Malware)
• Application Vuln’s (Objective-C)
• Browser Exploits
• Web Services
• Bluetooth
• WIFI (Rogue Access Points)
• NFC/RFID
Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS
  - Android is more of a free-for-all
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag)
  - Rarely used in 3rd party applications
• Certificate Verification
• Device Encryption
Mobile Security Assessment
• Step #1 : Jailbreak
• Step #2 : ???
• Step #3 : PROFIT!!!
Jailbreak in 30 sec
• DISCLAIMER: BRICK WARNING!!!
• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
• DISCLAIMER: APPSTORE DEREGULATION!
• Beware of Jailbreak SCAMMERS!
• iPhone Dev Team (blog.iphone-dev.org)
• evad3rs Team (http://evasi0n.com/)
• Android is more complicated. (SuperOneclick)
  - Hardware/OS/Carrier dependent
Tools
• Jailbroken/Rooted Device
• Cydia Applications (tcpdump, sqlite, etc...)
• Android Debug Bridge (ADB)
• GDB (Runtime analysis)
• IDA Pro (Binary Reverse-Engineering)
• MobileSubstrate/Cycript
• BurpSuite (HTTP Analysis)
• Xcode/Eclipse (Custom development, binary tools)
Finding Targets
PLENTY of them out there…
650,000+ Applications in AppStore*
250,000+ listed for iPad
• App Store:
  - ~/Music/iTunes/iTunes Media/Mobile Applications
  - .ipa file (zip archive)
• On iOS:
  - /var/mobile/Applications/<UUID>/<AppName>.app/
*Source: Techcrunch, July 2012
Techniques
The easy stuff…
Mobile Hacking 101
• Gain Access
• Look for interesting data
  - Log Files
  - Databases
  - Crash Dumps
  - In-Transit
• Cause interesting execution
  - Form Input/Output
  - Application Redirects
Techniques: Log File Analysis
• Applications output/store lots of logging data.
  - ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
  - /private/var/log/system.log
Techniques: Data Storage
• SQLite
  - “Self-contained, zero-configuration, embeddable DB”
• Finding sqlite files…
• Automation FTW!
  - find . -exec file {} \;
Techniques: Data Storage
• Pulling out data…
  - SELECT * FROM <table>
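The two data-storage slides above describe finding SQLite files in an app container and pulling rows out of them. The following script is an added example (not from the deck) that automates both: it identifies databases by the SQLite magic header rather than by file extension, flags columns whose names suggest secrets stored in clear, and runs the slide's SELECT * with the table identifier quoted. The container it walks is constructed in a temp directory; the paths, table and column names are made up for the demonstration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"          # first 16 bytes of every SQLite 3 file
SENSITIVE_HINTS = ("pass", "pwd", "secret", "token", "pin", "ssn", "card")


def is_sqlite(path):
    """Identify by magic header, not extension: apps name databases .db, .sqlite, .dat or nothing."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_files(root):
    """Walk an app container (or a mounted device image) and return SQLite files relative to root."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_sqlite(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def quote_ident(name):
    """SQL identifiers cannot be bound as parameters, so double-quote them and escape embedded quotes."""
    return '"%s"' % name.replace('"', '""')


def sensitive_columns(path):
    """Map each user table to columns whose names suggest secrets that should not be on-device."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        report = {}
        for table in tables:
            cols = [r[1] for r in con.execute("PRAGMA table_info(%s)" % quote_ident(table))]
            flagged = [c for c in cols if any(h in c.lower() for h in SENSITIVE_HINTS)]
            if flagged:
                report[table] = flagged
        return report
    finally:
        con.close()


def dump_table(path, table):
    """The slide's SELECT * FROM <table>, with the identifier quoted."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT * FROM %s" % quote_ident(table)).fetchall()
    finally:
        con.close()


# ---- constructed sample container (not data from any real app) ----
def build_sample_container():
    root = tempfile.mkdtemp(prefix="app-container-")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Caches"))
    db = os.path.join(root, "Documents", "cache.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2')")
    con.commit()
    con.close()
    # extension says database, content does not: a plain text file named notes.db
    with open(os.path.join(root, "Library", "Caches", "notes.db"), "w") as fh:
        fh.write("just a text file\n")
    with open(os.path.join(root, "Library", "session.dat"), "wb") as fh:
        fh.write(b"\x00" * 64)
    return root


if __name__ == "__main__":
    root = build_sample_container()
    for rel in find_sqlite_files(root):
        full = os.path.join(root, rel)
        print(rel, sensitive_columns(full))
        for table in sensitive_columns(full):
            print("  ", table, dump_table(full, table))
```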
Techniques: SQL Injection
• Should look familiar...
Techniques: XSS Injection
• XSS is in there too...
  - Be careful with WebKit. (UIWebView object)
“Of the 197 vulnerabilities, 142 are related to WebKit...”, ZDNet review of iOS 6
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
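The snippet above pastes a user-controlled string straight into JavaScript source, so a value containing a double quote ends the literal and the rest runs as code. The following is an added example (not from the deck) that reproduces that format-string pattern in Python next to a hardened version that encodes the value as a proper JS string literal, and includes a small scanner that shows what source is left after the literal in each case. The payload and the `build_js_*` names are constructed for the demonstration.

```python
import json


def build_js_unsafe(user):
    # Mirrors the slide's initWithFormat:@"var v=\"%@\";" -- the value is pasted into JS source.
    return 'var v="%s";' % user


def js_string_literal(value):
    # json.dumps yields a double-quoted literal with quotes, backslashes, control characters
    # and (because ensure_ascii is on) U+2028/U+2029 escaped. '<' and '>' are escaped as well
    # in case the same script is ever embedded in an HTML page.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def build_js_safe(user):
    # Hardened form: the value can only ever be the contents of one string literal.
    return "var v=%s;" % js_string_literal(user)


def closing_quote(js, start):
    """Index of the quote that ends the literal opened at `start`, honouring backslash escapes."""
    i = start + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2
        elif js[i] == '"':
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")


def code_after_literal(js):
    """Source the interpreter sees after the string assigned to v: just ';' when nothing escaped."""
    start = js.index('"')
    return js[closing_quote(js, start) + 1:]


PAYLOAD = '";alert(document.cookie);//'      # constructed test input, e.g. typed into a form field

if __name__ == "__main__":
    for builder in (build_js_unsafe, build_js_safe):
        js = builder(PAYLOAD)
        print(js, "->", repr(code_after_literal(js)))
```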
Techniques: Proxy Intercept
• Certificate validation errors block interception.
  - Manually install the Burpsuite cert.
  - http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/
Techniques: Event Handler Abuse
• Apps can register their own handlers via plist files.
    - [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];
Techniques: Event Handler Abuse
• Finding interesting handlers…
  - $> strings <target>.app/<target> | grep "://" | grep -v "http"
<string>googlegmail://</string>
<string>googlegmail://</string>
<string>mgc://</string>
<string>currents://</string>
<string>googletranslate://</string>
<string>comgoogleshopper://</string>
<string>comgoogleearth://</string>
<string>googlelatitude://</string>
<string>googlebooks://</string>
<string>currents://</string>
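The strings of the form `<string>scheme://</string>` above come from the bundle's Info.plist, where CFBundleURLTypes registers each custom handler, and any app on the device can invoke a handler with a URL like the `myapp://?foo=urb&blerg=gah` example. The following added example (not part of the deck) reads the registered schemes from a constructed Info.plist and shows a handler that treats the incoming query as untrusted input: unknown parameters, repeated parameters, path components and values outside an allowlist are all rejected. The plist contents, the `myapp`/`myapp-beta` schemes and the parameter allowlist are assumptions for the demonstration.

```python
import plistlib
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Info.plist fragment (not from any real app); this is what the strings|grep on the
# slide is really picking up inside the bundle.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.myapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.myapp</string>
      <key>CFBundleURLSchemes</key>
      <array><string>myapp</string><string>myapp-beta</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Hypothetical allowlist for the slide's myapp://?foo=urb&blerg=gah handler
ALLOWED_PARAMS = {
    "foo": re.compile(r"^[a-z]{1,16}$"),
    "blerg": re.compile(r"^[a-z]{1,16}$"),
}


def registered_schemes(info_plist_bytes):
    """Every custom URL scheme the bundle registers (CFBundleURLTypes -> CFBundleURLSchemes)."""
    info = plistlib.loads(info_plist_bytes)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return schemes


def handle_open_url(url, schemes):
    """Validate an incoming openURL: call. Returns the accepted parameters, or None if anything
    is off. Any process on the device can send one of these, so nothing in it is trusted."""
    parts = urlsplit(url)
    if parts.scheme not in schemes:
        return None
    if parts.netloc or parts.path or parts.fragment:       # this handler only defines query params
        return None
    accepted = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = ALLOWED_PARAMS.get(key)
        if pattern is None or len(values) != 1 or not pattern.match(values[0]):
            return None
        accepted[key] = values[0]
    return accepted


if __name__ == "__main__":
    schemes = registered_schemes(SAMPLE_INFO_PLIST)
    print("registered:", schemes)
    for url in ("myapp://?foo=urb&blerg=gah", "myapp://?foo=urb&evil=1", "myapp:///etc/passwd"):
        print(url, "->", handle_open_url(url, schemes))
```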
Advanced Techniques
The FUN stuff…
Advanced Techniques: Overview
• Binary Decryption
  - API Tokens
  - Hard-coded Passwords
• Passive/Active Fuzzing
• Reverse Engineering
  - Token Generation Algorithms
• Runtime Execution Interception/Manipulation
  - Interesting “hidden” methods
  - Web Services API’s
Advanced Techniques: Objective-C (iOS) Primer
• Abstraction of Standard C
  - Based on Smalltalk
  - Designed to be “Object-oriented easy.”
  - The good old days: Buffer Overflows, Format Strings, etc... RETURN!!!
Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
  - Display file headers (Mach-O and Universal)
  - Display Crypt segment info
  - Dump machine code
  - List Shared Libraries
• ARM Processors
  - RISC instruction set
  - Little-endian representation
Advanced Techniques: iOS Binary Inspection
• Universal Binaries
  - Contain multiple versions
    - otool -f <file>
  - May be encrypted
    - otool -l <file> | grep LC_ENCRYPTION_INFO -B1 -A4
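The otool pipeline above answers two questions by eye: is the binary universal, and does LC_ENCRYPTION_INFO report cryptid=1 (still App Store encrypted) or 0 (stored in clear)? The same header also carries the MH_PIE flag that the Security Controls slide says third-party apps rarely set. The following is an added example (not from the deck) that parses those headers directly from Mach-O bytes: it unwraps a universal (fat) container, walks the load commands of each slice, and reports the PIE flag and cryptid per architecture so a build can be checked before it ships. The sample binaries are constructed in the script from packed header structs; they are not real app slices. Constant values are the ones from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian on disk for ARM
FAT_MAGIC = 0xCAFEBABE                           # fat header is big-endian on disk
MH_EXECUTE = 0x2
MH_PIE = 0x200000                                # header flag: image base can be randomised
LC_ENCRYPTION_INFO = 0x21                        # 32-bit images
LC_ENCRYPTION_INFO_64 = 0x2C                     # 64-bit images (one extra pad field)
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000
ARCH_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_image(blob, off=0):
    """Parse one thin Mach-O at `off`; return cputype, PIE flag and cryptid (None if absent)."""
    magic = struct.unpack_from("<I", blob, off)[0]
    if magic == MH_MAGIC:
        hdr_len, fmt = 28, "<7I"
    elif magic == MH_MAGIC_64:
        hdr_len, fmt = 32, "<8I"          # mach_header_64 adds a reserved field
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % off)
    hdr = struct.unpack_from(fmt, blob, off)
    cputype, ncmds, flags = hdr[1], hdr[4], hdr[6]
    info = {"cputype": cputype, "pie": bool(flags & MH_PIE), "cryptid": None}
    pos = off + hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmdsize < 8 or pos + cmdsize > len(blob):
            raise ValueError("malformed load command at %#x" % pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            info["cryptid"] = struct.unpack_from("<I", blob, pos + 16)[0]
        pos += cmdsize
    return info


def inspect_binary(blob):
    """One info dict per architecture, unwrapping a universal (fat) binary if present."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        images = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            images.append(parse_image(blob[offset:offset + size]))
        return images
    return [parse_image(blob)]


def findings(blob):
    """Defender-side checks: every slice should be PIE; an App Store build should have cryptid=1."""
    out = []
    for img in inspect_binary(blob):
        arch = ARCH_NAMES.get(img["cputype"], hex(img["cputype"]))
        if not img["pie"]:
            out.append("%s: built without PIE, ASLR will not randomise the image base" % arch)
        if img["cryptid"] is None:
            out.append("%s: no LC_ENCRYPTION_INFO (not an App Store build, or command stripped)" % arch)
        elif img["cryptid"] == 0:
            out.append("%s: cryptid=0, the __TEXT segment is stored in clear (decrypted copy)" % arch)
    return out


# ---- constructed sample binaries: a header and one load command each, no code ----
def build_image(is64, pie, cryptid):
    if cryptid is None:
        cmds = b""
    else:
        cmd = LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO
        cmds = struct.pack("<5I", cmd, 24 if is64 else 20, 0x4000, 0x8000, cryptid)
        if is64:
            cmds += b"\0" * 4                                    # pad field of the 64-bit variant
    ncmds, flags = (1 if cmds else 0), (MH_PIE if pie else 0)
    if is64:
        hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, ncmds, len(cmds), flags, 0)
    else:
        hdr = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE, ncmds, len(cmds), flags)
    return hdr + cmds


def build_fat(images):
    """Wrap thin images in a universal container (fat_header + fat_arch table, big-endian)."""
    header = struct.pack(">II", FAT_MAGIC, len(images))
    offset = 8 + 20 * len(images)
    archs, body = b"", b""
    for img in images:
        cputype = struct.unpack_from("<I", img, 4)[0]
        archs += struct.pack(">5I", cputype, 0, offset + len(body), len(img), 0)
        body += img
    return header + archs + body


SAMPLE_FAT = build_fat([
    build_image(is64=False, pie=False, cryptid=1),   # 32-bit slice: still encrypted, no PIE
    build_image(is64=True, pie=True, cryptid=0),     # 64-bit slice: PIE, but stored decrypted
])
SAMPLE_THIN = build_image(is64=True, pie=True, cryptid=None)

if __name__ == "__main__":
    for line in findings(SAMPLE_FAT) + findings(SAMPLE_THIN):
        print(line)
```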
Advanced Techniques: iOS Runtime Inspection
• Anti-Debugging (The Anti-BYOD part)
  - ptrace PT_DENY_ATTACH
  - sysctl check
  - Known files
  - Binary Packing
  - Code Checksums
  - Driver Checks
  - Timing Measurements
  - Code Obfuscation
  - Junk Code
Advanced Techniques: iOS Runtime Inspection
• GDB
  - Execute/load binary
  - Breakpoint on start address 0x2000 (PIE may cause this to move on you)
  - gdb $> dump memory <filename> <start address> <end address>
Advanced Techniques: iOS Binary Inspection, Unencrypted
• IDA Pro Binary graphing/analysis…
IDA Pro: What to look for?
• Using the Apple DEV reference
  - File Writes
  - Network Connections
  - Keychain Access
  - UI Form Fields
Advanced Techniques: iOS Runtime Manipulation
• Cycript - Javascript/Obj-C Interpreter
  - Hook active apps via Mobile Substrate
  - Interact with binaries in runtime using JS
http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript_Tricks
• Example:
cy# [SBAwayController.sharedAwayController isPasswordProtected]
1
cy# [UIApp.keyWindow recursiveDescription]
<KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
| <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
| | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
| | | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
| | | | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
| | | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
| | | | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
| | | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
| | | | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>
Advanced Techniques: iOS Runtime Manipulation
Advanced Techniques: Fuzzing
• Custom scripts… (Python, Ruby, Javascript)
• Dumb or Smart
  - Mutation-Based: Randomly substitute data.
  - Generation-Based: Substitute based on RFCs or standards.
• Classic Targets
  - Any file types. (PDF, PPT, etc…)
  - Protocols (HTTP, SMS, Push Notifications, etc...)
  - Image formats (PNG, TIFF, etc…)
Passive Fuzzing - iOS
• Using MobileSubstrate:
• What can we do with this?
  - Application Tracing/Logging (filesystem, network, etc...)
  - Turn off Jailbreak detection
  - Fake GPS data... (think: location-aware security)
  - The possibilities get scarier as trust grows...
Advanced Techniques: iOS Runtime Manipulation
Trey Keifer
847-239-5626
trey.keifer@wireharbor.com
Twitter: @wireharbor
Facebook: facebook.com/wireharbor
http://www.wireharbor.com
THANK YOU!!!

Mais conteúdo relacionado

Mais procurados

Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
from Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesfrom Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesKai Aras
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDefconRussia
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
Session 1 - Introduction to iOS 7 and SDK
Session 1 -  Introduction to iOS 7 and SDKSession 1 -  Introduction to iOS 7 and SDK
Session 1 - Introduction to iOS 7 and SDKVu Tran Lam
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
ios-mobile-app-development-intro
ios-mobile-app-development-introios-mobile-app-development-intro
ios-mobile-app-development-introRemesh Govind M
 
Layer architecture of ios (1)
Layer architecture of ios (1)Layer architecture of ios (1)
Layer architecture of ios (1)dwipalp
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 

Mais procurados (20)

Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
from Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesfrom Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slides
 
iOS Basics
iOS BasicsiOS Basics
iOS Basics
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
iOS platform
iOS platformiOS platform
iOS platform
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
Apple iOS
Apple iOSApple iOS
Apple iOS
 
Session 1 - Introduction to iOS 7 and SDK
Session 1 -  Introduction to iOS 7 and SDKSession 1 -  Introduction to iOS 7 and SDK
Session 1 - Introduction to iOS 7 and SDK
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
ios-mobile-app-development-intro
ios-mobile-app-development-introios-mobile-app-development-intro
ios-mobile-app-development-intro
 
Layer architecture of ios (1)
Layer architecture of ios (1)Layer architecture of ios (1)
Layer architecture of ios (1)
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 

Semelhante a Mobile Security Assessment: 101

Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2FIWARE
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648Eing Ong
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
iOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomeriOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomerAndri Yadi
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Android Workshop
Android WorkshopAndroid Workshop
Android WorkshopJunda Ong
 
Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)ColdFusionConference
 
FI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS BasicsFI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS BasicsPetr Dvorak
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious ChargersMACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious ChargersJoon Young Park
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 

Semelhante a Mobile Security Assessment: 101 (20)

Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
iOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomeriOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for Jasakomer
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Android Workshop
Android WorkshopAndroid Workshop
Android Workshop
 
Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)
 
FI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS BasicsFI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS Basics
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious ChargersMACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Ios development
Ios developmentIos development
Ios development
 

Último

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Último (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

Mobile Security Assessment: 101

1. Intro to Mobile Security Assessment: Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.

2. Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously: Led Global Application Security for F500 Insurance co.
• Focus on:
 Application Security, Mobile Security, Source Code Review
• Partnerships:

3. Agenda
• Overview
• Attack Vectors
• Setup
• Basic Techniques
• Advanced Tech.
• Questions

4. Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.

5. RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can’t trust user input.

6. Mobile Assessment: Key Difference
• User-access to runtime environment
 DEVS: **New perspective allows us to see everything you are doing**
VS...

7. Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of the sandbox, but are still limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Implement a new kernel, turn your phone into ???

8. Attack Vectors
• GSM Network
• GPS
• Applications (Malware)
• Application Vuln’s (Objective-C)
• Browser Exploits
• Web Services
• Bluetooth
• WIFI (Rogue Access Points)
• NFC/RFID

9. Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS
 Android is more of a free-for-all
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag)
 Rarely used in 3rd party applications
• Certificate Verification
• Device Encryption

10. Mobile Security Assessment
• Step #1 : Jailbreak
• Step #2 : ???
• Step #3 : PROFIT!!!

11. Jailbreak in 30 sec
• DISCLAIMER: BRICK WARNING!!!
• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
• DISCLAIMER: APPSTORE DEREGULATION!
• Beware of Jailbreak SCAMMERS!
• iPhone Dev Team (blog.iphone-dev.org)
• evad3rs Team (http://evasi0n.com/)
• Android is more complicated. (SuperOneclick)
 Hardware/OS/Carrier dependent

12. Tools
• Jailbroken/Rooted Device
• Cydia Applications (tcpdump, sqlite, etc...)
• Android Debug Bridge (ADB)
• GDB (Runtime analysis)
• IDA Pro (Binary Reverse-Engineering)
• MobileSubstrate/Cycript
• BurpSuite (HTTP Analysis)
• Xcode/Eclipse (Custom development, binary tools)

13. Finding Targets
PLENTY of them out there…
650,000+ Applications in AppStore*
250,000+ listed for iPad
• App Store:
 ~/Music/iTunes/iTunes Media/Mobile Applications
 .ipa file (zip archive)
• On iOS:
 /var/mobile/Applications/<UUID>/<AppName>.app/
*Source: Techcrunch, July 2012

15. Mobile Hacking 101
• Gain Access
• Look for interesting data
 Log Files
 Databases
 Crash Dumps
 In-Transit
• Cause interesting execution
 Form Input/Output
 Application Redirects

16. Techniques: Log File Analysis
• Applications output/store lots of logging data.
 ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
 /private/var/log/system.log

17. Techniques: Data Storage
• SQLite
 “Self-contained, zero-configuration, embeddable DB”
• Finding sqlite files…
• Automation FTW!
 find . -exec file {} \;

18. Techniques: Data Storage
• Pulling out data…
 SELECT * FROM <table>
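Slides 17 and 18 locate SQLite stores with find/file and read them with SELECT *. The Python below is an added example, not part of the deck: it identifies SQLite files by their 16-byte magic rather than by extension (the equivalent of the find -exec file {} \; one-liner) and then lists columns whose names suggest secrets kept on-device. The directory tree it scans is a constructed fixture, and the SENSITIVE name list is an assumed heuristic.

```python
import os, sqlite3, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
SENSITIVE = ("password", "passwd", "token", "secret", "ssn")  # assumed heuristic, extend as needed

def find_sqlite_files(root):
    """Like find . -exec file {} ; on the slide: detect SQLite by magic, not by extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, keep walking
    return sorted(hits)

def quote_ident(name):
    """Double-quote an SQL identifier so table names read from the file cannot alter the query."""
    return '"%s"' % name.replace('"', '""')

def sensitive_columns(path):
    """Return (table, column) pairs whose names suggest secrets stored on-device in clear."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]
        return [(t, col[1]) for t in tables
                for col in con.execute("PRAGMA table_info(%s)" % quote_ident(t))
                if any(k in col[1].lower() for k in SENSITIVE)]
    finally:
        con.close()

def build_sample_dir():
    """Constructed fixture: a real SQLite DB under a misleading name plus a decoy .db file."""
    root = tempfile.mkdtemp()
    db = os.path.join(root, "Library", "Caches", "cache.dat")
    os.makedirs(os.path.dirname(db))
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("CREATE TABLE sessions (id INTEGER, auth_token TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'a@example.com', 'hunter2')")
    con.commit()
    con.close()
    with open(os.path.join(root, "settings.db"), "wb") as fh:
        fh.write(b"not really a database")  # the extension lies; the magic check ignores it
    return root
```

Once a hit is found, the slide's SELECT * FROM <table> pulls the rows; the column scan above tells you which tables are worth pulling first.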
19. Techniques: SQL Injection
• Should look familiar...

20. Techniques: XSS Injection
• XSS is in there too...
 Be careful with WebKit. (UIWebView object)
“Of the 197 vulnerabilities, 142 are related to WebKit...”, ZDNet review of iOS 6
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
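A Python stand-in for the Objective-C pattern on slide 20, added here and not the deck's own code: unsafe_js pastes the value into the string literal the way the initWithFormat: call does, safe_js emits it as a JSON string literal (which is also a valid JavaScript literal) so quotes, backslashes, control characters and U+2028/U+2029 come out escaped, and statement_count shows which of the two lets a value break out of the literal before it reaches the web view.

```python
import json

def unsafe_js(user):
    """The slide's pattern: the raw value is pasted inside a JS string literal."""
    return 'var v="%s";' % user

def safe_js(user):
    """Emit the value as a JSON string literal instead. With ensure_ascii on, quotes,
    backslashes, control characters and the JS line terminators U+2028/U+2029 are
    all escaped, so the value can never close the literal early."""
    return "var v=%s;" % json.dumps(user, ensure_ascii=True)

def statement_count(js):
    """Count ';' outside double-quoted literals, honouring backslash escapes.
    A value that stays inside its literal leaves exactly one statement; a
    breakout adds more (single-quoted literals are not modelled here)."""
    count, in_str, escaped = 0, False, False
    for ch in js:
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == ";":
            count += 1
    return count
```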
21. Techniques: Proxy Intercept
• Certificate errors are validated, so the proxy's certificate has to be trusted by the device.
 Manually install Burpsuite cert.
 http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/

22. Techniques: Event Handler Abuse
• Apps can register their own handlers via plist files.
o [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];

23. Techniques: Event Handler Abuse
• Finding interesting handlers…
 $> strings <target>.app/<target> | grep "://" | grep -v "http"
<string>googlegmail://</string>
<string>googlegmail://</string>
<string>mgc://</string>
<string>currents://</string>
<string>googletranslate://</string>
<string>comgoogleshopper://</string>
<string>comgoogleearth://</string>
<string>googlelatitude://</string>
<string>googlebooks://</string>
<string>currents://</string>

25. Advanced Techniques: Overview
• Binary Decryption
 API Tokens
 Hard-coded Passwords
• Passive/Active Fuzzing
• Reverse Engineering
 Token Generation Algorithms
• Runtime Execution Interception/Manipulation
 Interesting “hidden” methods
 Web Services API’s

26. Advanced Techniques: Objective-C (iOS) Primer
• Abstraction of Standard C
 Based on Smalltalk
 Designed to be “Object-oriented easy.”
 The good old days: Buffer Overflows, Format Strings, etc... RETURN!!!

27. Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
 Display file headers (Mach-O and Universal)
 Display Crypt segment info
 Dump machine code
 List Shared Libraries
• ARM Processors
 RISC instruction set
 Little-endian representation

28. Advanced Techniques: iOS Binary Inspection
• Universal Binaries
 Contain multiple versions
o otool -f <file>
 May be encrypted
o otool -l <file> | grep LC_ENCRYPTION_INFO -B1 -A4
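Slide 28's otool -l | grep LC_ENCRYPTION_INFO check, as an added Python example (not the deck's code) that needs no otool: it walks a fat or thin Mach-O, reads LC_ENCRYPTION_INFO(_64) from each architecture slice and reports cryptid (1 = still FairPlay-encrypted, 0 = decrypted). The constants are the values from Apple's loader.h and fat.h; build_thin and build_fat construct minimal sample binaries for the demo, and real binaries carry many more load commands than these fixtures.

```python
import struct
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0xC, 0x0100000C
HEADER_LEN = {MH_MAGIC: 28, MH_MAGIC_64: 32}  # 64-bit header carries an extra reserved field

def slices(blob):
    """Yield (offset, size) of every thin Mach-O in blob; the fat header is big-endian."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        yield 0, len(blob)
        return
    for i in range(struct.unpack_from(">I", blob, 4)[0]):
        _, _, off, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
        yield off, size

def encryption_info(blob):
    """Per slice: cputype plus cryptoff/cryptsize/cryptid from LC_ENCRYPTION_INFO(_64).
    cryptid 1 = still FairPlay-encrypted (App Store copy), 0 = decrypted, None = no command."""
    out = []
    for off, size in slices(blob):
        magic, cputype = struct.unpack_from("<II", blob, off)  # ARM slices are little-endian
        if magic not in HEADER_LEN:
            raise ValueError("no Mach-O header at 0x%x" % off)
        ncmds = struct.unpack_from("<I", blob, off + 16)[0]
        info = {"cputype": cputype, "cryptoff": None, "cryptsize": None, "cryptid": None}
        pos = off + HEADER_LEN[magic]
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<II", blob, pos)
            if cmdsize < 8 or pos + cmdsize > off + size:
                raise ValueError("malformed load command at 0x%x" % pos)
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                fields = struct.unpack_from("<III", blob, pos + 8)
                info.update(zip(("cryptoff", "cryptsize", "cryptid"), fields))
            pos += cmdsize
        out.append(info)
    return out

def build_thin(cputype, cryptid, is64=False):
    """Constructed fixture: a bare header plus one LC_ENCRYPTION_INFO(_64) command."""
    cmd, cmdsize = (LC_ENCRYPTION_INFO_64, 24) if is64 else (LC_ENCRYPTION_INFO, 20)
    pad = b"\0" * 4 if is64 else b""  # reserved header field / command padding
    lc = struct.pack("<5I", cmd, cmdsize, 0x1000, 0x4000, cryptid) + pad
    hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 2, 1, len(lc), 0)
    return hdr + pad + lc

def build_fat(thins):
    """Constructed fat wrapper; real slices are page-aligned, which the parser does not need."""
    off, archs, body = 8 + 20 * len(thins), b"", b""
    for t in thins:
        archs += struct.pack(">5I", struct.unpack_from("<I", t, 4)[0], 0, off + len(body), len(t), 0)
        body += t
    return struct.pack(">II", FAT_MAGIC, len(thins)) + archs + body
```

Point encryption_info at the bytes of a real <target>.app/<target> to get the same answer the otool pipeline gives, one entry per slice.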
29. Advanced Techniques: iOS Runtime Inspection
• Anti-Debugging (The Anti-BYOD part)
 ptrace PT_DENY_ATTACH
 sysctl check
 Known files
 Binary Packing
 Code Checksums
 Driver Checks
 Timing Measurements
 Code Obfuscation
 Junk Code

30. Advanced Techniques: iOS Runtime Inspection
• GDB
 Execute/load binary
 Breakpoint on start address 0x2000 (PIE may cause this to move on you)
gdb $> dump memory <filename> <start address> <end address>

31. Advanced Techniques: iOS Binary Inspection, Unencrypted
• IDA Pro Binary graphing/analysis…

32. IDA Pro: What to look for?
• Using the Apple DEV reference
 File Writes
 Network Connections
 Keychain Access
 UI Form Fields

33. Advanced Techniques: iOS Runtime Manipulation
• Cycript - Javascript/Obj-C Interpreter
 Hook active apps via Mobile Substrate
 Interact with binaries in runtime using JS
http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript_Tricks

34. Advanced Techniques: iOS Runtime Manipulation
• Example:
cy# [SBAwayController.sharedAwayController isPasswordProtected]
1
cy# [UIApp.keyWindow recursiveDescription]
<KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
   | <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
   |    | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
   |    |    | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
   |    |    |    | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
   |    |    | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
   |    |    |    | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
   |    |    | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
   |    |    |    | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>

35. Advanced Techniques: Fuzzing
• Custom scripts… (Python, Ruby, Javascript)
• Dumb or Smart
 Mutation-Based: Randomly substitute data.
 Generation-Based: Substitute based off RFC or Standards.
• Classic Targets
 Any file types. (PDF, PPT, etc…)
 Protocols (HTTP, SMS, Push Notifications, etc...)
 Image formats (PNG, TIFF, etc…)

36. Passive Fuzzing - iOS
• Using MobileSubstrate:

37. Advanced Techniques: iOS Runtime Manipulation
• What can we do with this?
 Application Tracing/Logging (filesystem, network, etc...)
 Turn off Jailbreak detection
 Fake GPS data... (think: location-aware security)
 The possibilities get scarier as trust grows...

38. Trey Keifer
847-239-5626
trey.keifer@wireharbor.com
Twitter: @wireharbor
Facebook: facebook.com/wireharbor
http://www.wireharbor.com
THANK YOU!!!