SlideShare uma empresa Scribd logo

Pentesting iOS Applications

Transferir como PPTX, PDF
jasonhaddix
jasonhaddix

A brief overview of iOS application hacking techniques.

Tecnologia
1 de 78
Penetration Testing For iOS Applications
NSLog (@”Hello, OWASP!”); • About me! • Jason Haddix – Director of Penetration Testing HP Fortify • Former Netpen guy • Current Mobile and Webpen guy • ShadowLabs Guy
• Fortify on Demand does dynamic testing for web apps, mobile, special projects, bakeoffs, etc… • That’s us
Rough Agenda (we will digress) • Quick Overview of the iPhone Platform • Threat Modeling 3rd party applications • Environment Setup • Whitebox Assessments • Blackbox Assessments
Tech Stack 800 MHz dual-core ARM Objective-C Language Processor Core Services + Cocoa (Media & UI APIs) iOS (fork of Darwin Operating (fork of BSD)) System ARM Executables
What does an iOS Application Look Like? • iOS Applications: – In Development with Apple SDK Xcode: • Distributed as XCode Project Folders – Compiled and deployed through the app store: • Compiled as ARM • Distributed as “.ipa” files • zip files containing app resources and ARM executable • Deployed as “.app” directories • Executable code is: – encrypted with FairPlay DRM (AES) – signed with Apple’s signature
What does an iOS Application Look Like? Deployed to Compiled to Packaged as Objective - C phone file ARM and IPA file with (in Xcode) system as .app encrypted resources directory
Types of iOS Applications • Web Applications: – HTML + CSS + JavaScript – Run inside Safari/Webkit • Native Applications: – Written in Objective-C (+ C/C++) – Compiled into ARM for actual devices, x86 for iOS Simulator
Objective-C Objective-C is a superset of C, this means all C code still applies. [self doSomethingWithVar:var1];
How do we Test?  Two different approaches to testing:  Whitebox testing  Full information and source code provided  Blackbox testing  No code or information provided  Working only with downloadable app  Three areas to focus on:  Attack the network communication  Attack the server component  Attack the client component
Methodology Breakdown
Threat Modeling 3rd Party Apps  Identify business objectives  Identify user roles that will interact with the application  Track higher and lower roles functions  Identify the data the application will manipulate  PII vs Non-PII  Credentials & access  Where is it stored?  What happens if the user loses his Phone? Or it’s stolen?  Individual applications data lost, how bad is it?  What happens if there’s an OS/Kernel exploit? (silent jailbreak)  Mass user data loss, always bad
Reminders  Many apps will encode sensitive data, not encrypt. Look for:  Base64  cGFzc3dvcmQ=  Hex  70617373776f7264  Decimal  112 97 115 115 119 111 114 100  Md5  5f4dcc3b5aa765d61d8327deb882cf99  SHA1  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Reminders PII for a mobile app can be different that what you expect. Look for:  Updates to Social media  Usernames  Chat logs  Passwords  cookies  UDID  Geolocation/address/zip  DOB  Device Name  Network Connection Name  Application Data
Hardware Encryption and MDM Will Save Us!  Hardware encryption in iOS only applies where specifically called and to mail and SMS  Key to unencrypt the data is stored in effaceable storage.  Hardware encryption without MDM is susceptible to brute force attacks  24 min to break a 4 digit PIN  Hardware encryption with MDM, with remote wipe enabled, and long PIN  Best option http://goo.gl/HcHXN
The big takeaway with iOS Encryption?  Physical access wins!  Plus you can always pulls some super cool spy http://goo.gl/UWtg moves!
Whitebox Testing
WhiteBox Environment Setup Tool List:  SQLite Manger  Your Mac:  FuzzDB  Xcode (newest)  Command Line Knowledge  Build/analyze/clang  Property List Editor  Plutil  otool  Instruments  Wireshark/Tshark/…  netcat  Nmap  Burp Suite  Flawfinder http://goo.gl/kX6PA
Anatomy of an Application in iOS Sim  Show all files: defaults write com.apple.Finder AppleShowAllFiles YES  Users/$username/Library/Application Support/iPhone Simulator/Applications/$appID  ./Documents = properties, logs  ./Library/Caches = cachey things  ./Library/Caches/Snapshots = screenshots of your app  ./Library/Cookies = cookie plists  ./Library/Preferences = various preference plists  ./Library/WebKit = WebKit local storage  ./Appname.app = app resources: binary, graphics, nibs, Info.plist  ./tmp = tmp and logs sometimes *David Thiel, Secure iOS Development, iSec Partners
Whitebox – Client-Side Testing  Analyze/SCA Tools  Identify HTTP(S) and web service URLs  Parse Web Service Functions  Identify Filesystem Interaction & Data Storage  Manual Source code Inspection
Analyzing & SCA Tools  Build and Analyze  Funnily enough Xcode has a built in source code scanner formerly known as CLANG.  http://clang-analyzer.llvm.org/available_checks.html  Use it to find:  memory leaks  accessing uninitialized variables  dereferencing null pointers
Analyzing Preferences -> show line numbers
SCA  Fortify already supports C libraries.  Fortify Objective-C  Flawfinder  http://www.dwheeler.com/flawfinder/  http://msdn.microsoft.com/en- us/library/bb288454.aspx
Identifying HTTP(S) and WS Calls  Parse source code path for all URLs and Web Services the app is calling:  Command (dirty):  grep -r -a "://" $project_path | awk -F "http" '{print $2}' |sort –u  :// represents standard http  s:// is https call  Or in X-Code search for ://  Since we’re in source this will give us URLs in comments as well
Identifying HTTP(S) and WS Calls  Output:
Parsing WS/API Functions  Follow up on interesting links by tracking down the file it appeared in:  grep -r -F “://interestingURL”  Hopefully doing this you will find NSUrl / constant definitions or variable names.
Parsing WS/API Functions
Parsing WS/API Functions
Parsing WS/API Functions  Now we can track down associated GETS and POSTS with Parameters, searching for the constant/variable names:  Now we have a better mapping of the WS and its calls  Avoid the .svn directories  | Grep –v .svn
Identifying File System and Data Storage  iOS apps use a variety of methods for storage… almost all of them suck. Basically any credential or PII stored on the client side is 80% of the time a vulnerability.
Identifying File System and Data Storage  Bundled with X-code in Lion is Instruments which we can use to monitor the iOS simulator and what our target application does. You can compare it to several SysInternals tools. The type of data it can capture includes:  File Activity monitoring  Memory Monitoring  Process Monitoring – similar to procmon  Network Monitoring – similar to netmon  The tool can be launched from the Xcode Menu -> Open Developer Tool-> Instruments
Identifying File System and Data Storage instruments-the-mac, http://goo.gl/mKoiQ
Identifying File System and Data Storage  Areas of interest:  Plists  SQLite3 Databases  Keychain  Temp Files
Plists  Used by iPhone to store saved properties and data  XML  Binary (compressed XML) (depreciated)  The binary plists need converting, you can use:  plutil to convert to XML  Property List Editor (in XCode)  plists contain all kinds of juicy information. Check for:  Cookies, emails, usernames, passwords, sensitive application data, client side role identifiers, protocol handlers, etc.
Plists  Run app in simulator, provide credentials to everything you can, use the app thoroughly.  App creds  Twitter  Facebook
Plists Frank Kim, SANS Appsec Blog, http://goo.gl/f0HsM
Plists  A bit about URLSchemes:  Locate Info.plist file. Open with “Property List Editor” or  convert to XML: plutil -convert xml1 Info.plist  The info.plist will define any custom protocol handlers
Plists Plutil: Foundstone Pentesting iPhone , http://goo.gl/g79pY
SQLite  A lot of iOS applications sensitive data in SQLite3 databases on the device.  Sqlite3 does not have built-in support for encryption.
SQLite  There are extensions (CEROD is one, sqlcipher is another) that support encryption, but the code is not publicly available, you need to license it. Apple has not, so the included version of sqlite3 does not support encrypted databases.  Still dangerous to store stuff client side. Even with extensions you can reverse out encryption keys () from the memory of a jailbroken phone and decrypt the database.or breakpoint after decryption) to bypass:  Cerod is as simple as looking for “cerod:passwd” or break pointing and pulling out of memory:  sqlite3_open(":cerod:passwd:filename.db", &db);  http://www.hwaci.com/sw/sqlite/cerod.html
KeyChain  Keychain = Encrypted container for storing sensitive information  Smarter devs store passwords and sensitive data using the keychain. Unfortunately with access to a phone and jailbreaking we can unencrypt the keychain and dump the contents.  See what you app is using the KC for:  grep -r -F “kSecAttr" $project_path/ | grep -v .svn  Or “SFHFKeychainUtils”  Threat Model this data… We will go over blackbox methods for dumping the KC later.
Side Channel Data Leakage  iOS apps have a number of “features” that can be security vulnerabilities.  Logging Files  Caching  File Caching  Keyboard Caching  Snapshot Caching  Clipboard Caching
Logging  iOS Logs lots of data, NSLog especially, They can be viewed after the fact in:  ~/Library/Logs/CrashReporter/MobileDevice/<Device name>/private/var/log/system.log  Custom Logging:  NSLog:  grep -r -F “NSLog" $project_path/ | grep -v .svn  Can be viewed in you mac “console” app under utilities
File Caching  If the application uses PDF, Excel, or other files it may be possible that these files may have been cached on the device. These can be found at:  ~/Library/Application Support/iPhone simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf
Keyboard Caching  Keystrokes for predictive spellcheck are stored in:  ~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat  This issue is similar to autocomplete for web browsers.  Already disabled for password fields  Should be disabled for any potentially sensitive fields (account numbers, SSN, etc, etc…)  Set UITextField property autocorrectionType = UITextAutocorrectionNo for mitigation.
Snapshot Caching  When in an application and the home button is pushed, the application stores a snapshot (screenshot) in the apps snapshot folder:  ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/  These persist until reboot.  Hopefully you weren’t on a screen with any sensitive data!
Snapshot Caching Frank Sims, SANS, http://goo.gl/aFQrx
Manual Source Review  Just some pointers, not full blown manual sca:  Insufficient transport – identify bad SSL  Injection  SQL  XSS  Format String  LFI
SQL Injection Client-Side SQL injection is a problem on the client side too! BAD: NSString *sql = [NSString stringWithFormat:@"SELECT name FROM products WHERE id = '%@'", id]; const char *query = [sql UTF8String]; GOOD: const char *sql = "SELECT name FROM products WHERE id = ?"; sqlite3_prepare_v2(database, sql, -1, &sql_statement, NULL); sqlite3_bind_text(&sql_statement, 1, id, -1, SQLITE_TRANSIENT); Ilja van Sprundel; IOActiveAuditting iPhone and iPad applications
XSS Client-Side UIwebView • Renders web content inside an application with webkit: • Javascript • HTML • PDF • Office Documents (XLS, PPT, DOC) • iWork Documents (Pages, Numbers, Keynote) •If the webView is based off of user input XSS can be triggered
XSS Client-Side Can occur whenever user controlled Objective C variables populated in to WebView stringByEvaluatingJavaScriptFromString NSString *javascript = [[NSString alloc] initWithFormat:@"var myvar="%@";", username]; [mywebView stringByEvaluatingJavaScriptFromString:javascript]; Ilja van Sprundel; IOActiveAuditting iPhone and iPad applications
Other Injection Attacks LFI’s : User controlled input to NSFileManager can lead to LFI’s (../../../../) Format String attacks…
Format String Attacks vulnerable obj-c methods: • NSLog() • *NSString stringWithFormat:] • *NSString initWithFormat:] • *NSMutableString appendFormat:] • *NSAlert informativeTextWithFormat:] • *NSPredicate predicateWithFormat:] • *NSException format:] • NSRunAlertPanel
Whitebox – Network & Server Testing  Insufficient Transport  Proxy Simulator  SSL Checking  Pulling items out of streams  Web Service Testing
Proxying The Simulator  Network -> Advanced -> Proxies ->
Proxying The Simulator  Network -> Advanced -> Proxies -> Web Proxy & Secure Web Proxy
Proxying The Simulator  SSL Sucks =(  Get Burp cert  iOS simulator needs the cert stored in the ~/Library/Application Support/iPhone Simulator/<SDK version>/Library/Keychains/ directory on your Mac  Use python script by Gotham Digital Science to add the cert to the db:  https://github.com/GDSSecurity/Add-Trusted-Certificate-to-iOS- Simulator  python add_ca_to_iossim.py PortSwiggerCA.cer
Blackbox Testing
Blackbox– Client-Side Testing  Jealbreak and install Cydia Package manager  Identify application directories  Obtain app  Parse out some server information  Install proxy certificate on phone  Proxy phone  Additional tools
Blackbox Environment Setup Tool List:  SQLite Manager  Your Phone:  FuzzDB  Jailbreak  IDA Pro  Ios_analyze.pl  Mac-robber and log2timeline  Command Line Knowledge  Crackulous, appcrack  Appswitch  Cycript  Your PC:  Nmap  Netcat  Burp
Jailbreaking a Device Jailbreaking is the act of using an exploit (or a combination of exploits) on the idevice to break out of the ios jail and allow for custom access to the phones OS. Malware can do this silently… Back to FreeBSD!
Jailbreaking a Device Consumer level jailbreaks automagically set up SSH Username: root Password: alpine Find your phones IP from the Settings -> Wifi -> more options menu
SSH Access
Installing Cert on Device • Export burp .cer file • Email to yourself access using safari • Accept certificate
Obtain App BlackBox:  Get from app store or customer ad-hoc distribution:  App Store binaries are encrypted  Manual decryption  Use debugger, breakpoint EP, let loader decrypt, dump decrypted image  http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone- appstore-binaries  http://pauldotcom.com/wiki/index.php/Episode226  Automated  Crackulous or AppCrack  Automate removing DRM  Can be transferred between devices  Then IDA w/ARM can then disassemble
Identify App Directories  3rd party Applications are stored in:  /private/var/mobile/Applications/$appId/
Parsing Out Server Calls  Strings and grep!  unzip .ipa files  Finds all the strings in the app binary:  looks for URLs, hostnames, URL parts and function names  Not exhaustive, whitebox methods give you more.
Monitoring the File System  So what if a file is created for temporary storage and then deleted?  Mac-robber “mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system. This is useful during incident response when analyzing a live system or when analyzing a dead system in a lab. The data can be used by the mactime tool in The Sleuth Kit to make a timeline of file activity. Themac-robber tool is based on the grave-robber tool from TCT and is written in C instead of Perl.
Log Monitoring  You can compile custom C code to interface with apples syslogd (ASL) or…  You can use a $1 app called appswitch http://goo.gl/XaRQQ
Side Channel Data leakage  All the tests are the same except they now move onto the filesystem of your phone
Mentioning Advanced Testing Techniques  Remote Memory Dumping  IDA Pro Remote Debugging with GDB  Dumping the iOS Keychain  Mapping Hooking the Objective-C Runtime to bypass security controls  Class-dump-z  Cycript  Solving SSL Proxy Issues  SSL Strip in Burp  Mallory  DNS Black holing
Memory Dumping  IDA Supports remote debugging, in options you can setup a remote GDB server  Start GDB on the iphone:  /Developer/usr/bin ./debugserver $IP:port $app  Open in IDA
Keychain Dumper  Dumping the KC:  https://github.com/ptoomey3/Keychain-Dumper  Compile  Push keychain_dumper to iOS device  Use keychain_dumper to export all the required entitlements  Use ldid to sign these entitlements into keychain_dumper  Rerun keychain_dumper to dump all accessible keychain items http://labs.neohapsis.com/2012/01/25/keychain-dumper-updated-for-ios-5/
Cycript  Cycript is an implementation of JavaScript that can interact with Objective-C classes and objects. One of the most useful functions of Cycript is its ability to attach directly to a process, much like gdb, and alter the state of the running application. With Cycript, you can manipulate existing objects already in your application’s memory, or instantiate new objects, such as new view controller classes or windows.  Cycript can access and change instance variables directly, send and intercept messages, access the run loop, override methods, and walk through an object’s internal methods, properties, and instance variables. Cycript can be used to easily hijack and manipulate poorly written applications to bypass authentication screens, circumvent sanity checks, and perform a number of other hacking activities to make an application malfunction Source: Hacking and Securing iOS Application 2012, Zardinsky
Proxy Issues  We all love Burp BUT you will run into problems sometimes.  Strict enforcing of SSL  Crazy iOS and Simulator problems  Downgrade HTTPS to HTTP in burp Checkbox under proxy  DNS BlackHoling  What about non HTTP and HTTPS protocols that applications might use?  Mallory TCP Interception proxy  http://intrepidusgroup.com/insight/mallory/
Server Side Issues  Server Side:  Web test / web service test  We know the web functions  Try to find the definitions for unpublished ones  Injections  Logic Tests
How can you get started?  Most of the simple vulns we have discussed today can be done as examples in OWASPs iGoat Application:  We have added 3 new exercises:  Format string injection  Plist data disclosure  XSS  Code not in trunk yet =( Will be there soon!  https://www.owasp.org/index.php/OWASP_iGoat_Project
All done! Contact me! Jason.haddix@hp.com

Recomendados

iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 

Recomendados

iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testingn|u - The Open Security Community
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to FridaAbhishekJaiswal270
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep DiveZafar Shahid, PhD
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applicationsn|u - The Open Security Community
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxSuman Astani
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System ArchitectureNational Cheng Kung University
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 

Mais conteúdo relacionado

Mais procurados

iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxSuman Astani
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 

Mais procurados (20)

iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to Frida
 
Android security
Android securityAndroid security
Android security
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applications
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptx
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System Architecture
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Android Security
Android SecurityAndroid Security
Android Security
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
 

Destaque

OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
iOS App Reverse Engineering
iOS App Reverse EngineeringiOS App Reverse Engineering
iOS App Reverse EngineeringZishe Sha
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mongokit presentation mongofr-2010
Mongokit presentation mongofr-2010Mongokit presentation mongofr-2010
Mongokit presentation mongofr-2010namlook
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)lpilorz
 
iOS app security
iOS app security iOS app security
iOS app security Hokila Jan
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsjasonhaddix
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationAndreas Kurtz
 
CodeFest 2012 - Пентест на стероидах
CodeFest 2012 - Пентест на стероидахCodeFest 2012 - Пентест на стероидах
CodeFest 2012 - Пентест на стероидахSergey Belov
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009ClubHack
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...Hackito Ergo Sum
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014viaForensics
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 

Destaque (20)

OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
iOS App Reverse Engineering
iOS App Reverse EngineeringiOS App Reverse Engineering
iOS App Reverse Engineering
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycript
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Mongokit presentation mongofr-2010
Mongokit presentation mongofr-2010Mongokit presentation mongofr-2010
Mongokit presentation mongofr-2010
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
 
iOS app security
iOS app security iOS app security
iOS app security
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
 
CodeFest 2012 - Пентест на стероидах
CodeFest 2012 - Пентест на стероидахCodeFest 2012 - Пентест на стероидах
CodeFest 2012 - Пентест на стероидах
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 

Semelhante a Pentesting iOS Applications

iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side AnalysisAadarsh N
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraOWASP Delhi
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...PROIDEA
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
DreamFactory Essentials Webinar
DreamFactory Essentials WebinarDreamFactory Essentials Webinar
DreamFactory Essentials WebinarDreamFactory
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
Pwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit GiriPwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit GiriOWASP Delhi
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 

Semelhante a Pentesting iOS Applications (20)

iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side Analysis
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh Mishra
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
OWASP for iOS
OWASP for iOSOWASP for iOS
OWASP for iOS
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
DreamFactory Essentials Webinar
DreamFactory Essentials WebinarDreamFactory Essentials Webinar
DreamFactory Essentials Webinar
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Mobile security
Mobile securityMobile security
Mobile security
 
iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Pwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit GiriPwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit Giri
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Pentesting iOS Applications

  • 2. NSLog (@”Hello, OWASP!”); • About me! • Jason Haddix – Director of Penetration Testing HP Fortify • Former Netpen guy • Current Mobile and Webpen guy • ShadowLabs Guy
  • 3. • Fortify on Demand does dynamic testing for web apps, mobile, special projects, bakeoffs, etc… • That’s us
  • 4. Rough Agenda (we will digress) • Quick Overview of the iPhone Platform • Threat Modeling 3rd party applications • Environment Setup • Whitebox Assessments • Blackbox Assessments
  • 5. Tech Stack 800 MHz dual-core ARM Objective-C Language Processor Core Services + Cocoa (Media & UI APIs) iOS (fork of Darwin Operating (fork of BSD)) System ARM Executables
  • 6. What does an iOS Application Look Like? • iOS Applications: – In Development with Apple SDK Xcode: • Distributed as XCode Project Folders – Compiled and deployed through the app store: • Compiled as ARM • Distributed as “.ipa” files • zip files containing app resources and ARM executable • Deployed as “.app” directories • Executable code is: – encrypted with FairPlay DRM (AES) – signed with Apple’s signature
  • 7. What does an iOS Application Look Like? Deployed to Compiled to Packaged as Objective - C phone file ARM and IPA file with (in Xcode) system as .app encrypted resources directory
  • 8. Types of iOS Applications • Web Applications: – HTML + CSS + JavaScript – Run inside Safari/Webkit • Native Applications: – Written in Objective-C (+ C/C++) – Compiled into ARM for actual devices, x86 for iOS Simulator
  • 9. Objective-C Objective-C is a superset of C, this means all C code still applies. [self doSomethingWithVar:var1];
  • 10. How do we Test?  Two different approaches to testing:  Whitebox testing  Full information and source code provided  Blackbox testing  No code or information provided  Working only with downloadable app  Three areas to focus on:  Attack the network communication  Attack the server component  Attack the client component
  • 12. Threat Modeling 3rd Party Apps  Identify business objectives  Identify user roles that will interact with the application  Track higher and lower roles functions  Identify the data the application will manipulate  PII vs Non-PII  Credentials & access  Where is it stored?  What happens if the user loses his Phone? Or it’s stolen?  Individual applications data lost, how bad is it?  What happens if there’s an OS/Kernel exploit? (silent jailbreak)  Mass user data loss, always bad
  • 13. Reminders  Many apps will encode sensitive data, not encrypt. Look for:  Base64  cGFzc3dvcmQ=  Hex  70617373776f7264  Decimal  112 97 115 115 119 111 114 100  Md5  5f4dcc3b5aa765d61d8327deb882cf99  SHA1  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
  • 14. Reminders PII for a mobile app can be different that what you expect. Look for:  Updates to Social media  Usernames  Chat logs  Passwords  cookies  UDID  Geolocation/address/zip  DOB  Device Name  Network Connection Name  Application Data
  • 15. Hardware Encryption and MDM Will Save Us!  Hardware encryption in iOS only applies where specifically called and to mail and SMS  Key to unencrypt the data is stored in effaceable storage.  Hardware encryption without MDM is susceptible to brute force attacks  24 min to break a 4 digit PIN  Hardware encryption with MDM, with remote wipe enabled, and long PIN  Best option http://goo.gl/HcHXN
  • 16. The big takeaway with iOS Encryption?  Physical access wins!  Plus you can always pulls some super cool spy http://goo.gl/UWtg moves!
  • 18. WhiteBox Environment Setup Tool List:  SQLite Manger  Your Mac:  FuzzDB  Xcode (newest)  Command Line Knowledge  Build/analyze/clang  Property List Editor  Plutil  otool  Instruments  Wireshark/Tshark/…  netcat  Nmap  Burp Suite  Flawfinder http://goo.gl/kX6PA
  • 19. Anatomy of an Application in iOS Sim  Show all files: defaults write com.apple.Finder AppleShowAllFiles YES  Users/$username/Library/Application Support/iPhone Simulator/Applications/$appID  ./Documents = properties, logs  ./Library/Caches = cachey things  ./Library/Caches/Snapshots = screenshots of your app  ./Library/Cookies = cookie plists  ./Library/Preferences = various preference plists  ./Library/WebKit = WebKit local storage  ./Appname.app = app resources: binary, graphics, nibs, Info.plist  ./tmp = tmp and logs sometimes *David Thiel, Secure iOS Development, iSec Partners
  • 20. Whitebox – Client-Side Testing  Analyze/SCA Tools  Identify HTTP(S) and web service URLs  Parse Web Service Functions  Identify Filesystem Interaction & Data Storage  Manual Source code Inspection
  • 21. Analyzing & SCA Tools  Build and Analyze  Funnily enough Xcode has a built in source code scanner formerly known as CLANG.  http://clang-analyzer.llvm.org/available_checks.html  Use it to find:  memory leaks  accessing uninitialized variables  dereferencing null pointers
  • 23. SCA  Fortify already supports C libraries.  Fortify Objective-C  Flawfinder  http://www.dwheeler.com/flawfinder/  http://msdn.microsoft.com/en- us/library/bb288454.aspx
  • 24. Identifying HTTP(S) and WS Calls  Parse source code path for all URLs and Web Services the app is calling:  Command (dirty):  grep -r -a "://" $project_path | awk -F "http" '{print $2}' |sort –u  :// represents standard http  s:// is https call  Or in X-Code search for ://  Since we’re in source this will give us URLs in comments as well
  • 25. Identifying HTTP(S) and WS Calls  Output:
  • 26. Parsing WS/API Functions  Follow up on interesting links by tracking down the file it appeared in:  grep -r -F “://interestingURL”  Hopefully doing this you will find NSUrl / constant definitions or variable names.
  • 29. Parsing WS/API Functions  Now we can track down associated GETS and POSTS with Parameters, searching for the constant/variable names:  Now we have a better mapping of the WS and its calls  Avoid the .svn directories  | Grep –v .svn
  • 30. Identifying File System and Data Storage  iOS apps use a variety of methods for storage… almost all of them suck. Basically any credential or PII stored on the client side is 80% of the time a vulnerability.
  • 31. Identifying File System and Data Storage  Bundled with X-code in Lion is Instruments which we can use to monitor the iOS simulator and what our target application does. You can compare it to several SysInternals tools. The type of data it can capture includes:  File Activity monitoring  Memory Monitoring  Process Monitoring – similar to procmon  Network Monitoring – similar to netmon  The tool can be launched from the Xcode Menu -> Open Developer Tool-> Instruments
  • 32. Identifying File System and Data Storage instruments-the-mac, http://goo.gl/mKoiQ
  • 33. Identifying File System and Data Storage  Areas of interest:  Plists  SQLite3 Databases  Keychain  Temp Files
  • 34. Plists  Used by iPhone to store saved properties and data  XML  Binary (compressed XML) (depreciated)  The binary plists need converting, you can use:  plutil to convert to XML  Property List Editor (in XCode)  plists contain all kinds of juicy information. Check for:  Cookies, emails, usernames, passwords, sensitive application data, client side role identifiers, protocol handlers, etc.
  • 35. Plists  Run app in simulator, provide credentials to everything you can, use the app thoroughly.  App creds  Twitter  Facebook
  • 36. Plists Frank Kim, SANS Appsec Blog, http://goo.gl/f0HsM
  • 37. Plists  A bit about URLSchemes:  Locate Info.plist file. Open with “Property List Editor” or  convert to XML: plutil -convert xml1 Info.plist  The info.plist will define any custom protocol handlers
  • 38. Plists Plutil: Foundstone Pentesting iPhone , http://goo.gl/g79pY
  • 39. SQLite  A lot of iOS applications sensitive data in SQLite3 databases on the device.  Sqlite3 does not have built-in support for encryption.
  • 40. SQLite  There are extensions (CEROD is one, sqlcipher is another) that support encryption, but the code is not publicly available, you need to license it. Apple has not, so the included version of sqlite3 does not support encrypted databases.  Still dangerous to store stuff client side. Even with extensions you can reverse out encryption keys () from the memory of a jailbroken phone and decrypt the database.or breakpoint after decryption) to bypass:  Cerod is as simple as looking for “cerod:passwd” or break pointing and pulling out of memory:  sqlite3_open(":cerod:passwd:filename.db", &db);  http://www.hwaci.com/sw/sqlite/cerod.html
  • 41. KeyChain  Keychain = Encrypted container for storing sensitive information  Smarter devs store passwords and sensitive data using the keychain. Unfortunately with access to a phone and jailbreaking we can unencrypt the keychain and dump the contents.  See what you app is using the KC for:  grep -r -F “kSecAttr" $project_path/ | grep -v .svn  Or “SFHFKeychainUtils”  Threat Model this data… We will go over blackbox methods for dumping the KC later.
  • 42. Side Channel Data Leakage  iOS apps have a number of “features” that can be security vulnerabilities.  Logging Files  Caching  File Caching  Keyboard Caching  Snapshot Caching  Clipboard Caching
  • 43. Logging  iOS Logs lots of data, NSLog especially, They can be viewed after the fact in:  ~/Library/Logs/CrashReporter/MobileDevice/<Device name>/private/var/log/system.log  Custom Logging:  NSLog:  grep -r -F “NSLog" $project_path/ | grep -v .svn  Can be viewed in you mac “console” app under utilities
  • 44. File Caching  If the application uses PDF, Excel, or other files it may be possible that these files may have been cached on the device. These can be found at:  ~/Library/Application Support/iPhone simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf
  • 45. Keyboard Caching  Keystrokes for predictive spellcheck are stored in:  ~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat  This issue is similar to autocomplete for web browsers.  Already disabled for password fields  Should be disabled for any potentially sensitive fields (account numbers, SSN, etc, etc…)  Set UITextField property autocorrectionType = UITextAutocorrectionNo for mitigation.
  • 46. Snapshot Caching  When in an application and the home button is pushed, the application stores a snapshot (screenshot) in the apps snapshot folder:  ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/  These persist until reboot.  Hopefully you weren’t on a screen with any sensitive data!
  • 47. Snapshot Caching Frank Sims, SANS, http://goo.gl/aFQrx
  • 48. Manual Source Review  Just some pointers, not full blown manual sca:  Insufficient transport – identify bad SSL  Injection  SQL  XSS  Format String  LFI
  • 49. SQL Injection Client-Side SQL injection is a problem on the client side too! BAD: NSString *sql = [NSString stringWithFormat:@"SELECT name FROM products WHERE id = '%@'", id]; const char *query = [sql UTF8String]; GOOD: const char *sql = "SELECT name FROM products WHERE id = ?"; sqlite3_prepare_v2(database, sql, -1, &sql_statement, NULL); sqlite3_bind_text(&sql_statement, 1, id, -1, SQLITE_TRANSIENT); Ilja van Sprundel; IOActiveAuditting iPhone and iPad applications
  • 50. XSS Client-Side UIwebView • Renders web content inside an application with webkit: • Javascript • HTML • PDF • Office Documents (XLS, PPT, DOC) • iWork Documents (Pages, Numbers, Keynote) •If the webView is based off of user input XSS can be triggered
  • 51. XSS Client-Side Can occur whenever user controlled Objective C variables populated in to WebView stringByEvaluatingJavaScriptFromString NSString *javascript = [[NSString alloc] initWithFormat:@"var myvar="%@";", username]; [mywebView stringByEvaluatingJavaScriptFromString:javascript]; Ilja van Sprundel; IOActiveAuditting iPhone and iPad applications
  • 52. Other Injection Attacks LFI’s : User controlled input to NSFileManager can lead to LFI’s (../../../../) Format String attacks…
  • 53. Format String Attacks vulnerable obj-c methods: • NSLog() • *NSString stringWithFormat:] • *NSString initWithFormat:] • *NSMutableString appendFormat:] • *NSAlert informativeTextWithFormat:] • *NSPredicate predicateWithFormat:] • *NSException format:] • NSRunAlertPanel
  • 54. Whitebox – Network & Server Testing  Insufficient Transport  Proxy Simulator  SSL Checking  Pulling items out of streams  Web Service Testing
  • 55. Proxying The Simulator  Network -> Advanced -> Proxies ->
  • 56. Proxying The Simulator  Network -> Advanced -> Proxies -> Web Proxy & Secure Web Proxy
  • 57. Proxying The Simulator  SSL Sucks =(  Get Burp cert  iOS simulator needs the cert stored in the ~/Library/Application Support/iPhone Simulator/<SDK version>/Library/Keychains/ directory on your Mac  Use python script by Gotham Digital Science to add the cert to the db:  https://github.com/GDSSecurity/Add-Trusted-Certificate-to-iOS- Simulator  python add_ca_to_iossim.py PortSwiggerCA.cer
  • 59. Blackbox– Client-Side Testing  Jealbreak and install Cydia Package manager  Identify application directories  Obtain app  Parse out some server information  Install proxy certificate on phone  Proxy phone  Additional tools
  • 60. Blackbox Environment Setup Tool List:  SQLite Manager  Your Phone:  FuzzDB  Jailbreak  IDA Pro  Ios_analyze.pl  Mac-robber and log2timeline  Command Line Knowledge  Crackulous, appcrack  Appswitch  Cycript  Your PC:  Nmap  Netcat  Burp
  • 61. Jailbreaking a Device Jailbreaking is the act of using an exploit (or a combination of exploits) on the idevice to break out of the ios jail and allow for custom access to the phones OS. Malware can do this silently… Back to FreeBSD!
  • 62. Jailbreaking a Device Consumer level jailbreaks automagically set up SSH Username: root Password: alpine Find your phones IP from the Settings -> Wifi -> more options menu
  • 64. Installing Cert on Device • Export burp .cer file • Email to yourself access using safari • Accept certificate
  • 65. Obtain App BlackBox:  Get from app store or customer ad-hoc distribution:  App Store binaries are encrypted  Manual decryption  Use debugger, breakpoint EP, let loader decrypt, dump decrypted image  http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone- appstore-binaries  http://pauldotcom.com/wiki/index.php/Episode226  Automated  Crackulous or AppCrack  Automate removing DRM  Can be transferred between devices  Then IDA w/ARM can then disassemble
  • 66. Identify App Directories  3rd party Applications are stored in:  /private/var/mobile/Applications/$appId/
  • 67. Parsing Out Server Calls  Strings and grep!  unzip .ipa files  Finds all the strings in the app binary:  looks for URLs, hostnames, URL parts and function names  Not exhaustive, whitebox methods give you more.
  • 68. Monitoring the File System  So what if a file is created for temporary storage and then deleted?  Mac-robber “mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system. This is useful during incident response when analyzing a live system or when analyzing a dead system in a lab. The data can be used by the mactime tool in The Sleuth Kit to make a timeline of file activity. Themac-robber tool is based on the grave-robber tool from TCT and is written in C instead of Perl.
  • 69. Log Monitoring  You can compile custom C code to interface with apples syslogd (ASL) or…  You can use a $1 app called appswitch http://goo.gl/XaRQQ
  • 70. Side Channel Data leakage  All the tests are the same except they now move onto the filesystem of your phone
  • 71. Mentioning Advanced Testing Techniques  Remote Memory Dumping  IDA Pro Remote Debugging with GDB  Dumping the iOS Keychain  Mapping Hooking the Objective-C Runtime to bypass security controls  Class-dump-z  Cycript  Solving SSL Proxy Issues  SSL Strip in Burp  Mallory  DNS Black holing
  • 72. Memory Dumping  IDA Supports remote debugging, in options you can setup a remote GDB server  Start GDB on the iphone:  /Developer/usr/bin ./debugserver $IP:port $app  Open in IDA
  • 73. Keychain Dumper  Dumping the KC:  https://github.com/ptoomey3/Keychain-Dumper  Compile  Push keychain_dumper to iOS device  Use keychain_dumper to export all the required entitlements  Use ldid to sign these entitlements into keychain_dumper  Rerun keychain_dumper to dump all accessible keychain items http://labs.neohapsis.com/2012/01/25/keychain-dumper-updated-for-ios-5/
  • 74. Cycript  Cycript is an implementation of JavaScript that can interact with Objective-C classes and objects. One of the most useful functions of Cycript is its ability to attach directly to a process, much like gdb, and alter the state of the running application. With Cycript, you can manipulate existing objects already in your application’s memory, or instantiate new objects, such as new view controller classes or windows.  Cycript can access and change instance variables directly, send and intercept messages, access the run loop, override methods, and walk through an object’s internal methods, properties, and instance variables. Cycript can be used to easily hijack and manipulate poorly written applications to bypass authentication screens, circumvent sanity checks, and perform a number of other hacking activities to make an application malfunction Source: Hacking and Securing iOS Application 2012, Zardinsky
  • 75. Proxy Issues  We all love Burp BUT you will run into problems sometimes.  Strict enforcing of SSL  Crazy iOS and Simulator problems  Downgrade HTTPS to HTTP in burp Checkbox under proxy  DNS BlackHoling  What about non HTTP and HTTPS protocols that applications might use?  Mallory TCP Interception proxy  http://intrepidusgroup.com/insight/mallory/
  • 76. Server Side Issues  Server Side:  Web test / web service test  We know the web functions  Try to find the definitions for unpublished ones  Injections  Logic Tests
  • 77. How can you get started?  Most of the simple vulns we have discussed today can be done as examples in OWASPs iGoat Application:  We have added 3 new exercises:  Format string injection  Plist data disclosure  XSS  Code not in trunk yet =( Will be there soon!  https://www.owasp.org/index.php/OWASP_iGoat_Project
  • 78. All done! Contact me! Jason.haddix@hp.com