Practical iOS App Attack and Defense – Seth Law © 2015
Practical iOS App Attack and Defense
CactusCon
Introduction
• Seth Law
– Director of R&D @ nVisium
– Developer/Contributor to Swift.nV, SiRATool, RAFT, Grails.nV
– Hacker, AppSec Architect, Security Consultant
– Soccer Hooligan
Abusing Trust
Your App
Hopefully, not your App
Disclaimer
Hacking of App Store apps is not condoned or encouraged in any way. What you do on your own time
is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this
presentation for unsavory acts.
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Requirements
• Xcode (developer.apple.com)
– Command-line tools
– xcode-select --install
– iOS Simulators
• Jailbroken iDevice (iPhone/iPad/iPod) *
– Cydia Tools
• Vulnerable App
– Swift.nV - https://github.com/nVisium/Swift.nV
* Only required to “test” apps from the App Store. **
Tools - idb
• idb - https://github.com/dmayer/idb
Tools - iFunBox
• https://www.i-funbox.com/ifunboxmac
Tools - Cydia Apps
• Cycript
• OpenSSH
• Erica Utilities
• Class Dump
• GNU Debugger
• network-cmds
• BigBoss Recommended Tools
Tools - Swift.nV
• INTENTIONALLY VULNERABLE
• Training Tool - Not for production use
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Application Anatomy
• .app Directory
– Folder with distributed binary and artifacts
– iOS 8
• AppStore Apps - /var/mobile/Containers/Bundle/Application/<APP GUID>/Application.app/
• Pre-installed Apps - /Applications/Application.app/
– iOS 7
• AppStore Apps - /var/mobile/Applications/<APP GUID>/Application.app/
• Pre-installed Apps - /Applications/Application.app/
Application Anatomy
• Info.plist
Application Anatomy
• Deployed Application Data Directories
• iOS 8 - /var/mobile/Containers/Data/Application/<APP_GUID>/
• iOS 7 - /var/mobile/Applications/<APP_GUID>/
• Layout inside the data directory:
  Documents/
  Library/
    Caches/
    Preferences/
    ...
  tmp/
Application Anatomy
• Library/…
• Other folders may exist for specific purposes
• Files not exposed to the user
• SyncedPreferences/ - iCloud NSUserDefaults
• Cookies/ - Persistent cookie values
• Application Support/ - Other App files
• FlurryFiles/ - iAd files
• tmp/
• Scratch space
• Can be cleared by iOS when App not running
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Data Storage
• M2 in OWASP Mobile Top 10
• Anything stored by the App on purpose
• Data at rest on a mobile device
• Majority of “mobile security” issues in the news.
• Relevant functionality
• Core Data
• NSUserDefaults
• Keychain
• Documents
• Cache
Attack!
Data Storage - Attack
Data Storage - Demo
Data Storage - Defense
• Databases – Defenses
• Encryption (SQLCipher)
• Rewrites crypto into database controller
• Don’t store sensitive data on the device.
• Weaknesses
• Key Storage
Data Storage - NSUserDefaults
• Property Lists - Code
Data Storage - Attack
• Property Lists
Data Storage - Attack
• Property Lists - idb
Data Storage - Defense
• Property List - Countermeasures
– Don’t store sensitive data using NSUserDefaults
– When ignoring rule #1, encrypt the data
– Use checksums or signatures to validate that data returned from NSUserDefaults is appropriate
– iOS Keychain
– For quick Keychain conversion, use a library
– https://github.com/matthewpalmer/Locksmith
Data Storage - Defense
• Keychain
– Mac OS X/iOS Password Manager
– OS enforces security
– CAREFUL
• Keychain can be accessed by apps running on jailbroken devices.
• idb
– Don’t assume Keychain is secure.
– Know your Keychain Attributes.
– Layered Security
• The application will be used under the worst possible conditions, protect for THAT instance.
Data Storage - Defense
• Keychain Analysis – know your attributes
Attribute: Data is...
kSecAttrAccessibleWhenUnlocked: Only accessible when device is unlocked.
kSecAttrAccessibleAfterFirstUnlock: Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
kSecAttrAccessibleAlways: Always accessible.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly: Only accessible when device is unlocked. Data is not migrated via backups.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
kSecAttrAccessibleAlwaysThisDeviceOnly: Always accessible. Data is not migrated via backups.
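The two Property List countermeasures above (sign what goes into NSUserDefaults, keep the key in the Keychain) and the Keychain attribute table, worked into one added example. This is not Swift.nV code; it assumes iOS 13+ for CryptoKit, and the type names Keychain and SignedDefaults are hypothetical.

```swift
import Foundation
import Security
import CryptoKit

enum KeychainError: Error { case status(OSStatus) }

/// Minimal generic-password wrapper (hypothetical helper, not from Swift.nV).
struct Keychain {
    let service: String

    /// Stores `data` so it is readable only while the device is unlocked and is
    /// never migrated via backup: kSecAttrAccessibleWhenUnlockedThisDeviceOnly.
    func set(_ data: Data, account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        _ = SecItemDelete(query as CFDictionary)   // replace any previous value
        var attrs = query
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    func get(account: String) throws -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.status(status) }
        return result as? Data
    }
}

/// UserDefaults wrapper: every value carries an HMAC-SHA256 tag computed with a
/// key that lives in the Keychain, not in the plaintext preferences plist.
struct SignedDefaults {
    private let defaults: UserDefaults
    private let key: SymmetricKey

    init(defaults: UserDefaults = .standard, keychain: Keychain) throws {
        self.defaults = defaults
        if let raw = try keychain.get(account: "defaults-hmac-key") {
            key = SymmetricKey(data: raw)
        } else {
            // First launch: generate the key once and park it in the Keychain.
            let fresh = SymmetricKey(size: .bits256)
            try keychain.set(fresh.withUnsafeBytes { Data($0) }, account: "defaults-hmac-key")
            key = fresh
        }
    }

    /// Bind the tag to the key name so a valid entry cannot be copied onto another key.
    private func message(_ name: String, _ value: Data) -> Data {
        var msg = Data(name.utf8)
        msg.append(0)            // separator: "ab"+"c" and "a"+"bc" must differ
        msg.append(value)
        return msg
    }

    func set(_ value: String, forKey name: String) {
        let bytes = Data(value.utf8)
        let tag = HMAC<SHA256>.authenticationCode(for: message(name, bytes), using: key)
        defaults.set(bytes, forKey: name)
        defaults.set(Data(tag), forKey: name + ".hmac")
    }

    /// Returns nil when the entry is missing OR its tag does not verify
    /// (e.g. the plist was edited on a jailbroken device or through a backup).
    func string(forKey name: String) -> String? {
        guard let bytes = defaults.data(forKey: name),
              let tag = defaults.data(forKey: name + ".hmac") else { return nil }
        // CryptoKit compares the MAC in constant time.
        guard HMAC<SHA256>.isValidAuthenticationCode(tag, authenticating: message(name, bytes),
                                                     using: key) else { return nil }
        return String(data: bytes, encoding: .utf8)
    }
}

// Usage (hypothetical service name):
// let store = try SignedDefaults(keychain: Keychain(service: "com.example.app"))
// store.set("pro", forKey: "plan")
// store.string(forKey: "plan")   // "pro" until the plist is tampered with, then nil
```

The value itself is still plaintext on disk; this only detects tampering. Data that must stay secret belongs in the Keychain (or, per the first rule, not on the device at all).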
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Network Communications
• M3 - Insufficient Transport Layer Protection
• Are network communications secure?
• Encryption (or not)
• Key Handling
• Ciphers
• Proxy Communication
CodeMash Scanner?
Become a Sponsor!
Volunteers?
Whoops
Network Communications
• DEMO
• Device: Jailbroken iPod Touch
• Proxy: Burp Suite Pro
• App: Casino
Exploited Issues
• Proxied Communications
• Certificate Pinning
• Web Service Vulnerabilities
Network Communications
• Defense
– Good: Internal Certificate Authority
– Better: External CA
– Best: Certificate Pinning
continueWithoutCredentialForAuthenticationChallenge == BAD
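The "Best" option above, certificate pinning, as an added example (not Swift.nV code): a URLSession delegate that first lets the OS validate the chain and then requires the leaf certificate's SHA-256 to match a pin. It assumes iOS 15+ for SecTrustCopyCertificateChain; the pin value is a constructed placeholder.

```swift
import Foundation
import Security
import CryptoKit

/// Hypothetical delegate name. Pins the DER SHA-256 of the server's leaf certificate.
final class PinningDelegate: NSObject, URLSessionDelegate {
    /// Lowercase hex SHA-256 digests of the DER-encoded certificates we accept.
    private let pinnedSHA256: Set<String>

    init(pinnedSHA256: Set<String>) { self.pinnedSHA256 = pinnedSHA256 }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        // Only server-trust challenges are relevant to pinning.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: the chain must still validate against the trusted roots (Good/Better).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: the leaf must be one we pinned (Best). An unknown certificate fails
        // the request; this is the opposite of continueWithoutCredentialForAuthenticationChallenge,
        // which would let a proxy's certificate through.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedSHA256.contains(Self.sha256Hex(of: leaf)) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    /// Hex SHA-256 over the certificate's DER bytes; compute the pin the same way offline.
    static func sha256Hex(of cert: SecCertificate) -> String {
        let der = SecCertificateCopyData(cert) as Data
        return SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
    }
}

// Usage: the pin below is a placeholder, not a real certificate hash.
// let delegate = PinningDelegate(pinnedSHA256: ["<sha256-of-your-leaf-der-placeholder>"])
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Pin at least one backup certificate so a routine certificate rotation does not lock every installed client out of the web service.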
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Client Side Injection
• M7 - Client Side Injection
• Fuzzing all application inputs
• Text Fields
• URLSchemes
• Stored Data (DBs, PLists, etc)
• Multiple Types
• XSS/HTML
• XML/JSON
• ...
Injection
• Text Field Injection
– Manually intensive
Client Side Injection
• URLScheme Injection
• Safari FTW!
• Still manual
• location bar
• Fuzz URL values
• Info.plist
Client Side Injection
• Demo - Injection with Swift.nV
Client Side Injection
• Defense
• Input Validation
• Don’t trust the user
• Input Validation
• Output Encoding
• Input Validation
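The URLScheme injection case and its two defenses (input validation, output encoding) in one added example, not Swift.nV code: the scheme swiftnv and the greet action are hypothetical, and the HTML is what a web view would be handed.

```swift
import Foundation

enum SchemeError: Error { case wrongScheme, unknownAction, badParameter(String) }

struct GreetRequest: Equatable { let name: String }

/// Input validation for swiftnv://greet?name=<value>: allow-list, not blacklist.
func parseSchemeURL(_ url: URL) throws -> GreetRequest {
    guard url.scheme?.lowercased() == "swiftnv" else { throw SchemeError.wrongScheme }
    guard url.host == "greet" else { throw SchemeError.unknownAction }
    let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []
    guard let name = items.first(where: { $0.name == "name" })?.value else {
        throw SchemeError.badParameter("name missing")
    }
    // Letters, digits, space and hyphen, 1 to 40 characters. Anything else is rejected
    // outright rather than "cleaned", so markup or quote characters never enter the app.
    let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: " -"))
    guard (1...40).contains(name.count),
          name.unicodeScalars.allSatisfy({ allowed.contains($0) }) else {
        throw SchemeError.badParameter("name has disallowed characters or length")
    }
    return GreetRequest(name: name)
}

/// Output encoding for the HTML context: the five characters that change HTML meaning.
func htmlEscape(_ s: String) -> String {
    var out = ""
    out.reserveCapacity(s.count)
    for ch in s {
        switch ch {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(ch)
        }
    }
    return out
}

/// Even if the allow-list is loosened later, encoding keeps the value data, not markup.
func greetingHTML(for req: GreetRequest) -> String {
    "<p>Hello, \(htmlEscape(req.name))!</p>"
}

// Usage from application(_:open:options:) (webView is the app's WKWebView):
// do {
//     let html = greetingHTML(for: try parseSchemeURL(url))
//     webView.loadHTMLString(html, baseURL: nil)
// } catch {
//     // Drop the URL silently; do not echo the bad value back into the UI.
// }
```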
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Privacy
• Revealing of PII
• Location Information
• Shoulder surfing
• Physical Access
• Background screenshots
• Borrowed Phone attacks
• Backups/Logs
FRIENDS DON’T LET FRIENDS
LEAVE THEIR PHONE BEHIND
Background Screenshots
Information Overload
Logs
iOS Backup Analyzer
Privacy - Defense
• Mask mask mask
• No NSLog in production apps
• What is stored on the device is also stored in the backup
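The three privacy defenses above (mask PII on screen, no NSLog in production, and covering the UI before the background screenshot is taken) as one added example, not Swift.nV code. It assumes the UIApplicationDelegate lifecycle of the deck's era (no UIScene configuration) and iOS 13+ for .systemBackground.

```swift
import UIKit

/// Logs only in DEBUG builds; in a release build the call body compiles to nothing,
/// so nothing reaches the device log or a backup's log files.
func debugLog(_ message: @autoclosure () -> String) {
    #if DEBUG
    NSLog("%@", message())
    #endif
}

/// Mask: show only the last `visibleSuffix` characters of an account number or card PAN.
func masked(_ value: String, visibleSuffix: Int = 4) -> String {
    guard value.count > visibleSuffix else {
        return String(repeating: "•", count: value.count)
    }
    return String(repeating: "•", count: value.count - visibleSuffix) + value.suffix(visibleSuffix)
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private var privacyCover: UIView?

    /// Runs before iOS captures the snapshot used in the app switcher, so the
    /// snapshot shows the cover, not account details or a borrowed-phone view.
    func applicationWillResignActive(_ application: UIApplication) {
        guard let window = window, privacyCover == nil else { return }
        let cover = UIView(frame: window.bounds)
        cover.backgroundColor = .systemBackground
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(cover)
        privacyCover = cover
        debugLog("privacy cover installed")   // no PII in the message, DEBUG only
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        privacyCover?.removeFromSuperview()
        privacyCover = nil
    }
}

// masked("4111111111111111") -> "••••••••••••1111"
```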
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Other Mobile Concerns
• Authentication
• Authorization
• Binary Protections
• Cryptography
• Unintended Functionality
• Untrusted Input
Conclusion
Security is hard.
Try harder.
Thanks
• Questions?
• nVisibility Tape
• Contact:
• Seth Law
• Email: seth@nvisium.com
• Twitter: @sethlaw

Mais conteúdo relacionado

Mais procurados

Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proKarl Ots
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)Sandeep Jayashankar
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)Greg Patton
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs42Crunch
 

Mais procurados (20)

Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a pro
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrs
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 

Semelhante a CactusCon - Practical iOS App Attack and Defense

Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
CocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesCocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesMutual Mobile
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 

Semelhante a CactusCon - Practical iOS App Attack and Defense (20)

Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applications
 
CocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesCocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best Practices
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 

Último

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Último (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Breaking the Kubernetes Kill Chain: Host Path Mount

CactusCon - Practical iOS App Attack and Defense

  • 1. Practical iOS App Attack and Defense – Seth Law © 2015 Practical iOS App Attack and Defense CactusCon
  • 2. Introduction • Seth Law – Director of R&D @ nVisium – Developer/Contributor to Swift.nV, SiRATool, RAFT, Grails.nV – Hacker, AppSec Architect, Security Consultant – Soccer Hooligan
  • 6. Disclaimer Hacking of App Store apps is not condoned or encouraged in any way. What you do on your own time is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this presentation for unsavory acts.
  • 7. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 8. Requirements • Xcode (developer.apple.com) – Command-line tools – xcode-select --install – iOS Simulators • Jailbroken iDevice (iPhone/iPad/iPod) * – Cydia Tools • Vulnerable App – Swift.nV - https://github.com/nVisium/Swift.nV * Only required to “test” apps from the App Store. **
  • 9. Tools - idb • idb - https://github.com/dmayer/idb
  • 11. Tools - iFunBox • https://www.i-funbox.com/ifunboxmac
  • 12. Tools - Cydia Apps • Cycript • OpenSSH • Erica Utilities • Class Dump • GNU Debugger • network-cmds • BigBoss Recommended Tools
  • 13. Tools - Swift.nV • INTENTIONALLY VULNERABLE • Training Tool - Not for production use
  • 14. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 17. Application Anatomy • .app Directory – Folder with distributed binary and artifacts
    – iOS 8 • AppStore Apps - /var/mobile/Containers/Bundle/Application/<APP GUID>/Application.app/ • Pre-installed Apps - /Applications/Application.app/
    – iOS 7 • AppStore Apps - /var/mobile/Applications/<APP GUID>/Application.app/ • Pre-installed Apps - /Applications/Application.app/
  • 19. Application Anatomy • Deployed Application Data Directories
    – iOS 8 • /var/mobile/Containers/Data/Application/<APP_GUID>/
    – iOS 7 • /var/mobile/Applications/<APP_GUID>/
    – Layout inside the data container: Documents/, Library/ (Caches/, Preferences/, ...), tmp/
  • 24. Application Anatomy • Library/… • Other folders may exist for specific purposes • Files not exposed to the user • SyncedPreferences/ - iCloud NSUserDefaults • Cookies/ - Persistent cookie values • Application Support/ - Other App files • FlurryFiles/ - Flurry analytics SDK files • tmp/ • Scratch space • Can be cleared by iOS when App not running
  • 25. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 27. Data Storage • M2 (Insecure Data Storage) in the OWASP Mobile Top 10 (2014) • Anything stored by the App on purpose • Data at rest on a mobile device • Majority of “mobile security” issues in the news. • Relevant functionality • Core Data • NSUserDefaults • Keychain • Documents • Cache
  • 29. Data Storage - Attack
  • 36. Data Storage - Defense
  • 37. Data Storage - Defense • Databases – Defenses • Encryption (SQLCipher) • Transparent page-level encryption of the SQLite file, wired in at the database controller layer • Don’t store sensitive data on the device. • Weaknesses • Key Storage – the database key must itself be stored or derived somewhere the app can reach it, so an attacker with the container (or a jailbroken device) goes after the key next
  • 38. Data Storage - NSUserDefaults • Property Lists - Code
  • 39. Data Storage - Attack • Property Lists
  • 40. Data Storage - Attack • Property Lists - idb
  • 44. Data Storage - Defense • Property List - Countermeasures – Don’t store sensitive data using NSUserDefaults – When ignoring rule #1, encrypt the data – Use checksums or signatures to validate that data returned from NSUserDefaults is appropriate – iOS Keychain – For quick Keychain conversion, use a library – https://github.com/matthewpalmer/Locksmith
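Added example (not from the talk or from Swift.nV): a Python triage script for a data container pulled off the device with iFunBox, idb, or scp over OpenSSH, as in the Tools slides. It walks the directories listed under Application Anatomy (Documents/, Library/Preferences/, Library/Caches/, Library/Application Support/, Library/Cookies/, tmp/), sniffs SQLite and property-list files by header rather than by extension, and reports values stored under keys or columns whose names suggest credentials, which covers both the database slides and the NSUserDefaults property-list slides above. The container it builds is constructed for the demonstration; the key-name pattern and the Core Data column names are assumptions, not Swift.nV's schema.

```python
"""Triage a pulled iOS data container for sensitive data at rest."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that usually mean "credential"; tune per engagement (assumption).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|ssn|card|pin)", re.I)
# Sub-directories of the data container named on the Application Anatomy slides.
INTERESTING_DIRS = ("Documents", "Library/Preferences", "Library/Caches",
                    "Library/Application Support", "Library/Cookies", "tmp")


def scan_plist(path):
    """Return (path, key-path, value) for every sensitive-looking key in a plist."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    findings = []

    def walk(node, prefix):
        if isinstance(node, dict):
            for k, v in node.items():
                key = f"{prefix}/{k}" if prefix else str(k)
                if SENSITIVE_KEY.search(str(k)) and isinstance(v, (str, bytes)) and v:
                    findings.append((path, key, v if isinstance(v, str) else v.hex()))
                walk(v, key)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{prefix}[{i}]")

    walk(data, "")
    return findings


def scan_sqlite(path):
    """Return (path, table.column, value) for sensitive-looking columns (Core Data uses Z-prefixed names)."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            for c in (c for c in cols if SENSITIVE_KEY.search(c)):
                for (val,) in con.execute(f'SELECT "{c}" FROM "{t}" WHERE "{c}" IS NOT NULL LIMIT 5'):
                    findings.append((path, f"{t}.{c}", str(val)))
    finally:
        con.close()
    return findings


def triage(container):
    """Walk the interesting directories and dispatch on file magic, not extension."""
    findings = []
    for sub in INTERESTING_DIRS:
        for dirpath, _, files in os.walk(os.path.join(container, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    head = f.read(16)
                if head.startswith(b"SQLite format 3\x00"):
                    findings.extend(scan_sqlite(path))
                elif head.startswith(b"bplist") or head.lstrip().startswith(b"<?xml"):
                    try:
                        findings.extend(scan_plist(path))
                    except Exception:
                        pass  # XML that is not a plist
    return findings


def build_sample_container():
    """Constructed sample container (not a real app's data); returns its path."""
    root = tempfile.mkdtemp(prefix="container-")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    # NSUserDefaults lands in Library/Preferences/<bundle id>.plist
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, f)
    # A Core Data store with a hypothetical ZACCOUNT entity
    con = sqlite3.connect(os.path.join(docs, "Model.sqlite"))
    con.execute("CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZEMAIL TEXT, ZAPITOKEN TEXT)")
    con.execute("INSERT INTO ZACCOUNT VALUES (1, 'alice@example.com', 'tok_live_abc123')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, where, value in triage(build_sample_container()):
        print(f"{path}: {where} = {value!r}")
```

Run it against a real container path instead of the sample; anything it prints is data an attacker with the device, the backup, or a jailbreak can read without touching the app.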
  • 45. Data Storage - Defense • Keychain – Mac OS X/iOS Password Manager – OS enforces security – CAREFUL • Keychain can be accessed by apps running on jailbroken devices. • idb – Don’t assume Keychain is secure. – Know your Keychain Attributes. – Layered Security • The application will be used under the worst possible conditions, protect for THAT instance.
  • 46. Data Storage - Defense • Keychain Analysis – know your attributes
    – kSecAttrAccessibleWhenUnlocked: Only accessible when device is unlocked.
    – kSecAttrAccessibleAfterFirstUnlock: Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
    – kSecAttrAccessibleAlways: Always accessible.
    – kSecAttrAccessibleWhenUnlockedThisDeviceOnly: Only accessible when device is unlocked. Data is not migrated via backups.
    – kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
    – kSecAttrAccessibleAlwaysThisDeviceOnly: Always accessible. Data is not migrated via backups.
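Added example (not from the talk): a Python helper that rates keychain items from a dump by the accessibility attribute they were stored with, using exactly the distinctions in the table above, and that picks the tightest attribute an item can live with for the defense side. The dump records are constructed; the mapping from the short pdmn codes to the kSecAttrAccessible* constants is an assumption based on the protection-class codes iOS stores in keychain-2.db.

```python
"""Rate keychain items by accessibility class and pick the tightest class for new items."""

# pdmn protection-class codes -> Security.framework constants (assumed mapping)
PDMN = {
    "ak":  "kSecAttrAccessibleWhenUnlocked",
    "ck":  "kSecAttrAccessibleAfterFirstUnlock",
    "dk":  "kSecAttrAccessibleAlways",
    "aku": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    "cku": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    "dku": "kSecAttrAccessibleAlwaysThisDeviceOnly",
}

SEVERITY = {
    "kSecAttrAccessibleAlways": "high",            # readable before first unlock after boot
    "kSecAttrAccessibleAfterFirstUnlock": "medium",  # readable while locked once booted and unlocked once
    "kSecAttrAccessibleWhenUnlocked": "low",
}

# Constructed dump of one app's generic-password items (svce = service, acct = account)
DUMP = [
    {"svce": "com.example.bank", "acct": "session", "pdmn": "dk",  "data": "eyJhbGciOi..."},
    {"svce": "com.example.bank", "acct": "pin",     "pdmn": "aku", "data": "1234"},
    {"svce": "com.example.bank", "acct": "refresh", "pdmn": "ck",  "data": "r-abc"},
]


def assess(item):
    """Explain what an attacker with the device can do with one item."""
    name = PDMN.get(item["pdmn"], "unknown")
    base = name.replace("ThisDeviceOnly", "")
    severity = SEVERITY.get(base, "unknown")
    issues = []
    if severity == "high":
        issues.append("readable while locked, even before first unlock after boot")
    elif severity == "medium":
        issues.append("readable while locked once the device has been unlocked since boot")
    if name != "unknown" and not name.endswith("ThisDeviceOnly"):
        issues.append("migrates via backups, so it can be restored onto another device")
    return {"service": item["svce"], "account": item["acct"],
            "class": name, "severity": severity, "issues": issues}


def worst_per_service(items):
    """The single item per service that sets the bar for the app (what goes in the report)."""
    rank = {"low": 0, "medium": 1, "high": 2, "unknown": 3}
    worst = {}
    for f in map(assess, items):
        cur = worst.get(f["service"])
        if cur is None or rank[f["severity"]] > rank[cur["severity"]]:
            worst[f["service"]] = f
    return worst


def recommend(needs_background_access, must_migrate_to_new_device):
    """Defense: the tightest class that still satisfies the item's two functional needs."""
    base = ("kSecAttrAccessibleAfterFirstUnlock" if needs_background_access
            else "kSecAttrAccessibleWhenUnlocked")
    return base if must_migrate_to_new_device else base + "ThisDeviceOnly"


if __name__ == "__main__":
    for f in map(assess, DUMP):
        print(f"{f['service']}/{f['account']}: {f['class']} [{f['severity']}] {'; '.join(f['issues'])}")
    print("new session token should use:", recommend(False, False))
```

kSecAttrAccessibleAlways never comes out of recommend(): nothing an app legitimately needs requires an item to be readable before the first unlock after boot, and that is exactly the class a keychain dump on a jailbroken device reads most easily.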
  • 48. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 49. Network Communications • M3 - Insufficient Transport Layer Protection • Are network communications secure? • Encryption (or not) • Key Handling • Ciphers • Proxy Communication
  • 56. Network Communications • DEMO • Device: Jailbroken iPod Touch • Proxy: Burp Suite Pro • App: Casino
  • 57. Exploited Issues • Proxied Communications • Certificate Pinning • Web Service Vulnerabilities
  • 60. Network Communications • Defense – Good: Internal Certificate Authority – Better: External CA – Best: Certificate Pinning • continueWithoutCredentialForAuthenticationChallenge == BAD
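Added example (not from the talk): the pin computation and check behind "Best: Certificate Pinning", written in Python so it runs offline. It pins the SubjectPublicKeyInfo (the server key) rather than the whole leaf certificate, which is what lets a pin survive certificate renewal while still rejecting the certificate an intercepting proxy such as Burp presents. The certificates it builds are constructed: structurally valid DER with the real field order but a placeholder signature and a made-up key blob, so no crypto library is needed; extract_spki() works unchanged on a real certificate's DER.

```python
"""SPKI pinning: hash the server's SubjectPublicKeyInfo, compare to the shipped pin set."""
import base64
import hashlib

OID_RSA = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
OID_CN = bytes.fromhex("550403")                # 2.5.4.3 commonName


def _tlv(tag, body):
    """Encode one DER tag-length-value element (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def make_spki(key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }  (key bytes are constructed)."""
    alg = _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key_bytes))


def make_cert(serial, cn, key_bytes):
    """Constructed X.509 certificate: correct tbsCertificate field order, placeholder signature."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, b"160101000000Z"))
    sig_alg = _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))          # [0] EXPLICIT version v3
                     + _tlv(0x02, bytes([serial]))            # serialNumber
                     + sig_alg + name + validity + name       # signature, issuer, validity, subject
                     + make_spki(key_bytes))                  # subjectPublicKeyInfo
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 17))


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of a certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate
    _, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                              # version present, so serialNumber is next
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(4):                           # signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)), the form used by HPKP-style pin lists."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def leaf_pin(cert_der):
    """Hash of the whole certificate: breaks on every renewal, shown for contrast."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def accept_server(cert_der, pinned):
    """What the NSURLSession challenge handler should decide before trusting the server."""
    return spki_pin(cert_der) in pinned


if __name__ == "__main__":
    issued = make_cert(1, "api.example.com", b"A" * 32)
    renewed = make_cert(2, "api.example.com", b"A" * 32)    # same key, new certificate
    proxy = make_cert(3, "api.example.com", b"B" * 32)      # interception proxy's key
    pins = {spki_pin(issued)}
    print("renewed accepted:", accept_server(renewed, pins))
    print("proxy accepted:", accept_server(proxy, pins))
```

Ship at least one backup pin for the next key so a key rotation does not brick the app, and run the pin check in addition to, not instead of, the system trust evaluation.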
  • 61. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 63. Client Side Injection • M7 - Client Side Injection • Fuzzing all application inputs • Text Fields • URLSchemes • Stored Data (DBs, PLists, etc) • Multiple Types • XSS/HTML • XML/JSON • ...
  • 64. Injection • Text Field Injection – Manually intensive
  • 65. Client Side Injection • URLScheme Injection • Safari FTW! • Still manual • location bar • Fuzz URL values • Info.plist
  • 68. Client Side Injection • Demo - Injection with Swift.nV
  • 70. Client Side Injection • Defense • Input Validation • Don’t trust the user • Input Validation • Output Encoding • Input Validation
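Added example (not from the talk or from Swift.nV) covering both the URLScheme injection slide and the defense slide above: it pulls the custom schemes out of an Info.plist, generates the fuzz URLs you would paste into Safari's location bar, shows what the app's handler sees after percent-decoding, and then applies the input-validation rule the defense slide asks for. The Info.plist, the "swiftnv" scheme, the note/share actions and their parameters are assumptions for the demonstration, not Swift.nV's real scheme or handler.

```python
"""Custom URL scheme enumeration, fuzz-URL generation, and handler-side validation."""
import plistlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed Info.plist fragment (XML form); a real one is pulled from the .app directory.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.nvisium.swiftnv</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLName</key><string>com.nvisium.swiftnv</string>
    <key>CFBundleURLSchemes</key><array><string>swiftnv</string></array>
  </dict></array>
</dict></plist>"""

# One payload per injection type the slides list; extend per target.
PAYLOADS = [
    "<img src=x onerror=alert(1)>",   # HTML/JS if the value is rendered in a UIWebView
    "' OR '1'='1",                     # SQL if it is concatenated into a query
    "../../Library/Preferences/",      # traversal if it names a file in the container
    "%00",                             # terminator handling in C-backed APIs
    "A" * 2048,                        # length handling
]

# Defense: allowed actions (the URL host) and a strict pattern per parameter (assumed handler API).
ALLOWED = {
    "note":  {"id": r"[0-9]{1,10}"},
    "share": {"user": r"[a-z0-9_]{1,32}"},
}


def url_schemes(info_plist_bytes):
    """Every scheme the app registers; any of them is reachable from Safari or another app."""
    info = plistlib.loads(info_plist_bytes)
    return [s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])]


def fuzz_urls(scheme, action, params):
    """One URL per (parameter, payload) pair; other parameters get a benign filler."""
    urls = []
    for name in params:
        for payload in PAYLOADS:
            query = urlencode({**{p: "x" for p in params}, name: payload})
            urls.append(urlunsplit((scheme, action, "", query, "")))
    return urls


def handler_view(url):
    """What application(_:open:options:) sees once the query string is decoded."""
    parts = urlsplit(url)
    return parts.netloc, {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def validate(url):
    """Whitelist the action and fullmatch every parameter; anything else is dropped."""
    action, args = handler_view(url)
    rules = ALLOWED.get(action)
    if rules is None:
        return None
    for key, value in args.items():
        rule = rules.get(key)
        if rule is None or not re.fullmatch(rule, value):
            return None
    return action, args


if __name__ == "__main__":
    for scheme in url_schemes(INFO_PLIST):
        for u in fuzz_urls(scheme, "note", ["id"]):
            print(u[:80], "->", "accepted" if validate(u) else "rejected")
```

Open each generated URL on the device and watch the app (and the console) for crashes, rendered markup, or unexpected records; on the defense side the handler never touches a parameter that validate() has not returned.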
  • 72. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 75. Privacy • Revealing of PII • Location Information • Shoulder surfing • Physical Access • Background screenshots • Borrowed Phone attacks • Backups/Logs
  • 76. FRIENDS DON’T LET FRIENDS LEAVE THEIR PHONE BEHIND
  • 83. Logs
  • 88. Privacy - Defense • Mask mask mask • No NSLog in production apps • What is stored on the device is also stored in the backup
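Added example (not from the talk): a log scrubber for the "mask mask mask" and "no NSLog in production" advice above. Anything the app writes to the console or a crash reporter ends up in logs and backups, so whatever logging wrapper replaces NSLog should pass its message through something like this first. The log lines are constructed; the patterns (e-mail, Luhn-valid card numbers, bearer tokens and password= fields) are a starting set, not a complete PII catalogue.

```python
"""Redact PII and secrets from log lines before they reach the console or a crash reporter."""
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits with optional single space/dash separators, must start and end on a digit
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SECRET = re.compile(r"(?i)(bearer\s+|token=|password=)([^\s&\"']+)")


def luhn_ok(digits):
    """Luhn check so order numbers and timestamps are not masked as cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _mask_card(m):
    raw = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(raw):
        return m.group(0)
    return "*" * (len(raw) - 4) + raw[-4:]      # keep last four for support, nothing else


def _mask_email(m):
    local, _, domain = m.group(0).partition("@")
    return local[0] + "***@" + domain


def redact(line):
    """Secrets first (so a token is never partially matched as a card), then cards, then e-mail."""
    line = SECRET.sub(lambda m: m.group(1) + "[REDACTED]", line)
    line = CARD.sub(_mask_card, line)
    line = EMAIL.sub(_mask_email, line)
    return line


# Constructed sample log lines
SAMPLE = [
    "login user=alice@example.com password=hunter2",
    "charge card=4111 1111 1111 1111 amount=1999",
    "GET /api/me Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig",
    "order=1234567890123 status=shipped",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(redact(raw))
```

The masked output is still useful for debugging (which account, which card's last four) without being a copy of the credential; the better fix is still not to log the value at all.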
  • 90. Agenda • Tools • Application Anatomy • Data Storage • Network Communications • Client Side Injection • Privacy
  • 91. Other Mobile Concerns • Authentication • Authorization • Binary Protections • Cryptography • Unintended Functionality • Untrusted Input
  • 93. Thanks • Questions? • nVisibility Tape • Contact: • Seth Law • Email: seth@nvisium.com • Twitter: @sethlaw