Practical iOS App Attack and Defense – Seth Law © 2015
Practical iOS App Attack and
Defense
CodeMash 2.0.1.5
Introduction
• Seth Law
– Director of R&D @ nVisium
– Developer/Contributor to Swift.nV, SiRATool, RAFT, Grails.nV
– Hacker, AppSec Architect, Security Consultant
– Soccer Hooligan
Abusing Trust
Disclaimer
Hacking of App Store apps is not condoned or encouraged in any way. What you do on your own time is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this presentation for unsavory acts.
Agenda
• Tools
• Application Anatomy
• Data Storage
• Network Communications
• Client Side Injection
• Privacy
Requirements
• Xcode (developer.apple.com)
– Command-line tools
– xcode-select --install
– iOS Simulators
• Jailbroken iDevice (iPhone/iPad/iPod) *
– Cydia Tools
• Vulnerable App
– Swift.nV - https://github.com/nVisium/Swift.nV
* Only required to “test” apps from the App Store. **
Tools - idb
• idb - https://github.com/dmayer/idb
Tools - iFunBox
• https://www.i-funbox.com/ifunboxmac
Tools - Cydia Apps
• Cycript
• OpenSSH
• Erica Utilities
• Class Dump
• GNU Debugger
• network-cmds
• BigBoss Recommended Tools
Tools - Swift.nV
• INTENTIONALLY VULNERABLE
• Training Tool - Not for production use
Application Anatomy
• .app Directory
  – Folder with distributed binary and artifacts
  – iOS 8
    • AppStore Apps - /var/mobile/Containers/Bundle/Application/<APP GUID>/Application.app/
    • Pre-installed Apps - /Applications/Application.app/
  – iOS 7
    • AppStore Apps - /var/mobile/Applications/<APP GUID>/Application.app/
    • Pre-installed Apps - /Applications/Application.app/
Application Anatomy
• Info.plist
Application Anatomy
• Deployed Application Data Directories
  • iOS 8 - /var/mobile/Containers/Data/Application/<APP_GUID>/
  • iOS 7 - /var/mobile/Applications/<APP_GUID>/
  Documents/
  Library/
    Caches/
    Preferences/
    ...
  tmp/
Application Anatomy
• Library/…
• Other folders may exist for specific purposes
• Files not exposed to the user
• SyncedPreferences/ - iCloud NSUserDefaults
• Cookies/ - Persistent cookie values
• Application Support/ - Other App files
• FlurryFiles/ - iAd files
• tmp/
• Scratch space
• Can be cleared by iOS when App not running
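The directories above are the ones a reviewer pulls off a jailbroken device with idb or iFunBox, so what an app writes there should be protected before it lands on disk. The following is an added example, not code from the slides or from Swift.nV: it resolves each per-app directory through FileManager, writes a file with NSFileProtectionComplete and excludes it from backups, and audits a directory for files left at the default protection class. The file name "session.bin" is constructed for the example.

```swift
import Foundation

/// Resolve the per-app data directories listed on the slide from inside the app.
enum AppDirs {
    static let fm = FileManager.default

    static var documents: URL { fm.urls(for: .documentDirectory, in: .userDomainMask)[0] }
    static var library: URL { fm.urls(for: .libraryDirectory, in: .userDomainMask)[0] }
    static var caches: URL { fm.urls(for: .cachesDirectory, in: .userDomainMask)[0] }
    static var preferences: URL { library.appendingPathComponent("Preferences") }
    // Scratch space: iOS may purge it while the app is not running.
    static var tmp: URL { fm.temporaryDirectory }
}

/// Write `data` so it is only readable while the device is unlocked
/// (NSFileProtectionComplete) and is skipped by iTunes/iCloud backups.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    var target = url                      // setResourceValues is mutating
    try target.setResourceValues(values)
}

/// Review helper: map every file under `dir` to its protection class so files
/// still at NSFileProtectionNone stand out during an assessment.
func auditProtection(under dir: URL) -> [String: String] {
    var report: [String: String] = [:]
    guard let names = try? AppDirs.fm.contentsOfDirectory(atPath: dir.path) else { return report }
    for name in names {
        let path = dir.appendingPathComponent(name).path
        let attrs = (try? AppDirs.fm.attributesOfItem(atPath: path)) ?? [:]
        let cls = (attrs[.protectionKey] as? FileProtectionType)?.rawValue ?? "unknown"
        report[name] = cls
    }
    return report
}

// Constructed usage: a session token that must not survive in a backup.
// try writeProtected(Data("token".utf8), to: AppDirs.documents.appendingPathComponent("session.bin"))
// let report = auditProtection(under: AppDirs.documents)
```

Files in `Library/Caches/` and `tmp/` are already excluded from backups by iOS, which is why the helper targets `Documents/`; the protection class still matters there, since a cache written with NSFileProtectionNone is readable from a locked device.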
Data Storage
• M2 in OWASP Mobile Top 10
• Anything stored by the App on purpose
• Data at rest on a mobile device
• Majority of “mobile security” issues in the news.
• Relevant functionality
• Core Data
• NSUserDefaults
• Keychain
• Documents
• Cache
Attack!
Data Storage - Attack
Data Storage - Defense
• Databases – Defenses
• Encryption (SQLCipher)
• Rewrites crypto into database controller
• Don’t store sensitive data on the device.
• Weaknesses
• Key Storage
Data Storage - NSUserDefaults
• Property Lists - Code
Data Storage - Attack
• Property Lists
Data Storage - Attack
• Property Lists - idb
Data Storage - Defense
• Property List - Countermeasures
– Don’t store sensitive data using NSUserDefaults
– When ignoring rule #1, encrypt the data
– Use checksums or signatures to validate that data returned from NSUserDefaults is appropriate
– iOS Keychain
– For quick Keychain conversion, use a library
– https://github.com/matthewpalmer/Locksmith
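One way to implement the "checksums or signatures" countermeasure, as an added example that is not part of the slides or of the Locksmith library: each value written to NSUserDefaults is stored beside an HMAC-SHA256 tag bound to both the key name and the value, so an edited plist (the attack idb demonstrates) fails verification on read instead of being trusted. It uses CryptoKit (iOS 13+); the HMAC key is passed in so the example is self-contained, and in a real app it would be loaded from the Keychain, not from the plist it protects. This gives integrity only: a value that must stay confidential still belongs in the Keychain, per rule #1 above.

```swift
import Foundation
import CryptoKit

/// NSUserDefaults wrapper that refuses to return a value whose HMAC tag does not verify.
struct SignedDefaults {
    let defaults: UserDefaults
    let key: SymmetricKey          // keep this in the Keychain in a real app

    /// Authenticated message: key name, NUL separator, value bytes.
    /// Binding the name stops an attacker swapping one key's value into another.
    private func message(_ name: String, _ value: Data) -> Data {
        var msg = Data(name.utf8)
        msg.append(0)
        msg.append(value)
        return msg
    }

    func set(_ value: String, forKey name: String) {
        let payload = Data(value.utf8)
        let tag = HMAC<SHA256>.authenticationCode(for: message(name, payload), using: key)
        defaults.set(payload, forKey: name)
        defaults.set(Data(tag), forKey: name + ".hmac")
    }

    /// Returns nil when the value or tag is missing, or when the tag does not verify
    /// (isValidAuthenticationCode performs a constant-time comparison).
    func string(forKey name: String) -> String? {
        guard let payload = defaults.data(forKey: name),
              let tag = defaults.data(forKey: name + ".hmac"),
              HMAC<SHA256>.isValidAuthenticationCode(tag,
                                                     authenticating: message(name, payload),
                                                     using: key)
        else { return nil }
        return String(data: payload, encoding: .utf8)
    }
}

// Constructed usage; "isPremium" is an example key.
// let store = SignedDefaults(defaults: .standard, key: keyFromKeychain)
// store.set("false", forKey: "isPremium")
// let flag = store.string(forKey: "isPremium")   // nil once the plist has been edited
```

The caller must treat `nil` as "tampered or absent" and fall back to the safe default, otherwise the check is pointless.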
Data Storage - Defense
• Keychain
– Mac OS X/iOS Password Manager
– OS enforces security
– CAREFUL
• Keychain can be accessed by apps running on jailbroken devices.
• idb
– Don’t assume Keychain is secure.
– Know your Keychain Attributes.
– Layered Security
• The application will be used under the worst possible conditions, protect for THAT instance.
Data Storage - Defense
• Keychain Analysis – know your attributes
Attribute – Data is...
kSecAttrAccessibleWhenUnlocked – Only accessible when device is unlocked.
kSecAttrAccessibleAfterFirstUnlock – Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again.
kSecAttrAccessibleAlways – Always accessible.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly – Only accessible when device is unlocked. Data is not migrated via backups.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – Accessible while locked. But if the device is restarted it must first be unlocked for data to be accessible again. Data is not migrated via backups.
kSecAttrAccessibleAlwaysThisDeviceOnly – Always accessible. Data is not migrated via backups.
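"Know your Keychain attributes" in code, as an added example that is not from the slides or from Locksmith: a small SecItem wrapper that stores a secret under kSecAttrAccessibleWhenUnlockedThisDeviceOnly by default (the strictest row of the table above that most apps can live with), reads it back, and reports the accessibility attribute of a stored item so a review can flag anything weaker than policy, such as kSecAttrAccessibleAlways. The service and account names are constructed for the example.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

struct KeychainStore {
    let service: String

    private func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Store `secret`; the accessibility class is an explicit decision, not a default.
    func save(_ secret: Data, account: String,
              accessible: CFString = kSecAttrAccessibleWhenUnlockedThisDeviceOnly) throws {
        let query = baseQuery(account: account)
        SecItemDelete(query as CFDictionary)          // replace any previous item
        var attrs = query
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessible as String] = accessible
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    func load(account: String) throws -> Data {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &out)
        guard status == errSecSuccess, let data = out as? Data else {
            throw KeychainError.status(status)
        }
        return data
    }

    /// Review helper: which kSecAttrAccessible* class is the item actually stored under?
    func accessibility(account: String) throws -> String {
        var query = baseQuery(account: account)
        query[kSecReturnAttributes as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &out)
        guard status == errSecSuccess,
              let attrs = out as? [String: Any],
              let cls = attrs[kSecAttrAccessible as String] as? String else {
            throw KeychainError.status(status)
        }
        return cls
    }
}

// Constructed usage: a session token that should never leave this device.
// let store = KeychainStore(service: "com.example.app")
// try store.save(Data("token".utf8), account: "session")
// let cls = try store.accessibility(account: "session")   // compare against policy in a test
```

On a jailbroken device none of these classes stops a process running as the same user from dumping the item (the idb point above); the ThisDeviceOnly classes do stop it from travelling in a backup, and WhenUnlocked stops it from being read from a locked device.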
Network Communications
• M3 - Insufficient Transport Layer Protection
• Are network communications secure?
• Encryption (or not)
• Key Handling
• Ciphers
• Proxy Communication
CodeMash Scanner?
Become a Sponsor!
Network Communications
• LIVE DEMO
• Device: Jailbroken iPod Touch
• Proxy: Burp Suite Pro
• App: CodeMash Scanner
Volunteers?
Whoops
Network Communications
• Issues Exploited during demo
• Proxied Communications
• Do NOT require Jailbreak
• Corporations implement proxies all the time
• Accepting a proxy’s CA cert == full access to traffic
• Certificate Pinning
• App doesn’t ensure traffic isn’t being messed with.
• Can be defeated with jailbroken device
• Web Service Vulnerabilities
• Missing Function Level Access Control
• Insecure Direct Object Reference
Network Communications
• Defense
– Good: Use an Internal Certificate Authority and create certificates for all environments.
– Better: Buy actual certificates for all environments
– Best: Pin the Certificate within the application to public certificate or CA.
continueWithoutCredentialForAuthenticationChallenge == BAD
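The "Best" option implemented in a URLSession delegate, as an added example that is not from the slides or from the CodeMash Scanner app. `continueWithoutCredentialForAuthenticationChallenge` is the NSURLConnection-era API; the equivalent mistake in a URLSession delegate is handing `URLCredential(trust:)` back for every server-trust challenge without evaluating the trust. The delegate below runs the normal chain evaluation first, then requires that one certificate in the presented chain matches a DER certificate bundled with the app, and cancels the challenge otherwise. The bundle file name "server.der" is an assumption for the example.

```swift
import Foundation
import Security

/// URLSessionDelegate that pins the server to a bundled DER certificate.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedCerts: Set<Data>

    init(pinnedCerts: Set<Data>) { self.pinnedCerts = pinnedCerts }

    /// Load the pinned certificate shipped in the app bundle (file name constructed).
    static func fromBundle() -> PinningDelegate? {
        guard let url = Bundle.main.url(forResource: "server", withExtension: "der"),
              let der = try? Data(contentsOf: url) else { return nil }
        return PinningDelegate(pinnedCerts: [der])
    }

    /// Pure decision function so it can be unit-tested with a SecTrust built from test certs.
    func shouldTrust(_ trust: SecTrust) -> Bool {
        // 1. Standard validation: hostname, validity period, trusted root.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else { return false }
        // 2. Pin: some certificate in the chain must byte-match a pinned one.
        for i in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, i) else { continue }
            if pinnedCerts.contains(SecCertificateCopyData(cert) as Data) { return true }
        }
        return false
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a TLS challenge
            return
        }
        if shouldTrust(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Never fall through to accepting the connection here: cancel it.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Constructed usage:
// let session = URLSession(configuration: .default, delegate: PinningDelegate.fromBundle(), delegateQueue: nil)
```

Pinning the leaf certificate means the app must ship an update before the certificate rotates; pinning the issuing CA's certificate (the "or CA" on the slide) trades that for a slightly larger trust set. Either way, as the demo slide notes, a jailbroken device can still defeat the check at runtime, so pinning raises the bar for network-position attackers, not for the device owner.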
Client Side Injection
• M7 - Client Side Injection
• Fuzzing all application inputs
• Text Fields
• URLSchemes
• Stored Data (DBs, PLists, etc)
• Multiple Types
• XSS/HTML
• XML/JSON
• ...
Injection
• Text Field Injection
–Manually intensive
Client Side Injection
• URLScheme Injection
• Safari FTW!
• Still manual
• location bar
• Fuzz URL values
• Info.plist
Client Side Injection
• Demo - Injection with Swift.nV
Client Side Injection
• Defense
• Input Validation
• Don’t trust the user
• Input Validation
• Output Encoding
• Input Validation
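"Input Validation" and "Output Encoding" applied to the URL scheme entry point discussed above, as an added example that is not from the slides or from Swift.nV. The parser allow-lists the scheme, the action and every query parameter (an unknown parameter is an error, not something to strip), and the encoder is what an untrusted string goes through before it is interpolated into HTML handed to a web view. The scheme name "swiftnv", the "open" action and the "item" parameter are constructed for the example.

```swift
import Foundation

enum SchemeError: Error, Equatable { case badScheme, badAction, badParameter(String) }

struct SchemeRequest: Equatable {
    let action: String
    let itemID: Int
}

/// Validate `swiftnv://open?item=42`. Reject anything outside the allow-list.
func parseSchemeURL(_ url: URL) throws -> SchemeRequest {
    guard url.scheme?.lowercased() == "swiftnv" else { throw SchemeError.badScheme }
    let allowedActions: Set<String> = ["open"]
    guard let action = url.host, allowedActions.contains(action) else { throw SchemeError.badAction }

    let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []
    var itemID: Int?
    for q in items {
        switch q.name {
        case "item":
            // Bounded length, ASCII digits only, positive: no sign, spaces or Unicode digits.
            guard let v = q.value, !v.isEmpty, v.count <= 9,
                  v.allSatisfy({ $0.isASCII && $0.isNumber }),
                  let n = Int(v), n > 0 else { throw SchemeError.badParameter("item") }
            itemID = n
        default:
            throw SchemeError.badParameter(q.name)   // unknown keys are not ignored
        }
    }
    guard let id = itemID else { throw SchemeError.badParameter("item") }
    return SchemeRequest(action: action, itemID: id)
}

/// Output encoding for an HTML text context.
func htmlEscape(_ s: String) -> String {
    var out = ""
    out.reserveCapacity(s.count)
    for c in s {
        switch c {
        case "&":  out += "&amp;"
        case "<":  out += "&lt;"
        case ">":  out += "&gt;"
        case "\"": out += "&quot;"
        case "'":  out += "&#39;"
        default:   out.append(c)
        }
    }
    return out
}

/// The markup a view controller would pass to WKWebView.loadHTMLString.
/// Without htmlEscape, a display name containing "<script>" becomes script in the app's web view.
func greetingHTML(displayName: String) -> String {
    "<p>Hello, \(htmlEscape(displayName))</p>"
}

// Constructed usage, e.g. from application(_:open:options:):
// let request = try parseSchemeURL(URL(string: "swiftnv://open?item=42")!)
// webView.loadHTMLString(greetingHTML(displayName: untrustedName), baseURL: nil)
```

The slide's "Fuzz URL values" from Safari's location bar is exactly the test to run against `parseSchemeURL`: every rejected input should surface as a thrown error, never as a crash or a partially applied action.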
Privacy
• Revealing of PII
• Location Information
• Shoulder surfing
• Physical Access
• Background screenshots
• Borrowed Phone attacks
• Backups/Logs
FRIENDS DON’T LET FRIENDS LEAVE THEIR PHONE BEHIND
Background Screenshots
Logs
iOS Backup Analyzer
Privacy - Defense
• Mask mask mask
• No NSLog in production apps
• What is stored on the device is also stored in the backup
Other Mobile Concerns
• Authentication
• Authorization
• Binary Protections
• Cryptography
• Unintended Functionality
• Untrusted Input
Conclusion
Security is hard.
Try harder.
Thanks
• Questions?
• Contact:
• Seth Law
• Email: seth@nvisium.com
• Twitter: @sethlaw
