Mobile apps are a fixture in today's digital world. With the release of Apple's new Swift language, the barrier to entry to create iOS apps has been lowered and may increase the number of offerings in the App Store. Learn how to find vulnerabilities in today's apps, attack and manipulate them, and finally fix the issue. Explore common mobile vulnerabilities hands-on (or just follow along) through the new open-source, intentionally vulnerable Swift iOS application, Swift.nV (https://github.com/nVisium/Swift.nV).
Talk given @ CodeMash 2015 by Seth Law
6. Disclaimer
Hacking of App Store apps is not condoned or encouraged in any way. What you do on your own time is your responsibility. @sethlaw & nVisium take no responsibility if you use knowledge shared in this presentation for unsavory acts.
24. Application Anatomy
• Library/…
• Other folders may exist for specific purposes
• Files not exposed to the user
• SyncedPreferences/ - iCloud NSUserDefaults
• Cookies/ - Persistent cookie values
• Application Support/ - Other App files
• FlurryFiles/ - Flurry analytics SDK files (third-party, not iAd)
• tmp/
• Scratch space
• Can be cleared by iOS when App not running
27. Data Storage
• M2 in OWASP Mobile Top 10
• Anything stored by the App on purpose
• Data at rest on a mobile device
• Majority of “mobile security” issues in the news.
• Relevant functionality
• Core Data
• NSUserDefaults
• Keychain
• Documents
• Cache
43. Data Storage - Defense
• Property List - Countermeasures
– Don’t store sensitive data using NSUserDefaults (it is written in plaintext to a .plist under Library/Preferences/)
– When ignoring rule #1, encrypt the data
– Use signatures or a keyed MAC to validate that data returned from NSUserDefaults has not been tampered with (an unkeyed checksum is no protection: whoever can edit the plist can recompute it)
– Use the iOS Keychain instead
– For a quick Keychain conversion, use a library such as Locksmith
– https://github.com/matthewpalmer/Locksmith
44. Data Storage - Defense
• Keychain
– Mac OS X/iOS password manager
– Access control is enforced by the OS
– CAREFUL
• The Keychain can be dumped by tools running on a jailbroken device (e.g. idb).
– Don’t assume the Keychain is secure.
– Know your Keychain attributes.
– Layered security
• The application will be used under the worst possible conditions; protect for THAT instance.
45. Data Storage - Defense
• Keychain Analysis – know your attributes
Attribute                                          Data is...
kSecAttrAccessibleWhenUnlocked                     Only accessible when the device is unlocked.
kSecAttrAccessibleAfterFirstUnlock                 Accessible while locked, but after a restart the device must first be unlocked before the data is accessible again.
kSecAttrAccessibleAlways                           Always accessible.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly       Only accessible when the device is unlocked. Not migrated via backups.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly   Accessible while locked, but after a restart the device must first be unlocked before the data is accessible again. Not migrated via backups.
kSecAttrAccessibleAlwaysThisDeviceOnly             Always accessible. Not migrated via backups.
Pick the most restrictive attribute the feature can live with; ThisDeviceOnly keeps the item out of iTunes/iCloud backups, so it cannot be restored onto another device. (Note: the two kSecAttrAccessibleAlways variants were deprecated by Apple in iOS 12.)
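The countermeasures from slides 43 to 45 in working code. This is an added example written for this write-up, not code from Swift.nV or from the Locksmith library the talk recommends; it calls the Security framework and CryptoKit directly, so it needs current Swift on iOS 13 or later rather than the 2015 toolchain of the talk. The service and account names are placeholders. The secret itself goes into the Keychain under kSecAttrAccessibleWhenUnlockedThisDeviceOnly; anything that must remain in NSUserDefaults is stored next to an HMAC-SHA256 tag whose key lives in the Keychain, so an edited plist is rejected on read.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not part of Swift.nV. Service/account strings are placeholders.

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case itemNotFound
}

struct KeychainStore {
    let service: String   // assumed: the app's bundle identifier

    /// Stores `secret`, replacing any existing item for `account`.
    /// WhenUnlockedThisDeviceOnly: unreadable while the device is locked and
    /// never migrated to another device through a backup.
    func save(_ secret: Data, account: String) throws {
        let base: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(base as CFDictionary)   // avoid errSecDuplicateItem on re-save
        var attrs = base
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func load(account: String) throws -> Data {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status != errSecItemNotFound else { throw KeychainError.itemNotFound }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return data
    }
}

/// NSUserDefaults with integrity protection. The value and its HMAC-SHA256
/// tag are written side by side; the MAC key lives in the Keychain, not in
/// the plist, so an attacker editing Library/Preferences/<bundle>.plist
/// cannot recompute a valid tag.
struct SignedDefaults {
    let defaults = UserDefaults.standard
    let keychain: KeychainStore
    static let keyAccount = "defaults-hmac-key"   // placeholder name

    private func macKey() throws -> SymmetricKey {
        do {
            return SymmetricKey(data: try keychain.load(account: Self.keyAccount))
        } catch KeychainError.itemNotFound {
            // First run: generate a 256-bit key and persist it in the Keychain.
            let key = SymmetricKey(size: .bits256)
            try keychain.save(key.withUnsafeBytes { Data($0) }, account: Self.keyAccount)
            return key
        }
    }

    func set(_ value: String, forKey key: String) throws {
        let data = Data(value.utf8)
        let tag = HMAC<SHA256>.authenticationCode(for: data, using: try macKey())
        defaults.set(data, forKey: key)
        defaults.set(Data(tag), forKey: key + ".hmac")
    }

    /// Returns nil when the value is missing OR its tag does not verify, so a
    /// flag such as "isAdmin" flipped with a plist editor is simply not trusted.
    func string(forKey key: String) throws -> String? {
        guard let data = defaults.data(forKey: key),
              let tag = defaults.data(forKey: key + ".hmac"),
              HMAC<SHA256>.isValidAuthenticationCode(tag, authenticating: data, using: try macKey())
        else { return nil }
        return String(decoding: data, as: UTF8.self)
    }
}

// Usage (placeholder identifiers):
// let store = KeychainStore(service: "com.example.swiftnv")
// try store.save(Data("session-token".utf8), account: "session")
// let signed = SignedDefaults(keychain: store)
// try signed.set("false", forKey: "isAdmin")
// let isAdmin = try signed.string(forKey: "isAdmin")   // nil if the plist was edited
```

The HMAC only detects tampering; it does not hide the value, which is why the slides still say to encrypt anything sensitive that stays in NSUserDefaults and, preferably, to move it to the Keychain altogether. On a jailbroken device the Keychain itself can be dumped, as slide 44 warns, so the accessibility attribute limits exposure rather than eliminating it.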
56. Network Communications
• Issues exploited during the demo
• Proxied communications
– Do NOT require a jailbreak
– Corporations deploy intercepting proxies all the time
– Once the device trusts a proxy’s CA cert, the proxy has full access to the traffic
• Certificate pinning
– Without it, the app does not ensure its traffic isn’t being tampered with
– Can be defeated on a jailbroken device (runtime hooking of the trust-evaluation code)
• Web service vulnerabilities
– Missing function level access control
– Insecure direct object reference
59. Network Communications
• Defense
– Good: Use an internal Certificate Authority and create certificates for all environments.
– Better: Buy real certificates for all environments.
– Best: Pin the certificate within the application, either to the server’s public certificate or to the issuing CA.
continueWithoutCredentialForAuthenticationChallenge == BAD
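The "Best" option above, as an added example written for this write-up and not code from Swift.nV: a URLSession delegate that runs the normal chain and hostname validation first and then requires the leaf certificate's DER SHA-256 to match a value compiled into the app, shown next to the accept-everything pattern the slides warn about. The host name and pin value are placeholders, and SecTrustCopyCertificateChain needs iOS 15 or later (on older targets SecTrustGetCertificateAtIndex does the same job).

```swift
import Foundation
import Security
import CryptoKit

// Added example, not part of Swift.nV. Compute a real pin for your host with:
//   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
//     | openssl x509 -outform der | openssl dgst -sha256

/// Parses a hex digest (as printed by `openssl dgst`) into bytes.
func hexToData(_ hex: String) -> Data? {
    let chars = Array(hex.filter { !$0.isWhitespace && $0 != ":" })
    guard chars.count % 2 == 0 else { return nil }
    var bytes = [UInt8]()
    for i in stride(from: 0, to: chars.count, by: 2) {
        guard let byte = UInt8(String(chars[i...i + 1]), radix: 16) else { return nil }
        bytes.append(byte)
    }
    return Data(bytes)
}

/// The pattern the slides warn about: every server trust is accepted without
/// evaluation, so a proxy whose CA the device trusts (or a self-signed cert)
/// reads and modifies everything.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // no checks at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// Pinned: OS validation (chain, expiry, hostname) first, then the leaf
/// certificate must be exactly the one shipped with the app.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    let host: String
    let pinnedLeafSHA256: Data

    init(host: String, pinnedLeafSHA256: Data) {
        self.host = host
        self.pinnedLeafSHA256 = pinnedLeafSHA256
        super.init()
    }

    static func leafDigest(of trust: SecTrust) -> Data? {
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { return nil }
        return Data(SHA256.hash(data: SecCertificateCopyData(leaf) as Data))
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a TLS server-trust challenge
            return
        }
        var error: CFError?
        guard space.host == host,
              SecTrustEvaluateWithError(trust, &error),
              Self.leafDigest(of: trust) == pinnedLeafSHA256 else {
            // Fail closed: never fall back to "continue anyway".
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Builds a session whose every connection to the pinned host is checked.
func pinnedSession() -> URLSession {
    // Placeholder pin: 32 zero bytes. Replace with the real leaf digest.
    let pin = hexToData(String(repeating: "00", count: 32))!
    let delegate = PinnedDelegate(host: "api.example.com", pinnedLeafSHA256: pin)
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

Pinning to the leaf certificate means the app must ship an update before the certificate is rotated; pinning to the issuing CA (the other option the slide lists) trades that operational cost for a larger trust surface. Either way, this only raises the bar on an unmodified device: on a jailbroken device the delegate method can be hooked at runtime, which is the bypass slide 56 refers to.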