iOS Application Security Testing
© Blueinfy Solutions
iOS Attacks
Insecure Data Storage
Insecure Storage
• Why an application needs to store data
– Ease of use for the user
– Popularity
– Competition
– Activity with a single click
– Decreased transaction time
– Post/Get information to/from social sites
• 9 out of 10 applications have this vulnerability
Insecure Storage
• How an attacker can gain access
– Wi-Fi
– Default password after jailbreaking (alpine)
– Physical theft
– Temporary access to the device
Insecure Storage
• What information we usually find
– Authentication credentials
– Authorization tokens
– Financial statements
– Credit card numbers
– Owner's information: physical address, name, phone number
– Social site profiles/habits
– SQL queries
System Information (Detail: Location)
Applications: /var/stash/Applications
Etc: /private/etc
Var: /private/var
User: /var/mobile
Provisioning Profile: /var/mobileDevice/ProvisioningProfiles
Logs: /var/log, /var/logs, /var/mobile/Library/Logs
Network Settings: /var/preferences/SystemConfiguration/com.apple.network.identification.plist
Wifi Settings: /var/preferences/SystemConfiguration/com.apple.wifi.plist, /var/preferences/SystemConfiguration/preferences.plist
Apple ID, Owner information and Firmware Information: /root/Library/Lockdown/data_ark.plist
Keychain: /var/Keychains
KeyBoard Cache: /User/Library/Keyboard/dynamic-text.dat
Tmp: /private/var/tmp
Application Information (Detail: Location)
Address Book: /var/mobile/Library/AddressBook/AddressBook.sqlitedb, /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
Last searched Google Maps: /var/mobile/Library/Caches/MapTiles/MapTiles.sqlitedb
Google Maps history information: /var/mobile/Library/Maps/History.plist, /var/mobile/Library/Maps/Directions.plist
Calendar: /var/mobile/Library/Calendar/Calendar.sqlitedb
Data under Notes application: /var/mobile/Library/Notes/notes.sqlite
Configuration files for applications: /var/mobile/Library/Preferences
Photos: /var/mobile/Media/DCIM/
Application pictures taken when the HOME button is pressed (each application has its own directory; default applications): /User/Library/Caches/Snapshots
Default Services Information (Detail: Location)
Call History (odd number is for outgoing calls, even number is for incoming calls): /var/mobile/Library/Callhistory/call_history.db
SMS (odd number is for outgoing, even number is for incoming): /var/mobile/Library/SMS/sms.db
Voicemail: /var/mobile/Library/Voicemail/voicemail.db
Voicemail recordings: /var/mobile/Library/Voicemail/
System-provided applications, ringtones and wallpapers: /var/stash
Call History: /var/wireless/Library/CallHistory
Call Log: /var/wireless/Library/logs
Call Preferences: /var/wireless/Library/Preferences
User Installed Application (Detail: Location)
Installed Applications: /User/Applications or /private/var/mobile/Applications
Application directory (binary, supporting files): /User/Applications/<app GUID>/<appname.app> or /private/var/mobile/Applications/<app GUID>/<appname.app>
Application documents, i.e. images, PDF, text files: /User/Applications/<app GUID>/Documents
Application cookies: /User/Applications/<app GUID>/Library/Cookies/Cookies.binarycookies
Application preferences (plist files): /User/Applications/<app GUID>/Library/Preferences
Application temporary storage: /User/Applications/<app GUID>/tmp
Application crash reports: /User/Library/Logs/CrashReporter
Application screens captured when the HOME button is pressed: /User/Applications/<app GUID>/Library/Caches/Snapshots
Browser Information (Detail: Location)
Browser cookies: /var/mobile/Library/Cookies/Cookies.binarycookies
Browser favorites (bookmarks): /var/mobile/Library/Safari/Bookmarks.db
Browser history: /var/mobile/Library/Safari/History.plist
Browser settings: /var/mobile/Library/Preferences/com.apple.mobilesafari.plist
Browser cache: /User/Library/Caches/com.apple.WebAppCache/ApplicationCache.db
Insecure Data Storage
• Access the file system – CyberDuck
• Plist files – Xcode/plist Editor
• Keychain file (hardware-bound encryption) – KeyChain Dumper
• Information in DB files – SQLite Browser
• Logs with queries – SQLite Browser
Hands On – Look for sensitive information in the DVDs4Less application
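The hands-on exercise comes down to sweeping the sandbox paths from the preceding tables (Library/Preferences plists, Documents, SQLite files) for plaintext credentials, client-side authorization flags and card numbers. The following Python script is an added example written for this page; it is not Blueinfy's tooling and not part of the DVDs4Less exercise. It walks a copy of an application container pulled off the device, decodes every .plist with plistlib, opens every SQLite file read-only, and reports keys and columns whose names suggest secrets (password, token, isAdmin, ...) together with values that look like card numbers (Luhn-valid runs of 13 to 19 digits). The sandbox it scans is constructed inline by build_sample_sandbox() with made-up file names and values, and the key-name regex is an assumed heuristic that a reviewer tunes per application.

```python
"""Audit a copy of an iOS application container for plaintext secrets in plist and SQLite files."""
import os
import re
import sqlite3
import plistlib
import tempfile

# Assumed heuristic: key/column names that usually carry credentials or client-side authorization state.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|session|auth|api[_-]?key|is_?admin|role)", re.I)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn check over a string of decimal digits (used to cut false positives on digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text):
    """Luhn-valid 13 to 19 digit runs in text, separators removed."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def walk_plist(obj, path, origin, findings):
    """Recurse through a decoded plist, recording sensitive keys and card-like strings."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            key_path = "%s/%s" % (path, k)
            if SENSITIVE_KEY.search(str(k)) and isinstance(v, (str, bool, int)):
                findings.append((origin, key_path, repr(v)))
            walk_plist(v, key_path, origin, findings)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            walk_plist(v, "%s[%d]" % (path, i), origin, findings)
    elif isinstance(obj, str):
        for card in card_numbers(obj):
            findings.append((origin, path, "card-like " + card))


def scan_sqlite(db_path, origin, findings):
    """Open a SQLite file read-only and scan every text column of every table."""
    quote = lambda ident: '"' + ident.replace('"', '""') + '"'
    conn = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute("PRAGMA table_info(%s)" % quote(table))]
            for row in conn.execute("SELECT * FROM %s" % quote(table)):
                for col, val in zip(cols, row):
                    if not isinstance(val, str):
                        continue
                    where = "%s.%s" % (table, col)
                    if SENSITIVE_KEY.search(col):
                        findings.append((origin, where, repr(val)))
                    for card in card_numbers(val):
                        findings.append((origin, where, "card-like " + card))
    finally:
        conn.close()


def audit(root):
    """Return (relative file path, location inside the file, value) for every finding under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.endswith(".plist"):
                try:
                    with open(full, "rb") as f:
                        walk_plist(plistlib.load(f), "", rel, findings)
                except Exception:          # not a readable plist; keep going
                    continue
            elif name.endswith((".db", ".sqlite", ".sqlitedb")):
                try:
                    scan_sqlite(full, rel, findings)
                except sqlite3.DatabaseError:
                    continue
    return findings


def build_sample_sandbox():
    """Constructed container mirroring the slide's layout; values are made up, not from a real app."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "isAdmin": True, "theme": "dark"}, f)
    conn = sqlite3.connect(os.path.join(docs, "orders.sqlite"))
    conn.execute("CREATE TABLE orders (id INTEGER, card TEXT, note TEXT)")
    conn.execute("INSERT INTO orders VALUES (1, '4111 1111 1111 1111', 'gift')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for origin, where, value in audit(build_sample_sandbox()):
        print("%-45s %-20s %s" % (origin, where, value))
```

Point audit() at the Documents/ and Library/Preferences/ tree copied from the device with CyberDuck; each finding names the file, the key path or table column, and the plaintext value. For an application that keeps credentials in the Keychain and makes authorization decisions on the server, an empty report for those two directories is the expected result.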
Implementation
Local file access
Insufficient Transport Layer Protection
Insecure Network Channel
• Important to encrypt data in transit
• Easy to perform MitM attacks, as mobile devices use untrusted networks, i.e. open/public Wi-Fi, hotspots, the carrier's network
• Application deals with sensitive data, i.e.
– Authentication credentials
– Authorization tokens
– PII (privacy violation): owner name, phone number, UDID
Insecure Network Channel
• Can sniff the traffic to get access to sensitive data
• SSL is the best way to secure the communication channel
• Common issues
– Does not deprecate HTTP requests
– Allowing invalid certificates
– Sensitive information in GET requests
UI Impersonation/Spoofing
Activity Monitoring
Monitoring
• Default OS behaviour since iOS 4.0 is to cache all URL requests/responses in local storage, in a file named Cache.db
• The cached requests/responses include the login request with username and password
• The Cache.db file is not encrypted
Hands On – Locate the Cache.db file in the DVDs4Less application and view the request/response
Malicious Monitoring
• A few services are shared between all applications
• A malicious user can write an application to monitor these services, including a clipboard monitor
Sensitive Data Retrieval
PII Information Leakage
• Applications usually have access to the user's private information, i.e. owner name, location, physical address, AppID, phone number
• This information needs to be handled very carefully, as required by law in some countries
• Storing this information in plain text is not allowed in some countries
Client Side Injection
SQL Injection in Local Database
• Most mobile platforms use SQLite as the database for storing information on the device
• Using any SQLite database browser, it is possible to access database logs, which hold queries and other sensitive database information
• If the application is not filtering input, SQL injection on the local database is possible
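To make the last bullet concrete, here is an added Python example (written for this page, not code from the slides or from any iOS application) showing a local SQLite query built by string concatenation next to the same query using parameter binding, both fed the same input. The table, its rows and the crafted input are constructed for the demonstration; an Objective-C app makes the same choice between formatting the SQL text and using sqlite3_prepare_v2 with the sqlite3_bind_* functions of the C API it links against.

```python
"""Local SQLite query: string concatenation (vulnerable) versus parameter binding (hardened)."""
import sqlite3


def make_db():
    """Constructed on-device store: two users' private notes (made-up data, not from a real app)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                     [("alice", "grocery list"), ("bob", "card PIN reminder")])
    return conn


def notes_vulnerable(conn, owner):
    """Untrusted input is spliced into the statement text, so the input can change the query's logic."""
    sql = "SELECT body FROM notes WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def notes_safe(conn, owner):
    """Parameter binding: SQLite receives the statement and the value separately; the value is data only."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def demo():
    """Run both versions against the same store with a normal value and with a crafted one."""
    conn = make_db()
    crafted = "alice' OR '1'='1"      # the classic test input; it only matters if it reaches the SQL text
    return {
        "normal": notes_safe(conn, "alice"),
        "vulnerable": notes_vulnerable(conn, crafted),   # returns every user's notes
        "safe": notes_safe(conn, crafted),               # no owner has that literal name: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-10s %r" % (label, rows))
```

The bound version also keeps the statement text constant, so the query log a reviewer finds with SQLite Browser (the second bullet) holds no user-supplied fragments.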
Poor Authorization and Authentication
Authorization & Authentication
• No password complexity, especially on mobile
• Hidden/no logout button
• Long session timeout
• No account lockout
• Authorization flags, or authorization decisions, based on local storage
Improper Session Handling
Improper Session
• The session is key for authorization in any application
• Application sends sensitive information in GET requests (be it over HTTP or HTTPS)
• GET requests are logged at multiple places
• Ends up giving away the session to a privileged user with malicious intent
Session Cookie
• HTTP is a stateless protocol
• Application leverages a session cookie to maintain state for the user
• Session cookies are stored in binary format on iOS
• The file structure is public information
• A Python script has been written to uncover the cookies (http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py)
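As an added example for this page (it is neither BinaryCookieReader.py nor Blueinfy's code), the following Python parser reads the Cookies.binarycookies layout the slide refers to: a "cook" magic, a big-endian page count and page sizes, then pages holding little-endian cookie records with flags, string offsets and Mac-epoch expiry dates. It builds a small constructed file of its own so it runs without a device, and it flags cookies whose names suggest a session identifier but which were set without Secure and HttpOnly, the two attributes a reviewer checks once the cookie store is known to be readable off the device. The name hints are an assumption to adapt per application.

```python
"""Parse the iOS/Safari Cookies.binarycookies format and flag session cookies set without Secure/HttpOnly."""
import struct
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200        # seconds from 1970-01-01 to 2001-01-01, Apple's reference date
FLAG_SECURE, FLAG_HTTPONLY = 0x1, 0x4


def _cstring(buf, off):
    """NUL-terminated UTF-8 string starting at offset off of buf."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def parse_binarycookies(data):
    """Return one dict per cookie stored in a binarycookies blob."""
    if data[:4] != b"cook":
        raise ValueError("missing 'cook' magic")
    (num_pages,) = struct.unpack_from(">I", data, 4)             # file header is big-endian
    page_sizes = struct.unpack_from(">%dI" % num_pages, data, 8)
    pos, cookies = 8 + 4 * num_pages, []
    for size in page_sizes:
        page = data[pos:pos + size]
        pos += size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header")
        (count,) = struct.unpack_from("<I", page, 4)              # page contents are little-endian
        for off in struct.unpack_from("<%dI" % count, page, 8):
            rec_size, _, flags, _, url_o, name_o, path_o, value_o = struct.unpack_from("<8I", page, off)
            expires_mac, created_mac = struct.unpack_from("<dd", page, off + 40)  # after 8-byte end marker
            rec = page[off:off + rec_size]                        # string offsets are relative to the record
            cookies.append({
                "url": _cstring(rec, url_o), "name": _cstring(rec, name_o),
                "path": _cstring(rec, path_o), "value": _cstring(rec, value_o),
                "secure": bool(flags & FLAG_SECURE), "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": datetime.fromtimestamp(expires_mac + MAC_EPOCH_OFFSET, timezone.utc),
                "created": datetime.fromtimestamp(created_mac + MAC_EPOCH_OFFSET, timezone.utc),
            })
    return cookies


def weak_session_cookies(cookies, name_hints=("session", "sid", "token", "auth")):
    """Cookies that look like session identifiers but lack Secure or HttpOnly (hints are an assumption)."""
    return [c for c in cookies
            if any(h in c["name"].lower() for h in name_hints) and not (c["secure"] and c["httponly"])]


def build_binarycookies(cookies):
    """Constructed writer for test data; mirrors the single-page layout parse_binarycookies reads."""
    recs = []
    for c in cookies:
        fields = [c["url"], c["name"], c["path"], c["value"]]
        offsets, cur = [], 56                                     # 8 ints + 8-byte marker + 2 doubles
        for s in fields:
            offsets.append(cur)
            cur += len(s.encode()) + 1
        strings = b"".join(s.encode() + b"\x00" for s in fields)
        flags = (FLAG_SECURE if c.get("secure") else 0) | (FLAG_HTTPONLY if c.get("httponly") else 0)
        recs.append(struct.pack("<8I", 56 + len(strings), 0, flags, 0, *offsets)
                    + b"\x00" * 8 + struct.pack("<dd", c["expires_mac"], 0.0) + strings)
    rec_offsets, cur = [], 12 + 4 * len(recs)                     # page header, count, offsets, footer
    for r in recs:
        rec_offsets.append(cur)
        cur += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(recs))
            + struct.pack("<%dI" % len(recs), *rec_offsets) + b"\x00" * 4 + b"".join(recs))
    return b"cook" + struct.pack(">II", 1, len(page)) + page


if __name__ == "__main__":
    sample = build_binarycookies([
        {"url": ".example.com", "name": "JSESSIONID", "path": "/", "value": "abc123",
         "secure": False, "httponly": True, "expires_mac": 400000000.0},
    ])
    for c in weak_session_cookies(parse_binarycookies(sample)):
        print("weak session cookie %s for %s (secure=%s httponly=%s)" % (c["name"], c["url"], c["secure"], c["httponly"]))
```

Run parse_binarycookies() on the Cookies.binarycookies pulled from Library/Cookies of the application container; weak_session_cookies() then lists the identifiers that would also travel over plain HTTP or be exposed to script, which ties this slide back to the transport-layer issues earlier in the deck.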
Security Decisions Via Untrusted Inputs
Untrusted Source
• Any input from the client side which can be modified
• Mainly authentication and authorization decisions based on untrusted input
• Easiest way for a developer to solve complex issues/functionality
• Attacker can get this information either by reverse engineering the application or by checking local storage
KeyChain Dumper (Old Way)
• Upload Keychain Dumper to "/private/var"
• Dump all of the entitlements necessary to access the entries in your target's keychain:
  ./keychain_dumper -e > /var/tmp/entitlements.xml
• Sign the obtained entitlements into keychain_dumper:
  ldid -S/var/tmp/entitlements.xml keychain_dumper
• Get all the keys:
  ./keychain_dumper
KeyChain Dumper – DON'T
• Do not change the path (the tool does not do its job well otherwise)
• Set proper permissions
– keychain_dumper – executable permission
– keychain-2.db – read permission
• Files need to be deleted before running it again
KeyChain Dumper – Easy Way
• Shell script
# run from /private/var, where keychain_dumper was uploaded
chmod +x /private/var/keychain_dumper
chmod +r /private/var/Keychains/keychain-2.db
./keychain_dumper -e > /var/tmp/entitlements.xml
ldid -S/var/tmp/entitlements.xml keychain_dumper
./keychain_dumper > /tmp/keys.txt
• Shell script to clean up
rm -f /private/var/keychain_dumper
rm -f /var/tmp/entitlements.xml
KeyChain Dumper (After 5.0)
• Upload Keychain Dumper to "/private/var"
• Dump all of the entitlements necessary to access the entries in your target's keychain:
  ./keychain_dumper -e > /var/tmp/entitlements.xml
• To sign the keychain_dumper file, transfer keychain_dumper and entitlements.xml to any Mac
• Install Keychain Access on the Mac
KeyChain Dumper (Cont...)
• Open Keychain Access by launching the binary at /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access
• Create a "code signing" self-signed certificate
– Select Type as "Self Signed Root"
– Select "Code Signing"
KeyChain Dumper (Cont...)
• Sign the keychain_dumper file using the codesign command:
  # codesign -fs "Test" --entitlements entitlements.xml keychain_dumper
• Upload keychain_dumper to the iOS device
• Get all the keys:
  ./keychain_dumper
KeyChain Dumper – New Version
• As easy as running a command
• Upload to the /var directory
• Give execute permission
– chmod +x /var/keychain_dumper
• Get all the keys:
  ./keychain_dumper
Side Channel Data Leakage
Data Leakage to Third Party
• Applications gather private information and send it to advertisement servers
• Advertisement companies pay per application instance (this is how free apps make money)
Weak Server Side Controls
Server Side Issues
• Most applications make server-side calls to web services or some other component. Security of the server-side component is equally as important as the client side
• Controls to be tested on the server side – security control categories for the server-side application
– Authentication, access controls/authorization, API misuse, path traversal, sensitive information leakage, error handling, session management, protocol abuse, input validation, XSS, CSRF, logic bypass, insecure crypto, DoS, malicious code injection, SQL injection, XPath and LDAP injection, OS command injection, parameter manipulation, brute force, buffer overflow, HTTP response splitting, HTTP replay, XML injection, canonicalization, logging and auditing
Broken Cryptography
Cryptography
• Broken implementation
• Hash/encoding used in place of encryption
• Client-side script in place of SSL
Hooking debugger in iOS Applications
Binary Auditing
• App Store binary => .ipa file
– It is a ZIP file with executables and resources (images, package info, config files...)
• Simulator binaries are x86, not ARM
• Setup environment
– Jailbreak first
– SSH
– gdb/iphonedbg
– otool/class-dump
Binary Auditing
• Install the app on the iOS device
– /var/mobile/Applications/<UUID>/<AppName>.app/
or
– /User/Applications/<UUID>/<AppName>.app/
Binary Auditing
• Look at the directory
Binary Auditing
• Decrypt the binary file
– Each executable page is encrypted with AES and an MD5 checksum is computed
• How to know if a binary is encrypted?
– LC_ENCRYPTION_INFO
• cryptid: 1 if the binary is encrypted
• cryptoffset: offset of the encrypted data
• cryptsize: size of the encrypted data
Binary Auditing
• How to get LC_ENCRYPTION_INFO
• otool – tool available in Cydia
otool -l <APPNAME> | grep LC_ENCRYPTION_INFO -B1 -A4
Load command 10
      cmd LC_ENCRYPTION_INFO
 cryptoff 4096
cryptsize 36864
  cryptid 0
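The otool pipeline above can be reproduced without Cydia tools. The following Python script is an added example (written for this page; it is not part of otool or of the Blueinfy material) that walks the Mach-O load commands directly and reports the cryptoff/cryptsize/cryptid fields of LC_ENCRYPTION_INFO and LC_ENCRYPTION_INFO_64, including each slice of a fat (universal) file. A defender uses the same check on binaries found on a device: a cryptid of 0 on what claims to be an App Store build means the executable has been decrypted and repackaged. The Mach-O and fat headers it builds for its own test are constructed, not taken from any real application.

```python
"""Report LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 from a Mach-O image, as `otool -l` does."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images; little-endian on iOS
FAT_MAGIC = 0xCAFEBABE                           # universal (fat) wrapper; its header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def encryption_info(data):
    """Return [(cryptoff, cryptsize, cryptid), ...], one tuple per encryption command in every slice."""
    if len(data) < 8:
        raise ValueError("image too small")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        found = []
        for i in range(nfat):                    # fat_arch: cputype, cpusubtype, offset, size, align
            _cpu, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            found.extend(encryption_info(data[off:off + size]))
        return found
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32                         # mach_header_64 has a trailing reserved field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    found, off, end = [], header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(data):
            raise ValueError("load commands truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad cmdsize at offset 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            found.append(struct.unpack_from("<III", data, off + 8))   # cryptoff, cryptsize, cryptid
        off += cmdsize
    return found


def is_encrypted(data):
    """True when at least one slice still carries App Store encryption (cryptid != 0)."""
    return any(cryptid != 0 for _, _, cryptid in encryption_info(data))


def build_sample(cryptid):
    """Constructed arm64 Mach-O header carrying one LC_ENCRYPTION_INFO_64 command (no segments, no code)."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)  # last field is pad
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0)  # filetype 2 = MH_EXECUTE
    return hdr + cmd


def build_fat(slices):
    """Constructed fat wrapper around thin images (slice offsets are not page-aligned here; the parser does not care)."""
    archs, blobs, off = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off, len(s), 0)
        blobs += s
        off += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + blobs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    for cryptoff, cryptsize, cryptid in encryption_info(data):
        print(" cryptoff %d\ncryptsize %d\n  cryptid %d" % (cryptoff, cryptsize, cryptid))
    print("encrypted" if is_encrypted(data) else "NOT encrypted")
```

Run it with the path of the main executable inside the .app directory as its only argument; with no argument it parses its own constructed header. Only the LC_ENCRYPTION_INFO commands are decoded, so the script says nothing about what else is in the load command table.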
Binary Auditing
• Unpack the binary
– Use a script that automates the process
• Crackulous: tool from Cydia
• Just select the application, that's it
Binary Auditing
• Manual method
– Launch GDB
– Set a breakpoint
– Run the application
– Extract the unencrypted executable code
– Patch the architecture-specific binary
Binary Auditing
• Look at the binary: open it in IDA Pro and resolve the objc_msgSend calls
• Backtrace calls to objc_msgSend
– By hand
– Using the Zynamics IDAPython scripts (objc_helper.py)
Interesting Items to look for
• Locate the main class
– UIApplicationDelegate
– applicationDidFinishLaunching
– applicationDidFinishLaunchingWithOptions
• Views
– UI*ViewController
– viewDidLoad
Using GDB
Interesting Items to look for
• HTTP(S)
• NSURL
• Sockets
– CFSocketCreate
• UIPasteboard
• Location-based API
• Keychain API
• ...
Interesting Items to look for
• Some protocol handlers, like:
Automation in Application Reviews
Snoop-it
• The only tool today to automate iOS application reviews
• Very handy and gives a perfect pointer to where to look
• A long way to go for automation like on the web
• Demo
– https://code.google.com/p/snoop-it/
Conclusion