iNalyzer – No More iOS Blackbox Assessments!

!"#$#%&'()#*&

!"#+,&-.#+/012&&

&

344-+.56(718.9)&

:';&<#1.$(#)+*!'"#1&4*+1+/2(09/&=#$$&>+)9/12*(2+&(&/+=&(44*9(."&(/>&299$&29&

4+*,9*)&4*(.0.($&7$(.%&79?&2+10/@&9/&(/A&#B-&(44$#.(09/8&

&&

'"+1+&>+)91&=#$$&7+&#$$C12*(2+>&C1#/@&2+."/#.($&2+*)1&(/>&299$1&9,&

2*(>+&2"(2&*+$(2+1&29&7$(.%579?&+D9*2&9/&#B-&(44$#.(09/18&

&

E,&2+*)1&1C."&(1F&B7G!H&!$(115<C)45IH&!A.*#42H&!$C2."H&J*9?#+1H&

-.(//+*1H&+2.8&)(%+&A9C&=(/2&29&:';&#2H&4$+(1+&1++&2"+&*+,+*+/.+&

1$#>+1&(2&2"+&+/>&9,&2"+&4*+1+/2(09/&29&C4@*(>+&A9C*&%/9=$+>@+8&

&

B*&A9C&.(/&C1+&2"+&+?#2&>99*&29&1+$+.2&(&>#D+*+/2&2*(.%&!&

&

379C2&)+!!  Security Researcher ,Trainer, Speaker !  Pervious Publications:

!  Lenovo privilege escalation WiFi driver !  SOAP patch for Sqlmap !  Belch – Burp suite plugin for binary protocols (AMF, Jser, etc.) !  EvilQR open Research ! AppUse - Android Applicaition Uniform Security Evaluation

Platform (Developed with Erez Metula) !  Talks: OWASP IL (2011,2012) DC9723(2013)

!  B.Sc. Biomedical Engineering

3@+/>(!

" !C**+/2&K$(.%K9?&#B-&'+."/#LC+&

" !C**+/2&3@9/A&

"  #M($AI+*&

#B-&3441&(/>&

NC$/+*(7#$#0+1!

O+.(4F&:"(2P1&(/&#B-&344&Q!! ObjC/C/C++ Compiled (ARM) Executable !  Encrypted Executable (fairplay) !  Self contained under

~/Applications/GUID/AppName.app folder !  Installed by “mobile” user !  Executes under sandbox ! Under the radar can escape

(SpyPhone, Storm8, etc.)&

#B-&344F&!9))9/&RC$/+*(7#$#0+1!Source: www.owasp.org

K$(.%&K9?&

311+11#/@&

&3441!

http://www.securitygeneration.com/security/pic-of-the-week-real-world-penetration-testing/

#B-&K$(.%&K9?&)+(/1!

Static analysis Dynamic analysis

-2(0.&3/($A1#1&'99$1!" Tools: !  iFile / iTools/ iExplorer (Cydia iOS/PC) ! Clutch (Cydia) !  IDA / Dissasembler (PC) !  SSH / Putty (iOS + PC) ! HexEditor (Win/Mac) !  Plist Editor (iOS, PC) !  -S6#2+&K*9=1+*&T:#/UV(.W&

<A/()#.&3/($A1#1&'99$1!"  Tools: !  Proxy (PC) + Certificate (Root CA) !  iSEC SSL KillSwitch (iOS) !  Mallory (VM) !  WiFi HotSpot !  Cycript (iOS) !  Class-Dump-Z (iOS) !  GDB (iOS) !  Theos / Logos / CaptainHook (iOS)

Typical Black Box Setup

Server

Attacker

Mal

lory

K$(.%&K9?&3@9/AF&X/.9N+*&

2"+&)#11#/@&4#+.+1!No Code

No Simulator

Encrypted by iTunes

Unknown end points

% of Functionality Coverage

Hidden vulnerabilities

Typical approach "  File System: !  Monitoring (DB, Plist, Logs) !  Tampering (SQLite, plutil)

"  Network: !  Monitoring (Mallory, Proxy) !  Tampering (Proxy, Scanners, tools)

"  Application Resources: !  CFURL invocations !  EA protocols

Typical approach - Cont "  Binary: !  Decryption (Clutch) !  Class identification (class-dump-z) !  Reversing (IDA) !  Patching (when needed)

"  Application Runtime: !  Objc_msgSend monitor !  Theos / Logos Tweaks !  GDB !  Cycript

Typical approach – ARM RCE ing Use GDB / IDA Pro + zynamics

Problems: •  Assembly Language ARM •  Overhead for mid scope •  Tedious •  Manual

Eventually you will get there..

Black Box Agony: Signing

Agony: Binary Protocols

Typical Black Box Setup: not enough

Server

Attacker

Mal

lory

Objective C class interposing What should be the result of running this code:

!

Surprise, Surprise!

Objective C class interposing Presenting a new implementation to a foundation

class selector:

Surprise, Surprise!

!

Cycript: Tampering tool " Not a new concept !  F-script.org (OSX) ! Cycript (@saurik iOS) (J. Zdziarski – Hacking and securing iOS applications)

K#/(*A&4*929.9$1&

-#@/+>&O+LC+12&

&

&

-9$N+>H&KC2&/++>&(>N(/.+>&#/1#>+&

344$#.(09/&%/9=$+>@+!

344-+.56(71&#M($AI+*&

!

Getting iNalyzer

Repository url: http://appsec-labs.com/cydia

Starting iNalyzer

After restart open browser to http://< you iDevice IP>:5544

Packaging an App (Dropbox)

Packaging an App (Dropbox)

Extraction (Dropbox)

Dashboard Building In the Payload/Appname.app/Doxygen/ folder:

Execute the doxMe.sh file (Mac) Open dox.Template with DoxyGen (Win)

Dashboard Building: it could take time

Once finished open the Payload/Appname.app/Doxygen/html/index.html

file with FireFox

iNalyzer Dashboard

iNalyzer and Burp Demo

iNalyzer Setup – iPhone as the Pen Testing Tool

Server

Att

acke

r

iNalyzer 5.5b: The Recipe 1. Jail-borken 6.1.2 device (@evad3rs) 2. Clutch to decrypt app (ttwj) 3. Class-dump-Z to app prototypes (@kennytm) 4. Doxygen engine to render a Dashboard (@doxygen) 5. FireFox to run the Dashboard (@firefox) 6. Cycript to modify the app behavior(@saurik) 7. Repeat step 6 until completed Optional: 8. SubjectiveC to log selectors (@kennytm)

Pros:

Cons:

" No GDB/IDA required "  Semi - Automatic Static Analysis (Expandable) " Automatic Call Graph/Hierarchy Graph " Attaches to any scanner or other Web testing

Tool.

"  It’s free, open-source

iNalyzer & Burp Vs. Mailbox

Open Live Demo (as time permits):

Bring it On

Summary

"  iOS Black Box testing, just got grayer !

" V97#$+&J'&*+LC#*+1&V97#$+&C/>+*12(/>#/@&

"  Y9#/&9C*&)97#$+&(44$#.(09/&1+.C*#2A&

"(/>159/&!"#$%$%&&! V97#$+&Z(.%#/@&&TK$(.%&Z(2&X-3&[\]^&_&#B-&U&3/>*9#>&W&

! V97#$+&-+.C*+&!9>#/@&T'K<H&#/,9`(441+.5$(718.9)W&

! V97#$+&3=(*+/+11&T'K<H&#/,9`(441+.5$(718.9)W&

"  ObjC interposing – http://culater.net/wiki/moin.cgi/CocoaReverseEngineering

"  Clutch – https://github.com/ttwj/ClutchMod "  Class-dump-z –

https://github.com/kennytm/Miscellaneous/downloads "  Cycript – http://www.cycript.org/ "  IDA – https://www.hex-rays.com/products/ida/index.shtml "  Mallory – http://intrepidusgroup.com/insight/mallory/ "  Burp – http://www.portswigger.net/burp/download.html

#M($AI+*&_&M9&)9*+&#B-&K$(.%K9?&(11+11)+/21&

"a41FUU(441+.5$(718.9)U#M($AI+*!

!"#$#%&'()#*&

!"#+,&-.#+/012&

&

`b.9*+<C)4&

."#$#%&c(2d&(441+.5$(718.9)&

===8(441+.5$(718.9)&