iOS Client Side Analysis
![Page 1: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/1.jpg)
iOS App Pen-Testing
Client Side Analysis
Oct '16 NULL Meet
![Page 2: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/2.jpg)
Me..
I work at Aleph Tav Technologies as an AppSec guy. I do web and mobile app pen testing. @Aadarshaddy
![Page 3: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/3.jpg)
To-Do
- Traffic Analysis: setting a proxy, manipulating parameters using a proxy tool.
- Client-Side Analysis (run-time, reverse engineering): getting the application executable, getting class info, local data storage, hard-coded information, debugging.
- Attack Network Components
![Page 4: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/4.jpg)
Agenda today
Traffic analysis is as simple as setting a proxy on the device and listening to it with a proxy tool on your system, pretty much like web-app pen-testing.
Agenda today is client-side analysis.
![Page 5: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/5.jpg)
Uses these..
iOS apps use the following technology stack:
- Objective-C (a runtime-oriented language)
- Cocoa library (API)
- Recently, Swift
![Page 6: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/6.jpg)
Pre-Requisites
- Jailbroken (Cydia installed) device – mandatory. It is advisable to use an unsupported device to avoid frequent OS updates; this is a trade-off against which OS versions the target application supports.
- MacBook – recommended, for using Xcode
![Page 7: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/7.jpg)
White Box Testing / Black Box Testing
Most often it is black box testing; we shall see a bit of both.
![Page 8: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/8.jpg)
Tools list (jailbroken device required):
- Ios_analyze.pl, Mac-robber and log2timeline
- Crackulous, appcrack, Appswitch, Cycript, OpenSSH, unzip, wget
- SQLite 3.x, MobileTerminal, class-dump-z, tar, clutch, dumpdecrypted, otool
- GDB, r2, clutch, Snoop-it, iPhonetunnel
- keychain dumper, cydia substrate, adv-cmds, Darwin CC tools
- APT 0.6 Transitional, Git, GNU Debugger, less, make, ios-ssl-killswitch
- Flawfinder, wireshark, Xcode property list editor, plutil, otool and other command-line utilities from the Mac App Store
- Netcat, Nmap, Burp, SQLite Browser, FuzzDB, IDA Pro, iExplorer
![Page 9: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/9.jpg)
Getting into the device
`ssh root@ipaddressOfiPhone` (default password: alpine)
`apt-get update`
`apt-get upgrade`
![Page 10: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/10.jpg)
Two basics you need to know before analysing a 3rd-party iOS app:
- The application sandbox lives in /var/mobile/Applications
- Apps downloaded from the App Store are encrypted
![Page 11: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/11.jpg)
Copying the executable
`sftp root@ipaddressOfiPhone`, then `cd /usr/bin` and `put clutch`
Clutch is the application used to decrypt 3rd-party applications. Typing `clutch` lists the applications that can be decrypted.
![Page 12: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/12.jpg)
Get the .ipa file using clutch and unzip it. Get the class info of the executable using class-dump-z. The executable is always named after the app. As in:
`class-dump-z path/to/app/executable > class-info-executable`
![Page 13: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/13.jpg)
What and Where to look for?
1. Plist files – use plutil to convert them to XML:
`plutil -convert xml1 xxx.plist`
or use the Property List editor in Xcode. Look for juicy information: passwords, checksums, email-ids, any sensitive data.
![Page 14: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/14.jpg)
What and Where to look for?
2. SQLite: again, client-side stored data is dangerous. SQLite, as on Android, has no built-in support for encryption of data. There are extensions that do it – CEROD, SQLCipher, SmartStore – but again the encryption keys are available client side, and we can set a breakpoint and pull the key from memory.
Path/to/app/appname.app/database.sqlite3
![Page 15: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/15.jpg)
What and Where to look for?
3. Logging files: NSLog
Default: ~/Library/Logs/CrashReporter/MobileDevice/<Devicename>/private/var/log/system.log
Custom: `grep -r -F "NSLog" $project_path/ | grep -v .svn`
![Page 16: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/16.jpg)
What and Where to look for?
4. Caching:
- File caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf
- Keyboard caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Library/keyboard/dynamic-text.dat
- Snapshot caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/
- Clipboard caching
![Page 17: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/17.jpg)
What and Where to look for?
5. Keychain: it's a SQLite database file located at /private/var/Keychains/keychain-2.db, and all the data stored in it is encrypted.
Tools: Snoop-it, keychain-dumper
![Page 18: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/18.jpg)
What and Where to look for?
6. Stack Smashing Protection: mitigates stack overflow attacks. If used, the application binary will contain the _stack_chk_fail and _stack_chk_guard symbols.
To test: `otool -I -v ApplicationBinary | grep stack`
![Page 19: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/19.jpg)
What and Where to look for?
7. ASLR flag: mitigates memory corruption vulnerabilities.
To test: `otool -Vh ApplicationBinary` – the output should contain the PIE flag.
![Page 20: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/20.jpg)
What and Where to look for?
8. Automatic Reference Counting: again, to avoid memory corruption vulnerabilities, by moving the responsibility for memory management from the developer to the compiler.
To test: `otool -I -v ApplicationBinary | grep _objc_release`
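As an added example (not from the slides), the three otool checks from items 6 to 8 wrapped in one Python script: run_otool() shells out to otool on a Mac, while the parsers work on captured text so the logic can be exercised on the constructed sample output embedded below, which only imitates otool's layout.

```python
import subprocess

def has_pie(header_text):
    """ASLR: the flags column of the Mach header must include the PIE token."""
    return "PIE" in header_text.split()

def has_stack_protector(symbols_text):
    """Stack smashing protection: both guard symbols must be referenced."""
    return "stack_chk_fail" in symbols_text and "stack_chk_guard" in symbols_text

def uses_arc(symbols_text):
    """ARC: the compiler emits calls to objc_release."""
    return "_objc_release" in symbols_text

def check_hardening(header_text, symbols_text):
    """Combine the three slide checks into one report dict."""
    return {
        "pie": has_pie(header_text),
        "stack_protector": has_stack_protector(symbols_text),
        "arc": uses_arc(symbols_text),
    }

def run_otool(binary):
    """On a Mac: run the two otool invocations from the slides and parse them."""
    def otool(*args):
        return subprocess.run(["otool", *args, binary], capture_output=True, text=True).stdout
    return check_hardening(otool("-hV"), otool("-I", "-v"))

# Constructed sample output modelled on otool's layout (not from a real binary).
HARDENED_HEADER = """\
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    31       4200   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""
HARDENED_SYMBOLS = """\
Indirect symbols for (__TEXT,__stubs) 2 entries
address            index name
0x0000000100005a00    12 ___stack_chk_fail
0x0000000100005a0c    13 _objc_release
Indirect symbols for (__DATA,__got) 1 entries
address            index name
0x0000000100008000    14 ___stack_chk_guard
"""
# The same layout for a binary built without PIE, stack protector or ARC.
WEAK_HEADER = HARDENED_HEADER.replace(" PIE", "")
WEAK_SYMBOLS = HARDENED_SYMBOLS.replace("___stack_chk_fail", "_printf") \
    .replace("_objc_release", "_free").replace("___stack_chk_guard", "_malloc")

if __name__ == "__main__":
    print(check_hardening(HARDENED_HEADER, HARDENED_SYMBOLS))
    print(check_hardening(WEAK_HEADER, WEAK_SYMBOLS))
```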
![Page 21: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/21.jpg)
What and Where to look for?
- Automatic Reference Counting
- Client-side authentication bypass
- Client-side SQL injection
- Hardcoded sensitive information anywhere
- Client-side validation bypass
- No jailbreak detection
- Obsolete files
- Tapjacking??
- Every test case recommended by OWASP for mobile applications in the checklist
P.S.: Use PuTTY, iExplorer to access the above-mentioned files
![Page 22: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/22.jpg)
Hard time with SSL Pinning
- Use ios-ssl-killswitch
- Use Cycript, do runtime hooks and unpin
- Downgrade HTTPS to HTTP in Burp
(or) Ask the client to give you the unpinned version – as simple as that. It might not work for bounty hunters though :P
![Page 23: iOS Client Side Analysis](https://reader035.vdocument.in/reader035/viewer/2022062905/587198f91a28ab044e8b5479/html5/thumbnails/23.jpg)
References
- http://www.slideshare.net/jasonhaddix?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideview
- http://resources.infosecinstitute.com/
- http://damnvulnerableiosapp.com/#learn
- Mobile Application Hacker's Handbook