iOS (Vulner)ability
Description: iOS security architecture.
Transcript
![Page 1: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/1.jpg)
iOS (Vulner)ability
Subho Halder, Co-Founder, AppKnox
![Page 2: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/2.jpg)
![Page 3: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/3.jpg)
./WhoAmI
Co-Founder of AppKnox (XYSec Labs)
Python Lover
Security Geek
Found security bugs in Apple, Google, Skype, WebKit, Facebook, Microsoft, …
![Page 5: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/5.jpg)
NSLog(@"Agenda");
Quick overview of iPhone iOS Platform.
iOS Security Structure
What is a Jailbreak?
iOS App (IN)Securities
![Page 6: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/6.jpg)
Peek into a state-of-art Prison
![Page 7: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/7.jpg)
iOS Hardware Architecture
Application Processor: runs iOS (user interaction, applications, ...)
Baseband: runs NucleusOS (radio communication)
![Page 8: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/8.jpg)
iOS Hardware Architecture
Application Processor: audio, display, power management, camera, WiFi, BT
Baseband Processor: GSM; controls SIM/net-lock!
The two processors are linked over UART, I2S, GPIO and DMA.
![Page 9: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/9.jpg)
Phew, Security Architecture
![Page 10: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/10.jpg)
***[Sandboxing]***
NAND Flash
FTL: converts the logical partition to the NAND flash architecture; looks like a BLOCK device
System Partition: / (Read Only)
User Partition: /private/var (RW)
![Page 11: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/11.jpg)
***[Sandboxing]***
3rd-party apps live only on the User Partition (/private/var, RW); the System Partition (/) is read-only
Apps run as the mobile user
Kernel signature-checks executables in the system call execve()
%{ How did you Jailbreak it? }%
![Page 12: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/12.jpg)
Memory Protection
W^X Policy
Non-executable stack and heap
ASLR (Address Space Layout Randomisation)
%{ Did you forget about Return-Oriented Programming? }%
![Page 13: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/13.jpg)
Code Signing
Implemented inside Kernel
Kernel signature-checks executables in the system call execve()
Kernel stored on System Partition (kernelcache)
Kernel is signature checked before being loaded.
%{ Can still be by-passed :/ }%
![Page 14: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/14.jpg)
Encryption @#%$#^% !
Everything is encrypted
Hardware AES Engine
Keys derived from hardware keys (GID key, UID key)
%{Possible to use Jailbreak tools e.g. Syringe to use the hardware engine}%
![Page 15: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/15.jpg)
What is J@!lbr3@k ?
![Page 16: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/16.jpg)
How does your iPhone boot up?
Bootrom → signature check → LLB (Low Level Bootloader, NOR) → signature check → iBoot (NOR) → signature check → Kernel (NAND) → signature check → Application (NAND)
![Page 17: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/17.jpg)
Recovery Mode?
Bootrom → LLB (Low Level Bootloader) → iBoot → signature check → Kernel → signature check → Ramdisk
![Page 18: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/18.jpg)
DFU Mode !
Bootrom → iBSS → iBEC (minimal iBoot) → Kernel → Ramdisk
(compare the normal chain: Bootrom → LLB (Low Level Bootloader) → iBoot → Kernel → Application)
![Page 19: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/19.jpg)
Attacking the chain of trust!
Bootrom → signature check → LLB (Low Level Bootloader) → signature check → iBoot → signature check → Kernel → signature check → Application
attack here: Bootrom (cannot be fixed)
attack here: LLB, iBoot, Kernel (System Software)
![Page 20: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/20.jpg)
Where do we go wrong?
![Page 21: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/21.jpg)
Plists
Used by iPhone to store saved properties and data
XML
Binary (compressed XML) (deprecated)
The binary plists need converting; you can use:
plutil to convert to XML
Property List Editor (in Xcode)
Plists contain all kinds of juicy information. Check for:
Cookies, emails, usernames, passwords, sensitive application data, client-side role identifiers, protocol handlers, etc.
![Page 22: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/22.jpg)
B00M! :O
![Page 23: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/23.jpg)
INSERT into `SQLite`
A lot of iOS applications store sensitive data in SQLite3 databases on the device.
SQLite3 does not have built-in support for encryption.
There are extensions (CEROD is one, SQLCipher is another) that support encryption, but the code is not publicly available; you need to license it. Apple has not, so the included version of sqlite3 does not support encrypted databases.
It is still dangerous to store stuff client-side.
To bypass CEROD it is as simple as looking for “cerod:passwd”, or setting a breakpoint and pulling the password out of memory: sqlite3_open(":cerod:passwd:filename.db", &db);
![Page 24: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/24.jpg)
)()()( Keychains )()()(
Keychain = encrypted container for storing sensitive information
Smarter devs store passwords and sensitive data using the keychain.
Unfortunately, with access to the phone and a jailbreak, we can decrypt the keychain and dump its contents.
![Page 25: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/25.jpg)
tail -f /var/logs/
iOS logs lots of data, NSLog output especially. The logs can be viewed after the fact in:
~/Library/Logs/CrashReporter/MobileDevice/<Device name>/private/var/log/system.log
They can also be viewed in your Mac's Console app (under Utilities).
![Page 26: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/26.jpg)
File Caching \m/\m/
If the application uses PDF, Excel, or other files, these files may have been cached on the device.
These can be found at: ~/Library/Application Support/iPhone simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf
![Page 27: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/27.jpg)
$(`Keyboard Caching`)
Keystrokes for predictive spellcheck are stored in:
~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat
This issue is similar to autocomplete for web browsers.
Already disabled for password fields. Should be disabled for any potentially sensitive field (account numbers, SSN, etc.).
Set the UITextField property autocorrectionType = UITextAutocorrectionTypeNo for mitigation.
![Page 28: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/28.jpg)
Snapshot Caching
When in an application and the home button is pushed, the application stores a snapshot (screenshot) in the app's snapshot folder:
~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/
These persist until reboot. Hopefully you weren't on a screen with any sensitive data!
![Page 29: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/29.jpg)
Snapshot Caching
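One mitigation, as an added example that is not part of the deck: cover the screen before the app goes to the background, so the cached snapshot contains nothing sensitive, and remove the cover on return. The AppDelegate class and the tag value are assumptions for this example.

```objective-c
#import <UIKit/UIKit.h>

// Tag used to find the cover view again; an arbitrary value chosen for this example.
static const NSInteger kPrivacyCoverTag = 0x5EC;

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@end

// Only the two snapshot-related delegate methods are shown.
@implementation AppDelegate

- (void)applicationDidEnterBackground:(UIApplication *)application {
    // iOS takes the snapshot after this method returns, so whatever is on
    // screen now is what ends up in Library/Caches/Snapshots.
    if ([self.window viewWithTag:kPrivacyCoverTag] != nil) {
        return;  // already covered
    }
    UIView *cover = [[UIView alloc] initWithFrame:self.window.bounds];
    cover.backgroundColor = [UIColor whiteColor];
    cover.tag = kPrivacyCoverTag;
    cover.autoresizingMask = UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight;
    [self.window addSubview:cover];

    // iOS 7+: additionally ask UIKit not to reuse this snapshot as the launch image.
    if ([application respondsToSelector:@selector(ignoreSnapshotOnNextApplicationLaunch)]) {
        [application ignoreSnapshotOnNextApplicationLaunch];
    }
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
    // Remove the cover so the real UI is visible again.
    [[self.window viewWithTag:kPrivacyCoverTag] removeFromSuperview];
}

@end
```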
![Page 30: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/30.jpg)
SQL Injection Client-Side
SQL injection is a problem on the client side too!
BAD:
```objective-c
// productId is untrusted input and is spliced straight into the query text
NSString *sql = [NSString stringWithFormat:@"SELECT name FROM products WHERE id = '%@'", productId];
const char *query = [sql UTF8String];
```
GOOD:
```objective-c
// Parameterised statement: the value is bound, never parsed as SQL
const char *sql = "SELECT name FROM products WHERE id = ?";
sqlite3_stmt *sql_statement = NULL;
sqlite3_prepare_v2(database, sql, -1, &sql_statement, NULL);
sqlite3_bind_text(sql_statement, 1, [productId UTF8String], -1, SQLITE_TRANSIENT);
```
![Page 31: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/31.jpg)
XSS Client-Side
Can occur whenever user-controlled Objective-C variables are populated into a WebView, e.g. via stringByEvaluatingJavaScriptFromString:
```objective-c
// username is user-controlled; a quote or backslash in it breaks out of the JS string literal
NSString *javascript = [[NSString alloc] initWithFormat:@"var myvar=\"%@\";", username];
[mywebView stringByEvaluatingJavaScriptFromString:javascript];
```
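The safe counterpart, as an added example that is not from the deck: JSON-encode the value so it can only ever be a string literal in the generated JavaScript. The helper names are assumptions; mywebView and username are the names the slide uses.

```objective-c
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Build "var <name> = <literal>;" with the value JSON-encoded, so quotes,
// backslashes and control characters in `value` stay inside the string
// literal instead of becoming JavaScript. `name` must be a developer-chosen
// identifier, never user input. Returns nil if encoding fails.
static NSString *JavaScriptAssignment(NSString *name, NSString *value) {
    // NSJSONSerialization only accepts an array or dictionary at the top level,
    // so wrap the string and strip the surrounding "[" and "]" afterwards.
    NSError *error = nil;
    NSData *json = [NSJSONSerialization dataWithJSONObject:@[ value ]
                                                   options:0
                                                     error:&error];
    if (json == nil) {
        return nil;
    }
    NSString *wrapped = [[NSString alloc] initWithData:json encoding:NSUTF8StringEncoding];
    NSString *literal = [wrapped substringWithRange:NSMakeRange(1, wrapped.length - 2)];
    return [NSString stringWithFormat:@"var %@ = %@;", name, literal];
}

// Replacement for the slide's vulnerable initWithFormat: construction.
static void InjectUsername(UIWebView *mywebView, NSString *username) {
    NSString *javascript = JavaScriptAssignment(@"myvar", username);
    if (javascript != nil) {
        [mywebView stringByEvaluatingJavaScriptFromString:javascript];
    }
}
```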
![Page 32: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/32.jpg)
Vulnerable Obj-C Methods
NSLog()
[NSString stringWithFormat:]
[NSString initWithFormat:]
[NSMutableString appendFormat:]
[NSAlert informativeTextWithFormat:]
[NSPredicate predicateWithFormat:]
[NSException format:]
NSRunAlertPanel
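An added example (not from the deck) that covers both the logging slide and the list above: a debug-only logging macro so NSLog output stops reaching system.log in Release builds, and the format-string rule that keeps untrusted data out of the format position. DLog, LogLoginAttempt and Greeting are names chosen for this example.

```objective-c
#import <Foundation/Foundation.h>

// DLog is an added convention, not an Apple API: it expands to NSLog only in
// Debug builds, so whatever is logged never reaches system.log on a Release
// build (and therefore not the device logs or crash reports either).
#ifdef DEBUG
#define DLog(...) NSLog(__VA_ARGS__)
#else
#define DLog(...) do {} while (0)
#endif

// `userName` is assumed to come from an untrusted source (network, URL handler).
static void LogLoginAttempt(NSString *userName) {
    // BAD: the untrusted value *is* the format string, so any % directives it
    // contains are interpreted and read from the argument list / stack.
    //   NSLog(userName);

    // GOOD: constant format string, untrusted value passed as a %@ argument.
    DLog(@"login attempt for %@", userName);
}

// The same rule applies to every *WithFormat: / appendFormat: method listed
// above: the format must be a literal, the data an argument.
static NSString *Greeting(NSString *userName) {
    // BAD:  [NSString stringWithFormat:userName]
    // GOOD:
    return [NSString stringWithFormat:@"Welcome, %@", userName];
}
```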
![Page 33: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/33.jpg)
How can you get started?
https://www.owasp.org/index.php/OWASP_iGoat_Project
![Page 34: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/34.jpg)
AppKnox - Cloud Based Security Automation Tool
![Page 35: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/35.jpg)
Available for Android; coming soon for iOS.
![Page 36: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/36.jpg)
“There is no castle so strong that it cannot be overthrown”
–Cicero
![Page 37: iOS (Vulner)ability](https://reader038.vdocument.in/reader038/viewer/2022102901/554a05d8b4c9055b7a8b54d3/html5/thumbnails/37.jpg)
Thank You
https://www.appknox.com
http://subho.me
@sunnyrockzzs