hashdays 2011: annika meyer & sebastien andrivet - pentesting iphone & ipad applications

Report

Tags:

Post on 02-Jun-2015

1.033 Views

Category:

Technology

5 Downloads

Preview:

Click to see full reader

DESCRIPTION

Mobile devices are becoming more and more the “new navigator”. It is also the comeback of heavy clients with the proliferation of mobile application. In this market, Apple iPhone and iPad are very particular: they use ARM processors like the competitors but native iOS applications are written mainly in Objective-C. Moreover, every application is validated by Apple. What does this mean in term of security? How do we test these applications for security problems? This presentation will cover different aspects of iPhone and iPad applications pentesting, like extraction and decryption of applications from iTunes, reverse engineering of binaries and interception of communications with web services. It is illustrated by several live demonstrations with real-world examples. We will also talk about previous researches on this subject and why they are either not satisfying or not applicable. Bio: Annika discovered computers as teenager with Commodore 64 and later Apple Macintosh. She started her professional career in the 90’s as an IT Department assistant but she’s quickly switched to the administration of Windows workstations and UNIX servers. As an opportunity rose, she then turned to database development, first under the venerable Progress and then under the more classical Oracle. At the beginning of the new millennium, she participated to several projects and in particular was involved in the creation of an ISO standard. In parallel with her career she founded ADVTOOLS, a Swiss company specialized in information systems security. Bio: Sebastien is playing with computers since the beginning of '80s. After some (short) tentative with the BASIC language, he switched to 8-bit processor assembly programming. In the ’90s, in parallel to studies in the University of Geneva, he specialized in C/C++ and assembly programming on Win/Intel and some Smalltalk. During the Internet years, he participated to several startups and releases some open source applications, including a multi-platform XML parser written in C++. At this time, he was confronted to software pirates and the incredible world of buffer overflows and SQL injections. In 2002, he specialized in applications security and forensics. As a fan of Apple since the famous Apple II and the legendary NeXT, he applies today his skills on iPhone and iPad.

TRANSCRIPT

Pentesting iPhone & iPad Apps

#Days 2011 – October 28 1

Who are we?

• Annika Meyer

President, co-founder of ADVTOOLS

• Sebastien Andrivet

Director, co-founder of ADVTOOLS

2

ADVTOOLS

• Swiss company founded in 2002 in

Geneva

• Specialized in Information Security

& Problems Diagnosis

Pentesting

Security Audits

Forensics

Training

3

Agenda

• Overviews

• Previous researches

• iPhone/iPad application pentest

Our methodology

• Live demonstrations

• Q&A

4

iOS Application Types

• Web Applications

HTML + CSS + Javascript

Run inside Safari

• Native Applications:

Written in Objective-C (+ C/C++)

Compiled into CPU code: ARM for actual

devices, x86 for iOS Simulator

• MonoTouch, Adobe Flash, …

Written in high-level language

Compiled into CPU code 5

iOS Applications

• Distributed as “.ipa” files

in fact simply zip files

• Deployed as “.app” directories

like on Mac OS X

• Executable code is:

encrypted with FairPlay DRM (AES)

signed with Apple’s signature

decryption with GDB or Crackulous

6

Objective-C

• Objective-C = C + Smalltalk

• Object oriented language

• Created in early 1980s by Stepstone

• Objective-C 2.0 released with Leopard

(Mac OS X 10.5)

• Can be mixed with C and C++

7

Reverse Engineering

• Not so obvious at first:

ARM instruction set

Objective-C & objc_msgSend

Generated code sometimes strange

Few (working) scripts and tools

• Finally not so difficult

• Your best friend:

Hex-Rays IDA Pro (Win, Mac, Linux)

8

Data storage

• plist files (Property lists)

Used and abused

Binary (depreciated) or XML

• Sqlite 3

From time to time

• Keychain

• Binary data files (aka unknown)

9

iTunes & Backups

• Every time you connect your device to

your computer, a backup is made

• Contains almost all data

• By default, not encrypted.

• To mitigate security problems:

10

Previous researches

• In general, out of date

• Often inaccurate

• But contain interesting information

• We will give here only some examples

11

Foundstone (McAfee / Intel)

http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-

testing-iphone-ipad-apps.pdf 12

Nicolas Seriot

http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf 13

TippingPoint (now HP)

http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone-

appstore-binaries

14

ARTeam

http://www.accessroot.com/arteam/site/download.php?view.222

http://www.accessroot.com/arteam/site/download.php?view.308

15

Pentesting iOS Applications

• Step 1: Preparing a device

• Step 2: Preparing a workstation

• Step 3: Preparing a network

• Step 4: Pentesting

• Step 5: Report

16

Step 1: Preparing a device

• Dedicated iPhone or iPad

• Jailbreaking

Easier if you jailbreak

Forbidden by Apple if you are a developer

Dangerous: jailbreaking is disabling most of the

security features of iOS

• Install tools

17

Tools

• APT 0.7 Strict

• adv-cmds

• Darwin CC Tools

• GNU Debugger

• inetutils

• lsof

• MobileTerminal

• netcat

• network-cmds

• nmap

• OpenSSH

• tcpdump

• top

• wget

18

iOS Default Passwords

• By default, there are two users:

root

mobile

• Passwords = alpine

• Be sure to change them:

passwd

passwd mobile

19

Step 2 : Workstation

• Windows:

OK

• Mac OS X (Lion or Snow Leopard)

Better

• Linux, FreeBSD, …

Good luck!

Possible but you will need a Windows to run

some tools (virtual machine…)

20

Some Tools

• Windows: SecureCRT or Putty, WinSCP

plist Editor for Windows

• Mac OS X: ssh, SecureCRT, Cyberduck

XCode

• Windows / Mac: SQLite Database Browser

Apple iPhone Configuration Utility

Wireshark

Burp, Webscarab …

IDA Pro (+ ARM decompiler)

21

Our Tools

• ADVsock2pipe

Remote network captures (Windows)

• ADVinterceptor 2.0

Communications interception

DNS & Web Servers

• Available on GitHub under GPLv3

https://github.com/ADVTOOLS

22

Step 3: Network

Internet Wifi

Firewall

LAN

23

Step 4: Pentesting

• Step A: Install app. from iTunes

• Step B: Reconnaissance (passive)

B.1: Network capture

B.2: Interception

B.3: Artifacts

B.4: Decrypt + Reverse engineering

• Step C: Attack (active)

C.1: Interception + tampering

24

B.1: Network Capture

tcpdump

+

netcat

ADVsock2pipe Windows

pipe

tcp

25

http://www.wireshark.org/

B.2: Interception

Proxy method

Burp Suite Pro

WebScarab

Proxy

26

B.2: Interception

ADVinterceptor

ADVinterceptor 2

(DNS Server,

Web Server,…)

DNS

HTTP

HTTPS

etc.

27

Inject SSL Certificates

• Root from Burp or ADVinterceptor

• Use Apple iPhone Configuration

28

Demos

Wifi

2G/3G Wifi

Internet

Windows 7 on Mac Book

VNC Client Shell SSH Client

(SecureCRT)

3G+Wifi

29

Q&A

30

Thank you

To contact us:

annika@advtools.com

sebastien@advtools.com

Twitter:

@AndrivetSeb

@ADVTOOLS

www.advtools.com

31

top related

pentesting with linux
Technology
pentesting layer 2 protocols
Technology
pentesting using burp suite
Documents
hashdays 2012 lightning talk - holistic server security
Technology
pentesting con metasploit framework
Technology
pentesting presentation
Documents
auditing&pentesting standards
Documents
pentesting con kali
Documents
hashdays 2011: jean-philippe aumasson - cryptanalysis vs....
Technology
pentesting the internal network
Documents
pentesting cloud environment
Internet
pentesting restful webservices
Technology
ios application pentesting
Internet
thd - pentesting con backtrack
Documents
pentesting android applications
Technology
episodio de pentesting
Technology
pruebas de pentesting
Documents
breaking sap portal (hashdays)
Software
wsd pentesting workshop
Documents
hashdays 2011: mikko hypponen - keynote
Technology