[Wroclaw #2] iOS Security - 101
Daniel Ramírez, OWASP Wroclaw #2 Meeting, 04/29/16
Agenda
• Introduction iOS
• iOS App Architecture
• iOS App Runtime Protection Features
• Setting up our Environment
• Tools for iOS App Review
• iOS Risks Analysis
Introduction iOS
• Apps are among the most critical elements of a modern mobile security architecture.
• While apps provide major productivity benefits for users, they also have the potential to negatively impact system security, stability and user data if they are not handled properly.
Introduction iOS
• Because of this, iOS provides layers of protection:
– Signed and verified
– Sandboxed to protect user data
– …
• These elements provide a stable, secure platform for apps without impacting system integrity.
iOS App Architecture
• The typical architecture of an iOS application is shown in the image below.
iOS App Protection Features
• ASLR (Address Space Layout Randomization)
• Non-Executable Memory
• ARC (Automatic Reference Counting)
• Code Signing
• Sandboxing
ASLR
ASLR - Example
• Check whether the binary was built as PIE (position-independent executable): without the PIE flag in the Mach-O header the main image is loaded at a fixed address and ASLR does not apply to it.
example: otool -Vh <binary>
Non-Executable Memory
• Data pages are marked non-executable
• iOS enforces a W^X page protection policy
– Pages that are writeable cannot become executable
• Injected machine code cannot be immediately executed
ARC (Automatic Reference Counting)
Code Signing
• Two types of certificates:
– Developer (development builds on registered devices)
– Submission (App Store distribution)
Apple Review
Sandboxing
Setting up our Environment
• A jailbroken device
• PuTTY – SSH client
• iFunBox (Windows)
• WinSCP – SFTP client
Tools for iOS Apps Review
• Dynamic analysis tools
– Cycript (runtime)
– idb / iNalyzer
• Disassembler tools
– class-dump / class-dump-z (depends on iOS version)
– otool
– Hopper
• Clutch – decrypt the app
• Keychain dumper
iOS Risks Analysis
• Insecure Data Storage
• Insufficient Transport Layer Protection
• Unintended Data Leakage
• Poor Authorization & Authentication
• Lack of Binary Protection
Insecure Data Storage
• SQLite databases
• NSUserDefaults
• Plist files
• Log files
• XML data stores
• Binary data stores
• Cookie stores
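The stores listed above are what a reviewer pulls off a jailbroken device (over SFTP, see the environment slide) and reads. The script below is an added example, not part of the original slides: it walks a copied app data container, parses every plist (NSUserDefaults ends up in Library/Preferences) and SQLite database, and reports keys and columns whose names suggest clear-text secrets. The container contents, bundle id `com.example.bank`, key names and values are all constructed test data; the key-name pattern is an assumption and is deliberately broad.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key / column names that should not hold clear-text values in the app container.
# Broad on purpose (assumed list): a reviewer reads the hits, so false positives are cheap.
SENSITIVE = re.compile(r"pass|secret|token|session|api[_-]?key|pin|ssn|card", re.I)


def _q(ident):
    """Quote an SQLite identifier read from sqlite_master (untrusted content)."""
    return '"' + ident.replace('"', '""') + '"'


def scan_plist(path):
    """Walk a plist (NSUserDefaults lives in Library/Preferences/<bundle id>.plist)
    and report leaf keys whose names look sensitive, with their clear-text value."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    hits = []

    def walk(node, keypath):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, keypath + "." + k if keypath else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, "%s[%d]" % (keypath, i))
        elif SENSITIVE.search(keypath.rsplit(".", 1)[-1]):
            hits.append((os.path.basename(path), keypath, node))

    walk(data, "")
    return hits


def scan_sqlite(path):
    """Report sensitive-looking columns in every table and one sample value from each."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            for col in [r[1] for r in con.execute("PRAGMA table_info(%s)" % _q(table))]:
                if SENSITIVE.search(col):
                    row = con.execute("SELECT %s FROM %s LIMIT 1" % (_q(col), _q(table))).fetchone()
                    hits.append((os.path.basename(path), "%s.%s" % (table, col),
                                 row[0] if row else None))
    finally:
        con.close()
    return hits


def scan_container(root):
    """Scan a copied app data container (Documents/, Library/Preferences/, Library/Caches/ ...)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                hits.extend(scan_plist(path))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                hits.extend(scan_sqlite(path))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def build_sample_container():
    """Constructed stand-in for a /var/mobile/Containers/Data/Application/<UUID>/ tree
    copied from a jailbroken device. Test data only, not a real app."""
    root = tempfile.mkdtemp(prefix="ios-container-")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.bank.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark",
                       "auth": {"sessionToken": "c3VwZXItc2VjcmV0", "expires": 1461900000}}, fh)
    con = sqlite3.connect(os.path.join(docs, "accounts.sqlite"))
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, card_number TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', '4111111111111111')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for filename, where, value in scan_container(build_sample_container()):
        print("%-24s %-20s %r" % (filename, where, value))
```

Binary plists are handled by `plistlib` as well, so the same scan covers `.plist` files in Library/Caches and Documents; log files, cookie stores and XML dumps from the same list need a grep pass of their own.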
Insufficient Transport Layer Protection
• Are all connections properly encrypted?
• Are the SSL certificates up to date, and are any of them self-signed?
• Will the application accept user-accepted (manually trusted) certificates as authorities?
• Is certificate pinning present?
Insufficient Transport Layer Protection
• Apply SSL/TLS to every transport channel the mobile app uses to transmit sensitive information
• Use certificates signed by a trusted CA and require SSL chain verification
• Alert through the UI if the mobile app detects an invalid certificate
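The checklist above boils down to two client-side decisions: whether the chain and hostname are verified at all, and whether the app trusts any certificate the device trusts (including a user-installed proxy CA) or only the one it pinned. The following is an added example in Python, not code from the slides: the weak context beside the corrected one, plus a pin check on the leaf certificate the server actually presented. The sample DER bytes, the pin set and the `connect_pinned` host/port are assumptions; a real app pins the hash of its production certificate (or its SPKI) and ships a backup pin.

```python
import base64
import hashlib
import socket
import ssl


def cert_pin(der_cert):
    """SHA-256 of the leaf certificate's DER bytes, base64-encoded (HPKP pin format)."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


# Constructed placeholder for the server certificate; not a real DER certificate.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
# Primary pin plus a backup pin for the next key (placeholder string).
PINS = {cert_pin(SAMPLE_LEAF_DER), "backup-pin-placeholder-for-rotated-key="}


def insecure_context():
    """Weak pattern: no chain verification, no hostname check. Any self-signed or
    user-accepted certificate (e.g. an intercepting proxy's CA) is silently trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Corrected settings: chain verification against the trust store, hostname
    check, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def summarize(ctx):
    """Security-relevant settings of a context as plain values, for review."""
    return {"verify": ctx.verify_mode == ssl.CERT_REQUIRED,
            "hostname": ctx.check_hostname,
            "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2}


def pin_matches(der_cert, pins):
    """Pinning decision for one leaf certificate. Chain validity alone is not enough:
    a user-installed root produces a 'valid' chain for an attacker's certificate."""
    return bool(der_cert) and cert_pin(der_cert) in pins


def connect_pinned(host, port, pins):
    """Open a TLS connection with the hardened context, then enforce the pin on the
    leaf the server actually sent; close the socket on any failure."""
    sock = hardened_context().wrap_socket(socket.create_connection((host, port)),
                                          server_hostname=host)
    try:
        if not pin_matches(sock.getpeercert(binary_form=True), pins):
            raise ssl.SSLCertVerificationError("certificate pin mismatch for %s" % host)
    except Exception:
        sock.close()
        raise
    return sock
```

Pinning the whole leaf certificate is the simplest form and breaks on every renewal; pinning the SPKI hash survives renewals that keep the key. Either way the pin check must run after chain verification, not instead of it.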
Unintended Data Leakage
• Caused by the way the application handles data, images (e.g. backgrounding screenshots), key presses (keyboard cache), logging and buffers (pasteboard).
• Storing data securely on a mobile device requires proper technique. Whenever possible, simply do not store or cache the data; this is the surest way to avoid data compromise on the device.
Poor Authorization & Authentication
• Insecure patterns and how to avoid them:
– Persistent authentication within the mobile app should be implemented as opt-in, not by default
– Ensure that all authentication requests are performed server-side
• Developers should assume that all client-side authorization and authentication controls can be bypassed by malicious users.
Poor Authorization & Authentication
• Consider the following scenario:
– Only authenticated users should be able to generate a service request that the mobile app submits to its backend for processing.
– While processing the request, the server does not verify that the request is associated with a known user, so adversaries can submit requests to the server anonymously.
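The scenario above, written out as two versions of the same backend handler (an added example, not from the slides or any real backend): the vulnerable handler trusts the user identity the client puts in the request, so anyone who can craft a request (a bypassed client-side check, or no client at all) reads any account; the fixed handler resolves the user from a server-side session and then checks ownership. The session store, account data and token values are constructed in memory.

```python
import hmac

# Constructed in-memory stand-ins for the backend's session store and account data.
SESSIONS = {"tok-8f2c1a": "alice", "tok-41d9e0": "bob"}
ACCOUNTS = {"acct-100": {"owner": "alice", "balance": 1200},
            "acct-200": {"owner": "bob", "balance": 75}}


def lookup_session(token):
    """Resolve a bearer token to a user. Constant-time comparison so the response
    time does not reveal how much of a guessed token was right."""
    candidate = (token or "").encode()
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), candidate):
            return user
    return None


def handle_balance_vulnerable(request):
    """The slide's scenario: the handler never ties the request to an authenticated
    user. The 'user' field is client-supplied, so the ownership check is cosmetic."""
    account = ACCOUNTS.get(request.get("account_id"))
    if account is None:
        return 404, {"error": "no such account"}
    if request.get("user") != account["owner"]:
        return 403, {"error": "forbidden"}
    return 200, {"balance": account["balance"]}


def handle_balance_fixed(request):
    """Authentication and authorisation both happen server-side from the session."""
    user = lookup_session(request.get("session_token"))
    if user is None:
        return 401, {"error": "authentication required"}
    account = ACCOUNTS.get(request.get("account_id"))
    if account is None or account["owner"] != user:
        # Same answer for 'does not exist' and 'not yours', so account ids cannot be enumerated.
        return 404, {"error": "no such account"}
    return 200, {"balance": account["balance"]}


if __name__ == "__main__":
    forged = {"account_id": "acct-100", "user": "alice"}      # anonymous, claims to be alice
    print("vulnerable:", handle_balance_vulnerable(forged))   # 200: the backend believed it
    print("fixed:     ", handle_balance_fixed(forged))        # 401: no server-side session
```

The same shape applies to the "persistent auth should be opt-in" point: a remembered login is just a long-lived `session_token` on the device, and it still has to resolve through `lookup_session` on every request rather than being trusted because the client says it was logged in before.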
Demo Time
• ps aux | grep <app name>
• cycript -p <pid>
Lack of Binary Protections iOS
• Can someone decrypt the app?
• Can someone use a reverse engineering tool like Hopper?
• The application must follow secure coding techniques:
– Jailbreak detection controls
– Certificate pinning controls
– Debugger detection controls
Lack of Binary Protections iOS
• Disabling code encryption (ClutchMod)
• Jailbreak detection evasion (xCon)
• Class dumping (class-dump-z || class-dump)
• Runtime code injection (Cycript)
• Runtime monitoring (Snoop-it)
• Runtime analysis (GDB)
• Reverse engineering (Hopper)
Example Clutch & Class-Dump
• Clutch2 -i
• Clutch2 <options> <id>
OUTPUT
Installed Apps:
1: Facebook
2: Yahoo Weather
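Both the ASLR slide (`otool -Vh`, which prints the `PIE` flag of the Mach-O header) and the Clutch step above are answered by two fields of the app's main binary: `MH_PIE` in `mach_header.flags`, and `cryptid` in the `LC_ENCRYPTION_INFO(_64)` load command, which is 1 while the App Store FairPlay encryption is still in place and 0 after Clutch has dumped the decrypted image. The script below is an added example, not a tool from the slides: a minimal Mach-O header parser that reports both, for thin and fat binaries. The sample images it builds are constructed test data (a header plus a single encryption-info command, no code), not real app binaries; the constants are the public values from `<mach-o/loader.h>` and `<mach-o/fat.h>`.

```python
import struct
import sys

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE        # fat (universal) header, big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit image (armv7), little-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit image (arm64), little-endian
MH_PIE = 0x200000             # mach_header.flags: position-independent, so ASLR applies
LC_ENCRYPTION_INFO = 0x21     # cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C  # cryptoff, cryptsize, cryptid, pad
CPU_TYPE_ARM = 0x0C
CPU_TYPE_ARM64 = 0x0100000C


def inspect_thin(blob, base=0):
    """Parse one thin Mach-O image at offset `base`; return (flags, cryptid).
    cryptid is None when the image carries no LC_ENCRYPTION_INFO at all."""
    magic, = struct.unpack_from("<I", blob, base)
    if magic == MH_MAGIC_64:
        fields, off = struct.unpack_from("<7I", blob, base + 4), base + 32
    elif magic == MH_MAGIC:
        fields, off = struct.unpack_from("<6I", blob, base + 4), base + 28
    else:
        raise ValueError("no Mach-O header at offset %d (magic %#x)" % (base, magic))
    ncmds, sizeofcmds, flags = fields[3], fields[4], fields[5]
    end, cryptid = off + sizeofcmds, None
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
        off += cmdsize
    return flags, cryptid


def inspect(blob):
    """One report per architecture slice; handles both thin and fat binaries."""
    slices = []
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", blob, 4)
        for i in range(nfat):
            cputype, _sub, offset, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append((cputype, offset))
    else:
        slices.append((struct.unpack_from("<I", blob, 4)[0], 0))
    reports = []
    for cputype, offset in slices:
        flags, cryptid = inspect_thin(blob, offset)
        reports.append({"cputype": cputype,
                        "pie": bool(flags & MH_PIE),            # what `otool -Vh` shows as PIE
                        "has_encryption_info": cryptid is not None,
                        "encrypted": cryptid == 1})             # 1 = still FairPlay-encrypted
    return reports


def build_sample(pie, cryptid, bits=64):
    """Construct a minimal Mach-O: header plus one encryption-info command. Test data only."""
    flags = MH_PIE if pie else 0
    if bits == 64:
        lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), flags, 0) + lc
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 1, len(lc), flags) + lc


def build_fat(images):
    """Wrap thin images in a fat container, like a multi-architecture App Store binary."""
    header = struct.pack(">2I", FAT_MAGIC, len(images))
    archs, body, start = b"", b"", 8 + 20 * len(images)
    for img in images:
        cputype, = struct.unpack_from("<I", img, 4)
        archs += struct.pack(">5I", cputype, 0, start + len(body), len(img), 0)
        body += img
    return header + archs + body


if __name__ == "__main__":
    # Pass the main executable from the .app bundle; without an argument, inspect the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_fat([build_sample(True, 1), build_sample(False, 0, bits=32)])
    for r in inspect(data):
        print("cputype %#x: PIE=%s encrypted=%s" % (r["cputype"], r["pie"], r["encrypted"]))
```

Run it against the decrypted binary Clutch wrote and `encrypted` should flip to False for every slice; if it is still True, class-dump and Hopper will see only ciphertext. A non-PIE main executable is the finding for the ASLR slide.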
Summary
• How an .ipa file is structured
• iOS protection features
– ASLR
– W^X
– Code Signing
• Risk analysis
• Cycript | Clutch | class-dump | keychain_dumper