hacking (and defending) iphone applications
DESCRIPTION
Hacking (and Defending) iPhone Applications. Garrett Held and Kevin Stadmeyer. Managing Consultants with Trustwave SpiderLabs Have performed hundreds of application tests from mainframe to web to mobile. Who Are We?. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/1.jpg)
Kevin StadmeyerGarrett Held
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Hacking (and Defending) iPhone Applications
![Page 2: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/2.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Garrett Held and Kevin Stadmeyer
› Managing Consultants with Trustwave SpiderLabs› Have performed hundreds of application tests from mainframe to web to mobile
Who Are We?
![Page 3: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/3.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
› The Basics› Setup For Testing› Secure Storage of Data And Credentials› Inadvertent Local Storage and Caching› Client Side Sanitization› Secure Coding› Push Notifications› Secure Communications
AgendaWhat we’ll cover – secure coding and beyond, what to look for when assessing an iPhone application
![Page 4: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/4.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
The Basics
![Page 5: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/5.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Why are people attacking mobile apps?
› Stealing Money› Embarrassing People (“Hactivists”)› Get Famous
Just the Facts, Ma’am
![Page 6: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/6.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Just the Facts, Ma’amiPhone Apps in the Press
![Page 7: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/7.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
How are people attacking mobile apps?
› New and unsafe operating systems?› Terrible developers who don’t care?› Clueless users who don’t know they should care?
Just the Facts, Ma’am
![Page 8: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/8.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Security Model We’re Not Talking About?
› Layer 1: Apple Store› Layer 2: Sandboxing via “Seatbelt”
Just the Facts, Ma’am
![Page 9: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/9.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Just the Facts, Ma’am
![Page 10: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/10.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Setting Up The Testing Environment
![Page 11: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/11.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Don’t you mean setting up the decompiler?
› No
Setting Up The Testing Environment
![Page 12: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/12.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 1: get your proxy right
We Built This City
![Page 13: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/13.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 2: Get ya certs heard!
We Built This City
![Page 14: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/14.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 3: Roll It Up
We Built This City
![Page 15: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/15.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 4: Mail it!
We Built This City
![Page 16: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/16.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 5: Install It
We Built This City
![Page 17: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/17.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 6: Install It (Errrr….)
We Built This City
![Page 18: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/18.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 7: Proxy It!
We Built This City
![Page 19: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/19.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On das metal – Step 8: Victory!
We Built This City
![Page 20: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/20.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On The Computer Machine – Step 6: Install It!
We Built This City
![Page 21: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/21.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On The Computer Machine – Step 7: Install It!
We Built This City
![Page 22: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/22.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
On The Computer MachineWe Built This City
› The format is X’<SHA1 Fingerprint>’
![Page 23: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/23.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Now What?We Built This City
![Page 24: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/24.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Now What?We Built This City
![Page 25: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/25.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Now What?We Built This City
![Page 26: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/26.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Secure Storage Of Data
![Page 27: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/27.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
The Keychain› Indefinite Storage› Can you store credentials securely without the keychain?– Don’t let the feature make you lazy– Don’t store credentials in the keychain unless you don’t
care about certain things
Storing Credentials
![Page 28: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/28.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Keychain Compromise via Jailbreaking
› Through a series of steps, retrieves passwords stored in the keychain [1]
› Researchers compromised keychain passwords only, not other protected classes such as passwords for websites– Jailbreak stolen iPhone (requires physical access), gain
SSH access– Copy scripts that will compromise the keychain– Scripts output the victims passwords
Storing Credentials
[1] http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
![Page 29: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/29.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Where Should You Store Them?› Not on the device?– At least not in plaintext!
Storing Credentials
![Page 30: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/30.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Securely Storing Data At Rest – things to look for
› Database calls?– Injection Possible?
› Using Core Data?– Does the application trust the integrity of the data?– Remember trust boundaries!
Storing Credentials
![Page 31: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/31.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Recommendations for non-credential data
› Do not store data on the phone if at all possible– Never has it been so easy to lose so much data so fast!
› Require user to enter a passcode– Can still be brute-forced with time once the encrypted
text is found– Poor user-experience on mobile devices
Storing Credentials
![Page 32: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/32.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Recommendations for non-credential data
› Store decryption key on a server and require credentials (non-stored) to access key– Only works for applications that do not require offline
access– Increases data usage– Revocable though– Data not “stored” in the cloud
Storing Credentials
![Page 33: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/33.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
B-b-b-but kSecAttrAccessibleWhenUnlocked!
› By default iOS writes information to the keychain with this attribute
› By default most user’s passwords suck
Storing Credentials
![Page 34: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/34.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Look Familiar?Storing Credentials
![Page 35: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/35.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Most UsersStoring Credentials
Pick Simple PINS10,000 possibilities~.1 second to crack (100k a second is pretty standard)
![Page 36: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/36.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Protect Stupid UsersStoring Credentials
Require Strong Passwords (8+ alpha-numeric chars)
Use REAL and GOOD encryption Don’t rely on an inherently
insecure PIN to protect users. If they knew what they were
doing we wouldn’t be here today.
![Page 37: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/37.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Inadvertent Local Storage and Caching
![Page 38: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/38.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Screenshots› Where are they stored?› When are they taken?› Who can access them!
I Accidently Your Data…
![Page 39: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/39.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
ScreenshotsI Accidently Your Data…
![Page 40: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/40.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Screenshot ProtectionI Accidently Your Data…
![Page 41: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/41.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Other Storage Of Information
› Autocomplete, etc.
I Accidently Your Data…
![Page 42: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/42.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Autocomplete› Override autocomplete› textfield.autocorrectionType = UITextAutocorrectionNone
I Accidently Your Data…
![Page 43: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/43.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Client Side Sanitization
![Page 44: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/44.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
It’s bad…› Less burden on server› Critical bypasses (yay!)
Client Side? More like Bad side, amirite?
![Page 45: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/45.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
It’s bad…› Some classic Web Application faults translate well into the iPhone.
› Web developers relied on:– JavaScript controls– Hidden fields– JSON responses– Information stored in Flash objects
Client Side? More like Bad side, amirite?
![Page 46: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/46.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Rogue Clients› Attackers can write apps (Some testers, too)› Client side secrets can be decompiled– We don’t care if it’s obfuscated for now, that’s a
point in time.› Distributed through trusted App store?– Already happened to Android
Client Side? More like Bad side, amirite?
![Page 47: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/47.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
How To Do It Right› Server Side Controls› Assume everything coming in came from a rouge or compromised client
› Enforce secure communications
Client Side? More like Bad side, amirite?
![Page 48: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/48.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Applies in the iOS world?Client Side? More like Bad side, amirite?
Applies Does Not ApplySQL Injection CSRF*XML Injection XSS*Other InjectionPrivilege EscalationSession HijackingOverflows (Buffer, Integer)Format String Problems Insecure use of SSL
![Page 49: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/49.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
CSRF and XSS In Apps?› Calls to browser– Recent Android Issue [1]– Loads javascript:alert(document.cookie)
› Embedded browser shares web app issues
› Rogue applications and rogue users
Client Side? More like Bad side, amirite?
]1] http://www.crn.com.au/News/265931,video-details-android-browser-intercept-flaw.aspx
![Page 50: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/50.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Break That Down Into Attackers ViewClient Side? More like Bad side, amirite?
Attacker Targets Server Attacker Targets DeviceSQL Injection Overflows (Buffer, Integer)XML Injection Format String Problems Other InjectionPrivilege EscalationSession HijackingInsecure use of SSL
![Page 51: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/51.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Does This Mean to a Developer?
› Time to throw out any assumptions that the device will protect you by obfuscating anything
› A new set of security practices need to be developed and followed when creating App’s
Client Side? More like Bad side, amirite?
![Page 52: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/52.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Shifting Paradigms – we hate ourselves
› Local Storage Review– What is stored and why?
› Educating QA– Proxy testing
› Review Local and Remote Inputs› Information Leakage
Client Side? More like Bad side, amirite?
![Page 53: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/53.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Local Storage Review› Review what’s stored on the device by the application
› Review what’s stored on the device by iOS
› Keep it simple, review to remove
A New Methodology
![Page 54: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/54.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Educating QA› Develop test cases for new and old vulnerabilities
› Formal process for testing communications and settings
A New Methodology
![Page 55: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/55.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Local And Remote Inputs› User input from Apps is always a concern
› Don’t forget about responses that could be intercepted or hijacked.
› Maintain the integrity of the device.
A New Methodology
![Page 56: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/56.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Information Leakage› Examine all traffic to / from the application, like should be done with web applications
› Additional examination of what sensitive data may be in the binary.– Is it necessary? Keep it simple. Review to Remove.
A New Methodology
![Page 57: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/57.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Secure Coding
![Page 58: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/58.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Can Go Wrong?› Arbitrary executable code could be loaded and executed on the device
› Bypass “seatbelt”
Buffer Overflow
![Page 59: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/59.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
How To Do It Right› Same concerns as in C› Use appropriate functions [1]– Example: strlcpy NOT strncpy
› Properly calculate buffer size (constants)› Includes integer bounds checking
Buffer Overflow
[1] http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
![Page 60: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/60.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Can Go Wrong?› Application displays user input (as applications are known to do)
› Uses the [NSString stringWithFormat] method› Uses the printf function› Attacker sends “%s%s%s%s” instead of “Hello”
Format String Attack
![Page 61: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/61.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
How To Do It Right› Enforce Secure Coding Standard– Just like web applications– No vulnerable function should accept untrusted
user input that could be used to determine the format of the output
Format String Attack
![Page 62: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/62.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Can Go Wrong?› Application manages state using the deviceID NOT the session ID.
› Sessions not terminated properly on the server side
› Following Conditions– User logged into the application at some point in
the last day and subsequently logged out.– Attacker supplies wrong credentials through the
mobile app.
Race Conditions
![Page 63: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/63.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Can Go Wrong?› Following Conditions– Application request “session refresh” while waiting
for the incorrect login response to be sent. – Server “refreshes” the session based on the device
ID.– Application receives a response indicating the login
was successful, followed by a login denied error. – Application subsequently ignores the login denied,
continues using the previous session now tied to the Device ID.
Race Conditions
![Page 64: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/64.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
How To Do It Right› Strong server side controls over access– Policy enforcement on concurrent logins– Do not maintain session via Device ID– Properly Logout Users
› Make sure any mobile applications have the same, proper logic enforcement as web applications.
Race Conditions
![Page 65: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/65.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
What Can Go Wrong?› Just about everything– Logic vulnerabilities– Weak session controls– Classic web application vulnerabilities– Too much trust in the client-side controls
Server Side
![Page 66: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/66.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
How To Do It Right› Harden the server– Every client is treated like it might be malicious
› Use same guidelines as Web Apps– OWASP Secure Development
Server Side
![Page 67: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/67.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Push Notifications
![Page 68: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/68.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Real FastPush Notifications
http://www.dhanjani.com/
![Page 69: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/69.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Secure Communications
![Page 70: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/70.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
SSL Whaaaa?› NSURL method
– iOS is secure by default in regards to SSL certs when using this method to retrieve HTTPS content
Secure Communications
Source: http://www.flickr.com/photos/mikebaird/
![Page 71: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/71.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Well, that’s true now…› SSLizzard
– Exploit developed by SpiderLabs to take advantage of weakness in certificate validation. [1]
– Allowed SSL MITM attacks without errors.– Apple patched this, “This vulnerability has been corrected in versions
5.0b4, 4.3.5, and 4.2.10.”
Secure Communications
[1] TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain, https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
![Page 72: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/72.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
SSL Whaaaa?Secure Communications
Source: http://www.flickr.com/photos/lenore-m/
![Page 73: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/73.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
This Is It
![Page 74: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/74.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
› The Basics› Setup For Testing› Secure Storage of Data And Credentials› Inadvertent Local Storage and Caching› Client Side Sanitization› Secure Coding› Push Notifications› Secure Communications
This Is ItReview
![Page 75: Hacking (and Defending) iPhone Applications](https://reader035.vdocuments.mx/reader035/viewer/2022070423/5681665e550346895dd9e431/html5/thumbnails/75.jpg)
COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL
Summary› Testing is easy– For you and for “them”
› Security is hard– Really just for you
› So test everything!
This Is It