iOS security - 101
Daniel Ramírez
OWASP Wroclaw #2 meeting, 04/29/16
Agenda
• Introduction iOS
• iOS App Architecture
• iOS App Runtime Protection Features
• Setting up our Environment
• Tools for iOS App Review
• iOS Risks Analysis
Introduction iOS
• Apps are among the most critical elements of a modern mobile security architecture.
• While apps provide amazing productivity benefits for users, they also have the potential to negatively impact system security, stability, and user data if they are not handled properly.
Introduction iOS
• Because of this, iOS provides layers of protection
– Signed and verified
– Sandboxed to protect user data.
– …
• These elements provide a stable, secure platform for apps without impacting system integrity.
iOS App Architecture
• The typical architecture of an iOS application is shown in the image below.
iOS App Protection Features
• ASLR (Address Space Layout Randomization)
• Non-Executable Memory
• ARC (Automatic Reference Counting)
• Code Signing
• Sandboxing
ASLR
ASLR - Example
example: otool -Vh <binary>
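As an added example (not from the talk), the script below shows how a reviewer reads `otool` output for the protection features listed on the previous slide: the `PIE` flag in the Mach header printed by `otool -Vh` means the image loads at a randomized base (ASLR), while `___stack_chk_fail` and `_objc_release` in the indirect symbol table from `otool -I -v` indicate stack canaries and ARC. The fixture files are constructed sample output, so it runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the talk: read otool output for the protection
# features a reviewer checks. Input is saved text from `otool -Vh <binary>`
# (Mach header) and `otool -I -v <binary>` (indirect symbols), so it runs offline.

WORK=$(mktemp -d)

# Constructed sample of `otool -Vh` for a PIE (ASLR-enabled) arm64 binary.
cat > "$WORK/header_pie.txt" <<'EOF'
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  ARM64        ALL  0x00     EXECUTE    24       2880   NOUNDEFS DYLDLINK TWOLEVEL PIE
EOF

# Same header without PIE: this binary would load at a fixed base.
cat > "$WORK/header_nopie.txt" <<'EOF'
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  ARM64        ALL  0x00     EXECUTE    24       2880   NOUNDEFS DYLDLINK TWOLEVEL
EOF

# Constructed sample of `otool -I -v` with the imports the checks look for.
cat > "$WORK/symbols.txt" <<'EOF'
Indirect symbols for (__TEXT,__stubs) 3 entries
address            index name
0x0000000100007000    12 ___stack_chk_fail
0x000000010000700c    13 _objc_release
0x0000000100007018    14 _objc_retain
EOF

# PIE in the header flags: the image is relocated to a random base (ASLR).
check_pie() {
    if grep 'MH_MAGIC' "$1" | grep -qw 'PIE'; then echo yes; else echo no; fi
}

# ___stack_chk_fail / ___stack_chk_guard present: built with stack canaries.
check_stack_canary() {
    if grep -q '___stack_chk_' "$1"; then echo yes; else echo no; fi
}

# _objc_release imported: Objective-C code compiled with ARC.
check_arc() {
    if grep -qw '_objc_release' "$1"; then echo yes; else echo no; fi
}

# Human-readable summary; takes the header dump and the symbol dump.
report_protections() {
    printf 'PIE/ASLR:     %s\n' "$(check_pie "$1")"
    printf 'Stack canary: %s\n' "$(check_stack_canary "$2")"
    printf 'ARC:          %s\n' "$(check_arc "$2")"
}

report_protections "$WORK/header_pie.txt" "$WORK/symbols.txt"
```

On a device, replace the fixture files with the saved output of the two otool commands run against the decrypted app binary; a missing `PIE` flag is the finding the ASLR slide is about.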
Non-Executable Memory
• Data pages are marked non-executable
• iOS enforces W^X page protection policy
– Pages that are writeable cannot become executable
• Injected machine code cannot be immediately executed
ARC (Automatic Reference Counting)
Code Signing
• 2 types of certificates:
– Developer
– Submission
Apple Review
Sandboxing
Setting up our Environment
• A jailbroken device
• PuTTY – SSH client
• iFunBox (Windows)
• WinSCP – SFTP client
Tools for iOS Apps Review
• Dynamic analysis tools
– Cycript (runtime)
– idb / iNalyzer
• Disassemblers
– class-dump / class-dump-z (depends on iOS version)
– otool
– Hopper
• Clutch – decrypt app
• Keychain dumper
iOS Risks Analysis
• Insecure Data Storage
• Insufficient Transport Layer Protection
• Unintended Data Leakage
• Poor Authorization & Authentication
• Lack of Binary Protection
Insecure Data Storage
• SQLite databases
• NSUserDefaults
• Plist files
• Log files
• XML data stores
• Binary data stores
• Cookie stores
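As an added example (not from the talk), this script inventories the store types listed above inside an app's data container and flags the ones that contain credential-like strings, which is the check a reviewer runs after pulling the container off a jailbroken device with WinSCP. The container is a constructed fixture in a temp directory; only its layout (Documents/, Library/Preferences/ for NSUserDefaults, Library/Cookies/, Library/Caches/) follows iOS, and the file contents, bundle id and function names are mine.

```shell
#!/bin/sh
# Added example, not part of the talk: inventory the data stores the slide lists
# inside an app's data container and flag files that hold credential-like strings.
# The container below is a constructed fixture in a temp dir; only the layout
# (Documents/, Library/Preferences/, Library/Cookies/, Library/Caches/) follows iOS.

WORK=$(mktemp -d)
CONTAINER="$WORK/container"
mkdir -p "$CONTAINER/Documents" "$CONTAINER/Library/Preferences" \
         "$CONTAINER/Library/Cookies" "$CONTAINER/Library/Caches"

# NSUserDefaults persist as a plist under Library/Preferences/<bundle id>.plist;
# this constructed one stores a password in clear, the pattern the slide warns about.
cat > "$CONTAINER/Library/Preferences/com.example.app.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>username</key><string>alice</string>
  <key>password</key><string>hunter2</string>
</dict></plist>
EOF
# A debug log that leaked a session token (constructed).
printf 'INFO login ok session_token=abc123\n' > "$CONTAINER/Documents/app.log"
# Cookie store and an XML cache with nothing sensitive (constructed).
printf 'cookie data\n' > "$CONTAINER/Library/Cookies/Cookies.binarycookies"
printf '<settings><theme>dark</theme></settings>\n' > "$CONTAINER/Library/Caches/settings.xml"

# Files of the types named on the slide: SQLite, plist (NSUserDefaults), logs,
# XML, binary stores, cookies.
list_data_stores() {
    find "$1" -type f \( -iname '*.sqlite' -o -iname '*.sqlite3' -o -iname '*.db' \
        -o -iname '*.plist' -o -iname '*.log' -o -iname '*.xml' \
        -o -iname '*.binarycookies' -o -iname '*.dat' \) | sort
}

# Of those, the ones containing strings that suggest secrets stored in clear.
# -a treats binary stores as text so matches inside them are still reported.
find_sensitive() {
    list_data_stores "$1" | while IFS= read -r f; do
        if grep -a -q -i -E 'password|passwd|token|secret|api[_-]?key' "$f"; then
            echo "$f"
        fi
    done
}

count_sensitive() {
    find_sensitive "$1" | wc -l | tr -d ' '
}

echo "Data stores found:"
list_data_stores "$CONTAINER"
echo "Contain credential-like strings:"
find_sensitive "$CONTAINER"
```

Point `list_data_stores` at a copied real container to get the same report; anything `find_sensitive` lists is a candidate for the Keychain instead of a plist or log, or for not being stored at all.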
Insufficient Transport Layer Protection
• Are all connections properly encrypted?
• Are the SSL certificates up to date and self-signed?
• Will your application accept user-accepted certificates as authorities?
• Is Certificate Pinning present?
Insufficient Transport Layer Protection
• Apply SSL/TLS to transport channels that the mobile app will use to transmit sensitive information
• Use certificates signed by a trusted CA and require SSL chain verification.
• Alert through the UI if the mobile app detects an invalid cert.
Unintended Data Leakage
• The way that the application stores data, images, key-presses, logs and buffers.
Storing data securely on a mobile device requires proper technique. Whenever possible, simply do not store/cache data. This is the surest way to avoid data compromise on the device.
Poor Authorization & Authentication
• Insecure patterns:
– Persistent auth within the mobile app should be implemented as opt-in, not by default
– Ensure that all authentication requests are performed server-side.
• Developers should assume all client-side authorization & authentication controls can be bypassed by malicious users.
Poor Authorization & Authentication
• Consider the following scenario:
– Only authenticated users will be able to generate a service request that the mobile app submits to its backend for processing.
– During the processing of the request, the server doesn't verify that the request is associated with a known user. Adversaries can then submit requests to the server anonymously.
Demo Time
• ps aux | grep <app name>
• cycript -p <id>
Lack of Binary Protections iOS
• Can someone decrypt the app?
• Can someone use a reverse engineering tool like Hopper?
• The application must follow secure coding techniques:
– Jailbreak Detection Controls
– Certificate Pinning Controls
– Debugger Detection Controls
Lack of Binary Protections iOS
• Disabling Code Encryption (ClutchMod)
• Jailbreak Detection Evasion (xcon)
• Class Dumping (class-dump-z || class-dump)
• Runtime Code Injection (cycript)
• Runtime Monitoring (Snoop-It)
• Runtime Analysis (GDB)
• Reverse Engineering (Hopper)
Example Clutch & Class-Dump
• Clutch2 -i
• Clutch2 <options> <id>
OUTPUT
Installed Apps:
1: Facebook
2: Yahoo Weather
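As an added example (not from the talk), the script below automates the lookups behind the demo slide (`ps aux | grep <app name>` followed by `cycript -p <id>`) and the Clutch2 listing above: it resolves the PID of the app under test from `ps aux` output without being fooled by the `grep` process itself, and maps an app name in the `Installed Apps:` list to the number Clutch2 takes as `<id>`. Both parsers read constructed sample output saved to temp files, not a live device; the paths, PIDs and function names are mine.

```shell
#!/bin/sh
# Added example, not part of the talk: locate the target for the runtime steps the
# slides show (`ps aux | grep <app name>` followed by `cycript -p <pid>`, and the
# "Installed Apps" listing from `Clutch2 -i`). Both parsers read saved, constructed
# sample output, not a live device.

WORK=$(mktemp -d)

# Constructed `ps aux` sample. The last line is the grep process itself, which a
# plain `ps aux | grep Example` also matches and which must not be mistaken for the app.
cat > "$WORK/ps.txt" <<'EOF'
USER    PID  %CPU %MEM    VSZ   RSS   TT  STAT STARTED    TIME COMMAND
mobile  418   0.0  3.1 601236 31980   ??  Ss   10:02AM 0:01.92 /var/containers/Bundle/Application/CONSTRUCTED-UUID/Example.app/Example
mobile  523   0.0  1.2 584120 12344   ??  Ss   10:05AM 0:00.40 /usr/libexec/lockdownd
root    611   0.0  0.1  12345  1234 s000  S+   10:07AM 0:00.01 grep Example
EOF

# Constructed `Clutch2 -i` sample in the format shown on the slide.
cat > "$WORK/clutch.txt" <<'EOF'
Installed Apps:
1: Facebook
2: Yahoo Weather
3: Example
EOF

# PID of the app whose executable (last path component of COMMAND, column 11)
# equals the given name exactly; prints nothing if it is not running.
app_pid() {
    awk -v name="$2" 'NR > 1 {
        n = split($11, parts, "/")
        if (parts[n] == name) { print $2; exit }
    }' "$1"
}

# Clutch2 numbers the installed apps; look up the number for an app name so it
# can be passed as <id>. Lines are "<n>: <name>", and the name may contain spaces.
clutch_index() {
    awk -F': ' -v name="$2" '$1 ~ /^[0-9]+$/ && $2 == name { print $1; exit }' "$1"
}

# Shows the command a reviewer would type next for the app under test.
cycript_attach_cmd() {
    pid=$(app_pid "$1" "$2")
    if [ -z "$pid" ]; then
        echo "$2: not running" >&2
        return 1
    fi
    echo "cycript -p $pid"
}

cycript_attach_cmd "$WORK/ps.txt" Example
echo "Clutch2 id for 'Yahoo Weather': $(clutch_index "$WORK/clutch.txt" 'Yahoo Weather')"
```

Matching on the full executable name rather than a substring is what keeps `grep Example` (and any app whose name merely contains the string) out of the result, a mistake the one-liner on the slide is prone to.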
Summary
• Architecture of an .ipa file
• iOS protection features
– ASLR
– W^X
– Code Signing
• Risk Analysis
• Cycript | Clutch | Class-dump | keychain_dumper