TRANSCRIPT
AppSec USA 2014
Denver, Colorado
© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 14-2825
iOS App Integrity – Got Any?
Research Team: Gregg Ganley (PI) and Gavin Black
iOS Mobile Application Security
Gregg Ganley
Gavin Black
Mobile Security Researchers working at MITRE corp.
Introduction
iMAS Background
iMAS – iOS Application Defense
iMAS – iOS secure, open source application framework to reduce iOS application vulnerabilities and information loss
iOS Mobile App Security (iMAS) Elevator Pitch
Hacking and Jailbreaking iOS
Attacks and weaknesses are well documented:
Recent jailbreak: http://en.panqu.io/. After jailbreak, passcode guessing: < 20 mins
A jailbreak:
• Patches the OS
• Removes security limitations
• Allows root access
• Key protections are disabled
Recent iOS App Coding and OS Reported Vulnerabilities
• Top banking apps not secure, Jan 13, 2014 – 40 apps from 60 top world banks; XSS, lack of jailbreak detection, clear-text SQLite DB – http://blogs.computerworld.com/application-security/23386/mobile-ios-banking-apps-are-miserably-insecure-leaky-messes
• Starbucks app, Jan 17, 2014 – Updated to no longer store username and password in clear text – http://www.macrumors.com/2014/01/17/starbucks-app-updated-security/
• iOS Passcode issue, Oct 2013 – iOS 7.0.3 fixes the issue
• App purchase without authorization, Nov 2013 – iOS 7.04 fixes this issue – http://www.cruxialcio.com/apple-issue-fix-major-ios-7-bug-3824
• Disable Find my iPhone, Feb 7, 2014 – Found in iOS 7.0.4 – http://www.ibtimes.com/ios-7-encounters-new-bug-allows-anyone-disable-find-my-iphone-feature-without-password-video-1553885
• SSL Cert verification issue, Feb 23, 2014 – iOS 7.0.6 fixes SSL cert issue
• FireEye touch inputs, Feb 25, 2014 – Records touch screen inputs – http://www.macrumors.com/2014/02/25/security-flaw-log-touch-inputs/
[Table columns: App Coding | iOS Issues | source]
Major iOS Backdoors (published July 18, 2014)
http://www.zdziarski.com/blog/
• iOS 7 and iOS 8 vulnerable
• Allows entire disk to be copied and sensitive data extracted
• Collects network traffic, allows for copy and later examination
Problem: Standard iOS Application Today
[Diagram: a Native iOS Application stacked on iOS Core Services, iOS and iPhone / iPad Hardware, exposed to the Internet, to Jailbreak / Root Access, and to RAM and Debugger access. Vulnerable Areas marked: App Signing, App Store, User Auth, App Access, SSH / Debugger, Keychain, Flash Data Storage, 4 Digit Passcode.]
Introducing iMAS
Research Idea: iMAS Secure Application Framework
[Diagram: iMAS Secure Application Container wrapping the Native iOS Application above iOS Core Services, iOS and iPhone / iPad Hardware, with SSH / Debugger / Malware shown outside the container. Components: Secure Foundation, AppPassword, Passcode Check, Security-Check (Jailbreak / debugger attach), Encrypted Core Data, AppIntegrity Check, AppSignature Check, Encrypted RAM Disk, Memory Check, ECM Encrypted Code Modules, Dynamic App Bundling, Remote App Wipe, Lightning Connector Off Device Trust. Also shown: Secure MDM Control, App Store, Enterprise App Store.]
Security Areas:
• App authentication
• Data at rest protection
• App at rest security
• Device Passcode check
• Jailbreak detection
• Debugger attach detect
• Encrypted SQLite
• Dynamic application security bundle
• Secure Keychain
• Memory scrub after use
• Dynamic memory usage check
• Remote App Wipe
• Off Device Trust Check
Open Source: github.com/project-imas
• Security Controls beyond Apple iOS
• Reduces iOS app attack surface
• Vetted, prioritized security control set
• Open source, grow community
• Tolerable Security Risk
iOS Security Architecture
[Diagram: layers labelled Developer Access, Apple Only, Apple Only.]
iMAS App Security “trade-space” Comparison (Mar 2014)
[Chart: Mobile App Information Level (Consumer, Enterprise, Enterprise+, Sensitive (e.g. HIPAA)) against Security Controls (iOS v4/5, iOS v6, iOS v7, MDM, App Containers, iOS w/COTS, iOS w/iMAS). Series: State of the Art (Sep 2013 / Jan 2014), Art of the Possible (2014+), iMAS (Sep 2013 level), iMAS (Sep 2014, with or without COTS, Open Source).]
iMAS controls raise security levels, bringing it closer to the Art of the Possible.
© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release: Case #13-4177
iMAS Security Controls
[Diagram: Vulnerable Areas set against iMAS controls, approximately as: Device Access (Jailbreak / Root Access, No Passcode); Data At Rest (Keychain, CoreData); App Access (None); Run-time (RAM and Debugger); AppStore / Malware (App Tampering); Data in Transit (Lightning Connector). iMAS controls shown: Secure Foundation, AppPassword, PasscodeCheck, Security-Check (Jailbreak / debugger attach), Encrypted Core Data (ECD), AppIntegrity Check, Forced-inlining, Encrypted Code Modules (ECM), Memory Security.]
Future Research: MDM Remote Control, Dynamic App Bundling, System Monitor, Multi-compiler, Sentry App
iMAS Security Control Use
Apple App Store and Enterprise App Store:
• PasscodeCheck
• AppPassword
• Secure Foundation
• Encrypted Core Data (ECD)
• Security-Check (Jailbreak / debugger attach)
• Memory Security
• Encrypted Code Modules (ECM)
• System Monitor
• AppIntegrity Check
• Forced-inlining
Enterprise App Store Only:
• Sentry App
• MDM Remote Control
Github: project-imas.github.io (13 Controls)
2014 iMAS Use Scenarios
1. Simple Mobile Device Use (no apps)
– Simple email and calendaring deployment
– iMAS Sentry App: open source application ready to run on deployed iOS devices, ready to integrate with MDM; the application is built with iMAS security controls and helps protect devices
2. Web Application Mobile Device use (thin client apps)
– Addition of enterprise web apps added to devices for employee use
– Enterprise web apps have limited amounts of sensitive information that needs to be protected beyond the capabilities of the built-in Safari web browser
– iMAS secure browser
3. Native Application Mobile Device use (thick client)
– Addition of enterprise developed, custom mobile applications
– Applications are used by employees to conduct enterprise functions remotely
– Sensitive enterprise data is stored on the device and is used as part of the native application
– iMAS security controls, built in at compile time
© 2014 The MITRE Corporation. All rights reserved. For internal MITRE use
iMAS - Encrypted Core Data (ECD)
Apple Core Data:
– Application database
– Object access to SQL DB
– SQLite, text file based
Vulnerable iOS CoreData (plain text on disk):
Patient name: Gregg Ganley
Blood Pressure: 120 / 70
Conditions: Influenza
iMAS ECD – Encryption layer. Protected iOS CoreData (cipher text on disk):
Xzfd;gadga; arga;gja; aer
Agadfgasfa afgadfgaet a’g
Af;gkaf;atra 04akg argagg
Encrypted Core Data: Additional iMAS Support
[Diagram: Encrypted Core Data and Encrypted Keychain holding sensitive data in ciphertext; labels: Unlock Keychain, Key Lock / Checksum, Key on Stack; supporting controls: AppPassword, Secure Foundation, Memory Security.]
Multi-compiler
[Diagram: clang vs clang-multi]
• Produces different binaries each compile
• Static analysis and ROP exploits must account for variations
• clang: no changes to underlying assembly unless Objective-C code changes
• clang-multi: different assembly from same code via instruction scheduling changes, different registers, NOPs added
System Monitor
• Monitor all device processes and network calls at the kernel level
• Filtering tools to find and react to developer defined system events
[Diagram: the iOS Kernel reports sysctl calls, process info and network connections to the app with system monitor. Example policy: whitelist domain: mitre.org; blacklist process: dropbox. Example alerts: dropbox open, non-mitre site visited. Handle alerts: • mdm call • wipe memory • app shutdown]
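As an added example (not iMAS code; the event kinds, rule names and the mapping of alerts to responses are constructed for this illustration), the filtering step the slide describes, written in C: kernel-reported process and network events are matched against the developer-defined whitelist domain and blacklist process, and each hit becomes an alert carrying the responses shown on the slide (mdm call, wipe memory, app shutdown). The domain match is a suffix check on a label boundary, so www.mitre.org passes while mitre.org.example.net and notmitre.org do not.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not iMAS code: a userland model of the System Monitor's
 * filtering step. The event kinds, rule names and action mapping below are
 * assumptions made for this illustration. */

enum event_kind { EV_PROCESS_OPEN, EV_NET_CONNECT };

struct sys_event {
    enum event_kind kind;
    const char *subject;            /* process name or destination host */
};

/* Responses from the slide, as a bitmask so one alert can trigger several. */
enum action { ACT_MDM_CALL = 1, ACT_WIPE_MEMORY = 2, ACT_APP_SHUTDOWN = 4 };

struct alert {
    const char *reason;
    unsigned actions;
};

/* Developer-defined policy from the slide: allow mitre.org, block dropbox. */
static const char *WHITELIST_DOMAIN = "mitre.org";
static const char *BLACKLIST_PROCESS = "dropbox";

/* Host is allowed if it is the domain or a subdomain of it (label boundary
 * required): "www.mitre.org" passes, "mitre.org.example.net" and
 * "notmitre.org" do not. Input is assumed already lower-cased. */
int host_in_domain(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl < dl || strcmp(host + (hl - dl), domain) != 0) return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Turn kernel-reported events into alerts; returns the number written. */
size_t filter_events(const struct sys_event *ev, size_t n, struct alert *out, size_t max_out)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max_out; i++) {
        if (ev[i].kind == EV_PROCESS_OPEN && strcmp(ev[i].subject, BLACKLIST_PROCESS) == 0) {
            out[count].reason = "blacklisted process opened";
            out[count].actions = ACT_MDM_CALL | ACT_APP_SHUTDOWN;
            count++;
        } else if (ev[i].kind == EV_NET_CONNECT && !host_in_domain(ev[i].subject, WHITELIST_DOMAIN)) {
            out[count].reason = "non-whitelisted site visited";
            out[count].actions = ACT_MDM_CALL | ACT_WIPE_MEMORY;
            count++;
        }
    }
    return count;
}

/* Constructed sample feed standing in for sysctl / process info / network observations. */
static const struct sys_event SAMPLE_EVENTS[] = {
    { EV_NET_CONNECT,  "www.mitre.org" },
    { EV_PROCESS_OPEN, "mail" },
    { EV_PROCESS_OPEN, "dropbox" },
    { EV_NET_CONNECT,  "mitre.org.example.net" },
    { EV_NET_CONNECT,  "example.org" },
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

size_t run_sample(struct alert *out, size_t max_out)
{
    return filter_events(SAMPLE_EVENTS, SAMPLE_COUNT, out, max_out);
}

int main(void)
{
    struct alert alerts[8];
    size_t n = run_sample(alerts, 8);
    for (size_t i = 0; i < n; i++)
        printf("alert: %s (actions 0x%x)\n", alerts[i].reason, alerts[i].actions);
    return 0;
}
```

On the constructed feed the filter raises three alerts: the dropbox open and the two connections outside mitre.org. The label-boundary check is the part worth copying; a plain substring match on "mitre.org" would let an attacker-chosen host such as mitre.org.example.net through.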
Memory Security
• Allows encryption, wiping, and checksums of objects in memory
• Provides function address space validation
[Diagram: Application Start: track(obj1), track(obj2), validateTrack(func) → Application Running → Critical Section: validateCheck(func), checksumTest() → success: continue; failure: phone home / exit]
iMAS Sentry Application: Add to existing Apple deployed devices
• Jailbreak and Debugger Detection
• Geo-Fencing
• Security Profile Monitoring
• Ability to remotely lock and wipe
• Automatic Response
• Integrates with commercial or MITRE open sourced MDM
• Leverages iMAS research
Application Binary At Rest Research
Anti-Tamper, Patch Resistance, Mitigate Static Attack
Prior Research: Focus on modifying ELF structures
• Shiva – BlackHat 2003
• Reverse Engineering Shiva – BlackHat Federal 2003
• University of Leuven, Belgium – 2006
iMAS ECM – Focus on mobile, dynamic libraries
iOS Static App Attacks
• Goals – Piracy, reverse engineering and tampering
• Free tools and commercial tools are available – iExplorer makes it easy to copy executables from device to laptop
• Attackers often can analyze, copy, and change binary at will
• Can determine security algorithm
• Knowledge used to side-step security measures
Static App Attacks Process
iOS apps decompiled to source → Algorithms understood → Binaries patched → Security side-stepped
Code Injection and Binary Patching
• Binary patching – Jon Zdziarski's blog offers iOS binary patching – http://www.zdziarski.com/blog/?p=2172
– Applidium – http://applidium.com/en/news/securing_ios_apps_patching_binaries/
• Used to nullify security code and exfiltrate data
• Vectors – Background malware and physical device attacks
Consequences of Static Attacks
IBM Arxan NetworkWorld article June 12, 2014
http://www.networkworld.com/article/2362604/wireless/ibm-and-arxan-tackle-the-next-big-security-threat-mobile-apps.html
Introducing iMAS – Encrypted Code Modules
Encrypted Code Modules (ECM): WHAT?
• Isolate sensitive algorithms into dynamic libraries (.dylib)
• At compile time encrypt .dylib files and bundle as part of iOS app IPA file
• Deploy to ENTERPRISE App Store – not Apple App Store
• Decrypt and use at run-time
• Protects against static application attack
iMAS Encrypted Code Modules (ECM): Summary
[Diagram: Xcode builds the sensitive algorithm into a plaintext .dylib; the ECM DynamicLib Bundler turns it into a ciphertext DynamicLib file (protected functionality, secured with ECM App Key) that is bundled into the iOS App. Example protected routine shown:]
app_integrity_check() { read_file() calc_checksum() confirm_integrity() }
ECM – Encrypted Code Modules: Concept 1/3
Build Time
[Diagram: Xcode produces a plaintext .dylib; the ECM DynamicLib Builder outputs a ciphertext DynamicLib. Protected Functionality, secured with ECM App Key.]
ECM – Encrypted Code Modules: Concept 2/3
[Diagram: ECM built into the iOS App: iOS App, ECM DynamicLib, ECM Decoder, iMAS Security, AppPassword.]
• At install, user enters ECM App Key (EAK)
• EAK is encrypted with the user's iMAS AppPassword
ECM – Encrypted Code Modules: Concept 3/3
On Device
At Rest: critical functionality encrypted; invulnerable to decompiling (iOS App, ECM DynamicLib, ECM Decoder, iMAS Security).
In Use: user enters app password (AppPassword); critical functionality unlocked.
App Integrity on iOS
• Cryptographic hash functions can be leveraged to verify an app's binary integrity – Checksum
• Difficult to:
– Secure the known good values of the hash
– Secure the algorithm, specifically: read, call to calculate checksum, compare checksum values
• Mitigates against app tampering
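The following added C example is not iMAS code. It models two slides at once: the Memory Security flow (track, validateTrack, validateCheck, checksumTest, plus a scrub after use) and this slide's read, calculate, compare sequence for app integrity, on constructed data. FNV-1a stands in for the cryptographic hash a real build would use, the byte string standing in for the app binary is constructed, and every function and variable name is an assumption. The scenario at the end walks the slide's sequence and shows each kind of tampering (a modified in-memory secret, a swapped function pointer, a one-byte patch to the image) being caught.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not iMAS code. One small C model of two slides: the track() /
 * validateTrack() / validateCheck() / checksumTest() flow of Memory Security and
 * the read_file() -> calc_checksum() -> confirm_integrity() flow of App Integrity.
 * FNV-1a stands in for the cryptographic hash a real build would use; the "binary
 * image", the key and every name below are constructed for this example. */

#define MAX_TRACKED 16
typedef void (*tracked_fn)(void);
struct tracked_obj { const void *addr; size_t len; uint64_t checksum; };
static struct tracked_obj g_objs[MAX_TRACKED];
static tracked_fn g_funcs[MAX_TRACKED];
static size_t g_nobjs, g_nfuncs;

static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* ---- Memory Security ---- */
void reset_tracking(void) { g_nobjs = 0; g_nfuncs = 0; }
int track(const void *addr, size_t len)   /* track(obj): location + checksum of contents */
{
    if (g_nobjs >= MAX_TRACKED) return -1;
    g_objs[g_nobjs].addr = addr;
    g_objs[g_nobjs].len = len;
    g_objs[g_nobjs].checksum = fnv1a64(addr, len);
    g_nobjs++;
    return 0;
}
int validate_track(tracked_fn fn)         /* validateTrack(func): record address at start-up */
{
    if (g_nfuncs >= MAX_TRACKED) return -1;
    g_funcs[g_nfuncs++] = fn;
    return 0;
}
int validate_check(tracked_fn fn)         /* validateCheck(func): 1 if fn was recorded */
{
    for (size_t i = 0; i < g_nfuncs; i++) if (g_funcs[i] == fn) return 1;
    return 0;                             /* a swapped dispatch-table entry lands here */
}
int checksum_test(void)                   /* checksumTest(): 1 if nothing tracked changed */
{
    for (size_t i = 0; i < g_nobjs; i++)
        if (fnv1a64(g_objs[i].addr, g_objs[i].len) != g_objs[i].checksum) return 0;
    return 1;
}
void wipe(void *buf, size_t len)          /* scrub a secret; volatile keeps the stores */
{
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* ---- App Integrity ---- */
/* Constructed stand-in for the app binary; a real check reads the Mach-O from disk. */
static const unsigned char APP_IMAGE[] = "\xcf\xfa\xed\xfe constructed-image-bytes";
static unsigned char g_image_buf[sizeof APP_IMAGE];
static size_t read_file(const unsigned char *src, size_t n, unsigned char *dst) { memcpy(dst, src, n); return n; }
static uint64_t calc_checksum(const unsigned char *b, size_t n) { return fnv1a64(b, n); }
static int confirm_integrity(uint64_t got, uint64_t want) { return got == want; }
/* Known-good value a build step would record; derived here from the constructed image. */
uint64_t build_time_reference(void) { return fnv1a64(APP_IMAGE, sizeof APP_IMAGE); }
int app_integrity_check(const unsigned char *image, size_t len, uint64_t expected)
{
    if (len > sizeof g_image_buf) return 0;          /* never overrun the read buffer */
    size_t n = read_file(image, len, g_image_buf);
    return confirm_integrity(calc_checksum(g_image_buf, n), expected);
}
static int g_real_calls, g_rogue_calls;   /* distinct bodies: the compiler cannot fold them */
static void real_unlock(void) { g_real_calls++; }
static void rogue_unlock(void) { g_rogue_calls++; }

/* Walks both flows on constructed data; returns 1 if every tamper was caught. */
int run_scenario(void)
{
    unsigned char session_key[16] = "constructed-key";
    struct { tracked_fn on_unlock; } dispatch = { real_unlock };
    unsigned char patched[sizeof APP_IMAGE];
    uint64_t ref = build_time_reference();
    int ok = 1;
    reset_tracking();                                /* Application Start */
    track(session_key, sizeof session_key);
    validate_track(dispatch.on_unlock);
    ok &= checksum_test() && validate_check(dispatch.on_unlock);
    ok &= app_integrity_check(APP_IMAGE, sizeof APP_IMAGE, ref);
    session_key[3] ^= 0x80;                          /* simulated in-memory tampering */
    dispatch.on_unlock = rogue_unlock;               /* simulated pointer swap */
    memcpy(patched, APP_IMAGE, sizeof patched);
    patched[8] ^= 0x01;                              /* simulated one-byte binary patch */
    ok &= !checksum_test();                          /* Critical Section checks */
    ok &= !validate_check(dispatch.on_unlock);
    ok &= !app_integrity_check(patched, sizeof patched, ref);
    wipe(session_key, sizeof session_key);           /* memory scrub after use */
    return ok;
}
```

The reference value is a plain constant here, which is exactly the weakness the slide points at: an attacker who can read the binary can read the known-good hash and the three-step check beside it. That is the gap the ECM slides that follow address, by keeping the check inside an encrypted module.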
Demo
ECM Advantages
• Protects the code against static analysis – Forces an attacker to perform a dynamic attack
• As long as the code is encrypted, it is protected against targeted tampering
• Apps with ECM can:
– Protect sensitive algorithms
– Protect Intellectual Property
– “checksum themselves” to ensure binary was not patched
– Protect security controls themselves, i.e. Memory Security
iMAS ECM available on Github: Open Source available Aug 4, 2014
https://github.com/project-imas/encrypted_code_modules
FY15 Technical Approach and Research
• Deeper security controls – Continue researching security controls (those not finished in FY14)
• Advanced resilience and anti-tamper techniques – Dynamic App Bundling research – Continue app repackaging techniques; larger “wrapped” functionality
• Deeper security for more sensitive application data content – iMAS Encrypted Code Modules research – Implement portions of security controls using iMAS ECM technique
• iRASP – iOS Runtime Application Self-Protection – Application instrumentation enabling security detection and prevention – Self-debugging for iOS Apps, expand on Ruminate RIT work, Harmon
• iLAD – iOS Leak Analysis and Detection – Extend PiOS research, static call graph and data loss analysis for iOS – Static first, then fold into dynamic iRASP
• Off device trust – iOS Lightning Connector and trusted smart charger research
iMAS listed as OWASP Mobile Security Project – Mobile Tool
Questions?
iMAS - iOS Mobile Application Security
Github:
https://project-imas.github.com
POC:
MITRE, Bedford MA
Gregg Ganley
781-271-2739
Gavin Black
781-271-4771
Please!
• Visit and Discover
• Download and Experiment
• Feedback and push requests
Backup
Web Site: project-imas.github.com
iOS Encrypted Code Modules (ECM): Bottom Line Up Front
• iOS Static App attacks are very common
• Code injection and binary patching can compromise app
• Application Integrity is critical to thwarting these techniques
• Implementing App Integrity is difficult
• iMAS introduces ECM
• Next steps with ECM