AppSec USA 2014 Denver, Colorado © 2014 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 14-2825 iOS App Integrity – Got Any? Research Team: Gregg Ganley (PI) and Gavin Black

Upload: caroline-davidson

Post on 12-Jan-2016


Page 1:

AppSec USA 2014

Denver, Colorado

iOS App Integrity – Got Any?

Research Team: Gregg Ganley (PI) and Gavin Black

Page 2:

Introduction

iOS Mobile Application Security

Gregg Ganley

Gavin Black

Mobile Security Researchers working at MITRE Corp.

Page 3:

iMAS Background

Page 4:

iMAS – iOS Application Defense

iOS Mobile App Security (iMAS) Elevator Pitch

iMAS – iOS secure, open source application framework to reduce iOS application vulnerabilities and information loss

Page 5:

Hacking and Jailbreaking iOS

Attacks and weaknesses are well documented:

Recent Jailbreak: http://en.panqu.io/
After JB Passcode guessing: < 20 mins

– Patches the OS
– Removes security limitations
– Allows root access
– Key protections are disabled

Page 6:

Recent iOS App Coding and OS Reported Vulnerabilities

Top banking apps not secure, Jan 13, 2014
– 40 apps from 60 top world banks; XSS, Lack jailbreak detect, clear text SQLite DB
– http://blogs.computerworld.com/application-security/23386/mobile-ios-banking-apps-are-miserably-insecure-leaky-messes

Starbucks app, Jan 17, 2014
– Updated to no longer store username and password in clear text
– http://www.macrumors.com/2014/01/17/starbucks-app-updated-security/

iOS Passcode issue, Oct 2013
– iOS 7.0.3 fixes the issue

App purchase without authorization, Nov 2013
– iOS 7.04 fixes this issue
– http://www.cruxialcio.com/apple-issue-fix-major-ios-7-bug-3824

Disable Find my iPhone, Feb 7, 2014
– Found in iOS 7.0.4
– http://www.ibtimes.com/ios-7-encounters-new-bug-allows-anyone-disable-find-my-iphone-feature-without-password-video-1553885

SSL Cert verification issue, Feb 23, 2014
– iOS 7.0.6, fixes SSL cert issue

FireEye touch inputs, Feb 25, 2014
– Records touch screen inputs
– http://www.macrumors.com/2014/02/25/security-flaw-log-touch-inputs/

[Slide side labels: App Coding; iOS Issues]

Page 7:

Major iOS Backdoors
Published July 18, 2014

http://www.zdziarski.com/blog/

– iOS7 and iOS8 vulnerable
– Allows entire disk to be copied and sensitive data extracted
– Collects network traffic, allows for copy and later examination

Page 8:

Problem: Standard iOS Application Today

[Diagram labels: Internet; Jailbreak / Root Access; RAM and Debugger; Native iOS Application; iPhone / iPad Hardware; iOS; iOS Core Services; App Signing; App Store; User Auth; App Access; SSH / Debugger; Keychain; Flash Data Storage; 4 Digit Passcode. Legend: Vulnerable Areas]

Page 9:

Introducing iMAS

Page 10:

Research Idea: iMAS Secure Application Framework

iMAS Secure Application Container

[Diagram labels: Native iOS Application; iMAS; Secure Foundation; AppPassword; Passcode Check; Security-Check (Jailbreak / debugger attach); Encrypted Core Data; AppIntegrity Check; AppSignature Check; Encrypted RAM Disk; Memory Check; ECM Encrypted Code Modules; Dynamic App Bundling; Lightning Connector Off Device Trust; Secure MDM Control; iPhone / iPad Hardware; iOS; iOS Core Services; SSH / Debugger; Malware; Tolerable Security Risk; App Store; Enterprise App Store]

Security Areas:
– App authentication
– Data at rest protection
– App at rest security
– Device Passcode check
– Jailbreak detection
– Debugger attach detect
– Encrypted SQLite
– Dynamic application security bundle
– Secure Keychain
– Memory scrub after use
– Dynamic memory usage check
– Remote App Wipe
– Off Device Trust Check

Open Source: github.com/project-imas

– Security Controls beyond Apple iOS
– Reduces iOS app attack surface
– Vetted, prioritized security control set
– Open source, grow community

Page 11:

iOS Security Architecture

[Diagram labels: Developer Access; Apple Only; Apple Only]

Page 12:

iMAS App Security “trade-space” Comparison
Mar 2014

[Chart. Axis labels: Mobile App Information Level; Security Controls. Categories: Consumer; Enterprise; Enterprise+; Sensitive (e.g. HIPAA). Other labels: iOS v4/5; iOSv6; iOSv7; MDM; App Containers; iOS; iOS w/COTS; iOS w/iMAS; Sept 2013 level; State of the Art (Sep 2013); State of the Art (Jan 2014); Art of the Possible (2014+); iMAS (Sep 2013); iMAS (Sep 2014), with or without COTS; Open Source]

iMAS controls raise security levels, bringing it closer to the Art of the Possible

© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release: Case #13-4177

Page 13:

iMAS Security Controls

Page 14:

iMAS – Security Controls

[Diagram labels. Categories: Device Access; Data At Rest; App Access; Run-time; AppStore / Malware; Data in Transit. iMAS controls: Secure Foundation; AppPassword; PasscodeCheck; Security-Check (Jailbreak / debugger attach); Encrypted Core Data (ECD); AppIntegrity Check; Forced-inlining; Encrypted Code Modules (ECM); Memory Security; MDM Remote Control; Dynamic App Bundling; System Monitor; Multi-compiler; Sentry App. Other labels: Vulnerable Areas; iMAS; Jailbreak / Root Access; RAM and Debugger; Keychain; CoreData; No Passcode; None; App Tampering; Lightning Connector; Future Research]

Page 15:

iMAS Security Control Use

[Diagram labels: Apple App Store and Enterprise App Store; Enterprise App Store Only; PasscodeCheck; AppPassword; Secure Foundation; Encrypted Core Data (ECD); Security-Check (Jailbreak / debugger attach); Memory Security; Encrypted Code Modules (ECM); System Monitor; AppIntegrity Check; Forced-inlining; Sentry App; MDM Remote Control]

Page 16:

Github: project-imas.github.io

13 Controls

Page 17:

2014 iMAS Use Scenarios

1. Simple Mobile Device Use (no apps)
– Simple email and calendaring deployment
– iMAS Sentry App
  Open source application ready to run on deployed iOS devices, ready to integrate with MDM
  Application is built with iMAS security controls and helps protect devices

2. Web Application Mobile Device use (thin client apps)
– Addition of enterprise web apps added to devices for employee use
– Enterprise web apps have limited amounts of sensitive information that needs to be protected beyond the capabilities of built-in Safari web browser
– iMAS secure browser

3. Native Application Mobile Device use (thick client)
– Addition of enterprise developed, custom mobile applications
– Applications are used by employees to conduct enterprise functions remotely
– Sensitive enterprise data is stored on the device and is used as part of native application.
– iMAS security controls, built in at compile time.

© 2014 The MITRE Corporation. All rights reserved. For internal MITRE use

Page 18:

iMAS - Encrypted Core Data (ECD)

Apple Core Data
– Application database
– Object access to SQL DB
– SQLite, text file based

iMAS ECD
– Encryption layer

Vulnerable iOS CoreData (Plain Text):
Patient name: Gregg Ganley
Blood Pressure: 120 / 70
Conditions: Influenza

Protected iOS CoreData, Encrypted Core Data (Cipher Text):
Xzfd;gadga; arga;gja; aer
Agadfgasfa afgadfgaet a’g
Af;gkaf;atra 04akg argagg

Page 19:

Encrypted Core Data
Additional iMAS Support

[Diagram labels: Encrypted Core Data; Encrypted Keychain; Sensitive; Unlock Keychain; Key Lock / Checksum; Key on Stack; AppPassword; Secure Foundation; Memory Security]

Page 20:

Multi-compiler

– Produces different binaries each compile
– Static analysis and ROP exploits must account for variations

clang: No changes to underlying assembly unless Objective-C code changes

clang-multi: Different assembly from same code via instruction scheduling changes, different registers, NOPs added

Page 21:

System Monitor

– Monitor all device processes and network calls at the kernel level
– Filtering tools to find and react to developer defined system events

whitelist domain: mitre.org
blacklist process: dropbox

[Diagram labels: iOS Kernel; sysctl call; process info; network connections; App with system monitor; alerts: dropbox open, non-mitre site visited; Handle alerts: mdm call, wipe memory, app shutdown]

Page 22:

Memory Security

– Allows encryption, wiping, and checksums of objects in memory
– Provides function address space validation

Application Start
track(obj1) track(obj2) validateTrack(func)

Application Running
Critical Section
validateCheck(func)
checksumTest()
// phone home/exit

[Branch labels: success; failure]

Page 23:

iMAS Sentry Application
Add to existing Apple deployed devices

Sentry
– Jailbreak and Debugger Detection
– Geo-Fencing
– Security Profile Monitoring
– Ability to remotely lock and wipe
– Automatic Response
– Integrates with commercial or MITRE open sourced MDM
– Leverages iMAS research

Page 24:

Application Binary At Rest Research

– Anti-Tamper
– Patch Resistance
– Mitigate Static Attack

Page 25:

Prior Research
Focus on modifying ELF structures

Shiva
– BlackHat 2003

Reverse Engineering Shiva
– BlackHat Federal 2003

University of Leuven, Belgium
– 2006

iMAS ECM
– Focus on mobile, dynamic libraries

Page 26:

iOS Static App Attacks

Goals
– Piracy, reverse engineering and tampering

Free tools and commercial tools are available
– iExplorer makes it easy to copy executables from device to laptop

Attackers often can analyze, copy, and change binary at will

Can determine security algorithm

Knowledge used to side-step security measures

Page 27:

Static App Attacks Process

– iOS Apps
– Decompiled to source
– Algorithms understood
– Binaries patched
– Security side-stepped

Page 28:

Code Injection and Binary Patching

Binary patching
– Jon Zdziarski's blog offers iOS Binary patching
– http://www.zdziarski.com/blog/?p=2172
– Applidium
– http://applidium.com/en/news/securing_ios_apps_patching_binaries/

Used to nullify security code and exfiltrate data

Vectors:
– Background malware and physical device attacks

Page 30:

Introducing iMAS – Encrypted Code Modules

Page 31:

Encrypted Code Modules (ECM)
WHAT?

– Isolate sensitive algorithms into dynamic libraries (.dylib)
– At compile time encrypt .dylib files and bundle as part of iOS app IPA file
– Deploy to ENTERPRISE App Store – not Apple App Store
– Decrypt and use at run-time
– Protects against static application attack

Page 32:

iMAS Encrypted Code Modules (ECM)
Summary

Plaintext .dylib
• Sensitive Algorithm

app_integrity_check() {
    read_file()
    calc_checksum()
    confirm_integrity()
}

Ciphertext DynamicLib file
• Protected Functionality
• Secured with ECM App Key

[Diagram labels: Xcode; ECM DynamicLib Bundler; iOS App; ECM DynamicLib; bundle]

Page 33:

ECM – Encrypted Code Modules
Concept 1/3

Build Time

– Protected Functionality
– Secured with ECM App Key

[Diagram labels: Xcode; Plaintext .dylib; ECM DynamicLib Builder; ciphertext DynamicLib]

Page 34:

ECM – Encrypted Code Modules
Concept 2/3

ECM built into iOS App

– At Install user enters ECM App Key (EAK)
– EAK is encrypted w/User iMAS AppPassword

[Diagram labels: Xcode; iOS App; ECM DynamicLib; ECM Decoder; iMAS Security; AppPassword]

Page 35:

ECM – Encrypted Code Modules
Concept 3/3

On Device

At Rest: iOS App, Critical Functionality Encrypted

In Use: User enters app password; iOS App, Critical Functionality Unlocked

Invulnerable to Decompiling

[Diagram labels, shown for both states: ECM DynamicLib; ECM Decoder; iMAS Security; AppPassword]

Page 36:

App Integrity on iOS

Cryptographic hash functions can be leveraged to verify an app's binary integrity
– Checksum

Difficult to:
– Secure the known good values of the hash
– Secure the algorithm, specifically
  – Read
  – Call to calculate checksum
  – Compare checksum values

Mitigates against app tampering

Page 37:

Demo

Page 38:

ECM Advantages

Protects the code against static analysis
– Forces an attacker to perform a dynamic attack

As long as the code is encrypted, it is protected against targeted tampering

Apps with ECM can
– Protect sensitive algorithms
– Protect Intellectual Property
– “checksum themselves” to ensure binary was not patched
– Protect security controls themselves – i.e. Memory Security

Page 39:

iMAS ECM available on Github
Open Source available Aug 4, 2014

https://github.com/project-imas/encrypted_code_modules

Page 40:

FY15 Technical Approach and Research

Deeper security controls
Continue researching security controls (those not finished in FY14)
Advanced resilience and anti-tamper techniques
Dynamic App Bundling research
– Continue app repackaging techniques; larger “wrapped” functionality
Deeper security for more sensitive application data content
– iMAS Encrypted Code Modules research
Implement portions of security controls using iMAS ECM technique
iRASP – iOS Runtime Application Self-Protection
– Application instrumentation enabling security detection and prevention
– Self-debugging for iOS Apps, expand on Ruminate RIT work, Harmon
iLAD – iOS Leak Analysis and Detection
– Extend PiOS research, static call graph and data loss analysis for iOS
– Static first, then fold into dynamic iRASP
Off device trust
– iOS Lightning Connector and trusted smart charger research

Page 41:

iMAS listed as OWASP Mobile Security Project – Mobile Tool

Page 42:

Questions?

iMAS - iOS Mobile Application Security

Github: https://project-imas.github.com

POC: MITRE, Bedford MA

Gregg Ganley
781-271-2739
[email protected]

Gavin Black
781-271-4771
[email protected]

Please!
• Visit and Discover
• Download and Experiment
• Feedback and push requests

Page 43:

Backup

Page 44:

Web Site
project-imas.github.com

Page 45:

iOS Encrypted Code Modules (ECM)
Bottom Line Up Front

– iOS Static App attacks are very common
– Code injection and binary patching can compromise app
– Application Integrity is critical to thwarting these techniques
– Implementing App Integrity is difficult
– iMAS introduces ECM
– Next steps with ECM