iOS Application Security Testing

© Blueinfy Solutions, iOS Attacks

Upload: blueinfy-solutions

Post on 15-Apr-2017

TRANSCRIPT

Page 1: iOS Application Security Testing

© Blueinfy Solutions

iOS Attacks

Page 2

Insecure Data Storage

Page 3

Insecure Storage

• Why applications store data locally
– Ease of use for the user
– Popularity
– Competition
– Activity with a single click
– Decreased transaction time
– Posting/getting information to/from social sites

• 9 out of 10 applications have this vulnerability

Page 4

Insecure Storage

• How an attacker can gain access to the stored data
– Wi-Fi (remote access to a jailbroken device over the network)
– Default root password after jailbreaking (alpine), which is rarely changed
– Physical theft of the device
– Temporary access to the device

Page 5

Insecure Storage

• What information we usually find
– Authentication credentials
– Authorization tokens
– Financial statements
– Credit card numbers
– Owner's information: physical address, name, phone number
– Social networking site profiles/habits
– SQL queries

Page 6

System Information

Detail                                   Location
Applications                             /var/stash/Applications
Etc                                      /private/etc
Var                                      /private/var
User                                     /var/mobile (/User is a symlink to it)
Provisioning profiles                    /var/MobileDevice/ProvisioningProfiles
Logs                                     /var/log, /var/logs, /var/mobile/Library/Logs
Network settings                         /var/preferences/SystemConfiguration/com.apple.network.identification.plist
Wi-Fi settings                           /var/preferences/SystemConfiguration/com.apple.wifi.plist
                                         /var/preferences/SystemConfiguration/preferences.plist
Apple ID, owner and firmware information /root/Library/Lockdown/data_ark.plist
Keychain                                 /var/Keychains
Keyboard cache                           /User/Library/Keyboard/dynamic-text.dat
Tmp                                      /private/var/tmp

Page 7

Application Information

Detail                                   Location
Address book                             /var/mobile/Library/AddressBook/AddressBook.sqlitedb
                                         /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
Last searched Google Maps tiles          /var/mobile/Library/Caches/MapTiles/MapTiles.sqlitedb
Google Maps history                      /var/mobile/Library/Maps/History.plist
                                         /var/mobile/Library/Maps/Directions.plist
Calendar                                 /var/mobile/Library/Calendar/Calendar.sqlitedb
Notes application data                   /var/mobile/Library/Notes/notes.sqlite
Configuration files for applications     /var/mobile/Library/Preferences
Photos                                   /var/mobile/Media/DCIM/
Application screenshots taken when the   /User/Library/Caches/Snapshots
HOME button is pressed (one directory
per application; default applications)

Page 8

Default Services Information

Detail                                          Location
Call history (flags value: odd = outgoing call, /var/mobile/Library/Callhistory/call_history.db
even = incoming call)
SMS (flags value: odd = sent message,           /var/mobile/Library/SMS/sms.db
even = received message)
Voicemail                                       /var/mobile/Library/Voicemail/voicemail.db
Voicemail recordings                            /var/mobile/Library/Voicemail/
System-provided applications, ringtones         /var/stash
and wallpapers
Call history                                    /var/wireless/Library/CallHistory
Call log                                        /var/wireless/Library/logs
Call preferences                                /var/wireless/Library/Preferences

Page 9

User Installed Application

Detail                                          Location
Installed applications                          /User/Applications or /private/var/mobile/Applications
Application directory (binary, supporting       /User/Applications/<app GUID>/<appname.app> or
files)                                          /private/var/mobile/Applications/<app GUID>/<appname.app>
Application documents (images, PDF, text        /User/Applications/<app GUID>/Documents
files)
Application cookies                             /User/Applications/<app GUID>/Library/Cookies/Cookies.binarycookies
Application preferences (plist files)           /User/Applications/<app GUID>/Library/Preferences
Application temporary storage                   /User/Applications/<app GUID>/tmp
Application crash reports                       /User/Library/Logs/CrashReporter
Application screenshots taken when the HOME     /User/Applications/<app GUID>/Library/Caches/Snapshots
button is pressed

Note added here: these paths are for iOS 7 and earlier, where bundle and data lived in one container. From iOS 8 the two are split: the bundle is under /var/mobile/Containers/Bundle/Application/<UUID>/ (iOS 8) or /private/var/containers/Bundle/Application/<UUID>/ (iOS 9 and later), and the data container with Documents, Library and tmp is under /var/mobile/Containers/Data/Application/<UUID>/, with a different UUID from the bundle's.

Page 10

Browser information

Detail                          Location
Browser cookies                 /var/mobile/Library/Cookies/Cookies.binarycookies
Browser favourites (bookmarks)  /var/mobile/Library/Safari/Bookmarks.db
Browser history                 /var/mobile/Library/Safari/History.plist
Browser settings                /var/mobile/Library/Preferences/com.apple.mobilesafari.plist
Browser cache                   /User/Library/Caches/com.apple.WebAppCache/ApplicationCache.db

Page 11

Insecure Data Storage

• Access the file system – Cyberduck (SFTP over SSH to the jailbroken device)
• Plist files – Xcode / a plist editor
• Keychain file (hardware-bound encryption) – Keychain Dumper
• Information in database files – SQLite Browser
• Logs containing queries – SQLite Browser

Hands on – Look for sensitive information in the DVDs4Less application
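Worked example, added by the editor and not part of the Blueinfy deck: a small Python triage script for the hands-on step above. It walks an application container the way a tester would after copying it off a jailbroken device with Cyberduck or scp, opens every SQLite database and plist it finds, and reports keys or columns whose names suggest credentials or card data, together with one sample value so you can see whether it is plaintext. The container, the bundle id com.example.dvds4less and the values inside are constructed for the example; against a real copy, pass the container path to triage_container().

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key and column names that usually mean credentials or tokens were written to disk.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|session|cookie|card|cvv|pin", re.I)


def _q(ident):
    """Quote an SQLite identifier taken from an untrusted database file."""
    return '"' + ident.replace('"', '""') + '"'


def _walk_plist(obj, path, hits, source):
    """Recurse into a parsed plist and record every key whose name looks sensitive."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = "%s/%s" % (path, key)
            if SENSITIVE.search(str(key)):
                hits.append((source, here, val))
            _walk_plist(val, here, hits, source)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            _walk_plist(val, "%s[%d]" % (path, i), hits, source)


def _scan_plist(fname, hits):
    with open(fname, "rb") as fh:
        try:
            _walk_plist(plistlib.load(fh), "", hits, fname)
        except Exception:  # malformed plist: nothing to report
            pass


def _scan_sqlite(fname, hits):
    con = sqlite3.connect(fname)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            for col in [r[1] for r in con.execute("PRAGMA table_info(%s)" % _q(table))]:
                if SENSITIVE.search(col):
                    # pull one row so the tester can see whether the value is plaintext
                    row = con.execute("SELECT %s FROM %s LIMIT 1"
                                      % (_q(col), _q(table))).fetchone()
                    hits.append((fname, "%s.%s" % (table, col), row[0] if row else None))
    except sqlite3.DatabaseError:
        pass  # not a readable SQLite file
    finally:
        con.close()


def triage_container(root):
    """Walk an app data container; return (file, location, sample value) for each hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                magic = fh.read(16)
            if magic.startswith(b"SQLite format 3"):
                _scan_sqlite(full, hits)
            elif magic.startswith(b"bplist") or magic.lstrip().startswith(b"<?xml"):
                _scan_plist(full, hits)
    return hits


def build_sample_container():
    """Constructed container: a Library/Preferences plist and a Documents database
    written the way a careless app would (bundle id com.example.dvds4less is made up)."""
    root = tempfile.mkdtemp(prefix="app-container-")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.dvds4less.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "Summer2017!",
                       "settings": {"remember": True, "authToken": "abc123"}}, fh)
    con = sqlite3.connect(os.path.join(docs, "orders.sqlite"))
    con.execute("CREATE TABLE customers(id INTEGER, name TEXT, card_number TEXT)")
    con.execute("INSERT INTO customers VALUES (1, 'alice', '4111111111111111')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for source, where, value in triage_container(build_sample_container()):
        print("%s  %s = %r" % (source, where, value))
```

The name-based match is deliberately broad (it will also flag columns such as "mapping" because of "pin"); a false positive costs a glance, a missed plaintext password costs a finding.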

Page 12

Implementation

Page 13

Local file access

Page 14

Insufficient Transport Layer Protection

Page 15

Insecure Network Channel

• It is important to encrypt data in transit
• Man-in-the-middle attacks are easy to perform because mobile devices use untrusted networks: open/public Wi-Fi, hotspots, the carrier's network
• Applications deal with sensitive data such as
– Authentication credentials
– Authorization tokens
– PII (privacy violation): owner name, phone number, UDID

Page 16

Insecure Network Channel

• An attacker on the network path can sniff the traffic and read the sensitive data
• TLS (SSL) is the right way to secure the communication channel
• Common issues
– The application still accepts plain HTTP requests instead of enforcing HTTPS
– Invalid or self-signed certificates are accepted (certificate validation disabled), which makes the TLS channel trivially interceptable with any proxy
– Sensitive information is sent in GET requests, where query strings end up in server logs, proxies and the device's URL cache

Page 17

UI Impersonation/Spoofing

Page 18

Activity Monitoring

Page 19

Monitoring

• Default OS behaviour since iOS 4.0: NSURLCache caches URL requests and responses in local storage, in a SQLite file named Cache.db under the application's Library/Caches/<bundle id>/ directory
• The cached requests/responses include the login request, with the username and password whenever the application puts them in the URL or the response echoes them
• Cache.db is not encrypted by the application: it is plain SQLite, readable as soon as the file system is accessible

Hands on – Locate the Cache.db file in the DVDs4less application and view the cached requests/responses
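Added example (not from the deck): querying a Cache.db with Python's sqlite3 for cached requests that carry credentials or tokens in the query string. The two-table layout used here (cfurl_cache_response holding the URL in request_key, cfurl_cache_receiver_data holding the body) is the NSURLCache layout the editor has seen in Library/Caches/<bundle id>/Cache.db; Apple does not document it, so confirm it with .schema on the real file before relying on the query. The rows are constructed. The same query-string problem is the one the deck returns to under Improper Session Handling.

```python
import os
import sqlite3
import tempfile
from urllib.parse import parse_qsl, urlsplit

# Query-string parameter names that should never be cached or logged.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "token", "session",
                    "sessionid", "otp", "cvv"}


def build_sample_cache_db():
    """Constructed Cache.db using the NSURLCache table layout (assumed from observed
    iOS caches; check sqlite_master on the real file). Rows are made up."""
    fd, path = tempfile.mkstemp(suffix="-Cache.db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY, version INTEGER,
            hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE,
            time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT);
        CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY,
            isDataOnFS INTEGER, receiver_data BLOB);
    """)
    rows = [
        (1, "https://shop.example/login?user=alice&password=Summer2017!",
         b'{"status":"ok","sessionId":"9f3c2a1b7e"}'),
        (2, "https://shop.example/catalog?page=2", b"<html>catalog</html>"),
        (3, "https://shop.example/api/orders?token=eyJhbGciOiJub25lIn0", b'[{"order":42}]'),
    ]
    for entry_id, url, body in rows:
        con.execute("INSERT INTO cfurl_cache_response(entry_ID, version, hash_value, "
                    "storage_policy, request_key) VALUES (?, 0, 0, 0, ?)", (entry_id, url))
        con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (?, 0, ?)", (entry_id, body))
    con.commit()
    con.close()
    return path


def find_leaked_requests(path):
    """Return cached requests whose URL carries a sensitive query parameter, with the
    first bytes of the cached response so the tester can see what else leaked."""
    con = sqlite3.connect(path)
    findings = []
    for url, body in con.execute("""
            SELECT r.request_key, d.receiver_data
            FROM cfurl_cache_response r
            LEFT JOIN cfurl_cache_receiver_data d ON d.entry_ID = r.entry_ID
            ORDER BY r.entry_ID"""):
        params = dict(parse_qsl(urlsplit(url).query))
        leaked = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append({"url": url, "params": leaked,
                             "response": bytes(body or b"")[:64]})
    con.close()
    return findings


if __name__ == "__main__":
    for f in find_leaked_requests(build_sample_cache_db()):
        print(f["url"], "->", f["params"], f["response"])
```

When isDataOnFS is 1 the body is not in the BLOB but in a file under the fsCachedData directory next to Cache.db; the query still gives you the URL, which is usually where the credential sits.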

Page 20

Malicious Monitoring

• A few system services are shared between all applications
• A malicious user can write an application that monitors these services, including a clipboard (UIPasteboard) monitor that reads whatever the user copies, passwords included

Page 21

Sensitive Data Retrieval

Page 22

PII Information Leakage

• Applications usually have access to the user's private information: owner name, location, physical address, AppID, phone number
• This information must be handled very carefully; in some countries the law dictates how
• Storing this information in plain text is not allowed in some countries

Page 23

Client Side Injection

Page 24

SQL Injection in Local database

• Most mobile platforms use SQLite as the on-device database
• With any SQLite database browser it is possible to open the database files and logs and read the queries and other sensitive information they hold
• If the application does not filter its input (or bind it as parameters), SQL injection against the local database is possible
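Added example (not the deck's code) of the local injection: the same login check against an on-device SQLite database, once built by string formatting and once with bound parameters, run with the two classic payloads. The users table and its rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed on-device user table, the kind of thing found in Documents/*.sqlite."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "Summer2017!", "customer"),
                     ("admin", "c0rrect-h0rse", "admin")])
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Query built by string formatting: the pattern the deck warns about."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone()


def login_parameterized(con, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def demo():
    con = make_db()
    # Payload in the password field closes the literal and appends an always-true OR
    # (AND binds tighter than OR, so the same payload in the username field would not work).
    bypass = ("x", "' OR '1'='1")
    # Payload in the username field selects admin and comments out the password check.
    comment = ("admin'--", "x")
    return {
        "valid_vuln": login_vulnerable(con, "alice", "Summer2017!"),
        "bypass_vuln": login_vulnerable(con, *bypass),
        "comment_vuln": login_vulnerable(con, *comment),
        "bypass_param": login_parameterized(con, *bypass),
        "comment_param": login_parameterized(con, *comment),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```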

Page 25

Poor Authorization and Authentication

Page 26

Authorization & Authentication

• No password complexity requirements, especially on mobile
• Hidden or missing logout button
• Long session timeout
• No account lockout
• Authorization flags kept in, or decisions based on, local storage

Page 27

Improper Session Handling

Page 28

Improper Session

• The session is the key to authorization in any application
• The application sends sensitive information, session identifiers included, in GET requests, over HTTP or HTTPS alike
• GET requests are logged in multiple places: server access logs, proxies, browser history and the local URL cache
• This ends up giving the session away to anyone with access to those logs, including a privileged user with malicious intent

Page 29

Session Cookie

• HTTP is a stateless protocol
• The application uses a session cookie to maintain state for the user
• On iOS, cookies are stored in a binary format (Cookies.binarycookies)
• The file structure is public information
• A Python script has been written to uncover the cookies (http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py)
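Added example, not the deck's or securitylearn.net's code: a Python 3 parser for Cookies.binarycookies that follows the record layout the referenced BinaryCookieReader.py reads (big-endian page table, little-endian cookie records, string offsets relative to the record start, NSDate doubles counted from 2001-01-01). Because a real cookie file cannot be shipped with the example, encode_binarycookies() builds one from constructed cookies; the unknown fields and the 8-byte file trailer are written as zeros and ignored by the parser. weak_session_cookies() is the check a tester actually wants from the file: session-looking cookies stored without Secure and HttpOnly.

```python
import struct
from datetime import datetime, timezone

MAC_EPOCH = 978307200  # seconds from 1970-01-01 to 2001-01-01 (NSDate reference date)
FLAG_SECURE, FLAG_HTTPONLY = 1, 4
_REC_HEADER = 56  # size, unk, flags, unk, 4 string offsets, 8-byte end marker, 2 doubles


def _encode_cookie(domain, name, path, value, flags, expiry, created):
    """Serialise one cookie record in the layout BinaryCookieReader.py reads."""
    body, offsets, cursor = b"", [], _REC_HEADER
    for s in (domain, name, path, value):  # offsets are relative to the record start
        offsets.append(cursor)
        enc = s.encode() + b"\x00"
        body += enc
        cursor += len(enc)
    head = struct.pack("<iiii", _REC_HEADER + len(body), 0, flags, 0)
    head += struct.pack("<iiii", *offsets) + b"\x00" * 8
    head += struct.pack("<dd", expiry - MAC_EPOCH, created - MAC_EPOCH)
    return head + body


def encode_binarycookies(cookies):
    """Constructed Cookies.binarycookies with a single page holding `cookies`."""
    recs = [_encode_cookie(*c) for c in cookies]
    offsets, cursor = [], 8 + 4 * len(recs) + 4  # page header + offset table + footer
    for r in recs:
        offsets.append(cursor)
        cursor += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<i", len(recs))
            + struct.pack("<%di" % len(recs), *offsets) + b"\x00" * 4 + b"".join(recs))
    return b"cook" + struct.pack(">ii", 1, len(page)) + page + b"\x00" * 8  # trailer ignored


def parse_binarycookies(data):
    """Return a list of dicts, one per cookie, from a binarycookies blob."""
    if data[:4] != b"cook":
        raise ValueError("bad magic; not a binarycookies file")
    num_pages = struct.unpack(">i", data[4:8])[0]
    sizes = struct.unpack(">%di" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page = data[pos:pos + size]
        pos += size
        n = struct.unpack("<i", page[4:8])[0]
        for off in struct.unpack("<%di" % n, page[8:8 + 4 * n]):
            rec = page[off:off + struct.unpack("<i", page[off:off + 4])[0]]
            flags = struct.unpack("<i", rec[8:12])[0]
            dom_o, name_o, path_o, val_o = struct.unpack("<iiii", rec[16:32])
            expiry, created = struct.unpack("<dd", rec[40:56])
            cstr = lambda o: rec[o:rec.index(b"\x00", o)].decode()
            cookies.append({
                "domain": cstr(dom_o), "name": cstr(name_o),
                "path": cstr(path_o), "value": cstr(val_o),
                "secure": bool(flags & FLAG_SECURE), "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": datetime.fromtimestamp(expiry + MAC_EPOCH, timezone.utc),
                "created": datetime.fromtimestamp(created + MAC_EPOCH, timezone.utc),
            })
    return cookies


def weak_session_cookies(cookies):
    """Names of session-looking cookies that lack Secure or HttpOnly."""
    return [c["name"] for c in cookies
            if any(k in c["name"].lower() for k in ("sess", "auth", "token"))
            and not (c["secure"] and c["httponly"])]


if __name__ == "__main__":
    blob = encode_binarycookies([
        (".shop.example", "JSESSIONID", "/", "9f3c2a1b", 0, 1500000000, 1490000000),
        (".shop.example", "lang", "/", "en", FLAG_SECURE | FLAG_HTTPONLY, 1500000000, 1490000000),
    ])
    for c in parse_binarycookies(blob):
        print(c)
    print("weak:", weak_session_cookies(parse_binarycookies(blob)))
```

Whatever the flags say, the value sits in plaintext in this file: a session cookie recovered here is a session the attacker can replay until the server expires it.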

Page 30

Security Decisions Via Untrusted Inputs

Page 31

Untrusted Source

• Any input from the client side can be modified
• Typically authentication and authorization decisions are based on this untrusted input
• It is the easiest way for a developer to "solve" complex issues/functionality
• An attacker obtains the values by reverse engineering the application or by reading local storage
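Added example (not from the deck) covering this slide and slide 26's "authorization flags based on local storage": an isPremium flag read back from the app's own preferences plist, what flipping it with a plist editor does, and the alternative where the server issues an HMAC-protected entitlement and only the server verifies it. SERVER_KEY, the user names and the token format are constructed for the example; the point is that the key never reaches the device, so nothing the attacker edits locally can forge the role.

```python
import hashlib
import hmac
import plistlib
import time

# Server-side secret, constructed for the example. It is never shipped in the app.
SERVER_KEY = b"server-only-secret-key"


# --- Vulnerable pattern: the app trusts a flag it stored itself ---------------

def is_premium_vulnerable(prefs_plist):
    """What many apps do: read the authorization flag back from Library/Preferences."""
    prefs = plistlib.loads(prefs_plist)
    return bool(prefs.get("isPremium", False))


def tamper_prefs(prefs_plist):
    """What the attacker does with a plist editor on a jailbroken device."""
    prefs = plistlib.loads(prefs_plist)
    prefs["isPremium"] = True
    return plistlib.dumps(prefs)


# --- Hardened pattern: server issues a MACed entitlement, client only stores it ---

def issue_entitlement(user, role, ttl=3600, now=None):
    """Server side: user|role|expiry plus an HMAC-SHA256 over those fields."""
    now = int(time.time()) if now is None else now
    payload = "%s|%s|%d" % (user, role, now + ttl)
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + mac


def verify_entitlement(token, now=None):
    """Server side: return the role if the MAC matches and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        user, role, exp, mac = token.split("|")
    except ValueError:
        return None
    payload = "%s|%s|%s" % (user, role, exp)
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac) or int(exp) < now:
        return None
    return role


def tamper_entitlement(token):
    """Attacker edits the stored token's role field; the MAC no longer matches."""
    user, _, exp, mac = token.split("|")
    return "|".join((user, "premium", exp, mac))


if __name__ == "__main__":
    prefs = plistlib.dumps({"user": "alice", "isPremium": False})
    print("vulnerable, before/after tampering:",
          is_premium_vulnerable(prefs), is_premium_vulnerable(tamper_prefs(prefs)))
    tok = issue_entitlement("alice", "customer")
    print("hardened, genuine/tampered:",
          verify_entitlement(tok), verify_entitlement(tamper_entitlement(tok)))
```

The client still has to send the token with each request; the server makes the decision. Any variant where the client verifies the MAC itself puts the key on the device, and the deck's slide 32 onwards shows how keys stored there are recovered.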

Page 32

KeyChain Dumper (Old Way)

• Upload keychain_dumper to /private/var
• Dump all of the entitlements necessary to access the entries in the target's keychain:
    ./keychain_dumper -e > /var/tmp/entitlements.xml
• Sign keychain_dumper with the obtained entitlements (pseudo-signing with ldid; there is no space between -S and the file name):
    ldid -S/var/tmp/entitlements.xml keychain_dumper
• Get all the keys:
    ./keychain_dumper

Page 33

KeyChain Dumper – DON'T

• Do not change the path (the tool does not cope well with being run from elsewhere)
• Set proper permissions
– keychain_dumper: executable
– keychain-2.db: readable
• Delete the files (the binary and the entitlements dump) before running it again

Page 34

KeyChain Dumper – Easy Way

• Shell script (run on the device; the relative paths assume the working directory is /private/var, which the cd makes explicit)

    cd /private/var
    # make the tool runnable and the keychain database readable
    chmod +x /private/var/keychain_dumper
    chmod +r /private/var/Keychains/keychain-2.db
    # dump the entitlements the keychain entries require, pseudo-sign them in, dump the keys
    ./keychain_dumper -e > /var/tmp/entitlements.xml
    ldid -S/var/tmp/entitlements.xml keychain_dumper
    ./keychain_dumper > /tmp/keys.txt

• Shell script to clean up afterwards

    rm -f /private/var/keychain_dumper
    rm -f /var/tmp/entitlements.xml

Page 35

KeyChain Dumper (After 5.0)

• Upload keychain_dumper to /private/var
• Dump all of the entitlements necessary to access the entries in the target's keychain:
    ./keychain_dumper -e > /var/tmp/entitlements.xml
• On iOS 5 and later the ldid pseudo-signature is no longer enough: transfer keychain_dumper and entitlements.xml to any Mac
• Use Keychain Access, which ships with macOS, to create a signing certificate

Page 36

KeyChain Dumper (Cont…)

• Open Keychain Access (the binary is at /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access)
• Create a self-signed code-signing certificate
– Select Identity Type "Self Signed Root"
– Select Certificate Type "Code Signing"

Page 37

KeyChain Dumper (Cont…)

• Sign keychain_dumper with the codesign command, using the name given to the certificate above (here "Test") and the dumped entitlements:
    codesign -fs "Test" --entitlements entitlements.xml keychain_dumper
• Upload the signed keychain_dumper back to the iOS device
• Get all the keys:
    ./keychain_dumper

Page 38

KeyChain Dumper – New Version

• As easy as running a command: the newer builds ship already signed with the entitlements they need, so the ldid/codesign steps are no longer required
• Upload the binary to the device's /var directory
• Give it execute permission:
    chmod +x /var/keychain_dumper
• Get all the keys:
    ./keychain_dumper

Page 39

Side Channel Data Leakage

Page 40

Data Leakage to third party

• Applications gather private information and send it to advertisement servers
• Advertisement companies pay per application instance (this is how free apps make money)

Page 41

Weak Server Side Controls

Page 42

Server Side Issues

• Most applications make server-side calls to web services or some other component; the security of the server-side component is as important as that of the client
• Controls to be tested on the server side (security control categories for the server-side application):

Page 43

Server Side Issues

Authentication, access controls/authorization, API misuse, path traversal, sensitive information leakage, error handling, session management, protocol abuse, input validation, XSS, CSRF, logic bypass, insecure crypto, DoS, malicious code injection, SQL injection, XPath and LDAP injection, OS command injection, parameter manipulation, brute force, buffer overflow, HTTP response splitting, HTTP replay, XML injection, canonicalization, logging and auditing.

Page 44

Broken Cryptography

Page 45

Cryptography

• Broken or home-grown implementations
• Hashing or encoding (Base64 and the like) used in place of encryption
• Client-side script "encryption" used in place of TLS
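Added example (not from the deck): two of the "broken cryptography" findings as they actually look in a preferences plist, with the recovery a tester performs. The Base64 value and the MD5-hashed PIN are constructed.

```python
import base64
import hashlib
import itertools

# Constructed values of the kind found in an app's Preferences plist: a "protected"
# password that is only Base64, and a PIN "encrypted" with an unsalted MD5 hash.
FAKE_ENCRYPTED_PASSWORD = base64.b64encode(b"Summer2017!").decode()
HASHED_PIN = hashlib.md5(b"4831").hexdigest()


def undo_encoding(value):
    """Encoding is reversible by anyone: no key is involved, so it is not encryption."""
    return base64.b64decode(value).decode()


def recover_pin(md5_hex, digits=4):
    """An unsalted hash of a low-entropy secret is recovered by exhausting the space;
    four digits is 10,000 MD5 calls, well under a second."""
    for candidate in itertools.product("0123456789", repeat=digits):
        pin = "".join(candidate)
        if hashlib.md5(pin.encode()).hexdigest() == md5_hex:
            return pin
    return None


if __name__ == "__main__":
    print("password:", undo_encoding(FAKE_ENCRYPTED_PASSWORD))
    print("pin:", recover_pin(HASHED_PIN))
```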

Page 46

Hooking debugger in iOS Applications

Page 47

Binary Auditing

• App Store binary => .ipa file
– It is a ZIP file containing the executable and its resources (images, package info, config files, ...)
• Simulator binaries are x86, not ARM, so they are not what ships on the device
• Setup environment
– Jailbreak first
– SSH
– gdb / iphonedbg
– otool / class-dump

Page 48

Binary Auditing

• Install the app on the iOS device; it lands in
– /var/mobile/Applications/<UUID>/<AppName>.app/
or
– /User/Applications/<UUID>/<AppName>.app/

Page 49

Binary Auditing

• Look at the directory (pages 49 to 51 of the deck repeat this heading; their screenshots were not captured in the transcript)

Page 52

Binary Auditing

• Decrypt the binary file
– App Store binaries are protected by FairPlay: each executable page is encrypted with AES and an MD5 checksum is computed
• How to know whether a binary is encrypted: the LC_ENCRYPTION_INFO load command (LC_ENCRYPTION_INFO_64 in 64-bit binaries)
– cryptid: 1 if the binary is encrypted, 0 if not
– cryptoff: offset of the encrypted data
– cryptsize: size of the encrypted data

Page 53

Binary Auditing

• How to get LC_ENCRYPTION_INFO: otool, available in Cydia
    otool -l <APPNAME> | grep LC_ENCRYPTION_INFO -B1 -A4
• Sample output:
    Load command 10
          cmd LC_ENCRYPTION_INFO
     cryptoff 4096
    cryptsize 36864
      cryptid 0
• cryptid 0 in this sample means the binary is not encrypted (already decrypted, or never distributed through the App Store); a fresh App Store download shows cryptid 1
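Added example (not the deck's code): a Python parser that finds LC_ENCRYPTION_INFO, or LC_ENCRYPTION_INFO_64 in 64-bit images, in a Mach-O file and reports cryptid, cryptoff and cryptsize, handling fat (multi-architecture) files slice by slice. No App Store binary can be embedded here, so build_sample_macho() constructs minimal headers; the 32-bit sample uses the same values as the otool output above. To use it on a real file, read the bytes and call encryption_info_all().

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian thin images
FAT_MAGIC = 0xCAFEBABE                           # big-endian fat header
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_UUID = 0x1B
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C


def encryption_info(data, base=0):
    """Parse one thin Mach-O image at `base`; return its encryption fields or None."""
    magic = struct.unpack("<I", data[base:base + 4])[0]
    if magic == MH_MAGIC:
        hdr_len = 28          # mach_header
    elif magic == MH_MAGIC_64:
        hdr_len = 32          # mach_header_64 adds a reserved word
    else:
        raise ValueError("not a little-endian Mach-O image at offset %d" % base)
    ncmds = struct.unpack("<I", data[base + 16:base + 20])[0]
    pos = base + hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", data[pos + 8:pos + 20])
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "encrypted": cryptid != 0}
        pos += cmdsize
    return None  # no encryption load command at all (e.g. an ad-hoc signed build)


def encryption_info_all(data):
    """Return [(cputype, info)] for every slice of a fat file, or one entry for a thin one."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        out = []
        for i in range(nfat):
            cputype, _, offset, _, _ = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
            out.append((cputype, encryption_info(data, offset)))
        return out
    return [(struct.unpack("<i", data[4:8])[0], encryption_info(data))]


def build_sample_macho(cryptid, bits=64):
    """Constructed minimal Mach-O: header, an LC_UUID and an LC_ENCRYPTION_INFO(_64)."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(range(16))
    if bits == 64:
        enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 32768, cryptid, 0)
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2,
                             len(uuid_cmd) + len(enc_cmd), 0, 0)
    else:  # values match the otool output on the slide above
        enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 4096, 36864, cryptid)
        header = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 2,
                             len(uuid_cmd) + len(enc_cmd), 0)
    return header + uuid_cmd + enc_cmd


def build_sample_fat(slices):
    """Constructed fat wrapper around thin images (no page alignment; fine for parsing)."""
    offset = 8 + 20 * len(slices)
    archs, blobs = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">iiIII", cputype, 0, offset, len(blob), 0)
        blobs += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + blobs


if __name__ == "__main__":
    fat = build_sample_fat([(CPU_TYPE_ARM, build_sample_macho(0, bits=32)),
                            (CPU_TYPE_ARM64, build_sample_macho(1))])
    for cputype, info in encryption_info_all(fat):
        print(hex(cputype), info)
```

Check every slice: a fat binary can carry a decrypted armv7 slice next to a still-encrypted arm64 one, and the device loads the slice matching its CPU.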

Page 54

Binary Auditing

• Unpack the binary
– Use a script that automates the process
• Crackulous: tool from Cydia; just select the application, that's it

Page 55

Binary Auditing

• Manual method
– Launch gdb attached to the application
– Set a breakpoint early in execution, after the loader has decrypted the executable pages
– Run the application
– Extract the unencrypted executable code (the cryptoff/cryptsize range) from memory
– Patch the architecture-specific binary: write the decrypted pages back over the encrypted range and set cryptid to 0

Page 56

Binary Auditing

• Look at the binary: open it in IDA Pro and resolve objc_msgSend calls
• Backtrace calls to objc_msgSend
– By hand
– Using the Zynamics IDAPython scripts (objc_helper.py)

Page 57

Interesting Items to look for

• Locate the main class
– UIApplicationDelegate
– applicationDidFinishLaunching
– application:didFinishLaunchingWithOptions:
• Views
– UI*ViewController
– viewDidLoad

Page 58

Using GDB

Page 59

Interesting Items to look for

• HTTP(S)
• NSURL
• Sockets
– CFSocketCreate
• UIPasteboard
• Location-based API
• Keychain API
• ...

Page 60

Interesting Items to look for

• Some protocol handlers like,

Page 61-62

Interesting Items to look for (continued)

Page 63

Automation in Application Reviews

Page 64

Snoop-it

• At the time of the talk, the only tool that automates iOS application reviews
• Very handy and gives a good pointer to where to look
• Automation still has a long way to go compared with web application testing
• Demo
– https://code.google.com/p/snoop-it/

Page 65

Conclusion