jean-luc watson ios app security - inst.eecs.berkeley.educs261/fa18/presentations/11_14.pdf
TRANSCRIPT
iOS App Security
Reference: apple.com/business/site/docs/iOS_Security_Guide.pdf
Jean-Luc Watson
App Code Signing is Mandatory
● App writers must sign up for an Apple Developer account ($100/yr)
● In return, they receive a code-signing certificate issued by Apple
● Signed apps are subject to review before being placed in the App Store, and certificates are checked at load time by the OS
[Diagram: Apple Root Authority issues the developer certificate; the signed app passes review and then load-time verification]
Result
● All code running on an iOS device is signed with a certificate issued by Apple
● If the OS is secure, what is the benefit of forcing code signing?
○ Attribution
○ Restricts dynamic linking to libraries sharing the same team identifier
○ Barrier to third-party, unreviewed software
○ Prevents malicious changes to a signed app
● (Old) vulnerability: Masque Attack
iOS Sandbox
● Primary isolation mechanism
● Access to other apps and system resources strictly controlled by iOS interfaces
● Apps run exclusively in user mode and the OS is read-only
● How should apps execute privileged actions?
○ “Normal” OS (e.g. Linux): setuid bit
○ Problem? Privilege escalation!
Entitlements
● Key-value pairs set at compile time, signed with developer certificate:
<key>inter-app-audio</key><true/>
● Verified by iOS API calls without requiring privileged execution
● Why can’t an app give itself all entitlements?
○ Apple review process will (hopefully) notice the attempt
ARM Execute Never (XN)
● Bit ensures memory in app data pages will never be executed by the processor
● Mitigates dynamically loaded shellcode (e.g. buffer overflow)
● Does not prevent Return-Oriented Programming
● Effectively limits app to static, signed code. Is this a problem?
○ Huge issue for JITs (Safari), but a dangerous capability
○ Solution: Apple-only entitlement that can mmap one WX page
[Diagram: a third-party keyboard (Gboard) and the Facebook app]
● Problem: I can’t post on FB without swiping
● Combine address spaces? Gboard can see all my Facebook data + FB can see everything I’ve typed :(
● Talk back and forth over IPC? Gboard can still see everything I’ve typed on my device :((
Extensions
[Diagram: host app instantiates the extension]
● Separate address space/files
● Same permissions
● Limited sandbox: no network access and restricted APIs
Secure Accessory Pairing
● MFi: custom Apple IC authenticates access
[Diagram: HomeKit public/private keys on the iOS device; accessory public/private keys on the accessory]
● Secure Remote Password protocol, using a setup code [diagram: code digits shown]; key exchange
● HKDF session keys encrypt further communication
Remote Access
● Convenient secure medium to transfer encrypted data
● iOS device proxies a signed challenge from the accessory MFi chip to obtain a certificate issued by iCloud
○ Used to authorize iOS users to access the accessory and to connect to iCloud servers
● What are the risks of this registration process?