Reversing an iOS App

With Threat Modeling Insights.

2

In today‘s Presentation…

Mobile Penetration Testing Basics

Mobile OWASP Top 10 2016

Software Engineering of an iOS App

Reversing the iOS App

How to prevent Security Issues with Threat Modeling

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at3

Mobile Penetration Testing Basics

(SECURE) Software Development Life Cycle

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at5

DevSecOps

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at6

Phases of Mobile Penetration Tests

Preparation

Intelligence Gathering

Mapping the Application

Exploitation

Reporting

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at7

Testing Principles

White-Box Testing

Black-Box Testing

Gray-Box Testing

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at8

SAST VS. DAST

• Manual Code Review• Automated Source Code Analysis

Static Source Code Analysis

• Automated Scanning Tools à FALSE-POSITIVES!

• Clipboard• Fuzzing à “Spray and Pray!“• Penetration Testing

Dynamic Source Code Analysis

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at9

What Tools and Gear do you need?

macOS

Xcode and its simulator

Some jailbroken iPhones…

USB Cable for Connection

Cydia, Needle, Frida and a Reverse Enginnering Tool (e.g. Hopper), Burp Suite (Pro), Wireshark

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at10

OWASP Mobile Top 10 2016

OWASP Mobile Top 10 – Part 1

M1 – Improper Plattform Usage

M2 – Insecure Data Storage

M3 – Insecure Communication

M4 – Insecure Authentication

M5– Insecure Cryptography

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at12

OWASP Mobile Top 10 – Part 2

M6 – Insecure Authorization

M7 – Client Code Quality

M8 – Code Tampering

M9 – Reverse Engineering à The all time winner

M10 – Extraneous Functionality

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at13

Software Engineering of an iOS App

Types of Apps

Native Apps

Web Apps

Hybrid Apps

Progressiv Web Apps

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at15

What you need to develop an iOS App

macOS

Xcode

Some kind of an idea

A tiny little bit of software engineering skills

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at16

Coding our first iOS App in Swift

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 17

Deploying our first iOS App to the Simulator

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 18

Testing our first iOS App in the Simulator

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 19

Shipping to the Customer JBecause it seems really secure!

Hang on a minute!„There is something missing, is not it?“

„What is this security thing? It is overrated^^“

21

Reversing the iOS App

”Reversing will always win the fight”

Preparing the IPADipl.-Ing. Daniel Mrskos, BSc | snapsec.at 23

Unzip the IPA for HopperDipl.-Ing. Daniel Mrskos, BSc | snapsec.at 24

Loading the Binary in Hopper

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 25

Searching for the string „wrong“

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 26

Examing data stored as CString

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 27

Finding the unlock key stored in plain text

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 28

Trying out the found unlock key J

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 29

Let’s take a look at the Code to identify the Issue

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at 30

How to prevent Security Issues with Threat

Modeling

31

Drawing a Data Flow Diagram of the Application

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at32

Using STRIDE per Interaction to Identify Threats in our Scenario

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at33

Interaction S T R I D E

User sends key X X X X

Checking the plaintext key

X

Design Issue found: Key is stored in plaintext!

Using Attack Libraries to identify Threats as well

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at34

Threat Modeling combined with iOS App Development

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at35

Thanks for your attention!

• #GotAnyQuestions?hello@snapsec.at

• #InteresstedInMobilePentesting?OWASP MSTG

• #ThanksToFHSTPfhstp.ac.at

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at