Pen Testing iOS Apps

Pen Testing iOS Apps
FIRST 2015, Berlin, Germany, 14-19 June 2015
Ken van Wyk, ken@ , @KRvW
Copyright © 2015 KRvW Associates, LLC

Slide 2: Topics we'll cover
We'll focus on how to break typical iOS apps
–ics
–ics
Simple analysis
– Surface of app
– Static analysis
– Dynamic analysis
Deeper analysis
– Explore app binary
– Run-time exploration and exploitation

Slide 3: Tools
Most tools we'll use are either open source or inexpensive
– iExplorer for exploring the file system on an iOS device
– iOS device and a USB cable, preferably jailbroken
– Cydia
– Cycript

Slide 4: Clear up some misconceptions
Apple's iOS has been a huge success for Apple
– Together with Android, they have re-defined mobile telephony
Apple has made great advances in security
– They are still far from really good
– Not even sure if they're pretty good
Software developers still make silly mistakes

Slide 5: System hardening features
Attack surface reduction: stripped down OS
– No /bin/sh
Privilege separation
Code signing
Data execution prevention (DEP)
– Vital for return oriented programming
– No architectural separation of data and code segments
Address space layout randomization (ASLR)

Slide 6: Application sandboxing
By policy, apps are only permitted to access resources in their sandbox
– Comms are by established APIs only: URLs, keychains (limited)
– File I/O in ~/Documents only
These rules don't always apply to Apple's own apps
Slide 7: Hardware encryption
Each iOS device (as of 3GS) has a hardware crypto module
– Unique AES-256 key for every iOS device
– Sensitive data hardware encrypted
Sounds brilliant, right?
– Well...

Slide 8: iOS crypto keys
GID key - Group ID key
UID key - Unique per device
Dkey - Default file key
EMF! - Encrypts entire file system and HFS journal
Class keys - One per protection class
– Some derived from UID + Passcode

Slide 9: iOS NAND (SSD) mapping
Block 0 - Low level boot loader
Block 1 - Effaceable storage
– Locker for crypto keys, including Dkey and EMF!
Blocks 2-7 - NVRAM parameters
Blocks 8-15 - Firmware
Blocks 8-(N-15) - File system
Blocks (N-15)-N - Last 15 blocks reserved by Apple

Slide 10: Built-in file protection classes
iOS (since 4) supports file protection classes
– NSFileProtectionComplete
– NSFileProtectionCompleteUnlessOpen
– NSFileProtectionCompleteUntilFirstUserAuthentication
– NSFileProtectionNone
All but None are derived

Slide 11: Built-in file protection limitations
Pros
– Easy to use, with key management done by iOS
– Powerful functionality
– Always available
– Zero performance hit
Cons
– For Complete, crypto keying includes UDID + Passcode: the 4 digit PIN problem

Slide 12: Keychains
Keychain API provided for storage of small amounts of sensitive data
– Login credentials, passwords, etc.
– Credit card data often found here
Stored in a SQLite database
– Encrypted using hardware AES with a derived key

Slide 13: Jailbreaks
Apple's protection architecture is based on a massive digital signature hierarchy
– Starting from the boot loader
– Through the app loader
Jailbreak software breaks that hierarchy
– Current breaks up to 8.1.2
DFU mode allows a USB vector for the boot loader
– Older iPhones mostly, but…

Slide 14: Keyboard data
All "keystrokes" are stored
– Used for the auto-correct feature
– Nice spell checker
Key data can be harvested using forensics procedures
– Passwords, credit cards...
– Needle in haystack?
Slide 15: Screen snapshots
Devices routinely grab screen snapshots and store them as JPG
– Used for minimizing app animation
– It looks pretty
WHAT?!
– It's a problem
– Requires local access to the device, but still...

Slide 16: Let's consider the basics
We'll cover these (from the 10)
– Protecting secrets: at rest, in transit
– Input/output validation
– Authentication
– Session management
– Access control
– Privacy concerns

Slide 17: Examples
Airline app
– Stores frequent flyer data in a plaintext XML file
Healthcare app
– Stores patient data in a plist file
– But it's base64 encoded for your protection…
Banking app
– Framework cache revealed sensitive account data
Consumer ticket app
– Accepted SSL from a self signed key
– Exposed credit card data

Slide 18: SQLite example
Let's look at a database app that stores sensitive data in a SQLite db
– We'll recover it trivially by looking at the unencrypted database file

Slide 19: Protecting secrets at rest
Encryption is the answer, but it's not quite so simple
– Where did you put that key?
– Surely you didn't hardcode it into your app
– Surely you're not counting on the user to generate and remember a strong key
Key management is a non-trivially solved problem

Slide 20: Static analysis of an app
Explore folders
– ./Documents
– ./Library/Caches/*
– ./Library/Cookies
– ./Library/Preferences
App bundle
– Hex dump of binary
– plist files
What else?
Slide 21: Tools to use
Mac tools
– Finder
– iExplorer
– hexdump
– strings
– otool
– otx ()
– class-dump (/classdump_en.html)
– Emacs (editor)
Xcode additional tools
– Clang (build and analyze): finds memory leaks and others

Slide 22: Exercise - coffee shop attack
This one is trivial, but let's take a look
In this iGoat exercise, the user's credentials are sent in plaintext
– Simple web server running on the Mac responds
– If this were on a public WiFi, a network sniffer would be painless to launch

Slide 23: Common SSL mistake
We've all heard of CAs being attacked
– That's all important, but...
– (Certificate pinning can help.)
Failing to properly verify the CA signature chain
– Biggest SSL problem by far
– Study showed 1/3 of Android apps fell to this

Slide 24: Testing for SSL problems
Goal is to ensure the client performs strong certificate verification
MITM setup
– App proxy (e.g., Burp Suite)
– Generate an SSL cert signed by your own CA
– Put your CA cert on the test iOS device
Remember to remove the fake CA before leaving the lab environment!

Slide 25: But that's not enough

Slide 26: ObjC run-time is flawed
Unlike in C, "functions" are not called
– Messages are passed
– Objects dynamically allocated
Within process space, dynamic tampering is also possible
– Message traffic
– Objects

Slide 27: Reverse engineering
Attacker wants to learn how your app works
– Deep internal details
Attacker wants to attempt to trick your app into misbehaving
– Tamper with the runtime
How?
Jailbroken device and some free tools
– And a lot of time

Slide 28: Prerequisite tools and env
Mac with OS X and Xcode
Jailbroken device
– evasi0n works great
Cydia and friends
– Cydia installed with evasi0n
– Shell access: OpenSSH - install with Cydia
– Debugger: gdb - install with Cydia
Bare minimum essentials

Slide 29: Analysis techniques
Static analysis
– Observe attributes of the executable, app files
– Yes, encrypted (app store) apps too
Dynamic analysis
– Run the app and learn how it works
Tampering
– Trick the run-time env

Slide 30: Static analysis
Any binary can be examined
– Usually reveals a map to classes, objects, text, symbols, etc.
Common tools
– otool
– class-dump-z
– nm
Examples
– Linked libs, methods:
    otool -L appname
    otool -l appname
– List of classes:
    class-dump-z appname
– Symbol table:
    nm appname

Slide 31: It's C underneath the hood
Beneath that nice OOP ObjC layer lies a C foundation
– Pretty much everything in ObjC can be done in C
Primitives for doing all the OO stuff: objc_msgSend() and objc_getClass() are prime examples
This matters to us when analyzing statically or dynamically

Slide 32: Encrypted binaries too
Basic process
– Use the app loader to decrypt
– Calculate memory offsets
– Store the process to disk
dd is your friend
Will also need plutil and gdb
HOWTO available
– http:///2013/05/decrypting-iosbinaries/

Slide 33: Let's take a look

Slide 34: Dynamic analysis
What can we learn from observing it running?
– A lot
– All those messages
– Memory contents
– CPU registers
You don't have anything to hide, right?
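Two of the static-analysis questions from slides 30 and 32, which libraries a binary links (what `otool -L` prints) and whether an App Store binary is still encrypted (so that class-dump would only see ciphertext), can be answered by reading the Mach-O load commands directly. The following is an added example in C, not code from the deck or from any of the tools it names: a bounds-checked 64-bit Mach-O load-command walker run over an image constructed inline. The constants MH_MAGIC_64, LC_LOAD_DYLIB and LC_ENCRYPTION_INFO_64 are the real Mach-O values; the two dylib paths, the cryptoff/cryptsize values and cryptid = 1 are constructed sample data, not taken from any real app.

```c
/* Added example (not from the slides): minimal 64-bit Mach-O load-command walker
 * that lists LC_LOAD_DYLIB entries and reads the LC_ENCRYPTION_INFO_64 cryptid.
 * The image it scans is constructed below; it is not a real binary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64           0xfeedfacfu
#define MH_EXECUTE            0x2u
#define CPU_TYPE_ARM64        0x0100000cu
#define LC_LOAD_DYLIB         0xcu
#define LC_ENCRYPTION_INFO_64 0x2cu
#define MAX_DYLIBS            8

typedef struct {
    int      n_dylibs;
    char     dylibs[MAX_DYLIBS][64];
    int      has_encryption_info;   /* LC_ENCRYPTION_INFO_64 present */
    uint32_t cryptid;               /* non-zero: __TEXT still encrypted by the store */
} macho_report;

/* Little-endian field access (iOS Mach-O is little-endian). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the load commands. Every offset is checked against len, so a crafted
 * or truncated binary is rejected (-1) instead of being read out of bounds. */
int macho_scan(const uint8_t *img, size_t len, macho_report *rep) {
    memset(rep, 0, sizeof *rep);
    if (len < 32 || rd32(img) != MH_MAGIC_64) return -1;      /* not a 64-bit Mach-O */
    uint32_t ncmds = rd32(img + 16), sizeofcmds = rd32(img + 20);
    if (sizeofcmds > len - 32) return -1;                      /* header claims more than we have */
    size_t off = 32, end = 32 + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (off + 8 > end) return -1;
        uint32_t cmd = rd32(img + off), cmdsize = rd32(img + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return -1;    /* malformed command */
        if (cmd == LC_LOAD_DYLIB && cmdsize >= 24 && rep->n_dylibs < MAX_DYLIBS) {
            uint32_t nameoff = rd32(img + off + 8);            /* dylib.name offset within command */
            if (nameoff >= 24 && nameoff < cmdsize) {
                const char *name = (const char *)img + off + nameoff;
                size_t maxlen = cmdsize - nameoff, n = 0;
                while (n < maxlen && name[n] != '\0') n++;     /* unterminated name: stop at cmdsize */
                if (n > 63) n = 63;
                memcpy(rep->dylibs[rep->n_dylibs], name, n);
                rep->dylibs[rep->n_dylibs][n] = '\0';
                rep->n_dylibs++;
            }
        } else if (cmd == LC_ENCRYPTION_INFO_64 && cmdsize >= 24) {
            rep->has_encryption_info = 1;
            rep->cryptid = rd32(img + off + 16);               /* fields: cryptoff, cryptsize, cryptid */
        }
        off += cmdsize;
    }
    return 0;
}

/* Constructed sample image (labelled: not a real app binary). */
static size_t emit_dylib(uint8_t *p, const char *path) {
    size_t n = strlen(path) + 1;
    uint32_t cmdsize = (uint32_t)((24 + n + 7) & ~(size_t)7);  /* 8-byte aligned, as dyld expects */
    memset(p, 0, cmdsize);
    wr32(p, LC_LOAD_DYLIB); wr32(p + 4, cmdsize); wr32(p + 8, 24);
    wr32(p + 12, 2); wr32(p + 16, 0x00010000u); wr32(p + 20, 0x00010000u);
    memcpy(p + 24, path, n);
    return cmdsize;
}

size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < 256) return 0;
    size_t off = 32;
    off += emit_dylib(buf + off, "/usr/lib/libSystem.B.dylib");
    off += emit_dylib(buf + off, "/System/Library/Frameworks/UIKit.framework/UIKit");
    memset(buf + off, 0, 24);
    wr32(buf + off, LC_ENCRYPTION_INFO_64); wr32(buf + off + 4, 24);
    wr32(buf + off + 8, 0x4000); wr32(buf + off + 12, 0x8000);  /* cryptoff, cryptsize (sample) */
    wr32(buf + off + 16, 1);                                   /* cryptid = 1: still encrypted */
    off += 24;
    memset(buf, 0, 32);
    wr32(buf, MH_MAGIC_64); wr32(buf + 4, CPU_TYPE_ARM64); wr32(buf + 12, MH_EXECUTE);
    wr32(buf + 16, 3); wr32(buf + 20, (uint32_t)(off - 32));     /* ncmds, sizeofcmds */
    return off;
}

int scan_sample_image(macho_report *rep) {
    uint8_t buf[512];
    size_t len = build_sample_image(buf, sizeof buf);
    return macho_scan(buf, len, rep);
}

/* Same image with one byte chopped off: sizeofcmds now overruns, so scan fails. */
int scan_truncated_sample(void) {
    uint8_t buf[512];
    macho_report rep;
    size_t len = build_sample_image(buf, sizeof buf);
    return macho_scan(buf, len - 1, &rep);
}

int main(void) {
    macho_report rep;
    if (scan_sample_image(&rep) != 0) { puts("not a valid Mach-O"); return 1; }
    for (int i = 0; i < rep.n_dylibs; i++) printf("links %s\n", rep.dylibs[i]);
    printf("encryption info: %s, cryptid=%u\n", rep.has_encryption_info ? "yes" : "no", rep.cryptid);
    return 0;
}
```

A non-zero cryptid means the decryption step on slide 32 is still ahead of you; a zero cryptid on a binary that came from the store is itself worth noting, since it means someone has already dumped it. Rejecting malformed commands rather than trusting cmdsize is what keeps a self-check like this from becoming a memory-safety bug inside the app that ships it.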
Slide 35: Attacking a running app
Man in the app (MITA)
– The most dangerous form of on-host dynamic attack
– Internal access to everything
That ObjC run-time messaging architecture is going to haunt us

Slide 36: A few more tools
For these, you'll want
– gdb
– Cycript (see slide)
– Network proxy (e.g., Burp Suite)
– SSLstrip (optional)

Slide 37: Message eavesdropping
Use gdb to build a simple but effective message eavesdropper
– Example:
    gdb -q -p PID
    break objc_msgSend
    commands
    x/a $r0
    x/s $r1
    c
    end

Slide 38: Cycript
"Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and completion" — From
It is an amazing utility for dynamically probing a running app

Slide 39: Fun with Cycript
Basics
    # cycript
    cy# var myString = [[NSString alloc] initWithString:@"Hello world"];
    "Hello world"
    cy# [myString length];
    11
The combination of JavaScript and ObjC syntax gives amazing capabilities

Slide 40: Cycript (2)
Safari example
    # cycript -p PID
    cy# var app = [UIApplication sharedApplication];
    ""
    cy# [app openURL:[NSURL URLWithString:@""]];
    1
    cy# app.networkActivityIndicatorVisible = YES

Slide 41: Cycripting for fun and profit
Break client-side logic
– Alter PINs, booleans, semaphores
– Replace methods
Probe running app data
– Can be verbose, but you get everything in an object
    cy# function appls(a) { var x = {}; for (i in *a) { try { x[i] = (*a)[i]; } catch (e) {} } return x; }
    cy# appls(object);

Slide 42: Client-side logic
You didn't think you could trust client-side logic, did you?
Slide 43: Tampering
Now let's go beyond mere observation
Replace existing methods
– Change the address in gdb
– Dynamic linker attack: put your library in DYLD_INSERT_LIBRARIES
Automate dynamic linking
– MobileSubstrate

Slide 44: Nothing is what it appears
Now we can change the entire universe your app runs in
(If this doesn't seem bad, go watch The Matrix)

Slide 45: Resources
Hacking and Securing iOS Applications, Jonathan Zdziarski, O'Reilly, 2012
Evasi0n, popular jailbreaking tool, http:///

Slide 46: Hardening
User actions and client configurations
Architectural considerations
Hardening tips
But remember, nothing is perfect.

Slide 47: User actions and configurations
Strong passcodes help
MDMs can manage configurations of entire fleets

Slide 48: Architectural considerations
Design choices make a huge difference
– The client cannot be trusted with sensitive data, sensitive functions or security controls
– The client should provide the presentation layer: minimal functionality; processing should be server-side

Slide 49: Hardening tips
Non-obvious names
– Obfuscate functional purpose
Disable debugging
    #define DENY_DEBUG 31
    ptrace(DENY_DEBUG, 0, 0, 0);
Complicate disassembly
– Compiler optimizer
– Strip symbols

Slide 50: Hardening tips (2)
Sensitive code
– On the server, but…
– Write in C or ASM
– Compile + link in-line
– Expand loops manually
Force your attacker to single step through
Don't give away anything

Slide 51: Hardening (3)
Data storage
– Encrypt: Data Protection API for consumer grade; keys on the server
– CommonCrypto lib
Secure file wiping
SQLite data wiping
– Update before delete

Slide 52: Tamper detection
How do we know?
– Run-time integrity checks: memory offsets of sensitive objects
– Sandbox integrity: attempt to fork; size and checksum of /etc/fstab; symbolic links in /Applications
– Common jailbreak files and apps
  – /Applications/Cydia.app
– Honeypots in the app
There ain't a horse that can't be rode or a man that can't be throwed.

Slide 53: Tamper response
What to do?
– Remote wipe
– Phone home
– Log everything
– Wipe user data, keys
– Network access
– Etcetera

Slide 54: Kenneth R. van Wyk, KRvW Associates, LLC
Ken@ , @KRvW
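The sandbox-integrity checks on slide 52 (attempt to fork, size and checksum of /etc/fstab, symbolic links in /Applications, known jailbreak files such as /Applications/Cydia.app and the /bin/sh that stock iOS lacks) and the separate response decision on slide 53, as an added example in C that is not the deck's code. Each check takes its path as a parameter, and the top-level function returns a bitmask of indicators only; wiping, phoning home or logging is the policy layer and stays out of it. FSTAB_REF_SIZE and FSTAB_REF_HASH are placeholders for values you would record from a known-good device, not numbers from the slides, and the FNV-1a checksum is my choice, not one the deck specifies.

```c
/* Added example (not from the slides): sandbox-integrity indicators from slide 52,
 * in plain C so they can be called from an ObjC app. Returns a bitmask; the
 * response (slide 53) is decided by the caller. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum {
    TAMPER_FORK_ALLOWED  = 1u << 0,  /* fork() succeeded: the app sandbox is not enforcing */
    TAMPER_FSTAB_CHANGED = 1u << 1,  /* /etc/fstab size or checksum differs from the reference */
    TAMPER_APPS_SYMLINK  = 1u << 2,  /* /Applications is a symlink (relocated by a jailbreak) */
    TAMPER_JB_FILE       = 1u << 3   /* a known jailbreak file or app is present */
};

/* Placeholders: record these from a known-good device of the same iOS version. */
#define FSTAB_REF_SIZE 0
#define FSTAB_REF_HASH 0u

/* Stock iOS denies fork() to sandboxed apps; if a child is created we are not
 * running in the sandbox we expect. The child exits immediately. */
int fork_is_allowed(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(0);
    int status;
    waitpid(pid, &status, 0);
    return 1;
}

/* Size plus FNV-1a over the file contents, to compare with the recorded reference. */
int file_size_and_hash(const char *path, off_t *size, uint32_t *hash) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint32_t h = 2166136261u;
    int c;
    while ((c = fgetc(f)) != EOF) { h ^= (uint32_t)c; h *= 16777619u; }
    fclose(f);
    *size = st.st_size;
    *hash = h;
    return 0;
}

int fstab_changed(const char *path, off_t ref_size, uint32_t ref_hash) {
    off_t size;
    uint32_t hash;
    if (file_size_and_hash(path, &size, &hash) != 0) return 0;  /* unreadable: no evidence either way */
    return size != ref_size || hash != ref_hash;
}

int path_is_symlink(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISLNK(st.st_mode);
}

int any_path_exists(const char *const *paths, int n) {
    for (int i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) return 1;
    return 0;
}

/* Paths named on the slides: Cydia.app is the canonical marker, and stock iOS has no /bin/sh. */
static const char *const kJailbreakPaths[] = { "/Applications/Cydia.app", "/bin/sh" };

uint32_t tamper_indicators(const char *fstab_path, off_t fstab_ref_size, uint32_t fstab_ref_hash,
                           const char *apps_dir, const char *const *jb_paths, int n_jb) {
    uint32_t mask = 0;
    if (fork_is_allowed()) mask |= TAMPER_FORK_ALLOWED;
    if (fstab_changed(fstab_path, fstab_ref_size, fstab_ref_hash)) mask |= TAMPER_FSTAB_CHANGED;
    if (path_is_symlink(apps_dir)) mask |= TAMPER_APPS_SYMLINK;
    if (any_path_exists(jb_paths, n_jb)) mask |= TAMPER_JB_FILE;
    return mask;
}

int main(void) {
    uint32_t m = tamper_indicators("/etc/fstab", FSTAB_REF_SIZE, FSTAB_REF_HASH,
                                   "/Applications", kJailbreakPaths, 2);
    printf("tamper indicators: 0x%x\n", m);   /* caller decides the slide 53 response */
    return 0;
}
```

Run on a desktop the fork check will fire, which is the point: each indicator is evidence about the environment, not proof of an attacker, so the response layer should weigh several of them (and the honeypots the slide mentions) before doing anything as drastic as a wipe.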
