SlideShare una empresa de Scribd logo

Pentesting iOS Apps - Runtime Analysis and Manipulation

A
Andreas Kurtz

Apple iOS Apps are primarily developed in Objective-C, an object-oriented extension and strict superset of the C programming language. Objective-C supports the concepts of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, meta-data, properties and functions) of an object at runtime. This talk discusses the background, techniques, problems and solutions to Objective-C runtime analysis and manipulation. It will be discussed how running applications can be extended with additional debugging and runtime tracing capabilities, and how this can be used to modify instance variables and to execute or replace arbitrary object methods of an App. Moreover, a new framework to assist dynamic analysis and security assessments of iOS Apps will be introduced and demonstrated.

Tecnología
1 de 63
Descargar para leer sin conexión
Pentesting iOS Apps Runtime Analysis and Manipulation Andreas Kurtz
About • PhD candidate at the Security Research Group, Department of Computer Science, University of Erlangen-Nuremberg – Security of mobile devices & mobile Apps – Dynamic analysis of iOS Apps • Co-Founder of NESO Security Labs GmbH – Software security – Penetration testing, static code analysis 2
Pentesting iOS Apps • Status quo: Focus on backend services – Well-known methodologies and techniques – Numerous tools available • So far only little information on Mobile App mobile App assessments (Frontend) • Lack of tools Backend Services 3
What this talk is about • Introduction to the Objective-C Runtime – Backgrounds, techniques and tools for manipulating iOS Apps at runtime • Use cases and impacts – Pentesters should be able to explore the attack surface of iOS Apps more efficiently – Developers might prefer to avoid client-side logic and security measures in the future 4
Objective-C Runtime INTRODUCTION
Objective-C • Provides a set of extensions to the C programming language • Additions are mostly based on Smalltalk – Object-oriented – Messaging – Dynamic typing These concepts make Objective-C – Reflection quite attractive from a hacking perspective 6
Objective-C • Sample Code: HelloWorld *hello = [[HelloWorld alloc] init]; [hello sayHello:@"DeepSec"]; - (void) sayHello: (NSString *) string { printf("Hello %s!", [string UTF8String]); } 7
Objective-C Runtime • Apps are linked to libobjc.A.dylib # otool -L HelloWorld HelloWorld: /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 890.1.0) /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0) [..] This library provides all runtime functionalities of the Objective-C Runtime 8
Objective-C Runtime • Most important function: objc_msgSend • Example Class class = objc_getClass("HelloWorld"); id receiver = [[class alloc] init]; SEL selector = NSSelectorFromString(@"sayHello:"); objc_msgSend(theReceiver,theSelector,@"DeepSec"); Pointer to an instance of the class, whose method we want to call 9
Objective-C Runtime • Most important function: objc_msgSend • Example Class class = objc_getClass("HelloWorld"); id receiver = [[class alloc] init]; SEL selector = NSSelectorFromString(@"sayHello:"); objc_msgSend(theReceiver,theSelector,@"DeepSec"); The selector of the method that handles the message 10
Objective-C Runtime • Most important function: objc_msgSend • Example Class class = objc_getClass("HelloWorld"); id receiver = [[class alloc] init]; SEL selector = NSSelectorFromString(@"sayHello:"); objc_msgSend(theReceiver,theSelector,@"DeepSec"); A variable argument list containing the arguments to the method 11
Static vs. Dynamic Analysis • During static analysis, control flow is lost when objc_msgSend is called • Characteristics of the Objective-C Runtime enables comprehensive dynamic analysis Technique Usage  Intercept messages  Trace internal control flow  Send arbitrary messages to  Manipulate internal state and existing objects processing logic of an iOS App  Rewrite implementations of arbitrary methods 12
Backgrounds & Techniques RUNTIME MANIPULATION
Starting Point • Goal: Black box analysis of an arbitrary iOS App – Enterprise or AppStore App – Binary format (no source code available) • Approach: Examine the iOS App on a jailbroken device – Removes the limitations imposed by Apple – Provides root access to the operating system – Enables the installation of additional software – Enables access to the Objective-C Runtime! 14
Runtime Manipulation • Objective-C Runtime [1] offers a wide range of opportunities to manipulate existing iOS Apps • Two different approaches – Injecting a static library with new functionalities – Injecting an interpreter for on-the-fly manipulations 15
Dynamic Library Injection • Advise the dynamic linker to load a dynamic shared library (DYLD_INSERT_LIBRARIES) [2] File System iOS App Address Space Foundation Dynamic Linker CoreFoundation .. libobjc.A.dylib Foundation .. CoreFoundation debug.dylib libobjc.A.dylib debug.dylib 16
Runtime Patching • Replace existing methods and reroute program control during library initialization App API Method Replacement redirect to call API method call original code return return 17
Hooking in Practice • MobileSubstrate [3] – MobileLoader loads 3rd-party patching code into the running application – MobileHooker is used to hook and replace system methods and functions IMP MSHookMessage(Class class, SEL selector, IMP replacement, const char* prefix); void MSHookFunction(void* function, void* replacement, void** p_original); • Recommendation: Theos suite eases the development of MobileSubstrate extensions (Tweaks) [4] 18
Example: Fake Device Information #include "substrate.h" #import <Foundation/Foundation.h> NSString *replaced_UIDevice_uniqueIdentifier() { return @"DeepSec"; } __attribute__((constructor)) static void initialize() { MSHookMessage(objc_getClass("UIDevice"), @selector(uniqueIdentifier), (IMP)replaced_UIDevice_uniqueIdentifier, NULL); } 19
Runtime Manipulation • Objective-C Runtime [1] offers a wide range of opportunities to manipulate existing iOS Apps • Two different approaches – Injecting a static library with new functionalities  – Injecting an interpreter for on-the-fly manipulations 20
Cycript: Objective-JavaScript [5] “ “A programming language designed to blend the barrier between Objective-C and JavaScript.” • Injects a JavaScript interpreter into a running App – Based on MobileSubstrate • Enables runtime manipulations in a flexible way [6], [7] 21
Example: Fake Device Information • Step 1: Attach to the App process # cycript -p <PID> • Step 2: Determine the current UDID cy# [[UIDevice currentDevice] uniqueIdentifier]; @"768f0c93a69276d190b6…" 22
Example: Fake Device Information • Step 3: Replace the implementation of the API method cy# UIDevice.messages['uniqueIdentifier'] = function() { return @"DeepSec"; } • Step 4: Query the UDID again cy# [[UIDevice currentDevice] uniqueIdentifier]; @"DeepSec" 23
Example: Fake Device Information 24
Example: Fake Device Information • Example demonstrates the diverse possibilities of iOS runtime injection • This might be useful in different scenarios – Apps that rely on hardware identifier for authentication – Apps that use binary or any proprietary protocols • Easier to manipulate the App endpoint, compared to modifications at protocol-level 25
USE CASES
Advantages of Runtime Manipulation • By using these techniques, running Apps can be extended with additional debugging and runtime tracing capabilities • This assists security assessments of iOS Apps – Eases the discovery of vulnerabilities – Simplifies bypassing client-side limitations and restrictions 27
Evaluate Encryption Schemes • Typical question: Which App methods are called after the “Login” button is pressed? • Idea: Make use of dynamic analysis to reconstruct the control flow of an App – Use the results to navigate through static code • Solution: Log all messages to objc_msgSend 28
The gdb way (gdb) exec-file /var/mobile/Applications/<APP-EXECUTABLE> Reading symbols for shared libraries . done (gdb) attach <PID> Attaching to program: `/private/var/mobile/Applications/...', process PID. Reading symbols for shared libraries . done Reading symbols for shared libraries ................................ done Reading symbols for shared libraries + done 0x364d7004 in mach_msg_trap () (gdb) break objc_msgSend Breakpoint 1 at 0x32ce2f68 (gdb) commands Type commands for when breakpoint 1 is hit, one per line. End with a line saying just "end". >printf "-[%s %s]n", (char *)class_getName($r0),$r1 >c >end (gdb) c Continuing. 29
The gdb way Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBarServer _receivedStatusBarData:actions:] Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBar statusBarServer:didReceiveStatusBarData:withActions:] Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBar _currentComposedData] Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBar _currentComposedDataForStyle:] Breakpoint 1, 0x32ce2f68 in objc_msgSend () Very noisy! All background -[UIStatusBarComposedData alloc] activities of the runtime are [..] shown as well. 30
App Tracing • Preferred approach: Intercept messages to objc_msgSend within the runtime • Apply filters with different granularity – Enumerate registered App classes and methods using the Objective-C Runtime API (objc_getClassList, class_copyMethodList, etc.) – Output a trace of only matching items • Inspired by Aspective-C [8] and Subjective-C [9] 31
App Tracing • Tricky part is to handle all parameters and to continue normal execution – Logging itself modifies CPU registers and the stack • Current execution state has to be preserved – Allocate an alternate stack within heap memory – Backup r0 - r3 and lr registers to alternate stack – Do the logging and filtering – Restore r0 - r3 and lr – Continue execution 32
Sample Output + [SyncManager sharedSyncManager] - [SyncManager init] - [SyncManager setSynDocumentOpen:], args: 0 + [DataModel setSynchManager:], args: <0x1102ce30> + [DataModel initFromFile] + [DataModel securityModelFilePath] + [DataModel securityModelFilePath] + [PBKDF2 getKeyForPassphrase:], args: <__NSCFConstantString 0x15e2e4: > + [CryptoUtils decrypt] + [DataModel sharedModel] + [CryptoUtils md5:], args: <__NSCFConstantString 0x15dea4: > + [DataModel sharedModel] Encryption scheme is based on a hardcoded key within the App 33
Sample Output + [SyncManager sharedSyncManager] - [SyncManager init] - [SyncManager setSynDocumentOpen:], args: 0 + [DataModel setSynchManager:], args: <0x1102ce30> + [DataModel initFromFile] + [DataModel securityModelFilePath] + [DataModel securityModelFilePath] + [PBKDF2 getKeyForPassphrase:], args: <__NSCFConstantString 0x15e2e4: > + [CryptoUtils decrypt] + [DataModel sharedModel] + [CryptoUtils md5:], args: <__NSCFConstantString 0x15dea4: > + [DataModel sharedModel] 34
Advantages of Runtime Manipulation • The ability to manipulate Apps at runtime strikes out new paths – Discover weak/missing encryption – Bypassing client-side restrictions – Execution of hidden functionality, which was not supposed to be accessible – Unlock additional features and premium content – Dump copyright-protected content – Etc. 35
Lack of Tools “ “Security will not get better until tools for practical exploration of the attack surface are made available” - Josh Wright 36
Closing the Gap • Retrofitting existing apps with debugging and runtime tracing capabilities Debugging XML-RPC Webserver Library App GWT GUI 37
Introducing Snoop-it • A tool to assist security assessments and dynamic analysis of iOS Apps 38
Features Monitoring File system access (print data protection classes) Keychain access HTTP(S) connections Access to sensitive API (address book, photos etc.) Debug outputs Tracing App internals (objc_msgSend) 39
Features Analysis / Fake hardware identifier (UDID, Wireless MAC, etc.) Manipulation Fake location/GPS data Explore and force display of available ViewControllers List custom URL schemes List available Objective-C classes, objects and methods Invoke and replace arbitrary methods at runtime 40
Features Simple installation and configuration Other Easy to use graphical user interface Plenty of filter and search options Detailed description of the XML-RPC web service interface Freely available at the end of this year 41
Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 42
Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 43
Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 44
Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 45
Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run App & point your browser to the Snoop-it web interface 46
DEMO Please follow me on Twitter (@aykay) to stay up-to-date with the latest news on Snoop-it
Filesystem Monitor 49
Location Faker 50
App Tracing 51
Keychain Monitor 52
Runtime Manipulation 53
Jailbreak Detection • Purpose: Verification of platform integrity • Common checks – Suspicious files and directories – File system permissions – Mount options – Symbolic links – Dynamic shared libraries – SSH Loopback – Sandbox integrity (fork) 54
Jailbreak Detection 55
Jailbreak Detection • In order to assess the security of an iOS App, at first the jailbreak detection mechanisms have to be bypassed – Binary / Run-time patching to remove all checks (specific, time-consuming) Delegate.messages['isJailbroken'] = function() { return NO; } – Intercept system calls to simulate an unmodified execution environment (generic) 56
Jailbreak Detection Bypass • Snoop-it supports generic bypass of the most common jailbreak detection mechanisms – Simple configuration switch in the Configuration App 57
Bypassing Jailbreak Detection DEMO
Securing the Runtime • Minimum of data/logic on the client-side • Preferred use of C, at least for security-critical implementations – Inline Functions At least try to, – Obfuscation it’s worth a shot. • Advanced Jailbreak Detection • Runtime Integrity Checks (dladdr()[10]) 59
Summary • Runtime Analysis and Manipulation facilitates both, dynamic and static analysis of iOS Apps • Attack surface of iOS Apps can be explored more efficiently 60
Acknowledgements • Thanks to – Markus Troßbach (University of Heidelberg) – Sebastian Stocker (University of Heidelberg) – Christoph Settgast (University of Erlangen) – Andreas Weinlein (University of Erlangen) – Francesca Serpi (University of Milan) 62
References [1] Objective C Runtime Reference http://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Obj CRuntimeRef/Reference/reference.html [2] dyld - the dynamic link editor (DYLD_INSERT_LIBRARIES) http://developer.apple.com/library/mac/#documentation/Darwin/Reference/M anpages/man1/dyld.1.html [3] Mobile Substrate http://iphonedevwiki.net/index.php/MobileSubstrate [4] Theos http://iphonedevwiki.net/index.php/Theos [5] Cycript http://www.cycript.org 63
References [6] Cycript Overview http://iphonedevwiki.net/index.php/Cycript [7] Cycript Tips http://iphonedevwiki.net/index.php/Cycript_Tricks [8] Aspective-C by saurik http://svn.saurik.com/repos/menes/trunk/aspectivec/AspectiveC.mm [9] Subjective-C by KennyTM~ http://networkpx.blogspot.de/2009/09/introducing-subjective-c.html [10] dladdr - find the image containing a given address http://developer.apple.com/library/Mac/#documentation/Darwin/Reference/ ManPages/man3/dladdr.3.html 64
Weipertstraße 8-10 ∙ 74076 Heilbronn  +49 (7131) 7669-540 info@nesolabs.de www.nesolabs.de

Recomendados

iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS AppsHerman Duarte
 

Recomendados

iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS AppsHerman Duarte
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Kuba Břečka
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application ExploitationPositive Hack Days
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testingn|u - The Open Security Community
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Courseeightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycriptn|u - The Open Security Community
 
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Yandex
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Gonzalo Parra
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
iOS jailbreaking
iOS jailbreakingiOS jailbreaking
iOS jailbreakingVarun Luthra
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Erik
ErikErik
ErikRebeca Ruiz
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applicationsAndrey Chasovskikh
 

Más contenido relacionado

La actualidad más candente

Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Kuba Břečka
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Courseeightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Yandex
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Gonzalo Parra
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 

La actualidad más candente (20)

Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycript
 
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
 
iOS jailbreaking
iOS jailbreakingiOS jailbreaking
iOS jailbreaking
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 

Destacado

Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applicationsAndrey Chasovskikh
 
Accounting kpi examples
Accounting kpi examplesAccounting kpi examples
Accounting kpi examplesbichukletaylor
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Kpi for accounting department
Kpi for accounting departmentKpi for accounting department
Kpi for accounting departmentdubihugeharris
 

Destacado (9)

Erik
ErikErik
Erik
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applications
 
IOS debugging
IOS debuggingIOS debugging
IOS debugging
 
Accounting kpi examples
Accounting kpi examplesAccounting kpi examples
Accounting kpi examples
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Kpi for accounting department
Kpi for accounting departmentKpi for accounting department
Kpi for accounting department
 
9 accouting based kpi
9 accouting based kpi9 accouting based kpi
9 accouting based kpi
 

Similar a Pentesting iOS Apps - Runtime Analysis and Manipulation

Nike pop up habitat
Nike pop up habitatNike pop up habitat
Nike pop up habitatChef
 
Building production-quality apps with Node.js
Building production-quality apps with Node.jsBuilding production-quality apps with Node.js
Building production-quality apps with Node.jsmattpardee
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
 
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanCara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanDicodingEvent
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648Eing Ong
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017Stefano Bonetta
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI AppsRichin Jain
 
Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013
Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013
Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013DuckMa
 
Announcing AWS CodeBuild - January 2017 Online Teck Talks
Announcing AWS CodeBuild - January 2017 Online Teck TalksAnnouncing AWS CodeBuild - January 2017 Online Teck Talks
Announcing AWS CodeBuild - January 2017 Online Teck TalksAmazon Web Services
 
Building Top-Notch Androids SDKs
Building Top-Notch Androids SDKsBuilding Top-Notch Androids SDKs
Building Top-Notch Androids SDKsrelayr
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
iOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomeriOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomerAndri Yadi
 
iOS overview
iOS overviewiOS overview
iOS overviewgupta25
 
Hudson
HudsonHudson
Hudson8x8
 
DockerCon 15 Keynote - Day 2
DockerCon 15 Keynote - Day 2DockerCon 15 Keynote - Day 2
DockerCon 15 Keynote - Day 2Docker, Inc.
 

Similar a Pentesting iOS Apps - Runtime Analysis and Manipulation (20)

Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
 
Nike pop up habitat
Nike pop up habitatNike pop up habitat
Nike pop up habitat
 
Building production-quality apps with Node.js
Building production-quality apps with Node.jsBuilding production-quality apps with Node.js
Building production-quality apps with Node.js
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Ios development
Ios developmentIos development
Ios development
 
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanCara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648
 
Revue des annonces WWDC2015
Revue des annonces WWDC2015Revue des annonces WWDC2015
Revue des annonces WWDC2015
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI Apps
 
Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013
Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013
Matteo Gazzurelli - Andorid introduction - Google Dev Fest 2013
 
Announcing AWS CodeBuild - January 2017 Online Teck Talks
Announcing AWS CodeBuild - January 2017 Online Teck TalksAnnouncing AWS CodeBuild - January 2017 Online Teck Talks
Announcing AWS CodeBuild - January 2017 Online Teck Talks
 
Building Top-Notch Androids SDKs
Building Top-Notch Androids SDKsBuilding Top-Notch Androids SDKs
Building Top-Notch Androids SDKs
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
iOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomeriOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for Jasakomer
 
iOS overview
iOS overviewiOS overview
iOS overview
 
Hudson
HudsonHudson
Hudson
 
DockerCon 15 Keynote - Day 2
DockerCon 15 Keynote - Day 2DockerCon 15 Keynote - Day 2
DockerCon 15 Keynote - Day 2
 

Último

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Último (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

Pentesting iOS Apps - Runtime Analysis and Manipulation

  • 1. Pentesting iOS Apps Runtime Analysis and Manipulation Andreas Kurtz
  • 2. About • PhD candidate at the Security Research Group, Department of Computer Science, University of Erlangen-Nuremberg – Security of mobile devices & mobile Apps – Dynamic analysis of iOS Apps • Co-Founder of NESO Security Labs GmbH – Software security – Penetration testing, static code analysis 2
  • 3. Pentesting iOS Apps • Status quo: Focus on backend services – Well-known methodologies and techniques – Numerous tools available • So far only little information on Mobile App mobile App assessments (Frontend) • Lack of tools Backend Services 3
  • 4. What this talk is about • Introduction to the Objective-C Runtime – Backgrounds, techniques and tools for manipulating iOS Apps at runtime • Use cases and impacts – Pentesters should be able to explore the attack surface of iOS Apps more efficiently – Developers might prefer to avoid client-side logic and security measures in the future 4
  • 6. Objective-C • Provides a set of extensions to the C programming language • Additions are mostly based on Smalltalk – Object-oriented – Messaging – Dynamic typing These concepts make Objective-C – Reflection quite attractive from a hacking perspective 6
  • 7. Objective-C • Sample Code: HelloWorld *hello = [[HelloWorld alloc] init]; [hello sayHello:@"DeepSec"]; - (void) sayHello: (NSString *) string { printf("Hello %s!", [string UTF8String]); } 7
  • 8. Objective-C Runtime • Apps are linked to libobjc.A.dylib # otool -L HelloWorld HelloWorld: /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 890.1.0) /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0) [..] This library provides all runtime functionalities of the Objective-C Runtime 8
  • 9. Objective-C Runtime • Most important function: objc_msgSend • Example Class class = objc_getClass("HelloWorld"); id receiver = [[class alloc] init]; SEL selector = NSSelectorFromString(@"sayHello:"); objc_msgSend(theReceiver,theSelector,@"DeepSec"); Pointer to an instance of the class, whose method we want to call 9
  • 10. Objective-C Runtime • Most important function: objc_msgSend • Example Class class = objc_getClass("HelloWorld"); id receiver = [[class alloc] init]; SEL selector = NSSelectorFromString(@"sayHello:"); objc_msgSend(theReceiver,theSelector,@"DeepSec"); The selector of the method that handles the message 10
  • 11. Objective-C Runtime • Most important function: objc_msgSend • Example Class class = objc_getClass("HelloWorld"); id receiver = [[class alloc] init]; SEL selector = NSSelectorFromString(@"sayHello:"); objc_msgSend(theReceiver,theSelector,@"DeepSec"); A variable argument list containing the arguments to the method 11
  • 12. Static vs. Dynamic Analysis • During static analysis, control flow is lost when objc_msgSend is called • Characteristics of the Objective-C Runtime enables comprehensive dynamic analysis Technique Usage  Intercept messages  Trace internal control flow  Send arbitrary messages to  Manipulate internal state and existing objects processing logic of an iOS App  Rewrite implementations of arbitrary methods 12
  • 14. Starting Point • Goal: Black box analysis of an arbitrary iOS App – Enterprise or AppStore App – Binary format (no source code available) • Approach: Examine the iOS App on a jailbroken device – Removes the limitations imposed by Apple – Provides root access to the operating system – Enables the installation of additional software – Enables access to the Objective-C Runtime! 14
  • 15. Runtime Manipulation • Objective-C Runtime [1] offers a wide range of opportunities to manipulate existing iOS Apps • Two different approaches – Injecting a static library with new functionalities – Injecting an interpreter for on-the-fly manipulations 15
  • 16. Dynamic Library Injection • Advise the dynamic linker to load a dynamic shared library (DYLD_INSERT_LIBRARIES) [2] File System iOS App Address Space Foundation Dynamic Linker CoreFoundation .. libobjc.A.dylib Foundation .. CoreFoundation debug.dylib libobjc.A.dylib debug.dylib 16
  • 17. Runtime Patching • Replace existing methods and reroute program control during library initialization App API Method Replacement redirect to call API method call original code return return 17
  • 18. Hooking in Practice • MobileSubstrate [3] – MobileLoader loads 3rd-party patching code into the running application – MobileHooker is used to hook and replace system methods and functions IMP MSHookMessage(Class class, SEL selector, IMP replacement, const char* prefix); void MSHookFunction(void* function, void* replacement, void** p_original); • Recommendation: Theos suite eases the development of MobileSubstrate extensions (Tweaks) [4] 18
  • 19. Example: Fake Device Information #include "substrate.h" #import <Foundation/Foundation.h> NSString *replaced_UIDevice_uniqueIdentifier() { return @"DeepSec"; } __attribute__((constructor)) static void initialize() { MSHookMessage(objc_getClass("UIDevice"), @selector(uniqueIdentifier), (IMP)replaced_UIDevice_uniqueIdentifier, NULL); } 19
  • 20. Runtime Manipulation • Objective-C Runtime [1] offers a wide range of opportunities to manipulate existing iOS Apps • Two different approaches – Injecting a static library with new functionalities  – Injecting an interpreter for on-the-fly manipulations 20
  • 21. Cycript: Objective-JavaScript [5] “ “A programming language designed to blend the barrier between Objective-C and JavaScript.” • Injects a JavaScript interpreter into a running App – Based on MobileSubstrate • Enables runtime manipulations in a flexible way [6], [7] 21
  • 22. Example: Fake Device Information • Step 1: Attach to the App process # cycript -p <PID> • Step 2: Determine the current UDID cy# [[UIDevice currentDevice] uniqueIdentifier]; @"768f0c93a69276d190b6…" 22
  • 23. Example: Fake Device Information • Step 3: Replace the implementation of the API method cy# UIDevice.messages['uniqueIdentifier'] = function() { return @"DeepSec"; } • Step 4: Query the UDID again cy# [[UIDevice currentDevice] uniqueIdentifier]; @"DeepSec" 23
  • 24. Example: Fake Device Information 24
  • 25. Example: Fake Device Information • Example demonstrates the diverse possibilities of iOS runtime injection • This might be useful in different scenarios – Apps that rely on hardware identifier for authentication – Apps that use binary or any proprietary protocols • Easier to manipulate the App endpoint, compared to modifications at protocol-level 25
  • 27. Advantages of Runtime Manipulation • By using these techniques, running Apps can be extended with additional debugging and runtime tracing capabilities • This assists security assessments of iOS Apps – Eases the discovery of vulnerabilities – Simplifies bypassing client-side limitations and restrictions 27
  • 28. Evaluate Encryption Schemes • Typical question: Which App methods are called after the “Login” button is pressed? • Idea: Make use of dynamic analysis to reconstruct the control flow of an App – Use the results to navigate through static code • Solution: Log all messages to objc_msgSend 28
  • 29. The gdb way (gdb) exec-file /var/mobile/Applications/<APP-EXECUTABLE> Reading symbols for shared libraries . done (gdb) attach <PID> Attaching to program: `/private/var/mobile/Applications/...', process PID. Reading symbols for shared libraries . done Reading symbols for shared libraries ................................ done Reading symbols for shared libraries + done 0x364d7004 in mach_msg_trap () (gdb) break objc_msgSend Breakpoint 1 at 0x32ce2f68 (gdb) commands Type commands for when breakpoint 1 is hit, one per line. End with a line saying just "end". >printf "-[%s %s]n", (char *)class_getName($r0),$r1 >c >end (gdb) c Continuing. 29
  • 30. The gdb way Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBarServer _receivedStatusBarData:actions:] Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBar statusBarServer:didReceiveStatusBarData:withActions:] Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBar _currentComposedData] Breakpoint 1, 0x32ce2f68 in objc_msgSend () -[UIStatusBar _currentComposedDataForStyle:] Breakpoint 1, 0x32ce2f68 in objc_msgSend () Very noisy! All background -[UIStatusBarComposedData alloc] activities of the runtime are [..] shown as well. 30
  • 31. App Tracing • Preferred approach: Intercept messages to objc_msgSend within the runtime • Apply filters with different granularity – Enumerate registered App classes and methods using the Objective-C Runtime API (objc_getClassList, class_copyMethodList, etc.) – Output a trace of only matching items • Inspired by Aspective-C [8] and Subjective-C [9] 31
  • 32. App Tracing • Tricky part is to handle all parameters and to continue normal execution – Logging itself modifies CPU registers and the stack • Current execution state has to be preserved – Allocate an alternate stack within heap memory – Backup r0 - r3 and lr registers to alternate stack – Do the logging and filtering – Restore r0 - r3 and lr – Continue execution 32
  • 33. Sample Output + [SyncManager sharedSyncManager] - [SyncManager init] - [SyncManager setSynDocumentOpen:], args: 0 + [DataModel setSynchManager:], args: <0x1102ce30> + [DataModel initFromFile] + [DataModel securityModelFilePath] + [DataModel securityModelFilePath] + [PBKDF2 getKeyForPassphrase:], args: <__NSCFConstantString 0x15e2e4: > + [CryptoUtils decrypt] + [DataModel sharedModel] + [CryptoUtils md5:], args: <__NSCFConstantString 0x15dea4: > + [DataModel sharedModel] Encryption scheme is based on a hardcoded key within the App 33
  • 34. Sample Output + [SyncManager sharedSyncManager] - [SyncManager init] - [SyncManager setSynDocumentOpen:], args: 0 + [DataModel setSynchManager:], args: <0x1102ce30> + [DataModel initFromFile] + [DataModel securityModelFilePath] + [DataModel securityModelFilePath] + [PBKDF2 getKeyForPassphrase:], args: <__NSCFConstantString 0x15e2e4: > + [CryptoUtils decrypt] + [DataModel sharedModel] + [CryptoUtils md5:], args: <__NSCFConstantString 0x15dea4: > + [DataModel sharedModel] 34
  • 35. Advantages of Runtime Manipulation • The ability to manipulate Apps at runtime strikes out new paths – Discover weak/missing encryption – Bypassing client-side restrictions – Execution of hidden functionality, which was not supposed to be accessible – Unlock additional features and premium content – Dump copyright-protected content – Etc. 35
  • 36. Lack of Tools “ “Security will not get better until tools for practical exploration of the attack surface are made available” - Josh Wright 36
  • 37. Closing the Gap • Retrofitting existing apps with debugging and runtime tracing capabilities Debugging XML-RPC Webserver Library App GWT GUI 37
  • 38. Introducing Snoop-it • A tool to assist security assessments and dynamic analysis of iOS Apps 38
  • 39. Features Monitoring File system access (print data protection classes) Keychain access HTTP(S) connections Access to sensitive API (address book, photos etc.) Debug outputs Tracing App internals (objc_msgSend) 39
  • 40. Features Analysis / Fake hardware identifier (UDID, Wireless MAC, etc.) Manipulation Fake location/GPS data Explore and force display of available ViewControllers List custom URL schemes List available Objective-C classes, objects and methods Invoke and replace arbitrary methods at runtime 40
  • 41. Features Simple installation and configuration Other Easy to use graphical user interface Plenty of filter and search options Detailed description of the XML-RPC web service interface Freely available at the end of this year 41
  • 42. Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 42
  • 43. Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 43
  • 44. Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 44
  • 45. Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run app & point your browser to the Snoop-it web interface 45
  • 46. Getting Started • There’s an App for That!™  Open the Snoop-it Configuration App  Select Apps (System/Cydia/AppStore) to analyze  Adjust settings (GUI, Authentication, …)  Run App & point your browser to the Snoop-it web interface 46
  • 47. DEMO Please follow me on Twitter (@aykay) to stay up-to-date with the latest news on Snoop-it
  • 53. Jailbreak Detection • Purpose: Verification of platform integrity • Common checks – Suspicious files and directories – File system permissions – Mount options – Symbolic links – Dynamic shared libraries – SSH Loopback – Sandbox integrity (fork) 54
  • 55. Jailbreak Detection • In order to assess the security of an iOS App, at first the jailbreak detection mechanisms have to be bypassed – Binary / Run-time patching to remove all checks (specific, time-consuming) Delegate.messages['isJailbroken'] = function() { return NO; } – Intercept system calls to simulate an unmodified execution environment (generic) 56
  • 56. Jailbreak Detection Bypass • Snoop-it supports generic bypass of the most common jailbreak detection mechanisms – Simple configuration switch in the Configuration App 57
  • 58. Securing the Runtime • Minimum of data/logic on the client-side • Preferred use of C, at least for security-critical implementations – Inline Functions At least try to, – Obfuscation it’s worth a shot. • Advanced Jailbreak Detection • Runtime Integrity Checks (dladdr()[10]) 59
  • 59. Summary • Runtime Analysis and Manipulation facilitates both, dynamic and static analysis of iOS Apps • Attack surface of iOS Apps can be explored more efficiently 60
  • 60. Acknowledgements • Thanks to – Markus Troßbach (University of Heidelberg) – Sebastian Stocker (University of Heidelberg) – Christoph Settgast (University of Erlangen) – Andreas Weinlein (University of Erlangen) – Francesca Serpi (University of Milan) 62
  • 61. References [1] Objective C Runtime Reference http://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Obj CRuntimeRef/Reference/reference.html [2] dyld - the dynamic link editor (DYLD_INSERT_LIBRARIES) http://developer.apple.com/library/mac/#documentation/Darwin/Reference/M anpages/man1/dyld.1.html [3] Mobile Substrate http://iphonedevwiki.net/index.php/MobileSubstrate [4] Theos http://iphonedevwiki.net/index.php/Theos [5] Cycript http://www.cycript.org 63
  • 62. References [6] Cycript Overview http://iphonedevwiki.net/index.php/Cycript [7] Cycript Tips http://iphonedevwiki.net/index.php/Cycript_Tricks [8] Aspective-C by saurik http://svn.saurik.com/repos/menes/trunk/aspectivec/AspectiveC.mm [9] Subjective-C by KennyTM~ http://networkpx.blogspot.de/2009/09/introducing-subjective-c.html [10] dladdr - find the image containing a given address http://developer.apple.com/library/Mac/#documentation/Darwin/Reference/ ManPages/man3/dladdr.3.html 64
  • 63. Weipertstraße 8-10 ∙ 74076 Heilbronn  +49 (7131) 7669-540 info@nesolabs.de www.nesolabs.de