iOS Application
Testing
@jhaddix
I work at Fortify On Demand
We assess a lot of mobile apps
http://goo.gl/cjd3JF
Me
iDevice apps are downloaded via the App Store or given to you by
the customer. They have the extension .ipa, which is just a zip
file. Your iDevice unzips them, handles the crypto and signing
magic and deploys them to their own sandboxed directory.
ZOMG 2hrs!?!!???!?
A jailbroken iDevice?
SSHed into their device before?
Proxied a mobile app or used Burp Suite before?
Let's Play "Who has?"
Setting Up Your Lab
•  Hardware
o MacBook
o PC
o iPad / iPhone
o Bluetooth KB (useful but not necessary)
Ninjas Need Tools
•  Software for MacBook
o Xcode with developer utils
o USBMux Python package
o iTunes
o Burp Suite
o Wireshark
o Hopper Disassembler
o iFunBox
o Filezilla
o libimobiledevice
MacBook Software
•  Software for PC
o  iFunBox
o  iExplorer
o  Apple Configuration Utility
o  USBMux Python package
o  iTunes
o  Burp Suite
o  SSH/SCP Client (I use Bitvise)
o  Plist editor pro
o  SQL Database Browser
o  SQLite Expert Professional
o  Wireshark ++ Tshark
o  Python
o  Java
o  IDA Pro
PC Software
Look Ma, Exploits!
Setting up your iPad
Jailbreaking
(Stack diagram: Fancy hardware -> Operating System: iOS (fork of Darwin (fork of BSD)) -> Language: Objective-C, Core Services + Cocoa (Media & UI APIs) -> ARM Executables)
•  Get us a shell!
o  A jailbreak is a set of exploits designed to give us full control over
the device. It also installs the Cydia app store.
o  A combination of userland exploits, kernel exploits, and iOS API
trickery.
o  Current JBs: evasi0n7 (iOS 7.0.x) or Pangu (iOS 7.1 - 7.1.2)
Jailbreaking
1.  Open and update Cydia
2.  Install OpenSSH
•  In Safari -
apptapp://package/openssh
Then
Post Jailbreak
•  Install from cydia
–  APT 0.7 Strict
–  Afc2add
–  Cycript
–  Appsync
–  IPA installer
–  Appcake
–  ClutchPatched
•  Useful packages (packages.txt)
•  apt-get install $(<packages.txt)
•  reboot
iPad Software
1.  Get USB mux installed
2.  This way you don't need a network
Not iPad Software
@ECHO OFF
::CMD will no longer show us what command it's executing (cleaner)
ECHO USB MUX Connection!
Python27\python.exe usbmuxd-1.0.8\python-client\tcprelay.py -t 22:2222
1.  Now you have a functioning *nix environment on your
iPad (with the relay running, ssh to port 2222 on localhost and
usbmuxd forwards it over USB to port 22 on the device).
2.  A Lab Mac
3.  A Lab PC
Let's talk about what we are looking for!
Now you have *NIX
Apps and Vulns
1. We live in userland
2. We still have fun
3. Remember, it’s for the customer
We test Apps
On the iDevice, once installed, the IPA
file (remember, just a zip) is extracted to
the application's sandboxed folder:
/var/mobile/Applications/APPGUID/
(That is the iOS 7 and earlier layout. From iOS 8 the bundle lives under
/var/mobile/Containers/Bundle/Application/<UUID>/ and the app's data in a
separate /var/mobile/Containers/Data/Application/<UUID>/ container.)
Where Apps live
Use the IPA Installer Console (or AppCake)
to install apps that you have IPAs for:
AppCake IPAs must be dropped in:
/var/mobile/Media/Appcake/Imported
Installing IPAs
Ender:~ root# ipainstaller -c TargetApp.ipa
Clean installation enabled.
Will not restore any saved documents and other resources.
Analyzing TargetApp.ipa...
Installing TargetApp (v1.0)...
Installed TargetApp (v1.0) successfully.
Cleaning old contents of TargetApp...
listapps
#!/bin/sh
# list every installed bundle, sorted case-insensitively on the 6th "/" field (the .app name)
ls -d /var/mobile/Applications/*/*.app | sort -f -t / -k 6
Place in /usr/bin/ :
listapps
running
#!/bin/bash
# PID and binary path of every process running out of an app container as the mobile user
ps aux | grep mobile | awk -F" " '{print $2, $11}' | grep /var/mobile
Place in /usr/bin/ :
running
(Screenshot: Process ID column next to each app binary path)
Appname.app/
Let's explore an app bundle directory; inside
it are the bare-bones pieces of the app once
installed:
ls -alX <appPath/appName.app>
$Appname.app/
Other files inside of the bundle (.app/)
•  Image files
•  Info.plist
•  Hard-coded certs
•  Pre-configured SQLite DBs
More on the content of the app directory
later
$appguid/
Up one directory from your app's .app folder is its sandbox
directory (the app's "container"). Upon first run things will
get copied here, and the important storage, settings and
cache files live here.
ls -alX $appPath/
•  /var/mobile/Applications/<long string here>/
App Directories
Looking for Vulns
OWASP Mobile Top 10 Risks (2014)
M1 - Weak Server Side Controls
M2 - Insecure Data Storage
M3 - Insufficient Transport Layer Protection
M4 - Unintended Data Leakage
M5 - Poor Authorization and Authentication
M6 - Broken Cryptography
M7 - Client Side Injection
M8 - Security Decisions Via Untrusted Inputs
M9 - Improper Session Handling
M10 - Lack of Binary Protections
Client-Side
What are we looking for?
•  Usernames
•  Authentication tokens
•  Passwords
•  Cookies
•  Location data
•  Sensitive Images
•  UDID/IMEI
•  Device Name
•  Network Names
•  DoB
•  Address
•  Social
•  Card Data
•  Stored application logs
•  Debug information
•  Cached messages
•  Transaction histories
•  PIN numbers
What are we looking for?
Many apps will encode sensitive data, not encrypt. Look for
(this is “password”):
•  Base64
–  cGFzc3dvcmQ=
•  Hex
–  70617373776f7264
•  Decimal
–  112 97 115 115 119 111 114 100
•  Md5
–  5f4dcc3b5aa765d61d8327deb882cf99
•  SHA1
–  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
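As an added example (this is not the deck's code), the list above turned into a small search: build every listed form of a candidate secret and run them over a dump of a data store or log. The blob and the candidate word are constructed for the demo; digests and hex are matched case-insensitively because tools print them in either case, while base64 is case-sensitive by nature.

```python
import base64
import hashlib
import re

# Constructed sample of what a data store or log might contain: the word
# "password" hidden behind the encodings the slide lists, plus one decoy line.
SAMPLE_BLOB = b"""\
token=cGFzc3dvcmQ=
pin_hash=5F4DCC3B5AA765D61D8327DEB882CF99
legacy=70617373776f7264
banner=112 97 115 115 119 111 114 100
unrelated=YWJjZGVm
"""


def encodings_of(secret: str) -> dict:
    """Every form of `secret` the slide warns about, keyed by encoding name."""
    raw = secret.encode()
    return {
        "plain": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "decimal": " ".join(str(b) for b in raw),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }


def find_encoded_secrets(blob: bytes, candidates) -> list:
    """Search blob line by line for each candidate in each encoding.

    Returns (candidate, encoding, line) triples. Hex and digest forms are
    matched case-insensitively; plaintext and base64 are matched exactly.
    """
    text = blob.decode("utf-8", errors="replace")
    hits = []
    for secret in candidates:
        for name, form in encodings_of(secret).items():
            flags = 0 if name in ("plain", "base64") else re.IGNORECASE
            pattern = re.compile(re.escape(form), flags)
            for line in text.splitlines():
                if pattern.search(line):
                    hits.append((secret, name, line.strip()))
    return hits


if __name__ == "__main__":
    for secret, enc, line in find_encoded_secrets(SAMPLE_BLOB, ["password"]):
        print(f"{enc:8} {secret!r} in: {line}")
```

Feed it the usernames, PINs and passwords you already know for the test account and point it at the app's container; anything it finds is data the app "protected" by encoding only.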
Logs, SQLite, Plists, Caches, oh
my!
M2 - Insecure Data Storage
•  All of the last slide will be stored by one app or
another.
•  Some are OK to store as long as the file is
protected by encryption.
•  Others are usually bad to store at all and
should be handled:
–  In memory
–  Encrypted in the keychain
–  On the server exclusively
Working with data storage files
•  Most data stores can be inspected easily with a text
editor, except:
– Plists
•  XML
•  Binary
– SQLite Databases
Plists
Data storage via:
NSUserDefaults
Tools on Mac
§  Xcode's plist editor will read both
formats
§  plutil will convert a binary plist
to an XML one (plutil -convert xml1 file.plist)
Tools on Windows
§  Plist Editor Pro will read and
save either format
§  Notepad++
SQLite
•  iOS supports SQLite for data storage using
NSManagedObject (core data)
•  Tools:
– SQLite Database Browser for Win (GUI)
– SQLite on the command line
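Added example covering both the plist and the SQLite slides (not the deck's or DVIA's own code): a Python scanner that opens a preferences plist in either format (plistlib autodetects XML vs. binary, the same job plutil does on the Mac) and walks a SQLite store's schema for sensitive-looking column names, so a binary plist or a Core Data store hides nothing from you. The preferences plist and the Z-prefixed tables are constructed for the demo; the key-name list is an assumption you would extend per app.

```python
import plistlib
import sqlite3

# Key/column name fragments worth a second look in any app data store (assumed list).
SENSITIVE = ("password", "passwd", "pin", "token", "secret", "session",
             "cookie", "email", "username", "ssn", "card")


def is_binary_plist(data: bytes) -> bool:
    """Binary plists start with the 'bplist00' magic; XML ones start with '<?xml'."""
    return data.startswith(b"bplist00")


def sensitive_plist_entries(data: bytes) -> list:
    """Parse an XML *or* binary plist (plistlib autodetects the format) and
    return (dotted.key.path, value) for every leaf whose path looks sensitive."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        else:
            dotted = ".".join(path)
            if any(word in dotted.lower() for word in SENSITIVE):
                found.append((dotted, node))

    walk(plistlib.loads(data), [])
    return found


def sensitive_sqlite_columns(con: sqlite3.Connection) -> list:
    """Walk sqlite_master and PRAGMA table_info to find (table, column, rows)
    for every column whose name looks sensitive; no schema knowledge needed."""
    out = []
    tables = [row[0] for row in
              con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in con.execute(f'PRAGMA table_info("{table}")'):
            column = row[1]
            if any(word in column.lower() for word in SENSITIVE):
                rows = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                out.append((table, column, rows))
    return out


# Constructed sample 1: an NSUserDefaults-style preferences plist, written in
# the binary form it has on disk under Library/Preferences/<bundle id>.plist.
SAMPLE_PREFS = plistlib.dumps(
    {"username": "alice", "password": "hunter2", "theme": "dark",
     "session": {"token": "eyJhbGciOi..."}},
    fmt=plistlib.FMT_BINARY,
)


def scan_sample_db() -> list:
    """Constructed sample 2: a Core Data style store (Z-prefixed tables) built
    in memory; on a device you would sqlite3.connect('Documents/<name>.sqlite')."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZBODY TEXT, ZSENDEREMAIL TEXT)")
    con.execute("CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZPASSWORD TEXT)")
    con.execute("INSERT INTO ZACCOUNT VALUES (1, 'hunter2')")
    result = sensitive_sqlite_columns(con)
    con.close()
    return result


if __name__ == "__main__":
    print("binary plist:", is_binary_plist(SAMPLE_PREFS))
    print("plist hits:", sensitive_plist_entries(SAMPLE_PREFS))
    print("sqlite hits:", scan_sample_db())
```

Column names are only the first pass; once a table flags, dump its rows and check whether the values are plaintext, encoded (previous slide) or actually encrypted.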
Checking the encryption level of files
•  Most files can be assigned a Data Protection API level (NOT
NSUserDefaults)
•  This designates when the file is accessible and unencrypted
NSFileProtectionComplete: Encrypted unless device is on and unlocked.
NSFileProtectionCompleteUnlessOpen: Encrypted unless device is on and unlocked, or the file is already open.
NSFileProtectionCompleteUntilFirstUserAuthentication: Encrypted until the user first unlocks the device after boot, until device shutdown. (default on iOS 7)
NSFileProtectionNone: Not tied to the passcode; readable whenever the device is booted. (default on iOS 6)
Checking the encryption level of files
Tool FileDP:
No DPAPI:
FileDP -d $app_path 2>&1 | grep -Ev "\.dll|\.nib|\.png|\.jpeg|\.jpg|\.css|\.gif" | grep NSFileProtectionNone | sed 's/^.*is://' | sed 's/ - protection.*$//'

NSFileProtectionCompleteUntilFirstUserAuthentication DPAPI:
FileDP -d $app_path 2>&1 | grep -Ev "\.dll|\.nib|\.png|\.jpeg|\.jpg|\.css|\.gif" | grep NSFileProtectionCompleteUntilFirstUserAuthentication | sed 's/^.*is://' | sed 's/ - protection.*$//'
Logs
•  iOS supports logging for applications using
NSLog. Tools:
– Apple Configuration Utility for Win (GUI)
– syslog on the command line (*nix)
Looking at ASL
Start:
tail -f /var/log/syslog | tee /private/var/root/SYSLOG.log 2>&1 &

Stop:
ps aux | grep -ie tail | grep -v grep | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
Keychain
Tool keychain dumper:
keychain_dumper 2>/dev/null | grep -i -B 3 -A 5 "yahoo"
Finding strings
credsearch.sh
Data Storage LABs
•  Damn Vulnerable iOS App
– Install DVIA
– Lab Coredata
– Lab NSUserDefaults
– Lab Find Weak DPAPI levels
– Lab Logging
– Lab keychain
Web
Proxy the device
•  HTTP Traffic:
•  Fire up Burp
•  Go to your phone and navigate to:
•  Settings -> Wi-Fi -> Network name -> HTTP
Proxy -> Manual
•  Enter the IP address of your machine
running Burp and the external port Burp is
listening on (Burp's listener must be bound to that
interface, not only to 127.0.0.1).
Proxy the device
HTTPS
•  Once proxied, go to http://burp/cert in Safari
•  Install the SSL cert (on iOS 10.3 and later you must also enable
full trust for it under Settings -> General -> About -> Certificate
Trust Settings)
SSL Headaches
•  Cert Pinning!
– SSLkillswitch - hooks functions within the Secure
Transport API
In /tools
Webservices
•  REST
– http://bank.com/accntdetails/12345
•  REST Params
– http://bank.com/accntdetails?id=12345
•  SOAP
Fuzz strings
•  Several payload sets for fuzzing available in
seclists:
•  Use Burp Intruder for these.
Fuzz strings
3rd Party Tools
iNalyzer
•  Static/bin analysis tool
•  Cracks app
•  Creates doxygen graph out of class-dump-z
data
•  Offers web GUI, finding plists, DBs etc.
•  Has a cycript console in its web GUI allowing
you to proxy the web GUI via Burp for fuzzing.
•  https://appsec-labs.com/iNalyzer
iNalyzer
Introspy
•  Runtime hooking and monitoring tool using
mobile substrate
•  Will log API calls for crypto, data storage,
network connections , ++ , to an SQLite db.
•  Separate tool parses the db, offers some
automated security checks.
•  Bad XML parsing, bad cert pinning, bad
keychain usage, pasteboard, http traffic, bad
data storage, crypto flaws.
•  http://isecpartners.github.io/Introspy-iOS/
idb
•  Ruby based GUI Tool to instrument and
automate some testing
•  GUI for SSH/USBmux, Log viewer, checks
imported libs, check for ASLR, SS, PIE (otool
checks), pasteboard viewer, URL scheme
fuzzer, keychain
•  https://github.com/dmayer/idb/wiki/Manual-and--Walk-Through
iret
•  Web based GUI instrumentation tool
•  Pretty much the same as idb
•  Has a function to create theos tweaks
Snoop-it
•  Web GUI
•  Runtime monitoring, debugging, tracing tool.
•  GUI for classes, methods, objects and can
invoke views and methods via web gui.
•  https://code.google.com/p/snoop-it/
XSecurity
•  Xcode plugin that extends clang analyzer
•  https://github.com/XSecurity/XSecurity
Binary + Source
Grep your way to $profit!
•  Decrypt an iOS app and the strings table
can reveal a lot... (Clutch works well)
•  class-dump-z + otool give more!
•  Whole companies are built on this =(
Unencrypting
•  Cracking the app to view data:
–  ClutchPatched from Cydia
–  The cracked app to be analyzed ends up in
–  /var/root/Documents/Cracked/
Grep Your way to $ecurity
https://github.com/jhaddix/ios_sh/blob/master/ios.sh
(columns: Issue | Bin or Source | Grep string)

Web Comms (secure or unsecure):
  http OR https
  openUrl, handleOpenURL, NSUrl, writeToUrl, CFStream, NSStream

Weak Cert management or SSL:
  setAllowsAnyHTTPSCertificate|kCFStreamSSLAllowsExpiredRoots|kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot

Exploit mitigations (PIE, StackProt, ARC):
  otool -Ivm "$app_binary_path" | grep stack_chk
  otool -hvm "$app_binary_path" | grep PIE
  otool -Ivm "$app_binary_path" | grep _objc | sort | sed -n '1,10p'
Grep Your way to $ecurity
(columns: Issue | Bin or Source | grep string)

Possible Format string bugs:
  grep -Ei "NSLog |stringWithFormat|initWithFormat|appendFormat|informativeTextWithFormat|predicateWithFormat|stringByAppendingFormat|alertWithMessageText|NSException +format|NSRunAlertPanel" | grep "%@"

App checks for JB status or has JB protection (common ones):
  grep -E "^/bin/bash$|^/Applications/Cydia.app$|/cydia.log$"

Pasteboard enabled:
  generalpasteboard

SQL from dynamic input (possible client/server SQLi):
  grep -Ei "^begin transaction|^select .* from |^update .* set |^delete from |^insert into " | grep "%@" | grep -v "SELECT id,access_token FROM test_account WHERE app_id"

Registered URL Schemes (for info only):
  grep -oE "[a-zA-Z][a-zA-Z0-9+.-]*://[^[:space:]<>#\"']+" | grep -Ev "http://|https://|radr://"
Grep Your way to $Privacy
(columns: Issue | Bin + Source | Privacy APIs)

App uses address book:                  ABAddressBookCopyArrayOfAllPeople|ABAddressBook
App uses ad or analytics (some):        GADBannerView|GADRequest|GADInterstitial|kGADAd|GADSearch|GoogleConversionPin|adwhirl
App has logging enabled:                _NSLog$
App uses Bluetooth:                     GKSession|MCSession|CBCentralManager
App uses Calendar:                      EKEventStore
Possible Weak or Guessable Hash/crypto: CC_MD2|CC_MD4|CC_MD5|CC_SHA1|kCCAlgorithmDES
App uses geolocation:                   CLLocation
App stores photos world accessible:     UIImageWriteToSavedPhotosAlbum
App uses Push Notifications:            registerForRemoteNotificationTypes
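Added example, not the ios.sh script linked above: the rows of the three grep tables ported to Python so they run as one pass over a strings dump or a source file, keeping the two-stage "grep | grep" rows and the grep -v exclusions. The sample lines are constructed for the demo and the rule names are my own labels; the regexes themselves are the tables' strings.

```python
import re

# One rule per row of the grep tables: every regex in `need` must match a
# line (the tables pipe one grep into another), and `skip` drops the noise
# the tables removed with grep -v. Flags follow the tables' use of grep -i.
RULES = {
    "weak-ssl":      (["setAllowsAnyHTTPSCertificate|kCFStreamSSLAllowsExpiredRoots|"
                       "kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot"], None, 0),
    "format-string": (["NSLog |stringWithFormat|initWithFormat|appendFormat|"
                       "informativeTextWithFormat|predicateWithFormat|stringByAppendingFormat|"
                       "alertWithMessageText|NSException +format|NSRunAlertPanel", "%@"], None, re.I),
    "jb-check":      ([r"^/bin/bash$|^/Applications/Cydia\.app$|/cydia\.log$"], None, 0),
    "pasteboard":    (["generalpasteboard"], None, re.I),
    "dynamic-sql":   ([r"^(begin transaction|select .* from |update .* set |delete from |insert into )", "%@"],
                      "SELECT id,access_token FROM test_account WHERE app_id", re.I),
    "url-scheme":    ([r"[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s<>#\"']+"], "http://|https://|radr://", 0),
    "address-book":  (["ABAddressBookCopyArrayOfAllPeople|ABAddressBook"], None, 0),
    "ads-analytics": (["GADBannerView|GADRequest|GADInterstitial|kGADAd|GADSearch|GoogleConversionPin|adwhirl"], None, 0),
    "logging":       (["_NSLog$"], None, 0),
    "bluetooth":     (["GKSession|MCSession|CBCentralManager"], None, 0),
    "calendar":      (["EKEventStore"], None, 0),
    "weak-crypto":   (["CC_MD2|CC_MD4|CC_MD5|CC_SHA1|kCCAlgorithmDES"], None, 0),
    "geolocation":   (["CLLocation"], None, re.I),
    "photo-album":   (["UIImageWriteToSavedPhotosAlbum"], None, 0),
    "push":          (["registerForRemoteNotificationTypes"], None, 0),
}


def scan_strings(text: str) -> dict:
    """Run every rule over each line of a `strings` dump or source file and
    return {rule: [matching lines]} for the rules that fired."""
    hits = {}
    for name, (need, skip, flags) in RULES.items():
        musts = [re.compile(p, flags) for p in need]
        drop = re.compile(skip, flags) if skip else None
        for line in text.splitlines():
            if all(m.search(line) for m in musts) and not (drop and drop.search(line)):
                hits.setdefault(name, []).append(line)
    return hits


# Constructed sample: lines of the kind `strings` prints for a decrypted
# binary, mixed with source lines, including two decoys the tables exclude.
SAMPLE_STRINGS = """\
User %@ logged in with token %@
setAllowsAnyHTTPSCertificate:forHost:
[NSString stringWithFormat:@"pw=%@", pw]
/Applications/Cydia.app
SELECT * FROM users WHERE name = '%@'
SELECT id,access_token FROM test_account WHERE app_id=%@
myapp://callback
https://api.example.com/v1
CC_MD5
CLLocationManager
_NSLog
generalPasteboard
"""

if __name__ == "__main__":
    for rule, lines in scan_strings(SAMPLE_STRINGS).items():
        for line in lines:
            print(f"[{rule}] {line}")
```

On a device: `strings TargetApp > /tmp/strings.txt` on the Clutch output, then `scan_strings(open("/tmp/strings.txt").read())`; a hit is a lead to confirm in Hopper or at runtime, not a finding by itself.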
  
Bin Analysis w/Hopper
•  http://www.hopperapp.com/
DVIA Challenges
•  Binary Patching
•  Broken Cryptography
•  Security Via Untrusted Inputs
Common Findings (some)
Client Side Vulns
Vuln - Notes
Format String Injection
Image Cache Disclosure
Saving private photos to the global photo roll instead of the sandbox
Client side SQL injection - Low risk
Sensitive data over unauthenticated Web Service
Encryption Using ECB Mode
Failure to Validate Source Application from openURL
General Pasteboard Use
iOS Keyboard Cache Exposure
Weak Cryptographic Hash: Hardcoded Salt
Keychain entry unencrypted (weak accessibility class such as kSecAttrAccessibleAlways)
Client Side Vulns
Vuln - Notes
Cryptographic Keys Stored in Client - Usually in binary or sqlite db
Application Compiled Without Stack-Smashing Protection - Found using otool
Application Compiled Without PIE Protection - Found using otool
Application Credentials Stored Clear Text in Memory
Application Logs Leak Sensitive Info (NSLog) - Found by monitoring ASL
Sensitive data storage using a binary sqlite database (NSManagedObjects)
Sensitive data storage using binary plists (NSUserDefaults)
Authorization Bypass - On pin/pass screens, usually using cycript
Transport and Web Vulns
Vuln - Notes
No SSL - Pretty much all sensitive info should be over HTTPS
Weak Certificate Management - See slide 54
HTTPS can be downgraded to HTTP - Anyone in the middle can use SSLstrip to do this, or Burp - http://goo.gl/DnP4GA
Account Enumeration via Response - Usernames mostly
Sensitive data sent to ad or analytics endpoint (http or https) - Baking in an ad/analytics framework can often do things devs don't even know about
Arbitrary file upload - Self explanatory; try old tricks here - http://goo.gl/HqMDeY
Web Service Data Exposure - A lot of these mobile WS will return a ton of data, and the app will only parse out some of it. An attacker will get it all.
Transport and Web Vulns
Vuln - Notes
SSL/Cert Pinning implementation Defeatable - sslkillswitch
CSRF
Open Redirection
XML Entity Expansion Injection
Weak Serverside SSL Implementation - SSL Labs or SSLAudit - http://goo.gl/5CtFBq
Logout does not destroy session serverside (cookie reuse after logout)
Transport and Web Vulns
Vuln - Notes
Application accepts method switch (GET <-> POST)
Verbose Errors
SQL Injection - Burp scanner or Generic_SQLi.txt fuzz list
XSS
Credentials/session tokens Sent In URL Query String
Lack of Account Lockout
Web service does not use correct content type - Make sure all web service calls return non-javascript-executable content types
UDID Leakage
Directory Traversal
Logout Does Not Clear Saved Credentials / Destroy Session - Copy cookies, logout, replace cookies
Things we didn't talk about due to time constraints:
1.  Manually decrypting apps
2.  class-dump-z
3.  otool
4.  MobileSubstrate or Theos or CaptainHook frameworks
5.  Flex patching for beginners
6.  XML Parsing vulns
7.  KB cache
8.  Snapshot caching
9.  Copy paste buffer / UI pasteboard
10. URL Scheme fuzzing (can be done easily with idb)
11. URL Scheme spoofing
12. Capturing non-http(s) traffic
13. Cookie parsing
14. Filemon
15. Sqlite injection
16. Shared keychain access
Runtime
Cycript
•  Labs
– DVIA Jailbreak test 1
– DVIA Login Method 1
•  Practical reading:
– /resources/cycript and GDB/
Special Thanks
James Fitts
Daniel Miessler
Dawn Isabell
Brad Wolfe
Prateek Gianchandani
Sources:
Sep 12, 2013 - How to Assess and Secure iOS apps by NCC Group
May 2, 2012 - iOS Application (In)Security by Dominic Chell
October 2, 2012 - iOS Security by Apple
April 21, 2011 - Secure Development on iOS by David Thiel (NCC Group)
Aug 11, 2011 - Auditing iPhone and iPad applications by Ilja Van Sprundel
iOS Reverse engineering blog content by Prateek Gianchandani of highaltitudehacks.com

Tool Demos:
Daniel Mayer - idb
Satish Bommisetti - FileDP

Auxiliary reading:
My Old class
https://dl.dropboxusercontent.com/u/37776965/Sources_external.rar
Collage of #FAIL
(Screenshots)
Screenshots aka iOS Backgrounding
Logging
3rd party analytics companies are sent your age, zip, location, UDID, etc
Library/Preferences/com.kik.chat.plist:
- Username
- Password
- Email
Documents/kik.sqlite:
- Chat history
I Want More Ninja – iOS Security Testing

 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS security
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailSyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`s
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
 

Similar a I Want More Ninja – iOS Security Testing

iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side AnalysisAadarsh N
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDefconRussia
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)TestDevLab
 
First app on Samsung Smart TV - WarsawJS Meetup #1
First app on Samsung Smart TV - WarsawJS Meetup #1First app on Samsung Smart TV - WarsawJS Meetup #1
First app on Samsung Smart TV - WarsawJS Meetup #1Piotr Kowalski
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andAlisa Esage Шевченко
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdfBeratAkit
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
Ubuntu Core 技术详解
Ubuntu Core 技术详解Ubuntu Core 技术详解
Ubuntu Core 技术详解Rex Tsai
 

Similar a I Want More Ninja – iOS Security Testing (20)

iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side Analysis
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Usb Drive Protector
Usb Drive ProtectorUsb Drive Protector
Usb Drive Protector
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
 
First app on Samsung Smart TV - WarsawJS Meetup #1
First app on Samsung Smart TV - WarsawJS Meetup #1First app on Samsung Smart TV - WarsawJS Meetup #1
First app on Samsung Smart TV - WarsawJS Meetup #1
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
Ubuntu Core 技术详解
Ubuntu Core 技术详解Ubuntu Core 技术详解
Ubuntu Core 技术详解
 

Último

PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 

Último (17)

PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 

I Want More Ninja – iOS Security Testing

  • 14. Not iPad Software
    1. Get USB mux installed
       1. This way you don't need a network
    Windows batch file that relays the device's SSH port (22) to local port 2222 over USB:
      ECHO OFF
      :: CMD will no longer show us what command it's executing (cleaner)
      ECHO USB MUX Connection!
      Python27\python.exe usbmuxd-1.0.8\python-client\tcprelay.py -t 22:2222
  • 15. Now you have *NIX
    1. Now you have a functioning *nix environment on your iPad.
    2. A Lab Mac
    3. A Lab PC
    Let's talk about what we are looking for!
  • 17. We test Apps
    1. We live in userland
    2. We still have fun
    3. Remember, it's for the customer
  • 18. Where Apps live
    On the iDevice, once installed, the IPA file (remember, just a zip) is extracted to the application's sandboxed folder:
      /var/mobile/Applications/APPGUID/
  • 19. Installing IPAs
    Use the IPA Installer Console (or AppCake) to install apps that you have IPAs for. AppCake IPAs must be dropped in:
      /var/mobile/Media/Appcake/Imported
    Example session with ipainstaller:
      Ender:~ root# ipainstaller -c TargetApp.ipa
      Clean installation enabled.
      Will not restore any saved documents and other resources.
      Analyzing TargetApp.ipa...
      Installing TargetApp (v1.0)...
      Installed TargetApp (v1.0) successfully.
      Cleaning old contents of TargetApp...
  • 20. listapps
    Place in /usr/bin/:
      #!/bin/sh
      # list every installed app bundle, sorted (case-insensitively) by bundle name,
      # which is the 6th "/"-separated field of /var/mobile/Applications/<guid>/<name>.app
      ls -d /var/mobile/Applications/*/*.app | sort -f -t / -k 6
  • 22. running
    Place in /usr/bin/:
      #!/bin/bash
      # PID and binary path of every process running as the mobile user out of /var/mobile
      ps aux | grep mobile | awk -F" " '{print $2, $11}' | grep /var/mobile
  • 24. Appname.app/
    Let's explore an app bundle directory; inside it are the bare-bones pieces of the app once installed:
      ls -alX <appPath/appName.app>
  • 26. $Appname.app/
    Other files inside of the bundle (.app/):
    • Image files
    • Info.plist
    • Hard coded certs
    • Pre configured SQLite dbs
    More on the content of the app directory later.
  • 27. $appguid/
    Up one directory from your app's .app folder are its sandbox directory folders (the app's "container"). Upon first run things get copied here, and the important storage, settings and cache files live here.
      ls -alX $appPath/
    • /var/mobile/Applications/<long string here>/
  • 29. Looking for Vulns
    OWASP Mobile Top 10 Risks:
    M1 – Weak Server Side Controls
    M2 – Insecure Data Storage
    M3 – Insufficient Transport Layer Protection
    M4 – Unintended Data Leakage
    M5 – Poor Authorization and Authentication
    M6 – Broken Cryptography
    M7 – Client Side Injection
    M8 – Security Decisions Via Untrusted Inputs
    M9 – Improper Session Handling
    M10 – Lack of Binary Protections
  • 30. Client-Side (OWASP Mobile Top 10 Risks, same list as slide 29)
  • 31. What are we looking for?
    • Usernames
    • Authentication tokens
    • Passwords
    • Cookies
    • Location data
    • Sensitive Images
    • UDID/IMEI
    • Device Name
    • Network Names
    • DoB
    • Address
    • Social
    • Card Data
    • Stored application logs
    • Debug information
    • Cached messages
    • Transaction histories
    • PIN numbers
  • 32. What are we looking for?
    Many apps will encode sensitive data, not encrypt. Look for (this is "password"):
    • Base64 – cGFzc3dvcmQ=
    • Hex – 70617373776f7264
    • Decimal – 112 97 115 115 119 111 114 100
    • MD5 – 5f4dcc3b5aa765d61d8327deb882cf99
    • SHA1 – 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
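The encoded forms above are what a tester looks for by hand; as an added example (not from the deck), this Python helper builds the same Base64/hex/decimal/MD5/SHA1 forms of a known value and locates them in extracted app data, so a plist or SQLite file that merely encodes the test account's password gets flagged. The sample store and the `scan_container` walker are constructed for this example.

```python
"""Locate a known sensitive value inside extracted app data even when the
app only encoded it (Base64, hex, decimal, MD5, SHA1) instead of encrypting
it.  Added example, not part of the original deck; SAMPLE_STORE is constructed."""
import base64
import hashlib
import os
import re


def encodings_of(secret: str) -> dict:
    """The representations listed on the slide for one plaintext value."""
    raw = secret.encode()
    return {
        "plaintext": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "decimal": " ".join(str(b) for b in raw),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }


def find_encoded(text: str, secret: str) -> list:
    """Return (encoding, offset) for every stored form of `secret` in `text`,
    ordered by offset.  Hex-style forms match regardless of letter case."""
    hits = []
    for name, needle in encodings_of(secret).items():
        flags = re.IGNORECASE if name in ("hex", "md5", "sha1") else 0
        hits.extend((name, m.start())
                    for m in re.finditer(re.escape(needle), text, flags))
    return sorted(hits, key=lambda h: h[1])


def scan_container(root: str, secret: str) -> dict:
    """Walk an app container copied off the device (the $appguid/ directory)
    and map each file to its encoded-secret hits.  Files are read as latin-1
    so binary plists and SQLite pages can still be searched for ASCII forms."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = find_encoded(fh.read().decode("latin-1"), secret)
            if hits:
                report[path] = hits
    return report


# Constructed fragment of what a plist plus a SQLite dump might contain.
SAMPLE_STORE = (
    "<key>user</key><string>alice</string>\n"
    "<key>pw</key><string>cGFzc3dvcmQ=</string>\n"
    "<key>pw_hash</key><string>5F4DCC3B5AA765D61D8327DEB882CF99</string>\n"
    "INSERT INTO creds VALUES('bob', X'70617373776f7264');\n"
)

if __name__ == "__main__":
    for enc, off in find_encoded(SAMPLE_STORE, "password"):
        print(f"{enc:9s} at offset {off}")
```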
  • 33. Logs, SQLite, Plists, Caches, oh my!
  • 34. Logs, SQLite, Plists, Caches, oh my! (M2 – Insecure Data Storage)
    • All of the last slide will be stored by one app or another.
    • Some are OK to store as long as the file is protected by encryption.
    • Others are usually bad to store all the time and should be handled:
      – In memory
      – Encrypted in the keychain
      – On the server exclusively
  • 35. Working with data storage files
    • Most data stores can be inspected easily with a text editor, except:
      – Plists
        • XML
        • Binary
      – SQLite Databases
  • 36. Plists
    Data storage via NSUserDefaults
    Tools on Mac:
    § Xcode plist editor will read both formats
    § plutil will convert a binary plist to an XML one
    Tools on Windows:
    § Plist Editor Pro will read and save either format
    § Notepad++
  • 39. SQLite
    • iOS supports SQLite for data storage using NSManagedObject (Core Data)
    • Tools:
      – SQLite Database Browser for Win (GUI)
      – sqlite on the command line
  • 40. Checking the encryption level of files
    • Most files can be assigned a Data Protection API level (NOT NSUserDefaults)
    • This designates when the file is accessible and unencrypted
    NSFileProtectionComplete: Encrypted unless device is on and unlocked.
    NSFileProtectionCompleteUnlessOpen: Encrypted unless device is on and unlocked, or the file is already open.
    NSFileProtectionCompleteUntilFirstUserAuthentication: Encrypted until the user first unlocks the device, until device shutdown. (default on iOS 7)
    NSFileProtectionNone: Unencrypted (default on iOS 6)
  • 41. Checking the encryption level of files
    Tool: FileDP
    No DPAPI:
      FileDP -d $app_path 2>&1 | grep -vE ".dll|.nib|.png|.jpeg|.jpg|.css|.gif" | grep NSFileProtectionNone | sed 's/^.*is://' | sed 's/ - protection.*$//'
    NSFileProtectionCompleteUntilFirstUserAuthentication DPAPI:
      FileDP -d $app_path 2>&1 | grep -vE ".dll|.nib|.png|.jpeg|.jpg|.css|.gif" | grep NSFileProtectionCompleteUntilFirstUserAuthentication | sed 's/^.*is://' | sed 's/ - protection.*$//'
  • 42. Logs
    • iOS supports logging for applications using NSLog
    Tools:
      – Apple Configuration Utility for Win (GUI)
      – syslog on the command line (*nix)
  • 43. Looking at ASL
    Start:
      tail -f /var/log/syslog | tee /private/var/root/SYSLOG.log 2>&1 &
    Stop:
      ps aux | grep -ie tail | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
  • 44. Keychain
    Tool: keychain_dumper
      keychain_dumper 2>/dev/null | grep -i -B 3 -A 5 "yahoo"
  • 47. Data Storage LABs
    • Damn Vulnerable iOS App
      – Install DVIA
      – Lab Coredata
      – Lab NSUserDefaults
      – Lab Find Weak DPAPI levels
      – Lab Logging
      – Lab keychain
  • 48. Web
  • 49. Proxy the device
    • HTTP Traffic:
    • Fire up Burp
    • Go to your phone and navigate to:
    • Settings -> Wi-Fi -> Network name -> HTTP Proxy -> Manual
    • Enter the IP address of your machine running Burp and the external port Burp is listening on.
  • 51. HTTPS
    • Once proxied, go to http://burp/cert in Safari
    • Install SSL cert
  • 52. SSL Headaches
    • Cert Pinning!
      – SSLkillswitch - hooks functions within the Secure Transport API (in /tools)
  • 53. Webservices
    • REST
      – http://bank.com/accntdetails/12345
    • REST Params
      – http://bank.com/accntdetails?id=12345
    • SOAP
  • 54. Fuzz strings
    • Several payload sets for fuzzing are available in SecLists.
    • Use Burp Intruder for these.
  • 57. iNalyzer
    • Static/bin analysis tool
    • Cracks app
    • Creates Doxygen graph out of classdump-z data
    • Offers web GUI, finding plists, dbs etc.
    • Has a cycript console in its web GUI, allowing you to proxy the web GUI via Burp for fuzzing.
    • https://appsec-labs.com/iNalyzer
  • 59. Introspy
    • Runtime hooking and monitoring tool using MobileSubstrate
    • Will log API calls for crypto, data storage, network connections, ++, to an SQLite db.
    • Separate tool parses the db, offers some automated security checks.
    • Bad XML parsing, bad cert pinning, bad keychain usage, pasteboard, HTTP traffic, bad data storage, crypto flaws.
    • http://isecpartners.github.io/Introspy-iOS/
  • 61. idb
    • Ruby based GUI tool to instrument and automate some testing
    • GUI for SSH/USBmux, log viewer, checks imported libs, checks for ASLR, SS, PIE (otool checks), pasteboard viewer, URL scheme fuzzer, keychain
    • https://github.com/dmayer/idb/wiki/Manual- and--Walk-Through
  • 63. iret
    • Web based GUI instrumentation tool
    • Pretty much the same as idb
    • Has a function to create Theos tweaks
  • 65. Snoop-it
    • Web GUI
    • Runtime monitoring, debugging, tracing tool.
    • GUI for classes, methods, objects; can invoke views and methods via the web GUI.
    • https://code.google.com/p/snoop-it/
  • 67. XSecurity
    • Xcode plugin that extends the clang analyzer
    • https://github.com/XSecurity/XSecurity
  • 69. Grep your way to $profit!
    • Un-encrypt an iOS app and the strings table can reveal a lot... (Clutch works well)
    • classdump-z + otool give more!
    • Whole companies are built on this =(
  • 70. Unencrypting
    • Cracking the app to view data:
      – ClutchPatched from Cydia
      – Cracked app to be analyzed ends up in
      – /var/root/Documents/Cracked/
  • 71. Grep Your way to $ecurity
    https://github.com/jhaddix/ios_sh/blob/master/ios.sh
    Issue: Bin or Source grep string
    • Web Comms (secure or unsecure): http OR https; openUrl, handleOpenURL, NSUrl, writeToUrl, CFStream, NSStream
    • Weak Cert management or SSL: setAllowsAnyHTTPSCertificate|kCFStreamSSLAllowsExpiredRoots|kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot
    • Exploit mitigations (PIE, StackProt, ARC):
        otool -Ivm "$app_binary_path" | grep stack_chk
        otool -hvm "$app_binary_path" | grep PIE
        otool -Ivm "$app_binary_path" | grep _objc | sort | sed -n '1,10p'
  • 72. Grep Your way to $ecurity
    Issue: Bin or Source grep string
    • Possible Format string bugs:
        grep -iE "NSLog |stringWithFormat|initWithFormat|appendFormat|informativeTextWithFormat|predicateWithFormat|stringByAppendingFormat|alertWithMessageText|NSException +format|NSRunAlertPanel" | grep "%@"
    • App checks for JB status or has JB protection (common ones):
        grep -E "^/bin/bash$|^/Applications/Cydia.app$|/cydia.log$"
    • Pasteboard enabled: generalpasteboard
    • SQL from dynamic input (possible client/server SQLi):
        grep -iE "^begin transaction|^select .* from |^update .* set |^delete from |^insert into " | grep "%@" | grep -v "SELECT id,access_token FROM test_account WHERE app_id"
    • Registered URL Schemes (for info only):
        grep -oE "[a-zA-Z][a-zA-Z0-9+.-]*://[^[:space:]<>#\"']+" | grep -vE "http://|https://|radr://"
  • 73. Grep Your way to $Privacy
    Issue: Bin + Source Privacy APIs
    • App uses address book: ABAddressBookCopyArrayOfAllPeople|ABAddressBook
    • App uses ad or analytics (some): GADBannerView|GADRequest|GADInterstitial|kGADAd|GADSearch|GoogleConversionPin|adwhirl
    • App has logging enabled: _NSLog$
    • App uses Bluetooth: GKSession|MCSession|CBCentralManager
    • App uses Calendar: EKEventStore
    • Possible weak or guessable hash/crypto: CC_MD2|CC_MD4|CC_MD5|CC_SHA1|kCCAlgorithmDES
    • App uses geolocation: cllocation
    • App stores photos world accessible: UIImageWriteToSavedPhotosAlbum
    • App uses Push Notifications: registerForRemoteNotificationTypes
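The otool lines need the binary itself, but the grep strings in the $ecurity and $Privacy tables above can be run offline against a strings or classdump-z text dump of the decrypted app; as an added example (not the deck's own ios.sh), this Python triage script applies those patterns, keeps the slide's second-stage "%@" filter for the format-string and SQL checks, and groups matching lines by issue. SAMPLE_DUMP is constructed.

```python
"""Triage a strings / classdump-z text dump of an app binary with the grep
patterns from the "Grep Your way to $ecurity / $Privacy" tables.  Added
example, not the deck's own ios.sh; SAMPLE_DUMP is constructed."""
import re

# (issue, regex, second-stage substring or None, case-insensitive?)
# The regexes are the slide's grep strings; the second stage mirrors the
# "| grep %@" the slide applies to the format-string and SQL checks.
CHECKS = [
    ("Web comms (secure or unsecure)",
     r"https?://|openUrl|handleOpenURL|NSUrl|writeToUrl|CFStream|NSStream", None, True),
    ("Weak cert management or SSL",
     r"setAllowsAnyHTTPSCertificate|kCFStreamSSLAllowsExpiredRoots"
     r"|kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot", None, False),
    ("Possible format string bug",
     r"NSLog |stringWithFormat|initWithFormat|appendFormat|informativeTextWithFormat"
     r"|predicateWithFormat|stringByAppendingFormat|alertWithMessageText"
     r"|NSException +format|NSRunAlertPanel", "%@", True),
    ("Jailbreak detection present",
     r"^/bin/bash$|^/Applications/Cydia\.app$|/cydia\.log$", None, False),
    ("Pasteboard enabled", r"generalpasteboard", None, True),
    ("SQL built from dynamic input",
     r"^begin transaction|^select .* from |^update .* set |^delete from |^insert into ",
     "%@", True),
    ("App uses address book", r"ABAddressBookCopyArrayOfAllPeople|ABAddressBook", None, False),
    ("App uses ad or analytics",
     r"GADBannerView|GADRequest|GADInterstitial|kGADAd|GADSearch|GoogleConversionPin|adwhirl",
     None, False),
    ("App has logging enabled", r"_NSLog$", None, False),
    ("App uses Bluetooth", r"GKSession|MCSession|CBCentralManager", None, False),
    ("App uses Calendar", r"EKEventStore", None, False),
    ("Possible weak or guessable hash/crypto",
     r"CC_MD2|CC_MD4|CC_MD5|CC_SHA1|kCCAlgorithmDES", None, False),
    ("App uses geolocation", r"cllocation", None, True),
    ("App stores photos world accessible", r"UIImageWriteToSavedPhotosAlbum", None, False),
    ("App uses push notifications", r"registerForRemoteNotificationTypes", None, False),
]

# Registered URL schemes: the slide extracts every scheme://... token and
# drops the ones every app has (http, https, radr).
URL_TOKEN = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>#\"']+")
IGNORED_SCHEMES = ("http://", "https://", "radr://")


def triage(dump: str) -> dict:
    """Map each issue to the dump lines that triggered it (in file order)."""
    lines = dump.splitlines()
    findings = {}
    for issue, pattern, second, nocase in CHECKS:
        rx = re.compile(pattern, re.IGNORECASE if nocase else 0)
        hits = [ln for ln in lines
                if rx.search(ln) and (second is None or second in ln)]
        if hits:
            findings[issue] = hits
    schemes = [m.group(0) for ln in lines for m in URL_TOKEN.finditer(ln)
               if not m.group(0).lower().startswith(IGNORED_SCHEMES)]
    if schemes:
        findings["Registered URL schemes (info only)"] = sorted(set(schemes))
    return findings


# Constructed lines, as they might appear in a strings dump or the source.
SAMPLE_DUMP = """\
https://api.example.test/v1/login
setAllowsAnyHTTPSCertificate:
[NSString stringWithFormat:@"Login failed for user %@", name]
generalPasteboard
/Applications/Cydia.app
SELECT * FROM accounts WHERE owner = '%@'
CC_MD5
CLLocationManager
myapp://callback/oauth
_NSLog
"""

if __name__ == "__main__":
    for issue, hits in triage(SAMPLE_DUMP).items():
        print(issue)
        for h in hits:
            print("   ", h)
```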
  • 75. Bin Analysis w/Hopper •  http://www.hopperapp.com/ DVIA Challenges •  Binary Patching •  Broken Cryptography •  Security Via Untrusted Inputs
  • 77. Client Side Vulns Vuln   Notes   Format  String  Injec'on   Image  Cache  Disclosure   Saving  priv  photos  to  the  global  photoroll   instead  of  sandbox   Client  side  SQL  injec'on   Low  risk   Sensi've  data  over  unauthen'cated  Web   Service   Encryp'on  Using  ECB  Mode   Failure  to  Validate  Source  Applica'on  from   openURL   General  Pasteboard  Use   iOS  Keyboard  Cache  Exposure   Weak  Cryptographic  Hash:  Hardcoded  Salt   Keychain  entry  unencrypted  
  • 78. Client Side Vulns Vuln   Notes   Cryptographic  Keys  Stored  in  Client   Usually  in  binary  or  sqlitedb   Applica'on  Compiled  Without  Stack-­‐ Smashing  Protec'on   Found  using  otool   Applica'on  Compiled  Without  PIE   Protec'on   Found  using  otool     Applica'on  Creden'als  Stored  Clear  Text  in   Memory     Applica'on  Logs  Leak  Sensi've  Info  (NSLog)   Found  by  monitoring  ASL   Sensi've  data  storage  using  a  binary  sqlite   database  (NSManagedObjects)   Sensi've  data  storage  using  binary  plists   (NSUserDefaults)   Authoriza'on  Bypass   On  pin/pass  screens,  Usually  using  cycript  
• 79. Transport and Web Vulns (vuln - notes)
o No SSL - pretty much all sensitive info should be over HTTPS
o Weak Certificate Management - see slide 54
o HTTPS can be downgraded to HTTP - anyone in the middle can use SSLstrip to do this, or Burp - http://goo.gl/DnP4GA
o Account Enumeration via Response - usernames mostly
o Sensitive data sent to ad or analytics endpoint (http or https) - baking in an ad/analytics framework can often do things devs don't even know about
o Arbitrary file upload - self explanatory; try old tricks here - http://goo.gl/HqMDeY
o Web Service Data Exposure - a lot of these mobile web services return a ton of data, and the app only parses out some of it. An attacker will get it all.
• 80. Transport and Web Vulns (vuln - notes)
o SSL/Cert Pinning implementation Defeatable - sslkillswitch
o CSRF
o Open Redirection
o XML Entity Expansion Injection
o Weak Serverside SSL Implementation - SSL Labs or SSLAudit - http://goo.gl/5CtFBq
o Logout does not destroy session serverside (cookie reuse after logout)
• 81. Transport and Web Vulns (vuln - notes)
o Application accepts method switch (GET/POST)
o Verbose Errors
o SQL Injection - Burp scanner or Generic_SQLi.txt fuzz list
o XSS
o Credentials/session tokens Sent In URL Query String
o Lack of Account Lockout
o Web service does not use correct content type - make sure all web service calls return non-JavaScript-executable content types
o UDID Leakage
o Directory Traversal
o Logout Does Not Clear Saved Credentials / Destroy Session - copy cookies, logout, replace cookies
• 82. Things we didn't talk about due to time constraints:
1. Manually decrypting apps
2. Classdump-z
3. Otool
4. MobileSubstrate or Theos or CaptainHook frameworks
5. Flex patching for beginners
6. XML Parsing vulns
7. KB cache
8. Snapshot caching
9. Copy paste buffer / UI pasteboard
10. URL Scheme fuzzing (can be done easily with idb)
11. URL Scheme spoofing
12. Capturing non-http(s) traffic
13. Cookie parsing
14. Filemon
15. Sqlite injection
16. Shared keychain access
• 84. Cycript
• Labs
o DVIA Jailbreak test 1
o DVIA Login Method 1
• Practical reading:
o /resources/cycript and GDB/
• 85. Special Thanks
James Fitts
Daniel Miessler
Dawn Isabell
Brad Wolfe
Prateek Gianchandani
• 86. Sources:
Sep 12, 2013 - How to Assess and Secure iOS apps by NCC Group
May 2, 2012 - iOS Application (In)Security by Dominic Chell
October 2, 2012 - iOS Security by Apple
April 21, 2011 - Secure Development on iOS by David Thiel (NCC Group)
Aug 11, 2011 - Auditing iPhone and iPad applications by Ilja Van Sprundel
iOS Reverse engineering blog content by Prateek Gianchandani of Highaltitudehacks.com
Tool Demos:
Daniel Mayer - idb
Satish Bomsetti - FileDP
Auxiliary reading:
My Old class
https://dl.dropboxusercontent.com/u/37776965/Sources_external.rar
• 89. Screenshots aka iOS Backgrounding
• 99. 3rd party analytics companies are sent your age, zip, location, UDID, etc.
• 100. Library/Preferences/com.kik.chat.plist:
o Username
o Password
o Email
• 101. Documents/kik.sqlite:
o Chat history
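Once you have pulled an app's sandbox with iFunBox or scp, the two storage rows from slide 78 (binary plists from NSUserDefaults, sqlite databases) and the kik plist and database above come down to the same triage: what is in the plist, and what tables and columns does the db have. Added example, not from the deck: a plist walker that flags credential-looking keys and a sqlite schema report. The sensitive-name regex is a starting list of mine; the sample plist reuses the key names from the slide with made-up values, and the chat schema is constructed, not kik's.

```python
import plistlib
import re
import sqlite3

# Names that usually mark credentials, tokens or PII. Assumption: a starting list, tune per app.
SENSITIVE_NAME = re.compile(r"user|pass|pwd|email|token|secret|session|auth|cookie", re.I)


def _leaves(node, path=""):
    """Yield (key_path, value) for every leaf of a plist object tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, "%s/%s" % (path, key))
    elif isinstance(node, (list, tuple)):
        for i, value in enumerate(node):
            yield from _leaves(value, "%s[%d]" % (path, i))
    else:
        yield path, node


def sensitive_plist_entries(plist_bytes):
    """Leaves whose key path looks sensitive. plistlib.loads autodetects the binary
    (bplist00) format NSUserDefaults writes as well as XML plists, so the same call
    works on anything under Library/Preferences."""
    tree = plistlib.loads(plist_bytes)
    return {path: value for path, value in _leaves(tree) if SENSITIVE_NAME.search(path)}


def sqlite_schema_report(conn):
    """Per table: all columns, row count, and the columns whose names look sensitive.
    Pass sqlite3.connect(path) for a pulled Documents/*.sqlite file."""
    report = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)]
        rows = conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
        report[table] = {
            "columns": cols,
            "rows": rows,
            "flagged": [c for c in cols if SENSITIVE_NAME.search(c)],
        }
    return report


# ---- constructed samples: key names follow the slide, values and schema are made up
SAMPLE_PLIST = plistlib.dumps({
    "Username": "alice",
    "Password": "hunter2",
    "Email": "alice@example.com",
    "Prefs": {"theme": "dark", "sessionToken": "00deadbeef"},
}, fmt=plistlib.FMT_BINARY)


def sample_chat_db():
    """In-memory stand-in for a pulled chat database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT, auth_token TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, peer TEXT, body TEXT, sent_at TEXT)")
    conn.execute("INSERT INTO account (username, auth_token) VALUES ('alice', '00deadbeef')")
    conn.executemany("INSERT INTO messages (peer, body, sent_at) VALUES (?, ?, ?)",
                     [("bob", "meet at 6?", "2014-07-01T10:00:00"),
                      ("bob", "bring the keys", "2014-07-01T10:01:00")])
    return conn


if __name__ == "__main__":
    for path, value in sensitive_plist_entries(SAMPLE_PLIST).items():
        print("%-22s %s" % (path, value))
    for table, info in sqlite_schema_report(sample_chat_db()).items():
        print(table, info)
```

A password sitting in a plist under Library/Preferences is the finding itself (that is keychain data, not NSUserDefaults data); for the sqlite side, the row counts tell you how much history a stolen backup or a file-system-level attacker walks away with.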