SlideShare una empresa de Scribd logo
1 de 60
Descargar para leer sin conexión
CNIT 128
Hacking Mobile Devices
2. Analyzing iOS Apps

Part 1
Topics: Part 1
• The Security Model

• iOS Apps

• Jailbreaking Explained
Topics: Part 2
• The Data Protection API

• The iOS Keychain

• TouchID

• Reverse Engineering iOS Binaries
The Security Model
Security Features
• Secure boot chain

• Code signing

• Process-level sandboxing

• Data-at-rest encryption

• Generic native language exploit mitigations

• Address space layout randomization

• Non-executable memory

• Stack smashing protection
Initializing iOS with
Secure Boot Chain
• Initializing and loading firmware

• Each step is cryptographically signed and
verified
Secure Boot Chain
• Boot ROM

• Read-only portion of the processor

• Contains public key for Apple's CA

• Used to verify next step: the LLB
Secure Boot Chain
• LLB (Low-Level Bootloader)

• Finds iBoot

• Verifies its signature

• If signature check fails, boots into recovery
mode
Secure Boot Chain
• iBoot

• Verifies and loads the iOS kernel

• iOS Kernel

• Loads usermode environment and OS
Secure Enclave
• Secure coprocessor shipped with all
modern iPhones and iPads

• Since iPhone 5s

• Handles cryptography on device

• Key management for

• Data Protection API

• Touch ID fingerprint data
Secure Enclave
• A customized version of ARM TrustZone

• Partitions itself from main processor

• Provides data integrity even if kernel is
compromised

• Even if device is jailbroken

• Secrets cannot be extracted

• Such as fingerprint data
Cachegrab
• Released in Dec. 2017

• Kernel code can deduce some information
about contents of the Secure Enclave

• Because it shares cache memory with
kernel processes

• Link Ch 2a
Restricting Application
Processes with Code Signing
• Validates signatures each time an app is
executed

• Only code signed with a trusted signature
can run

• Developers can install trusted certificates

• In a provisioning profile signed by Apple
App Store
• Production apps must be signed by Apple

• After submitting them to the App Store

• Apple bans risky activities

• Private APIs

• Apps that download and install
executable code
Isolating Apps with
Process-Level Sandboxing
• All third-party apps run in a sandbox
• Isolated from one another and from OS

• All apps run as the same mobile system user

• Each app is contained in its unique
directory

• Separation maintained by the XNU
Sandbox kernel extension
• From Jonathan Levin (link Ch 2b)
Permissions
• Since iOS 7, app needs permission from
user to access

• Media

• Microphone

• Address book
Protecting Information with
Data-at-Rest Encryption
• All file system data encrypted with AES

• Filesystem key generated on first boot

• Stored on block 1 of NAND flash storage

• Device decrypts filesystem on bootup

• Filesystem is only encrypted at rest

• Remote wipe erases the key
Data Protection API
• Can encrypt individual files and keychain
items

• Key derived from passcode

• Encrypted items are inaccessible when
device is locked
Exploit Mitigations
Write or Execute (W^X)
• Memory pages cannot be both writable and
executable at the same time

• Implemented with ARM's Execute Never
(XN) feature

• Pages marked as writable cannot be later
reverted to executable

• Similar to Data Execution Protection (DEP)
in Windows, Linux, and Mac OS X
Return-Oriented
Programming
• Bypasses non-executable memory

• Injection contains only addresses

• Pointing to fragments of code

• Exploit is built from these fragments
ASLR
• Address Space Layout Randomization

• Code location randomized

• Attacker cannot find the injected code to
run it

• Makes ROP chains more difficult to use
ASLR Weaknesses
• Before iOS 5, dynamic linker was not relocated

• Memory disclosure bugs

• Can be used to improve exploits

• Apps compiled with PIE (Position Independent
Execution) can use full ASLR

• All memory regions randomized

• Other apps put base binary and dynamic linker
at a fixed address
Stack Smashing
• Uses stack canaries
• Pseudorandom values on stack

• Buffer overflow attacks overwrite the
canary values

• And terminate the app
iOS Apps
Three Groups of Apps
• Standard native apps

• Browser-based apps

• Hybrid apps
Standard Native Apps
• Most common type

• Written in Objective-C or Swift

• Compiled to native code

• Linked against iOS SDK and Cocoa Touch
frameworks
Browser-Based Apps
• Render in iOS web views

• Loaded via mobileSafari

• Use HTML, JavaScript, and CSS

• Secure them like Web apps
Hybrid Apps
• Deployed with a native wrapper

• Used to display browser-based apps

• Mobile Enterprise App Platform deployment
Distribution of iOS Apps
• App Store

• Need an Apple Developer account

• Apps signed with a developer certificate
can run on up to 100 iOS devices for
testing

• App store approval has manual and
automated tests

• Blocks malicious apps
Distribution of iOS Apps
• Enterprise Distribution

• Organizations can develop and distribute
custom apps in-house

• Apps signed with enterprise developer
certificate can run on any number of devices

• Apple screens developers entering this
program

• Must have a legitimate business and a Dun
and Bradsheet number
Abuse of Certificates
• An expired enterprise developer certificate
was used

• By changing system date back to the past

• To run a Game Boy advanced emulator

• For Pangu jailbreak
App Structure
• IPA archive is a Zip archive containing

• Payload

• Payload/Application.app 

• Data, compiled code, and resources

• iTunesArtwork

• Icon

• iTunesMetadata.plist

• Developer's name, copyright info
App Permissions
• Before iOS 6, every app in the App Store
had access to

• Contact, photos, other sensitive data
Data Classes in iOS 6
• Location services 

• Contacts 

• Calendar 

• Photos 

• Reminders 

• Microphone access 

• Motion activity 

• Bluetooth access 

• Social media data
Privacy Prompt
CNIT 128 2. Analyzing iOS Applications (Part 1)
iOS 8 Location Information
• Three possible values: app is

• Never allowed access to location
information

• Allowed access only while the app is in
the foreground and in use

• Always allowed access to location
information
Jailbreaking Explained
Reasons for Jailbreaking
• Get apps from unauthorized marketplaces
like Cydia

• Piracy

• Access to restricted functions like tethering
Risks
• Weakens security of OS

• Allow unsigned code to run

• Most iOS malware only runs on jailbroken
phones

• iKee - first iPhone worm, rickrolled
phones using default password

• iKee.B - Botted phones, phished Dutch
users
• Chinese origin

• Only on jailbroken
phones

• Hooked functions to steal
AppleID and password
Types of Jailbreaks
• Untethered - persists across reboots

• Tethered - requires a computer to start the
phone; otherwise you get Recovery Mode

• Semi-tethered - requires a computer to
start into jailbroken state, booting without
the computer ends up in non-jailbroken
state
Jailbreakme v3 Saffron
• Simply visit a Web site hosting a PDF file

• Works for iOS before 4.3.4

• Uses:

• Integer signedness issue to gain code
execution

• ROP payload

• Type confusion vulnerability
evasi0n Jailbreak
• Worked for iOS 6.0 - 6.1.2

• No memory corruption

• Used bypasses and logic bugs

• Lockdownd service allowed file
permissions to be changed

• USB driver allowed arbitrary functions to
be called
Building a Test
Environment
Accessing the Phone
• After jailbreaking

• install OpenSSH in Cydia

• Connect via Wi-Fi or USB

• Default credentials are

• mobile / alpine
• root / alpine
Toolkit
• Cydia -- open app store

• BigBoss Recommended Tools
• Command-line UNIX tools

• Including apt
Apple's CC Tools
• Tools to parse, assemble, and link Mach-O
binaries

• File format for iOS and OSX apps

• Part of the iOS and OS X development
toolchain

• Run on OS X or Linux
• otool
• Object file-displaying tool

• All-purpose tool for Mach-O binary analysis

• Reveals class and method names

• Lists libraries, symbols

• Shows header information and load
commands
Apple's CC Tools
• nm

• Displays symbol table of a binary or
object file

• lipo

• Can combine or remove architecture
types from an app
Apple's CC Tools
Debuggers
• gdb

• Cydia's version doesn't work well on
modern iOS versions

• Radare's version is better
Code Signing
• codesign
• Apple's binary-signing tool

• Can also display signatures

• ldid

• Saurik's code-signer
Installipa
• Normal app installation uses installd
service

• Verifies code signature

• ipainstaller
• Can install unsigned apps on jailbroken
devices
Exploring the Filesystem
• Jailbroken devices allow full access

• Unjailbroken devices allow access to
portions of the filesystem, including

• Sandboxed area where apps are installed

• Must pair to a computer over USB first

• Use apps like iExplorer or iFunBox
On a Jailbroken Device
Property Lists
• .plist files

• Binary format similar to XML

• Stores serialized objects and key-value
pairs

• plutil can convert plists to XML
Other Files
• Binary Cookies

• From Web pages

• Can be opened with
BinaryCookieReader.py

• SQLite Databases
CNIT 128 2. Analyzing iOS Applications (Part 1)

Más contenido relacionado

La actualidad más candente

CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)Sam Bowne
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)Sam Bowne
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 3 of 3)
CNIT 128 6. Analyzing Android Applications (Part 3 of 3)CNIT 128 6. Analyzing Android Applications (Part 3 of 3)
CNIT 128 6. Analyzing Android Applications (Part 3 of 3)Sam Bowne
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2Sam Bowne
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsSam Bowne
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Courseeightbit
 
CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)Sam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)Sam Bowne
 

La actualidad más candente (20)

CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)
 
CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
 
CNIT 128 6. Analyzing Android Applications (Part 3 of 3)
CNIT 128 6. Analyzing Android Applications (Part 3 of 3)CNIT 128 6. Analyzing Android Applications (Part 3 of 3)
CNIT 128 6. Analyzing Android Applications (Part 3 of 3)
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applications
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
 
CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
 

Similar a CNIT 128 2. Analyzing iOS Applications (Part 1)

2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript  practical i os reverse engineering lasconBeyond the 'cript  practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lasconNino Ho
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
Mobile Devices
Mobile DevicesMobile Devices
Mobile DevicesYnon Perek
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Introduction to iOS Development
Introduction to iOS DevelopmentIntroduction to iOS Development
Introduction to iOS DevelopmentAsim Rais Siddiqui
 

Similar a CNIT 128 2. Analyzing iOS Applications (Part 1) (20)

2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Inter-process audio options on iOS
Inter-process audio options on iOSInter-process audio options on iOS
Inter-process audio options on iOS
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript  practical i os reverse engineering lasconBeyond the 'cript  practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lascon
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 
Mobile Devices
Mobile DevicesMobile Devices
Mobile Devices
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
128-ch3.pptx
128-ch3.pptx128-ch3.pptx
128-ch3.pptx
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Introduction to iOS Development
Introduction to iOS DevelopmentIntroduction to iOS Development
Introduction to iOS Development
 

Más de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 

Más de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 

Último

How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...CaraSkikne1
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxKatherine Villaluna
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 

Último (20)

How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptx
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 

CNIT 128 2. Analyzing iOS Applications (Part 1)

  • 1. CNIT 128 Hacking Mobile Devices 2. Analyzing iOS Apps Part 1
  • 2. Topics: Part 1 • The Security Model • iOS Apps • Jailbreaking Explained
  • 3. Topics: Part 2 • The Data Protection API • The iOS Keychain • TouchID • Reverse Engineering iOS Binaries
  • 5. Security Features • Secure boot chain • Code signing • Process-level sandboxing • Data-at-rest encryption • Generic native language exploit mitigations • Address space layout randomization • Non-executable memory • Stack smashing protection
  • 6. Initializing iOS with Secure Boot Chain • Initializing and loading firmware • Each step is cryptographically signed and verified
  • 7. Secure Boot Chain • Boot ROM • Read-only portion of the processor • Contains public key for Apple's CA • Used to verify next step: the LLB
  • 8. Secure Boot Chain • LLB (Low-Level Bootloader) • Finds iBoot • Verifies its signature • If signature check fails, boots into recovery mode
  • 9. Secure Boot Chain • iBoot • Verifies and loads the iOS kernel • iOS Kernel • Loads usermode environment and OS
  • 10. Secure Enclave • Secure coprocessor shipped with all modern iPhones and iPads • Since iPhone 5s • Handles cryptography on device • Key management for • Data Protection API • Touch ID fingerprint data
  • 11. Secure Enclave • A customized version of ARM TrustZone • Partitions itself from main processor • Provides data integrity even if kernel is compromised • Even if device is jailbroken • Secrets cannot be extracted • Such as fingerprint data
  • 12. Cachegrab • Released in Dec. 2017 • Kernel code can deduce some information about contents of the Secure Enclave • Because it shares cache memory with kernel processes • Link Ch 2a
  • 13. Restricting Application Processes with Code Signing • Validates signatures each time an app is executed • Only code signed with a trusted signature can run • Developers can install trusted certificates • In a provisioning profile signed by Apple
  • 14. App Store • Production apps must be signed by Apple • After submitting them to the App Store • Apple bans risky activities • Private APIs • Apps that download and install executable code
  • 15. Isolating Apps with Process-Level Sandboxing • All third-party apps run in a sandbox • Isolated from one another and from OS • All apps run as the same mobile system user • Each app is contained in its unique directory • Separation maintained by the XNU Sandbox kernel extension
  • 16. • From Jonathan Levin (link Ch 2b)
  • 17. Permissions • Since iOS 7, app needs permission from user to access • Media • Microphone • Address book
  • 18. Protecting Information with Data-at-Rest Encryption • All file system data encrypted with AES • Filesystem key generated on first boot • Stored on block 1 of NAND flash storage • Device decrypts filesystem on bootup • Filesystem is only encrypted at rest • Remote wipe erases the key
  • 19. Data Protection API • Can encrypt individual files and keychain items • Key derived from passcode • Encrypted items are inaccessible when device is locked
  • 21. Write or Execute (W^X) • Memory pages cannot be both writable and executable at the same time • Implemented with ARM's Execute Never (XN) feature • Pages marked as writable cannot be later reverted to executable • Similar to Data Execution Protection (DEP) in Windows, Linux, and Mac OS X
  • 22. Return-Oriented Programming • Bypasses non-executable memory • Injection contains only addresses • Pointing to fragments of code • Exploit is built from these fragments
  • 23. ASLR • Address Space Layout Randomization • Code location randomized • Attacker cannot find the injected code to run it • Makes ROP chains more difficult to use
  • 24. ASLR Weaknesses • Before iOS 5, dynamic linker was not relocated • Memory disclosure bugs • Can be used to improve exploits • Apps compiled with PIE (Position Independent Execution) can use full ASLR • All memory regions randomized • Other apps put base binary and dynamic linker at a fixed address
  • 25. Stack Smashing • Uses stack canaries • Pseudorandom values on stack • Buffer overflow attacks overwrite the canary values • And terminate the app
  • 27. Three Groups of Apps • Standard native apps • Browser-based apps • Hybrid apps
  • 28. Standard Native Apps • Most common type • Written in Objective-C or Swift • Compiled to native code • Linked against iOS SDK and Cocoa Touch frameworks
  • 29. Browser-Based Apps • Render in iOS web views • Loaded via mobileSafari • Use HTML, JavaScript, and CSS • Secure them like Web apps
  • 30. Hybrid Apps • Deployed with a native wrapper • Used to display browser-based apps • Mobile Enterprise App Platform deployment
  • 31. Distribution of iOS Apps • App Store • Need an Apple Developer account • Apps signed with a developer certificate can run on up to 100 iOS devices for testing • App store approval has manual and automated tests • Blocks malicious apps
  • 32. Distribution of iOS Apps • Enterprise Distribution • Organizations can develop and distribute custom apps in-house • Apps signed with enterprise developer certificate can run on any number of devices • Apple screens developers entering this program • Must have a legitimate business and a Dun and Bradsheet number
  • 33. Abuse of Certificates • An expired enterprise developer certificate was used • By changing system date back to the past • To run a Game Boy advanced emulator • For Pangu jailbreak
  • 34. App Structure • IPA archive is a Zip archive containing • Payload • Payload/Application.app • Data, compiled code, and resources • iTunesArtwork • Icon • iTunesMetadata.plist • Developer's name, copyright info
  • 35. App Permissions • Before iOS 6, every app in the App Store had access to • Contact, photos, other sensitive data
  • 36. Data Classes in iOS 6 • Location services • Contacts • Calendar • Photos • Reminders • Microphone access • Motion activity • Bluetooth access • Social media data
  • 39. iOS 8 Location Information • Three possible values: app is • Never allowed access to location information • Allowed access only while the app is in the foreground and in use • Always allowed access to location information
  • 41. Reasons for Jailbreaking • Get apps from unauthorized marketplaces like Cydia • Piracy • Access to restricted functions like tethering
  • 42. Risks • Weakens security of OS • Allow unsigned code to run • Most iOS malware only runs on jailbroken phones • iKee - first iPhone worm, rickrolled phones using default password • iKee.B - Botted phones, phished Dutch users
  • 43. • Chinese origin • Only on jailbroken phones • Hooked functions to steal AppleID and password
  • 44. Types of Jailbreaks • Untethered - persists across reboots • Tethered - requires a computer to start the phone; otherwise you get Recovery Mode • Semi-tethered - requires a computer to start into jailbroken state, booting without the computer ends up in non-jailbroken state
  • 45. Jailbreakme v3 Saffron • Simply visit a Web site hosting a PDF file • Works for iOS before 4.3.4 • Uses: • Integer signedness issue to gain code execution • ROP payload • Type confusion vulnerability
  • 46. evasi0n Jailbreak • Worked for iOS 6.0 - 6.1.2 • No memory corruption • Used bypasses and logic bugs • Lockdownd service allowed file permissions to be changed • USB driver allowed arbitrary functions to be called
  • 48. Accessing the Phone • After jailbreaking • install OpenSSH in Cydia • Connect via Wi-Fi or USB • Default credentials are • mobile / alpine • root / alpine
  • 49. Toolkit • Cydia -- open app store • BigBoss Recommended Tools • Command-line UNIX tools • Including apt
  • 50. Apple's CC Tools • Tools to parse, assemble, and link Mach-O binaries • File format for iOS and OSX apps • Part of the iOS and OS X development toolchain • Run on OS X or Linux
  • 51. • otool • Object file-displaying tool • All-purpose tool for Mach-O binary analysis • Reveals class and method names • Lists libraries, symbols • Shows header information and load commands Apple's CC Tools
  • 52. • nm • Displays symbol table of a binary or object file • lipo • Can combine or remove architecture types from an app Apple's CC Tools
  • 53. Debuggers • gdb • Cydia's version doesn't work well on modern iOS versions • Radare's version is better
  • 54. Code Signing • codesign • Apple's binary-signing tool • Can also display signatures • ldid • Saurik's code-signer
  • 55. Installipa • Normal app installation uses installd service • Verifies code signature • ipainstaller • Can install unsigned apps on jailbroken devices
  • 56. Exploring the Filesystem • Jailbroken devices allow full access • Unjailbroken devices allow access to portions of the filesystem, including • Sandboxed area where apps are installed • Must pair to a computer over USB first • Use apps like iExplorer or iFunBox
  • 57. On a Jailbroken Device
  • 58. Property Lists • .plist files • Binary format similar to XML • Stores serialized objects and key-value pairs • plutil can convert plists to XML
  • 59. Other Files • Binary Cookies • From Web pages • Can be opened with BinaryCookieReader.py • SQLite Databases