iOS app security

iOS app security
-analyze and defense
Hokila

Cocoaheads Taipei 2013.10

源起
Android Taipei (2013 August)
Android Apps Security
Taien Wang
Ruby Tuesday (2013.9.10)
別再偷我App裡的⾦金幣:Server端IAP的處理與驗證
Kevin Wang

所以今天是來

致(ㄉㄚˇ )敬(ㄌ⼀一ㄢˇ )
的
( ˘•ω•˘ )

不會講這些
如何破解
神魔之塔 / 百萬亞瑟⺩王 / 全⺠民打棒球

不會講這些
如何破解
神魔之塔 / 百萬亞瑟⺩王 / 全⺠民打棒球
免費使⽤用
Splashtop / KKBOX / WhosCall

會講這些
●
●
●
●
●
●

iOS app native leak
network monitor
IAP crack
Analyze tools
Encode /decode
Good Habits

絕對講不完
我猜可以講⼀一⼩小時

還好之前講過了
2012.12 Cocoaheads Taipei

In App Purchase 攻防戰
youtu.be/g2tWRPdweeY

1.基本功
○ iOS app 資料結構
○ API分析
2. 脫離新⼿手
○ 同時監看多個畫⾯面
○ 常⾒見漏洞＆防禦⽅方法
3.必殺技（屁孩愛⽤用）
○ IAP Free /LocalAppStore
○ iGameGardian /⼋八⾨門神器
○ Flex

OWASP Mobile Top 10 Risk (2013-M1)
M1. 不安全的資料儲存(Insecure Data Storage)
M2. 弱伺服器端的控制(Weak Server Side Controls)
M3. 傳輸層保護不⾜足(Insufficient Transport Layer Protection)
M4. 客⼾戶端注⼊入(Client Side Injection)
M5. 粗糙的授權與認證(Poor Authorization and Authentication)
M6. 不適當的會話處理(Improper Session Handling)
M7. 安全決策是經由不受信任的輸⼊入(Security Decisions Via Untrusted Inputs)
M8. 側通道資料洩漏(Side Channel Data Leakage)
M9. 加密失效(Broken Cryptography)
M10. 敏感資訊洩漏(Sensitive Informaiton Disclosure)

app itself

app /user data
automatically backed up by iCloud.

temporary files,clean when app restart
NSTemporaryDirectory
Library
Application Support

good place for configuration/template

Cache

Data that can be downloaded again or regenerated

Cookie

store cookies for sandbox webView

Prefences

NSUSerDefault

Ref: File System Programming Guide

console log
iphone configuration utility
iTool（2012）

會看到
app沒有埋好的log
framework ⾃自⼰己帶的log
system notification
memory warming

keychain
locate at /var/Keychains/keychain-2.db
Apple says “keychain is a secure place to store keys and
passwords”
dump keychain database (jb necessary)

API Charles / ⽂文化部open data /iCulture

DEMO

1. Charles (Mac Windows) $
2. ZAP (Mac Windows) Free
3. Fiddler (Windows) Free
4. Wire Shark (Mac Windows) Free

⾄至少要同時看
●
●
●
●

device screen
console log
plist、db
API request/response

⼀一些發現
其他app verify資料正確性的作法
某些遊戲讓你抽卡多選1，但是結果在你進⼊入抽
卡畫⾯面時就決定了
竟然有app把db放在google doc和dropbox （⽽而
且還不少）
讓我萬萬沒想到的是......（這邊不能打出來）

class dump-z

● dumping class info from an iOS app
● guess class utility
https://code.google.com/p/networkpx/

破解⼯工具
IAP Free/LocalAppStore
欺騙app 購買成功

破解⼯工具
iGameGardin /⼋八⾨門神器
搜尋記憶體位置，修改value

破解⼯工具
Flex
鎖定function 回傳值
例 -(BOOL)isTransactionSucess
⼀一定回傳YES

破解⼯工具
Flex
鎖定function 回傳值
例 -(BOOL)isTransactionSucess
⼀一定回傳YES

對於developer來說，就是app裡⾯面.....

再安全的OS也有不安全的app
啊啊啊啊啊怎麼辦

不要太相信server/model 的data
適時的關⼼心，請問您是內奸嗎？是的話殺爆他

King Of Design Pattern:MVC
model 和view可以不⼀一樣

use encrypt ,not hash
要hash也記得要加salt

綜合來說，這就是....

這是⼀一個很基本的API
GET http://xxx.yyy/getUserData.php
paeameters
(string)userID

response
(string)name
(array)xxlist
(string)itemname
(int)quantity
(string)status

POST http://xxx.yyy/getUserData.php public
parameters
(string)token
(string)call_file_name
(string)userID

response
(string)name
(array)xxlist
(string)itemname
(int)quantity
(string)status
(int)status

公⼦子獻頭
POST http://xxx.yyy/getUserData.php public
parameters
(string)token
(string)userID

response
(string)name
(array)xxlist
(string)itemname
(int)quantity
(string)status
(int)status

讓對⽅方知道你的下兩步，在第三步衝康他
SSL POST http://xxx.yyy/public
parameters
(string)token
(string)userID

struct object
(string)itemname
(int)quantity
(int)status

response
(string)name
(array)xxlist
(string)itemname
(int)quantity
(int)status
(object)item
base64 encode

In-App Purchase Programming Guide

base64

還能怎麼改？
parameters
(string)token
(string)userID

response
(string)name
(array)xxlist
(object)item

還能怎麼改？
parameters
(string)token
(string)userID

response
(string)name
(array)xxlist
(object)item

Accept = "*/*";
Accept-Language = zh-TW;
Connection = close;
User-Agent = "Something special~~";

確定資料正確
public entry
access token
SSL
status code
object ,not clear dictionary
and...?

Model

memory

View

API
plist
db

NSString
NSNumber

UILabel

encrypt()
08f90c1a417155361a5c4b8d297e0d78

2000

Money

2000

Model

memory

View

API
plist
db

NSString
NSNumber

UILabel

encrypt()

2000

08f90c1a417155361a5c4b8d297e0d78

need protection!!

Money

2000

double_check

http://xxx.yyy/buy
paeameters
(string)user
(string)itemID

response
(string)status
(string)itemID
(int)quantity
(int)leftmoney

double_check

http://xxx.yyy/buy
paeameters
(string)user
(string)itemID

response
(string)status
(string)itemID
(int)quantity
(int)leftmoney

http://xxx.yyy/double_check
paeameters
response
(string)user
(string)status (OK /Reject)
(string)itemID

sha1、md5、base64
這些你敢⽤用？

實驗證明，⼀一個經過訓練的QA可以⾁肉眼反解出1~100的md5 hash

hash⾄至少要加salt
md5($salt.$pass.$username)

sha1($salt.$pass)

md5($salt.md5($pass))

sha1($salt.$username.$pass.$salt)

md5($salt.md5($pass).$salt)

sha1($salt.md5($pass))

encrypt


sha1($salt.$pass)





encrypt
DES
1977誕⽣生、1999被破


sha1($salt.$pass)





encrypt
DES
1977誕⽣生、1999被破
AES-128 AES-256 當今最潮
passwd = AESEncrypt(“string”,” key”)

So....
public data可以不⽤用加密，但是private data⼀一定要加密
要檢查user有沒有作弊，但不要太頻繁的去檢查資料
需要server的service絕對都可以檔(播⾳音樂、遠端遙控)
發現別⼈人app有漏洞，記得回報開發者

So....
public data可以不⽤用加密，但是private data⼀一定要加密
要檢查user有沒有作弊，但不要太頻繁的去檢查資料
需要server的service絕對都可以檔(播⾳音樂、遠端遙控)
發現別⼈人app有漏洞，記得回報開發者

think as a service,not an app.
這樣想會找到很多漏洞

video on niconico youtube

availiable today

Thanks ＆Bye~~
Hokila
mail
blog
FB

hokila.jan@splashtop.com
josihokila.blogspot.com
fb.me/hokilaj

iOS app security

Recomendados

Recomendados

Más contenido relacionado

Similar a iOS app security

Similar a iOS app security (20)

Más de Hokila Jan

Más de Hokila Jan (14)

Último

Último (6)

iOS app security