iOS ရဲ႕ Passcode ကုိ ဂဏန္းနဲ႕တင္မဟုတ္ဘဲ အကၡရာစုံနဲ႕ Passcode ေပးခ်င္သူေတြအတြက္
Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong...
Transcript of Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong...
![Page 1: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/1.jpg)
Blackbox iOS App Testing Using idb Daniel A. Mayer
@DanlAMayer http://www.idbtool.com
![Page 2: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/2.jpg)
Who we are…
Me: Daniel Mayer Senior Security Consultant with NCC Group in Chicago
Formerly Matasano Security Ph.D. in Computer Science (Security and Privacy)
NCC Group UK Headquarters, Worldwide Offices Application Security Consultancy Software Escrow, Testing, Domain Services
Daniel A. Mayer - Blackbox iOS App Testing Using idb 2
![Page 3: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/3.jpg)
Mobile Dominates Internet Use…
Daniel A. Mayer - Blackbox iOS App Testing Using idb 3
![Page 4: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/4.jpg)
… and Apps Dominate Mobile
Daniel A. Mayer - Blackbox iOS App Testing Using idb 4
![Page 5: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/5.jpg)
Anyone Lost or Got Their Phone Stolen?
Daniel A. Mayer - Blackbox iOS App Testing Using idb 5
![Page 6: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/6.jpg)
Well, you are not alone…
Daniel A. Mayer - Blackbox iOS App Testing Using idb 6
![Page 7: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/7.jpg)
Agenda
1. Introduction 2. (Reasonably) New Tool: idb 3. Common iOS Vulnerabilities
1. Binary 2. Local Storage 3. Information Disclosure 4. Inter-Process Communication 5. Network Communication
4. Conclusion
Daniel A. Mayer - Blackbox iOS App Testing Using idb 7
![Page 8: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/8.jpg)
Introduction
Daniel A. Mayer - Blackbox iOS App Testing Using idb 8
![Page 9: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/9.jpg)
iOS Platform Security
Apps are sandboxed (‘seatbelt’) All apps share same UNIX user ‘mobile’
App code has to be signed
Bypassed when jailbroken Raising the bar
Data Execution Prevention (DEP) Address Space Layout Randomization (ASLR)
Passcode / TouchID
Daniel A. Mayer - Blackbox iOS App Testing Using idb 9
![Page 10: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/10.jpg)
iOS Apps
Native applications Objective-C(++), superset of C(++) Swift Cocoa touch for GUI
Web view applications
Display mobile websites in a UIWebView
Daniel A. Mayer - Blackbox iOS App Testing Using idb 10
![Page 11: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/11.jpg)
iOS App Attack Surface
Vulnerabilities typical arise at trust boundaries
Daniel A. Mayer - Blackbox iOS App Testing Using idb 11
![Page 12: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/12.jpg)
Pentest Setup
Jail-broken iDevice SSH access!
Full UNIX-like environment Full file system access
Mobile (Cydia) Substrate
Patch system functions at runtime http://www.cydiasubstrate.com/
Intercepting Proxy
Monitor app communication
Daniel A. Mayer - Blackbox iOS App Testing Using idb 12
![Page 13: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/13.jpg)
Introducing idb
Daniel A. Mayer - Blackbox iOS App Testing Using idb 13
![Page 14: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/14.jpg)
Existing Tool Landscape
Many great tools [1] Scattered Static and dynamic
Fully understand app’s behavior in assessment My background is in dynamic testing
No “click and done” solution Tool that automates analyses
Daniel A. Mayer - Blackbox iOS App Testing Using idb 14
[1] https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
![Page 15: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/15.jpg)
Introducing idb
Ruby and Qt (4,500+ loc)
Daniel A. Mayer - Blackbox iOS App Testing Using idb 15
![Page 16: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/16.jpg)
Demo: Pentesting Setup
Connecting to device SSH directly SSH via USB
Port forwarding
Remote Local
Daniel A. Mayer - Blackbox iOS App Testing Using idb 16
![Page 17: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/17.jpg)
Common iOS Vulnerabilities
Daniel A. Mayer - Blackbox iOS App Testing Using idb 17
![Page 18: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/18.jpg)
OWASP Mobile Top 10 - 2014
Daniel A. Mayer - Blackbox iOS App Testing Using idb 18
![Page 19: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/19.jpg)
OWASP Mobile Top 10 - Client-Side
2. Insecure Data Storage
3. Insufficient Transport Layer
Security 4. Unintended Data Leakage
5. Poor Authentication
and Authorization
6. Broken Cryptography
7. Client Side Injection
8. Security Decision via
Untrusted Input
10. Lack of Binary
Protections
Daniel A. Mayer - Blackbox iOS App Testing Using idb 19
![Page 20: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/20.jpg)
The App Binary
Native Code! Buffer overflows Format string flaws
WithFormat - don’t let user specify the format! [1] User after frees
Used as storage space
API keys Credentials Crypto Keys
Daniel A. Mayer - Blackbox iOS App Testing Using idb 20
[1] http://sebug.net/paper/Meeting-Documents/Ruxcon2011/iPhone%20and%20iPad%20Hacking%20-%20van%20Sprundel.ppt
![Page 21: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/21.jpg)
Exploit Mitigation
Take advantage of OS protections Compile as Position Independent Executable (PIE)
Enable stack canaries
Use Automatic Reference Counting Do not store credentials in the binary
Daniel A. Mayer - Blackbox iOS App Testing Using idb 21
![Page 22: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/22.jpg)
Demo: Poor-Man’s Reversing
Basic binary information using otool Strings Weak Class Dump
https://github.com/limneos/weak_classdump
Uses cycript (http://www.cycript.org/)
Daniel A. Mayer - Blackbox iOS App Testing Using idb 22
![Page 23: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/23.jpg)
Local Storage
Apps are sandboxed to /private/var/mobile/ Applications/[guid]/
Sandbox accesible to app Stored in backups If stolen
Jailbreak File system access
Daniel A. Mayer - Blackbox iOS App Testing Using idb 23
![Page 24: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/24.jpg)
File System Encryption
All files encrypted One key per File Passcode! Attacks
PIN cracking Backups Jail-break not enough!
Daniel A. Mayer - Blackbox iOS App Testing Using idb 24
Device UID User Passcode
![Page 25: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/25.jpg)
Using the Data Protection API
Enforce a strong passcode Set a NSFileProtection when storing files Example
Daniel A. Mayer - Blackbox iOS App Testing Using idb 25
NSFileProtection Meaning
Complete Protected when device is locked
CompleteUnlessOpen If open, file can be read when locked
CompleteUntilFirstUserAuthentication (iOS 8) Protected from boot until user unlocks
None (iOS < 8) No protection
[[[NSFileManager defaultManager] createFileAtPath:@“filename” contents:[@"super_secret" dataUsingEncoding:NSUTF8StringEncoding] attributes:[NSDictionarydictionaryWithObject:NSFileProtectionComplete forKey:NSFileProtectionKey]]];
![Page 26: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/26.jpg)
Don’t do your own crypto
Existing frameworks make it hard to get crypto right!
Look into libsodium-ios
General problem on mobile
Where does the key come from? Have to use some Key Derivation Function (KDF)
Shameless plug
Do the Matasano crypto challenges! http://cryptopals.com/
Daniel A. Mayer - Blackbox iOS App Testing Using idb 26
![Page 27: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/27.jpg)
SQLite
A small relational database API Popular to persist data Data stored unencrypted in a file
Daniel A. Mayer - Blackbox iOS App Testing Using idb 27
![Page 28: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/28.jpg)
SQLite Mitigation
Use Data Protection to encrypt sqlite file Third-Party solutions
e.g., http://sqlcipher.net/
Journal may leak deleted data
Use VACUUM to rebuild DB
Daniel A. Mayer - Blackbox iOS App Testing Using idb 28
![Page 29: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/29.jpg)
Property List Files
Structured storage (NSUserDefaults) Stored unencrypted in XML files or binary plist
plutil -convert xml1
Often used for crypto keys, credentials, etc.
Daniel A. Mayer - Blackbox iOS App Testing Using idb 29
![Page 30: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/30.jpg)
Property List Files: Mitigation
Don’t use for sensitive data! File storage for binary data
NSProtectionComplete!
Use keychain for structured data
Daniel A. Mayer - Blackbox iOS App Testing Using idb 30
http://software-security.sans.org/blog/2011/01/05/using-keychain-to-store-passwords-ios-iphone-ipad/
![Page 31: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/31.jpg)
Keychain
Key-Value store Security similar superior to Data Protection
ThisDeviceOnly variants: no migration Access Control:
Require Touch ID or Passcode to access (choice new in )
Daniel A. Mayer - Blackbox iOS App Testing Using idb 31
Protection Class Meaning
kSecAttrAccessibleWhenUnlocked Protected when device is locked.
kSecAttrAccessibleAfterFirstUnlock Protected from boot until user unlocks.
kSecAttrAccessibleAlways No protection.
kSecAttrAccessibleWhenPasscodeSet Only store if passcode is set.
![Page 32: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/32.jpg)
Share Data Securely Between Apps
Keychain Access Group app_id = [bundle_seed] || [bundle_id] BEEF1337 || com.corp.myapp [bundle_seed] generated by Apple. Apps with same [bundle_seed] can share access. kSecAttrAccessGroup
Access through search dictionary
Daniel A. Mayer - Blackbox iOS App Testing Using idb 32
[searchDictionary setObject:@“BEEF1337.com.app.family"
forKey:(id)kSecAttrAccessGroup];
![Page 33: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/33.jpg)
Demo: idb Local Storage Functions
Use SSH connection to analyze sandbox Determine FileProtection using NSFileManager https://github.com/dmayer/protectionclassviewer
Keychain viewer using keychain_dump
https://code.google.com/p/iphone-dataprotectionn
Daniel A. Mayer - Blackbox iOS App Testing Using idb 33
NSString *fileProtectionValue = [[[NSFileManager defaultManager] attributesOfItemAtPath:@“filename” error:NULL] valueForKey:NSFileProtectionKey];
![Page 34: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/34.jpg)
Use Crypto and done, right?
Daniel A. Mayer - Blackbox iOS App Testing Using idb 34
http://xkcd.com/538/
![Page 35: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/35.jpg)
Example: Remote File Read
Daniel A. Mayer - Blackbox iOS App Testing Using idb 35
Cache Upload
/var/mobile/Applications/[guid]/../evil.html
var xhttp = new XMLHttpRequest();xhttp.open("GET","file:///var/mobile/Applications/[..]/file.pdf",false);xhttp.send();alert(xhttp.responseText);// Dont' use alert unless you want entire PDF in alert box :)
![Page 36: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/36.jpg)
Information Disclosure: Screenshot
iOS takes screenshot when app backgrounds Stored unencrypted at
/var/mobile/Applications/
[guid]/Library/Caches/
Snapshots/[bundle_id]/
./Main subfolder
Daniel A. Mayer - Blackbox iOS App Testing Using idb 36
![Page 37: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/37.jpg)
Mitigation: Screenshot
Hide sensitive information from screen Implement applicationDidEnterBackround Popular: Place launch image in foreground
ignoreSnapshotOnNextApplicationLaunch Does NOT prevent screenshot from being taken
Daniel A. Mayer - Blackbox iOS App Testing Using idb 37
![Page 38: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/38.jpg)
Data Leakage: Cache.db
iOS caches requests and responses Disable caching
Send no store headers from server
Daniel A. Mayer - Blackbox iOS App Testing Using idb 38
- (NSCachedURLResponse *)connection:(NSURLConnection *)connectionwillCacheResponse:(NSCachedURLResponse *)cachedResponse { return nil; }
![Page 39: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/39.jpg)
Information Disclosure: Log Files
40 % of 40 tested banking apps disclose data [1] Log files accessible by other apps Wrap your NSLog statements, e.g.
Daniel A. Mayer - Blackbox iOS App Testing Using idb 39
#ifdef DEBUG NSLog(@"password");#fi
[1] http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
![Page 40: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/40.jpg)
Demo: idb Information Disclosure
Screenshot Tool Walks through steps that create screenshot. Displays screenshot in idb.
iOS console available in
Xcode or iPhone Configuration Utility.
idb uses idevicesyslog [1]
Daniel A. Mayer - Blackbox iOS App Testing Using idb 40
[1] http://www.libimobiledevice.org/
![Page 41: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/41.jpg)
Inter-Process Communication
There is no proper IPC Poor-man’s IPC
UIPasteboard
Custom URL schemes
Apple’s approved solution
Consider using the keychain with access group
Daniel A. Mayer - Blackbox iOS App Testing Using idb 41
![Page 42: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/42.jpg)
Pasteboard
Any app can read it Private Pasteboards are not private There seems to be no API to find all Pasteboards
Don’t use the Pasteboard for IPC To prevent Copy/Paste, subclass UITextView
canPerformAction should return “NO” for copy
Daniel A. Mayer - Blackbox iOS App Testing Using idb 42
[UIPasteboard generalPasteboard];[UIPasteboard pasteboardWithName:@"super_secret" create:NO ];
![Page 43: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/43.jpg)
URL Schemes
Register in Info.plist Handle in: Security Considerations
Malicious input Trust Hijacking
Daniel A. Mayer - Blackbox iOS App Testing Using idb 43
-(BOOL) application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation !{ // Handle request }
![Page 44: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/44.jpg)
URL Schemes
Exploiting Trust my_app://configure?server=..&port=..
Inject attacker controlled server.
bank://redirect?page=http%3A%2F%2Fphish.me
Phishing —> Credentials. Verify the caller of the URL handler
sourceApplication parameter
Perform strict input validation
Universal Links
Daniel A. Mayer - Blackbox iOS App Testing Using idb 44
![Page 45: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/45.jpg)
Demo: idb IPC Functions
Pasteboard monitor Runs binary on device which pulls content Supports custom pasteboards https://github.com/dmayer/pbwatcher
URL Schemes
List Invoke Basic fuzzer
Daniel A. Mayer - Blackbox iOS App Testing Using idb 45
![Page 46: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/46.jpg)
Network Communication
Communication with Network Services HTTP/S Socket connections Push Notifications
Challenge similar to browsers
Protect data in transit
Typically done through SSL/TLS
Daniel A. Mayer - Blackbox iOS App Testing Using idb 46
![Page 47: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/47.jpg)
iOS Certificate Validation
Default: Accept if signed by CA in trust store Check when using 3rd party libs (see recent AFNetworking flaw)
iOS offers great flexibility in cert. validation the good: can make cert. validation stronger the bad: cert. check often overridden in dev the ugly: easy to accept any cert
Daniel A. Mayer - Blackbox iOS App Testing Using idb 47
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { NSURLProtectionSpace * pSpace = [challenge protectionSpace]; NSURLCredential* cred = [NSURLCredential credentialForTrust:[pSpace serverTrust]]; [[challenge sender] useCredential:cred forAuthenticationChallenge:challenge];}
![Page 48: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/48.jpg)
Certificate Validation
Don’t bypass certificate validation In dev, use free certificates (e.g. startssl.com) Install server cert explicitly on device.
App Transport Security (ATS) Declare secure sites in Info.plist ATS prevents accidental disclosure
Daniel A. Mayer - Blackbox iOS App Testing Using idb 48
![Page 49: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/49.jpg)
Certificate Pinning
Implement certificate pinning! https://github.com/iSECPartners/ssl-conservatory
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#iOS
Daniel A. Mayer - Blackbox iOS App Testing Using idb 49
I trust this!
My server’s cert was signed by
I don’t trust this!
Without Pinning
With Pinning
CA which signed cert
![Page 50: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/50.jpg)
iOS CA Cert Management
Simulator: [sim]/Library/Keychains/TrustStore.sqlite3 Fiddly: ASN.1 anyone?
Device: /private/var/Keychains/TrustStore.sqlite3
Adding entry not sufficient Fell back to ‘MDM’-based install
Pentest Pinning bypass
https://github.com/iSECPartners/ios-ssl-kill-switch
Daniel A. Mayer - Blackbox iOS App Testing Using idb 50
![Page 51: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/51.jpg)
Planned idb Features
Improvements Grep for the log view Search/upload for the FS Browser Copy data to Pasteboard Analysis of used privacy-invasive APIs
Integration of more awesome tools
iOS SSL Kill Switch
Send me bug reports, feature / pull requests!
Daniel A. Mayer - Blackbox iOS App Testing Using idb 51
![Page 52: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/52.jpg)
Thanks!
Questions?
http://www.idbtool.com
github.com/dmayer/idb gem install idb
Email / XMPP: [email protected] @DanlAMayer
Daniel A. Mayer - Blackbox iOS App Testing Using idb 52
![Page 53: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/53.jpg)
Image Attributions
iPhone icon, unchanged: By Adrian Dediu, https://www.iconfinder.com/iphone5cunlock License: https://creativecommons.org/licenses/by/3.0/us/
CA certificate icon, unchanged: By http://snipicons.com/ License: https://creativecommons.org/licenses/by-nc/3.0/
Storage icon, unchanged: By Barrymieny, http://barrymieny.deviantart.com License: https://creativecommons.org/licenses/by-nc-sa/3.0/
Key, unchanged: Double-J designs, http://www.doublejdesign.co.uk/ License: https://creativecommons.org/licenses/by/3.0/us/
Slide 21, cropped: https://developer.apple.com/library/ios/documentation/iphone/conceptual/iphoneosprogrammingguide/ManagingYourApplicationsFlow/ManagingYourApplicationsFlow.html
Slide 35, cropped: https://developer.apple.com/library/ios/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html
Daniel A. Mayer - Blackbox iOS App Testing Using idb 53
![Page 54: Blackbox iOS App Testing Using idb - NCC Group · Using the Data Protection API Enforce a strong passcode Set a NSFileProtection when storing files Example Daniel A. Mayer - Blackbox](https://reader030.fdocuments.net/reader030/viewer/2022040606/5eadd024ec49cd23fb034d50/html5/thumbnails/54.jpg)
Europe Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Munich
Amsterdam
Zurich
North America Atlanta
Chicago
New York
San Francisco
Seattle
Austin
Australia Sydney
54 Daniel A. Mayer - Blackbox iOS App Testing Using idb