
Hacking & Securing iOS Application for beginners

Owasp
October 12, 2022



Transcript

  1. HELLO EVERYONE. ABOUT ME. Kapil Gurav, @Hackersden_. Security consultant at Payatu security consulting. Web/Mobile/API/Hardware pentesting guy. Bug hunter (Bugcrowd). Personally a huge iOS fan. Acknowledged by Apple, Comcast, HSBC Bank, Mastercard, Brex, Boozt, DocuSign and many more. Find me on Twitter (@hackersden_).
  2. ROUGH AGENDA (WE WILL DIGRESS)
     • Why Mobile Security?
     • Understanding iOS architecture and sandboxing
     • Introduction to iOS applications
     • How to start on iOS pentesting?
     • What is jailbreak? Why jailbreak? Prerequisites!
     • Dynamic analysis
     • Static analysis
     • iOS side-channel data leakage
     • Runtime manipulation
     • Breaking crypto with Frida
     • Attacking URL schema
     • Bug bounty notes
  3. UNDERSTANDING IOS ARCHITECTURE & SANDBOXING. The architecture of iOS is layered. At the uppermost level, iOS works as an intermediary between the underlying hardware and the apps you make; apps do not communicate with the underlying hardware directly. The sandbox is Apple's way of allowing each application to set up its own data store locally on the device while isolating it from interfering with other applications. (Figures: iOS Architecture, Sandboxing)
  4. INTRODUCTION TO IOS APPLICATIONS.
     • iOS apps are developed using Objective-C and Swift
     • Xcode is the IDE used for development
     • App packages have the file extension .ipa
     • Apps can be downloaded from the Apple App Store
  5. INTRODUCTION TO IOS APPLICATION SECURITY.
     • Dynamic approach
     • Static analysis
     • iOS side-channel data leakage
     • Runtime manipulation
     • URL schema fuzzing
     • Breaking crypto with Frida
  6. GETTING STARTED WITH IOS APPLICATION PENTESTING.
     • Hardware requirements: an iDevice, preferably an iPhone 6s
     • Apple account: not mandatory
     • Minimum setup required: an iPhone 6s running iOS 13.4 or older, which can be jailbroken with checkra1n. A Mac is great, but any other laptop with the right tools will do.
     • Common tools: SSH; Frida | Objection; Burp Suite; Ghidra | Hopper | IDA
  7. WHAT IS JAILBREAK? WHY JAILBREAK? PREREQUISITES! Jailbreaking is the term used to describe hacking into Apple's mobile operating system (known as iOS) and tweaking it so you can customize the appearance and performance of your iPhone.
     Types of jailbreak:
     • Untethered jailbreak
     • Tethered jailbreak
     • Semi-tethered jailbreak
     • Semi-untethered jailbreak
  8. STATIC ANALYSIS
     • IPA = ZIP(files + binary): extract the binary (reverse engineering: read)
     • Extract class information
     • Disassemble the binary using Ghidra/Hopper/IDA
     • Explore for hardcoded sensitive information: PINs, secrets, keys, etc.
     • Bypass security controls like SSL pinning and jailbreak detection
     • Decompiled code → modify logic → rebuild & sign → install
     DYNAMIC ANALYSIS
     • Run the application and analyse its features
     • Bypass SSL pinning and jailbreak detection to capture the app's traffic in a proxy
     • SSL pinning/jailbreak bypass: Frida/Objection/decompiling the app
     • Analyse the app's traffic, i.e. requests and responses
     • Test for API security issues like IDOR, access control issues, authentication issues, etc.
     • Any client-side restriction or client-side security control? Bypass it using runtime instrumentation
     • Explore the local device storage to find what data is being saved and where: UserDefaults, Keychain, Core Data, SQLite, property lists
  9. IOS INSECURE LOCAL STORAGE.
     • Plist files
     • UserDefaults
     • Core Data
     • Keychain
  10. IOS SIDE CHANNEL DATA LEAKAGE.
     • Check for sensitive information in snapshots
     • Analyse the device logs
     • Insecure data storage in the Pasteboard
     • Investigate Cookies.binarycookies
  11. RUNTIME MANIPULATION. What is runtime manipulation? How do you perform runtime manipulation? What can we do with runtime manipulation?
  12. BREAKING CRYPTO WITH FRIDA. How to trace methods and classes? How to break crypto with Frida? How to catch the encryption key?
  13. ATTACKING URLSCHEMA. What are URL schemes? How do URL schemes work? Is it possible to fuzz the URL schema?
  14. BUG BOUNTY NOTES.
     • Many developers hardcode encryption keys or client credentials in iOS apps: select the Strings tab and search for terms such as secret, crypt, private, token.
     • If the app is not loading or immediately crashes on launch, search the class dump (or your disassembler) for methods like isJailbroken, jailbreak, rooted, because chances are the app has jailbreak detection.
     • Almost every mobile app uses at least one third-party library. Dig into these libraries and check their versions; many are open source, so you can search their public repository for issues and check whether the current version of the library is affected. All the libraries are inside the Frameworks/ folder in the app's bundle.
     • Many apps use third-party backend systems, for which they need credentials or configuration files. Sometimes developers expose credentials or private keys in these files: in the app's bundle, search for all .plist, .json or .conf files.
     • Also, after using the app for a while, check the UserDefaults file, which is a .plist configuration file that some developers use to store sensitive information.
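The static checks from slides 8 and 14 (IPA = ZIP, inventory the Frameworks/ folder, search bundled .plist/.json/.conf files for secret/crypt/private/token) as a small pre-release audit script. This is an added example, not code from the deck or from Payatu; the IPA it scans is constructed in memory with placeholder values, and the app name Demo.app, the Alamofire framework entry and the file names are assumptions.

```python
import io
import json
import plistlib
import re
import zipfile

SENSITIVE = re.compile(r"secret|crypt|private|token", re.IGNORECASE)  # terms from the deck


def build_sample_ipa() -> bytes:
    """Constructed sample IPA: a zip holding Payload/<Name>.app/ with a fake binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        app = "Payload/Demo.app/"
        z.writestr(app + "Demo", b"\xcf\xfa\xed\xfe" + b"\x00" * 12)  # Mach-O magic only
        z.writestr(app + "Info.plist", plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        z.writestr(app + "Settings.plist",
                   plistlib.dumps({"theme": "dark", "aesSecret": "PLACEHOLDER_KEY"}))
        z.writestr(app + "backend.json",
                   json.dumps({"endpoint": "https://api.example.test", "api_token": "PLACEHOLDER"}))
        z.writestr(app + "Frameworks/Alamofire.framework/Info.plist",
                   plistlib.dumps({"CFBundleShortVersionString": "5.4.0"}))
    return buf.getvalue()


def audit_ipa(data: bytes) -> dict:
    """Inventory Frameworks/ versions and flag sensitive-looking keys in .plist/.json/.conf files."""
    report = {"frameworks": {}, "hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if "/frameworks/" in low and low.endswith(".framework/info.plist"):
                # Third-party library inventory: version string to check against public advisories.
                fw = name.rsplit("/Frameworks/", 1)[1].split(".framework/", 1)[0]
                report["frameworks"][fw] = plistlib.loads(z.read(name)).get(
                    "CFBundleShortVersionString", "unknown")
            elif low.endswith((".plist", ".json")):
                loader = plistlib.loads if low.endswith(".plist") else json.loads
                obj = loader(z.read(name))
                keys = obj.keys() if isinstance(obj, dict) else []
                report["hits"] += [(name, k) for k in keys if SENSITIVE.search(k)]
            elif low.endswith(".conf"):
                # Plain config files: report the matching line (redact values before sharing).
                lines = z.read(name).decode("utf-8", "replace").splitlines()
                report["hits"] += [(name, ln.strip()) for ln in lines if SENSITIVE.search(ln)]
    return report


if __name__ == "__main__":
    print(audit_ipa(build_sample_ipa()))
```

Run it against a real .ipa by replacing build_sample_ipa() with the file's bytes; every hit is a key a reviewer should confirm is not a live credential before the build ships.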