
Common iOS Vulnerabilities and How to Fix Them


Julia Mezher

May 17, 2021



Transcript

  1. How do we know the vulnerability is common? OWASP Mobile Top 10; the CVE List by MITRE; security tools/services vendors; news and Twitter 🙂; our own experience 😎
  2–3. OWASP Mobile Top 10: M1: Improper Platform Usage; M2: Insecure Data Storage; M3: Insecure Communication; M4: Insecure Authentication; M5: Insufficient Cryptography; M6: Insecure Authorization; M7: Client Code Quality; M8: Code Tampering; M9: Reverse Engineering; M10: Extraneous Functionality. https://owasp.org/www-project-mobile-top-10/
  4–5. OWASP Mobile Top 10, 2016 vs 2014
    2016: M1: Improper Platform Usage; M2: Insecure Data Storage; M3: Insecure Communication; M4: Insecure Authentication; M5: Insufficient Cryptography; M6: Insecure Authorization; M7: Client Code Quality; M8: Code Tampering; M9: Reverse Engineering; M10: Extraneous Functionality
    2014: M1: Weak Server Side Controls; M2: Insecure Data Storage; M3: Insufficient Transport Layer Protection; M4: Unintended Data Leakage; M5: Poor Authorization and Authentication; M6: Broken Cryptography; M7: Client Side Injection; M8: Security Decisions Via Untrusted Inputs; M9: Improper Session Handling; M10: Lack of Binary Protection
  6–7. Improper Platform Usage. If I want to store some data…
    UserDefaults: not encrypted, accessible on a locked device.
    Keychain: encrypted storage, becomes decrypted on unlock.
    Secure Enclave: stores keys that can be used to encrypt Keychain entries.
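The three storage options from the slide side by side, as an added example that is not part of the deck: a secret written to UserDefaults (the weak choice, kept only as a comment), the same secret written to the Keychain with an accessibility class that keeps it sealed while the device is locked, and a Secure Enclave key that can wrap Keychain entries. The service name `com.example.app` and the key tag are assumed placeholders.

```swift
import Foundation
import Security

// Before: UserDefaults lands in a plist in the app container, unencrypted and
// readable even while the device is locked. Do not store secrets this way.
// UserDefaults.standard.set(token, forKey: "authToken")

enum KeychainStore {
    enum KeychainError: Error { case status(OSStatus) }

    /// Stores `secret` as a generic-password item readable only while the device is
    /// unlocked and never migrated to another device via backup.
    static func save(_ secret: Data, account: String, service: String = "com.example.app") throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Drop any previous value so SecItemAdd does not fail with errSecDuplicateItem.
        _ = SecItemDelete(query as CFDictionary)

        var attributes = query
        attributes[kSecValueData as String] = secret
        // Accessibility class: decrypted only after unlock, this device only (no backup migration).
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    /// Reads the item back; returns nil if it was never stored.
    static func load(account: String, service: String = "com.example.app") throws -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.status(status) }
        return result as? Data
    }
}

/// Secure Enclave: creates a P-256 key pair whose private half never leaves the hardware.
/// Data wrapped with this key (e.g. via SecKeyCreateEncryptedData) can then be kept in the
/// Keychain and is unusable without this specific device. `tag` is an assumed placeholder.
func makeSecureEnclaveKey(tag: String = "com.example.app.enclave") throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let accessControl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage],
        &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,   // generate inside the enclave
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: accessControl,
        ],
    ]

    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return privateKey
}

// Usage: persist a session token the right way.
// try KeychainStore.save(Data("constructed-token".utf8), account: "session")
// let token = try KeychainStore.load(account: "session")
```

Note that `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` is the strict end of the accessibility scale; an item that must be reachable by a background task after the first unlock needs `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` instead, which is a deliberate trade-off rather than a default.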
  8–10. Insecure Data Storage. Data generated by the app: 🔹 Logs 🔹 Databases 🔹 Caches 🔹 Other saved files. Check if any sensitive data may appear there! (Check the code, not the files.)
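Two of the four sources listed on the slide, logs and caches, as an added example (not from the deck) of what "check the code" looks like in practice: a unified-log call that redacts the secret instead of printing it, and a URLSession configured so responses from sensitive endpoints are never written to the on-disk cache. The subsystem name and the sample user/token values are constructed.

```swift
import Foundation
import os

// Constructed subsystem/category; the real app would use its bundle identifier.
let authLogger = Logger(subsystem: "com.example.app", category: "auth")

/// Logs a sign-in event without leaking the token into the device log.
func logSignIn(user: String, token: String) {
    // `.private` values are stored redacted in the log archive, so a sysdiagnose or
    // a device log pulled through Console shows <private> in place of the token.
    authLogger.info("Signed in user \(user, privacy: .private) token \(token, privacy: .private)")

    // The pattern the slide warns about: this writes the token in cleartext to stdout/log.
    // print("token: \(token)")
}

/// Session for endpoints that return sensitive data: everything stays in memory and no
/// response is persisted to the URL cache on disk.
func makeSensitiveSession() -> URLSession {
    let configuration = URLSessionConfiguration.ephemeral   // no on-disk cookies/credentials
    configuration.urlCache = nil                             // disable response caching entirely
    configuration.requestCachePolicy = .reloadIgnoringLocalAndRemoteCacheData
    return URLSession(configuration: configuration)
}

// Usage with constructed sample values.
logSignIn(user: "alice", token: "constructed-opaque-token")
let sensitiveSession = makeSensitiveSession()
```

For the other two sources, databases and other saved files, the same review question applies to each write: which fields end up on disk, and does the file carry a data-protection class (`FileProtectionType.complete`) or the Keychain accessibility class the previous slides describe.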
  11–13. Insecure Data Storage. Data stored inside the .ipa: 🔹 Configuration files 🔹 Executables. Look for testing credentials and endpoints! (Actually, any credentials and endpoints.) (Config comments may not be removed.)
  14. Insecure Data Storage. Data stored inside the .ipa: 🔹 Configuration files 🔹 Executables
    [22:05:16] juliapotapenko:MyAwesomeAppl.app $ strings MyAwesomeApp | grep "https://"
  15. Insecure Communication. App Transport Security: do not allow HTTP. (Compared on the slide: HTTP allowed for all endpoints vs. HTTP allowed for localhost.)
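The two App Transport Security settings the slide contrasts, written out as Info.plist fragments. This is an added example, not the deck's own configuration: the first block is the weak setting that turns ATS off for every host, the second keeps ATS on and only exempts localhost (and, via `NSAllowsLocalNetworking`, unresolvable local-network hosts used during development).

```xml
<!-- Weak: cleartext HTTP allowed for all endpoints. ATS is effectively disabled
     and App Store review asks you to justify it. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Corrected: ATS stays on for every remote host; only localhost (and local
     network hosts) may be reached over plain HTTP, e.g. a dev server or mock. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsLocalNetworking</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

When reviewing a build, grep the bundled Info.plist for `NSAllowsArbitraryLoads`; a `true` there in a release configuration is the finding the slide is about, and per-domain exceptions are the fix that keeps the rest of the app's traffic under ATS.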
  16–17. Insecure Communication. TLS Pinning: prevent MiTM. (Diagram: SERVER, iOS APP, ATTACKER; the app receives either the server's TLS cert or the attacker's MiTM cert.) ✅ Is it from a trusted CA? ✅ Not expired? ❓ Is it our server's cert?
  18–19. Insecure Communication. TLS Pinning: prevent MiTM. "It is just an Info.plist entry. I can bypass pinning by removing or changing it." Correct. But the main goal is to protect against MiTM when the attacker doesn't have access to a physical device.
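The third check from the diagram ("Is it our server's cert?") implemented programmatically, as an added example that is not from the deck. The slide's Info.plist approach declares the pins declaratively; this delegate answers the same question in code, which is useful on iOS versions or networking stacks that do not honour the plist entry. It first runs the system's own evaluation (trusted CA, validity, hostname) and then requires that some key in the presented chain hashes to a pinned value. The two pin strings are constructed placeholders; the real values are the base64 SHA-256 of `SecKeyCopyExternalRepresentation` for the server's and a backup key, computed the same way so a key rotation does not lock clients out.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that accepts a server trust only if, after the normal chain
/// evaluation, one of the chain's public keys matches a pinned hash.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: Set<String>

    init(pinnedKeyHashes: Set<String>) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP basic auth): leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Checks 1 and 2 from the slide: trusted CA chain, not expired (plus hostname match).
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Check 3: is this our server's key? A proxy certificate issued by a CA the user
        // installed passes the first two checks but carries a different key and fails here.
        if Self.chainContainsPinnedKey(trust, pinnedKeyHashes: pinnedKeyHashes) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Hashes the public key of every certificate in the chain and compares it to the pins.
    /// Pinning an intermediate or the leaf both work; pin at the level you control rotation for.
    private static func chainContainsPinnedKey(_ trust: SecTrust, pinnedKeyHashes: Set<String>) -> Bool {
        let count = SecTrustGetCertificateCount(trust)
        for index in 0..<count {
            guard let certificate = SecTrustGetCertificateAtIndex(trust, index),
                  let publicKey = SecCertificateCopyKey(certificate),
                  let keyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
                continue
            }
            // Note: this is the raw key representation, not the full DER SubjectPublicKeyInfo;
            // the pins must be computed over the same bytes.
            let hash = Data(SHA256.hash(data: keyData)).base64EncodedString()
            if pinnedKeyHashes.contains(hash) {
                return true
            }
        }
        return false
    }
}

// Usage: any request through this session is cancelled unless the chain carries a pinned key.
let pinningDelegate = PinningSessionDelegate(pinnedKeyHashes: [
    "PLACEHOLDER-PRIMARY-KEY-HASH-BASE64=",   // constructed placeholder, not a real pin
    "PLACEHOLDER-BACKUP-KEY-HASH-BASE64=",    // constructed placeholder for the rotation key
])
let pinnedSession = URLSession(configuration: .ephemeral, delegate: pinningDelegate, delegateQueue: nil)
```

The slide's own point still holds for this code: on a device the attacker controls, the delegate can be patched out just like a plist entry can be edited. The control's value is against a network-position attacker who has no such access, and pinning a backup key is what keeps a routine certificate renewal from turning into an outage.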
  20–21. Unintended Data Leakage: application backgrounding. What to protect? Sensitive data (think of accidental sharing). How to protect? Screen overlay; remove entered data; return to the previous screen.
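The first two mitigations from the slide, screen overlay and removing entered data, as an added example that is not the deck's code. The scene delegate covers the window with a blur before the system takes the snapshot shown in the app switcher, and posts a notification that views holding sensitive input observe to clear themselves. The notification name and the class names are assumptions for the example.

```swift
import UIKit

extension Notification.Name {
    /// Constructed name; posted when the scene goes to the background.
    static let clearSensitiveInput = Notification.Name("com.example.app.clearSensitiveInput")
}

/// Blur overlay placed over the whole window while the app is not active.
final class PrivacyOverlay {
    private var overlayView: UIVisualEffectView?

    func show(in window: UIWindow?) {
        guard let window = window, overlayView == nil else { return }
        let blur = UIVisualEffectView(effect: UIBlurEffect(style: .systemMaterial))
        blur.frame = window.bounds
        blur.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(blur)
        overlayView = blur
    }

    func hide() {
        overlayView?.removeFromSuperview()
        overlayView = nil
    }
}

final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private let privacyOverlay = PrivacyOverlay()

    // Fires before the app-switcher snapshot is taken (and on Control Center, calls, etc.),
    // so the snapshot shows the blur instead of the sensitive screen content.
    func sceneWillResignActive(_ scene: UIScene) {
        privacyOverlay.show(in: window)
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        privacyOverlay.hide()
    }

    // Second mitigation: once actually in the background, have sensitive fields empty
    // themselves so they are not restored with their contents.
    func sceneDidEnterBackground(_ scene: UIScene) {
        NotificationCenter.default.post(name: .clearSensitiveInput, object: nil)
    }
}

/// A text field that clears itself when the scene goes to the background.
final class SensitiveTextField: UITextField {
    override init(frame: CGRect) {
        super.init(frame: frame)
        isSecureTextEntry = true   // also keeps the value out of keyboard suggestions
        NotificationCenter.default.addObserver(self, selector: #selector(clearInput),
                                               name: .clearSensitiveInput, object: nil)
    }

    required init?(coder: NSCoder) {
        super.init(coder: coder)
        isSecureTextEntry = true
        NotificationCenter.default.addObserver(self, selector: #selector(clearInput),
                                               name: .clearSensitiveInput, object: nil)
    }

    @objc private func clearInput() {
        text = nil
    }
}
```

Using `sceneWillResignActive` rather than `sceneDidEnterBackground` for the overlay matters: the snapshot is captured as the app becomes inactive, so an overlay added only on backgrounding arrives too late for the app switcher image.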
  22. Summary. We've learned:
    - where we can read about common vulnerabilities
    - examples of top vulnerabilities: keychain, app-generated content, allowing HTTP, biometrics, data stored in the .ipa, TLS pinning, backgrounding, screen overlay