› Areas of interest focused on reverse engineering, software vulnerabilities, mobile devices security and OS internals › Not an Apple fanboy › But like all the cool kids... › Goals › This presentation aims at sharing experience and knowledge in iOS apps pentesting › Contact › @milkmix_
Most of Fortune-500 are deploying iPads › Growth in mobile banking › Mobile eShop › Internal applications › Need for security › Access and storage of sensitive information › Online payments
› XML files, sometimes in a binary format › Associates keys (CFString, CFNumber, …) with values › plutil (1) › Convert binary plist file to its XML representation
life ? › A lot of development environments are using self-signed certificates › No built-in method to include certificates in the simulator › Obviously, what did the developers ? › Let's check what's on stackoverflow.com...
› Implement the two following delegates only to bypass certificates validation › CanAuthenticateAgainstProtectionSpace › DidReceiveAuthenticationChallenge
› Still some information locally stored › plist › SQLite3 databases › ... › Could include sensitive data › Built-in protection › Data Protection API since iOS 4.0 › http://code.google.com/p/iphone-dataprotection/ › New attributes when working on files, Keychain entries or databases › Automatically used when calling NSURLCredentialStorage:setDefaultCredential but could not change protection type
kSecAttrAccessibleAfterFirstUnlock Unlocked at least once kSecAttrAccessibleAlways Do not use Data Protection API kSecAttrAccessibleWhenUnlockedThisDeviceOnly Only if unlocked, but do not store in backups kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly Unlocked at least once, but do not store in backups kSecAttrAccessibleAlwaysThisDeviceOnly Do not store in backups
classes are well protected › Still possible to introduce vulnerabilities if developing custom parsing functions for homegrown protocol › Beware to the old threats : format strings › Most likely result : app crash due to software exploitation protections › HTML / Javascript injection › UIWebView controller used to render web pages › More related to server side vulnerabilities
will have › Let's jailbreak it ! › There is another way › Stealthier to do a first recon › Still, jailbreaking the auditor's device is mandatory › Kudos to the jailbreakers teams for their work !
you can do it › Enough documentation on jailbreaking online › Personnal choice › Create a firmware with the smalest footprint as jailbreak detection mechanisms mostly check for Cydia presence › Use device that can be pwned using bootloader vulnerability in DFU mode › Use tcprelay.py relying on usbmux to ssh to the device through the usb cable
an assignment mixing pentest and code review › Use the Simulator › Certificates store › Based on a SQLite3 database › ~/Library/Application Support/iPhone Simulator/<sdk>/Library/Keychains/TrustStore.sqlite3 › GDSSecurity released a script automating the insertion of x509 certificates in the database › https://github.com/GDSSecurity/Add-Trusted-Certificate-to-iOS-Simulator
Method:42] › C++ equivalent › ObjectPointer->Method(42) › Pseudo C generated by the compiler › objc_msgSend(ObjectPointer, "Method", 42) › ARM assembly ›
application's algorithms › Tools › IDA Pro › Hopper › fixobjc.idc to resolve XREFs and parse Obj-C structures › Built-in functionality since version 6.2
application's algorithms › Allows to tamper data › But data tampering is not done with Burp ? › What happens when the protocol is encrypted ? › Need to find the function encrypting the data › Set breakpoint › Modify the data in-memory
Apple as part of iOS SDK › Standalone version or gdbserver with gdb version for ARM targets › Advantage of gdbserver is ability to launch GUI applications › Highly recommend gdbinit* by @osxreverser › Entitlement › Binary will not run out-of-the-box on iDevices › Need to add entitlements after extracting ARMv7 binary › ldid to the rescue * http://reverse.put.as/gdbinit/
you found something (SQL injection, …) › Possible to call methods using gdb's call directive › Too slow to modify data on the fly by hands › Solution › Use code injection to modify the behaviour of the application › Modify data automagically
loving Objective-C › Hooking is a bundled feature › It's called 'swizzling' › Principle › Use the functions provided by Apple, like › class_replaceMethod › method_exchangeimplementations