Breaking iOS Security Testing Barrier

September 15, 2023

  1. Why this talk?

     - iOS security testing is nuanced
     - iOS security testing is daunting
     - iOS security testing has a lot of tribal knowledge
     - It's fun!
  2. How we manage to get hands-on Apple hardware in the real world

     - Refurbished sellers are your best bet: Cashify, OLX, or your equivalent in your country
  3. Jailbreak detection

     - An app's capability to detect when it is running on a jailbroken device
     - This has become a baseline security mechanism for most apps (opinion)
     - Apps use a variety of libraries or methods to implement this, such as IOSSecuritySuite
  4. What to do when automated scripts or tools fail?

     - Using Frida we can start experimenting and hooking into interesting places and syscalls using early instrumentation
     - Start by looking at the unzipped IPA file, which contains the Frameworks folder
     - Check whether any dylib contains interesting strings or methods
     - Look at various syscalls such as pathconf, stat64, fopen, etc.
     - Code signature checks use the sys_csops syscall
  5. A quick tale from the trenches (case study)

     - Testing a hardened iOS application
     - The application was doing something unique: it was making use of svc #0x80 inline ARM assembly calls and using dlsym calls to obfuscate function calls
     - Using LLDB we patched those functions
     - Later the application was vulnerable to issues such as SSRF, as they were heavily banking upon the jailbreak detection check
     - ARM64 code to hex:
       mov x16, #1  ---> 300080D2
       svc #0x80    ---> 011000D4
  6. A quick tale from the trenches (case study)

     - Using the memory scan module of Frida, patch the exit syscall to 0x1F, 0x20, 0x03, 0xD5
     - This patches the exit syscall to a NOP
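Added Python example, not code from the talk: it reproduces the instruction encodings quoted on slides 5 and 6 (so the hex can be checked rather than trusted) and locates direct-syscall stubs of the form `mov x16, #N; svc #0x80` in a code buffer, which is how an app developer can inventory where their own anti-tamper code bypasses libSystem. The sample buffer is constructed; the syscall-name table only covers numbers I am certain of.

```python
import struct

# Encoders for the AArch64 instructions quoted on the slides (little-endian,
# i.e. the byte order seen in the Mach-O or in a Frida memory dump).
def enc_movz_x(rd, imm16, hw=0):
    """MOVZ Xd, #imm16, LSL #(16*hw).  'mov x16, #1' assembles to MOVZ x16, #1."""
    assert 0 <= rd < 32 and 0 <= imm16 <= 0xFFFF and hw in (0, 1, 2, 3)
    return struct.pack("<I", 0xD2800000 | (hw << 21) | (imm16 << 5) | rd)

def enc_svc(imm16):
    """SVC #imm16.  XNU's syscall gate on arm64 is 'svc #0x80'."""
    assert 0 <= imm16 <= 0xFFFF
    return struct.pack("<I", 0xD4000001 | (imm16 << 5))

NOP = struct.pack("<I", 0xD503201F)   # the 1F 20 03 D5 bytes from slide 6

def hexdump_word(word_bytes):
    """Render 4 bytes the way the slide does, e.g. '300080D2'."""
    return word_bytes.hex().upper()

# Only XNU syscall numbers I am certain of; others are reported numerically.
XNU_SYSCALL_NAMES = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close"}

def find_direct_syscalls(code):
    """Locate 'MOVZ x16, #N' immediately followed by 'svc #0x80' in a code
    buffer and return [(byte_offset, syscall_number, name_or_None), ...].
    Limitation: a number built with MOVK or loaded from a register is missed."""
    words = [struct.unpack_from("<I", code, i)[0] for i in range(0, len(code) - 3, 4)]
    hits = []
    for i in range(len(words) - 1):
        w = words[i]
        is_movz_x16 = (w & 0xFFE0001F) == 0xD2800010   # 64-bit MOVZ, hw=0, Rd=x16
        if is_movz_x16 and words[i + 1] == 0xD4001001:  # svc #0x80
            num = (w >> 5) & 0xFFFF
            hits.append((i * 4, num, XNU_SYSCALL_NAMES.get(num)))
    return hits

# Constructed sample: an exit stub, a write stub, and a decoy MOVZ with no SVC after it.
SAMPLE_CODE = (NOP + enc_movz_x(16, 1) + enc_svc(0x80)
               + NOP + enc_movz_x(16, 4) + enc_svc(0x80)
               + enc_movz_x(16, 1) + NOP)

if __name__ == "__main__":
    print(hexdump_word(enc_movz_x(16, 1)), hexdump_word(enc_svc(0x80)), hexdump_word(NOP))
    for off, num, name in find_direct_syscalls(SAMPLE_CODE):
        print(f"+0x{off:x}: svc #0x80 with x16={num} ({name or 'unknown'})")
```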
  7. Certificate pinning

     - Certificate pinning is a mechanism that allows accepting only authorized ("pinned") certificates for authentication of client-server connections
     - This mechanism is devised as a means of thwarting MiTM
     - For us, it essentially means we will not be able to use our interception proxies to manipulate API traffic
  8. What to do when automated scripts or tools fail?

     - Identify which protocols the application uses to communicate with the server
     - Does the application depend upon the OS-provided SSL library, or does it come with its own SSL library (Flutter, for example)?
     - Does the application have any hardcoded certificate file or public key stored?
     - Start by hooking at a lower level: Apple-provided networking libraries like NSURLSession
     - Hook into lower-level API calls like SecCertificateCreateWithBytes and replace the bytes with the Burp cert bytes
  9. Attacking webviews

     - Webviews are in-app browser components for displaying interactive web content
     - iOS apps generally use WKWebView; UIWebView is deprecated
     - Webviews have a property to call native code from JavaScript using JS bridges
  10. Common ways to attack webviews

      - Looking at application deeplinks
      - Looking for the presence of HTML injection (or XSS)
      - Once you find an HTML injection you can use file:/// and then exfiltrate the data back to your server
      - See if the webview has any JS bridges exposed and what sort of data they serve
  11. Common ways to attack webviews

      Frida script that enumerates live WKWebView instances and prints their security-relevant settings:

      ObjC.choose(ObjC.classes['WKWebView'], {
        onMatch: function (wk) {
          console.log('onMatch: ', wk);
          console.log('URL: ', wk.URL().toString());
          console.log('javaScriptEnabled: ', wk.configuration().preferences().javaScriptEnabled());
          // private WKPreferences key, read via KVC
          console.log('allowFileAccessFromFileURLs: ', wk.configuration().preferences().valueForKey_('allowFileAccessFromFileURLs').toString());
          console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString());
          // private WKWebViewConfiguration key, read via KVC
          console.log('allowUniversalAccessFromFileURLs: ', wk.configuration().valueForKey_('allowUniversalAccessFromFileURLs').toString());
        },
        onComplete: function () { console.log('done for WKWebView!'); }
      });
  12. A quick tale from the trenches (case study)

      - Found a deeplink for an iOS application which was used to open the T&C page in a webview
      - Turns out the deeplink had no URL validation
      - We were able to load an attacker-controlled URL and then access the JS bridges provided on that webview
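The fix for the case study above is a strict allowlist on the deeplink URL before it reaches the webview. Added Python example, not code from the talk or from any app: the host `trusted.example` and the deeplink payloads are constructed, and the same rules would be written in Swift on the device.

```python
from urllib.parse import urlsplit

# Constructed: the only host the T&C webview is allowed to load.
ALLOWED_HOSTS = {"trusted.example"}

def is_safe_webview_url(raw):
    """Allowlist check for a URL arriving via a deeplink before it is handed to
    WKWebView.  Accepts only https, an exact allowlisted host, no userinfo and
    the default port; everything else (file://, javascript:, http://, lookalike
    hosts, scheme-relative URLs) is rejected."""
    try:
        parts = urlsplit(raw.strip())
        host = parts.hostname          # lowercased, without userinfo or port
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":        # urlsplit already lowercases the scheme
        return False
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False                   # 'https://trusted.example@evil.example' style tricks
    if port not in (None, 443):
        return False
    return True

# Constructed deeplink payloads and the verdict the validator must give.
CASES = [
    ("https://trusted.example/terms", True),
    ("HTTPS://Trusted.Example/terms?lang=en", True),
    ("https://trusted.example:443/terms", True),
    ("http://trusted.example/terms", False),
    ("file:///etc/hosts", False),
    ("javascript:alert(1)", False),
    ("https://trusted.example.evil.example/terms", False),
    ("https://trusted.example@evil.example/terms", False),
    ("https://evil.example@trusted.example/terms", False),
    ("https://trusted.example:8443/terms", False),
    ("//trusted.example/terms", False),
]

def check_all():
    """Return (url, passed) for every case; passed means the verdict matched."""
    return [(url, is_safe_webview_url(url) == expected) for url, expected in CASES]
```

On the native side the JS bridge handler should additionally check the calling frame's origin (WKScriptMessage.frameInfo.securityOrigin) instead of assuming only allowlisted pages ever load.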
  13. Attacking cryptographic operations

      - Cryptographic operations in iOS development are crucial for securing data, communication, and overall app integrity
      - They play a significant role in ensuring the privacy and security of user information and maintaining the trust of app users
  14. Common ways to figure out crypto operations

      - Generally iOS applications tend to use the CCCrypt API, which the Apple ecosystem provides, to do encryption properly
      - Hook into the above library using objection: ios monitor crypto
      - Use frida-trace:
        frida-trace -U -i "*EVP*" appname
        frida-trace -U -i "*SHA*" appname
      - In the above frida-trace commands, keep experimenting with various keywords
  15. Attacking local storage

      - Devs tend to store information in local storage; sometimes it could be sensitive
      - Information we have seen commonly stored in local storage:
        Property List (plist) files
        CoreData and SQLite databases
        NSUserDefaults
        Keychain
  16. Common ways to look for sensitive stuff

      objection -g AppName explore
      then insert "Command", where "Command" can be:
        env
        ios nsuserdefaults get
        ios plist cat filename.plist
        ios keychain dump --json keychain.json
  17. A quick tale from the trenches (case study)

      - We have seen developers store AWS security creds in the Keychain, which in turn had excess privileges that we used to escalate privileges in their cloud account
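Added Python example, not code from the talk: a triage pass over a decoded plist (for instance the NSUserDefaults store or a Keychain JSON dump converted to a dict, as produced by the objection commands on slide 16) that flags credential-looking key names and value shapes such as AWS access key IDs and JWTs. The plist content is constructed and the AWS-style key is a placeholder, not a real credential.

```python
import plistlib
import re

# Key names that usually mean the value is a credential (case-insensitive).
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private|credential", re.I)
# Value shapes worth flagging regardless of the key name.
VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private-key-pem": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def find_secrets(node, path="$"):
    """Walk a decoded plist (nested dict/list/scalars) and return (path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(str(key)) and isinstance(value, (str, bytes)) and value:
                findings.append((child, f"sensitive key name '{key}'"))
            findings.extend(find_secrets(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_secrets(value, f"{path}[{i}]"))
    elif isinstance(node, (str, bytes)):
        text = node if isinstance(node, str) else node.decode("latin-1")
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(text):
                findings.append((path, f"value looks like {name}"))
    return findings

def scan_plist(data):
    """Parse raw plist bytes (XML or binary, both handled by plistlib) and scan them."""
    return find_secrets(plistlib.loads(data))

# Constructed sample resembling an app's NSUserDefaults plist; no real credentials.
SAMPLE_PLIST = plistlib.dumps({
    "apiBaseUrl": "https://api.example/v1",
    "theme": "dark",
    "session": {"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"},
    "aws": {"accessKeyId": "AKIAEXAMPLEEXAMPLE01", "secretAccessKey": "constructed-placeholder"},
    "recentIds": [1, 2, 3],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for path, reason in scan_plist(SAMPLE_PLIST):
        print(f"{path}: {reason}")
```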
  18. Finding hidden functions

      - Generally, iOS apps are written in Objective-C or Swift (unless you are dogmatic and use Rust)
      - Developers tend to use internal company names or specific names like debugMenu or debugger, etc.
  19. Common techniques to figure out hidden functions

      - Enumerate the list of classes and methods and go through each of them (the hacker way would be to "grep for interesting strings")
  20. A quick tale from the trenches (case study)

      - Tested a gaming application which had a developer console embedded (intended for dev operations)
      - We forcefully called it using Frida and then triggered an internal dev console, which helped us get unlimited coins, which means we won the game!
  21. Shoutouts & people to follow

      - Hexploitable
      - Ole André
      - Leon Jacobs
      - Jiska Classen
      - Eduardo Novella
      - FrenchYeti