Breaking iOS Security Testing Barrier

Transcript

1. Breaking iOS Security Testing Barrier How we did it &

   How you can to

2. Akshay Product Security Engineer mast3root Web2/Mobile security specialist Bharath Product

   Security Engineer 0xbharath https://disruptivelabs.in

3. Why this talk? iOS security testing is nuanced iOS security

   testing is daunting iOS security testing has a lot of tribal knowledge It’s fun!

4. The logistics of iOS security testing

5. What device should you buy? https://idevicecentral.com/ios-jailbreak-tool-finder/

6. How we manage to get hands-on Apple hardware in real

   world Refurbished sellers are your best bet: Cashify OLX Your equivalent in your country

7. Structure of an iOS application

8. Jailbreak detection An app’s capability to detect when they are

   running on a jailbroken device This has become a baseline security mechanism for most apps (opinion) Apps use a variety of libraries or methods to implement this such as IOSSecuritySuite

9. Bypassing Jailbreak detection Using Objection objection -g com.attack.ipaname explore -s

   "ios jailbreak disable"

10. Bypassing Jailbreak detection Frida Hooks Frida trace frida-trace -U -i

    "*jailbreak*" appname

11. Bypassing Jailbreak detection LLDB Cydia tweaks

12. What to do when automated scripts or tools fail? Using

    frida we can start experimenting and start hooking into interesting places and syscalls using early instrumentation. Start looking at the unzipped IPA file which contains the Frameworks folder. Check if anything dylib contains any interesting strings or methods Start looking at various syscalls like pathconf , stat64 , fopen etc. Code signature checks using sys_csops syscall

13. A quick tale from trenches (case study) Testing a hardened

    iOS application The application was doing something unique, it was making using svc #0x80 inline arm assembly call and using dlsym calls to obsfucate function calls Using LLDB we patched those functions Later the application was vulnerable to the issues SSRF as they were heavily banking upon the jailbreak detection check ARM64 code to Hex code mov x16 , #1 ---> 300080D2 svc #0x80 ---> 011000D4

14. A quick tale from trenches (case study) Using memory scan

    module of Frida Patch the exit syscall to 0x1F , 0x20 , 0x03 , 0xD5 This with patch the exit syscall to the NOP

15. Certificate Pinning Certificate pinning is mechanism that allows accepting only

    authorized ("pinned") certificates for authentication of client-server connections. This mechainism is devised as a means of thwarting MiTM. For us, it essentially means, we will not be able to use our interception proxies to manipulate API traffic.

16. Bypassing Certificate Pinning - Tips Use Objection Check info.plist SSLkillswitch

    v2 Scripts available on Frida codeshare

17. What to do when automated scripts or tools fail? Identify

    which protocols the application uses to communicate with the server Does the application depends upon the OS provided SSL library or it comes with its own SSL library (Flutter for example) Does the application has any hardcoded Certificate file, public key stored. Start by hooking at lower level Apple provided networking library like NSURLSession Hook into lower level api calls like SecCertificateCreateWithBytes and replace the bytes with Burp cert bytes

18. Attacking Webviews Webviews are in-app browser components for displaying interactive

    web content iOS apps generally use WKWebview . UIWebview is deprecated Webviews have a property to call native code from Javascript using JSBridges

19. Common ways to attack Webviews Looking at application deeplinks Looking

    for the presence of HTML injection (or XSS) Once you find a HTML injection you can Use file:/// and then exfiltrate the data back to your server See if the webview has any JSBridges exposed and what sort of data they serve

20. Common ways to attack Webviews ObjC.choose(ObjC.classes['WKWebView'], { onMatch: function (wk)

    { console.log('onMatch: ', wk); console.log('URL: ', wk.URL().toString()); console.log('javaScriptEnabled: ', wk.configuration().preferences().javaScriptEnabled()); console.log('allowFileAccessFromFileURLs: ', wk.configuration().preferences().valueForKey_('allowFileAccessFromFileURLs').toString()); console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString()); console.log('allowUniversalAccessFromFileURLs: ', wk.configuration().valueForKey_('allowUniversalAccessFromFileURLs').toString()); }, onComplete: function () { console.log('done for WKWebView!'); } });

21. A quick tale from trenches (case study) Found a deeplink

    for an iOS application which used to open the T&C page on webview Turns out the deeplink had no URL validation We are able to load an attacker controlled URL and then access JSbridges provided on that Webview

22. Attacking Cryptographic operations Cryptographic operations in iOS development are crucial

    for securing data, communication, and overall app integrity. They play a significant role in ensuring the privacy and security of user information and maintaining the trust of app users.

23. Common ways to figure out crypto operations Generally iOS applications

    tend to use cccrypt library which is provided by apple ecosystem to properly do encryption stuff Hook into above library using objection ios monitor crypto Use frida trace frida-trace -U -i "*EVP*" appname frida-trace -U -i "*SHA*" appname In the above frida command keep on experimenting with various keywords

24. Attacking local storage Devs tend to store information to local

    storage, sometimes it could be sensitive Information we have seen commonly stored on local storage: Property List (PList) files CoreData and SQLite databases NSUserDefaults Stores Insecure Data Keychain

25. Common ways to look for sensitive stuff it "Command" can

    be: env ios nsuserdefaults get ios plist cat filename.plist ios keychain dump --json keychain.json objection -g AppName explore > Insert "Command"

26. A quick tale from trenches (case study) We have seen

    developers store AWS Security Creds in Keychain which in turn had excess privileges that we used to escalate privileges in their cloud account

27. Finding Hidden functions Generally, iOS apps are written in Objective

    C or Swift (unless you are dogmatic and use rust) Developers tend to use internal company names or specific names like debugMenu or debugger etc

28. Common techniques to figure out hidden functions Enumerate list of

    classes and methods and start going through each of them ( Hacker way would be "grep interesting strings")

29. A quick tale from trenches (case study) Tested a gaming

    application in which app had a developer console embedded (Intended to do dev operations) We forcefully called it using Frida and then triggered an internal dev console which helped us get unlimted coins which means we won the game!

30. Shoutouts & people to follow Hexploitable Ole André Leon Jacobs

    Jiska Classen Eduardo Novella FrenchYeti