Staring into chaos

Quick evaluation on security postures of iOS/Android app store. (OWASP Saitama MTG #8, talk #1)

Takahiro Yoshimura

June 28, 2022
Transcript

  1. STARING INTO CHAOS (OWASP SAITAMA MTG #8, TALK #1)
     Image by ST1138 on flickr, CC-BY-NC-ND 2.0
  2. WHO I AM
     ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey
     ▸ Monolith Works Inc.: co-founder, CTO; security researcher
     ▸ Meiji University Cyber Security Institute: visiting researcher
  3. WHAT I DO
     ▸ Security research and development
     ▸ iOS/Android apps → financial, games, IoT related, etc. (>200) → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
     ▸ Windows/Mac/Web/HTML5 apps → POS, RAD tools etc.
     ▸ Network/Web penetration testing → PCI-DSS etc.
     ▸ Search engine reconnaissance (aka Google Hacking)
     ▸ Whitebox testing
     ▸ Forensic analysis
  4. WHAT I DO
     ▸ CTF
     ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: Won
     ▸ METI CTFCJ 2012: 3rd
     ▸ DEF CON 21 CTF: 6th
     ▸ DEF CON 22 OpenCTF: 4th
     ▸ Presentations and talks: DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020) etc.
     Image by Wiyre Media on flickr, CC-BY 2.0
  5. ANDROID: STATIC ANALYSIS + DEATH TRAP
     ▸ At publication time, automated analysis is run to confirm the app is not malicious
     ▸ Then, on a user report or a spot check: account BAN → the death trap
     ▸ Almost no warning
     ▸ Appeals are almost never heard (the bodies pile up on HN and elsewhere)
     ▸ When the policies are revised, the app is taken down until you respond
     ▸ Big or small, you are nothing more than one user
     Image by Daniel Arrhakis - Visual Arts on flickr, CC-BY-NC 2.0
  6. IOS: MANUAL REVIEW
     ▸ At publication time a human checks the app
     ▸ UI guideline violations etc.; called "UI guidelines" but in substance an all-encompassing set of rules
     ▸ Reject on violation
     ▸ Often the source of grievances
     ▸ They do respond with a certain amount of flexibility
     Image by Giåm on flickr, CC-BY-SA 2.0
  7. A. REMOTE FLAGS TO CONTROL BEHAVIOR
     ▸ Technique for slipping through review by having the backend API server hand out "safe" content
     ▸ An obviously test-only environment gets rejected → it has to be set up reasonably well
     ▸ Seen fairly often
     ▸ Review environment / staging environment etc.
     Image by Vinicius | www.viniciuscvenancio.com.br on flickr, CC-BY-NC-ND 2.0
  8. CASE #0
     ▸ Static analysis
       * Extract: checkra1n + frida-ios-dump
       * Analysis: Ghidra 10
     ▸ Indications that it goes through an API server
     ▸ Aside: great trouble getting into DFU mode → interference from macOS is probably the cause → checkra1n 0.12.4 does not work on M1
  9. CASE #0
     ▸ Traffic analysis
       * Aggregation: StrongSwan 5.8 + iptables
       * Analysis: Burp Suite (transparent proxy) ※ as long as a transparent proxy mode is available, ZAP/mitmproxy etc. work just as well
     ▸ Observed that the behavior is controlled by the API server's responses
  10. CASE #1: SUDOKU APP
     ▸ But... the content of the ads...
     ▸ Possibly the developer changed the ad source settings → whatever the reason, inappropriate
     → Naturally, apps do get rejected because of their ads
     ▸ With a child's Apple ID the ad content is supposed to be restricted, but... nasty advertisers run rampant
  11. CASE #2: ADULT CONTENT
     ▸ Serving so-called uncensored content? → this is wrong
     ▸ In the first place: iOS does not allow this kind of thing → consistent through both the Jobs era and the Cook era
     ▸ It is reasonable to conclude that it was concealed during review
  12. CASE #3: SNS
     ▸ Most are distributed at 12+; a trend?
     ▸ LINE: 12+
     ▸ Snapchat/Facebook/Instagram: 12+
     ▸ TikTok: 12+
     ▸ Twitter: 17+ (← why?)
     ▸ Telegram: 17+ (← why??)
  13. CASE #3: SNS
     ▸ Kakao Talk: 4+???
     ▸ Following precedent, wouldn't 12+ be appropriate?
     ▸ Possibly it obtained 4+ early on, when it had fewer features or regulation was lighter, and has drifted along ever since? (i.e. changes never declared?)
  14. B. REVIEWERS MATTER
     ▸ Method: keep re-rolling the reviewer "gacha" until you get through
     ▸ There are also cases of getting through by changing the App ID
     ▸ Review is, to begin with, a technically hard problem
     ▸ A huge volume of apps has to be processed
     ▸ Serious analysis takes time
     ▸ Reasonable to assume they are checking the broad quality while pressed for time
     Image by kleuske on flickr, CC-BY-SA 2.0
  15. C. EXPEDITED REVIEW REQUESTED
     ▸ Method: request an expedited review to apply pressure
     ▸ Previously not available for new apps
     ▸ Can they spot hidden features or malicious code? → reasonable to assume reliable detection is impossible
     ▸ A new app would probably get careful attention, but an app that has already been crawled once...
     Image by foshydog on flickr, CC-BY-NC-ND 2.0
  16. CONCLUSION
     ▸ Manual review can by no means be called more effective than automated analysis + death trap
     ▸ The popular belief that iOS is safe because humans are watching has no basis whatsoever; if anything it is dangerous (i.e. false sense of …)
     ▸ It only verifies the state at a single point in time → the Android approach has its pros and cons, but it is superior
     ▸ Humans make human mistakes; their only advantage is intuition → oversights, state of mind etc.
     Image by chaim zvi on flickr, CC-BY-ND 2.0
  17. Q?

  18. TIKTOK ..
     ▸ Why we stopped seeing it: iOS 14 added an API for identifying the type of the pasteboard content
     ▸ iOS 15: Secure Pasteboard; improved so that the pasteboard cannot be read by anything other than the active app → a defense mechanism Android has had from before ※ a notification like the one introduced in iOS 14 has been added in Android 12... by that logic it should be unnecessary?
     ▸ TikTok: may have changed its approach → some kind of workaround? needs verification
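As an added example (not from the talk), the two pasteboard access patterns the last slide refers to, in Swift: reading the content outright versus the iOS 14 pattern-detection query that tells an app what kind of content is there without handing it over. `PasteboardInspector` and its method names are hypothetical.

```swift
import UIKit

// Added example, not from the talk: contrasts reading the pasteboard outright
// with the iOS 14 pattern-detection query the last slide refers to.
// `PasteboardInspector` and its method names are hypothetical.
enum PasteboardInspector {

    /// Old style: pull the actual text. On iOS 14+ this is the read that
    /// shows the system "pasted from ..." banner, which is how the earlier
    /// TikTok behavior became visible to users.
    static func readDirectly() -> String? {
        return UIPasteboard.general.string
    }

    /// iOS 14 style: ask the system whether the pasteboard *looks like* a URL
    /// or a number. The app receives only the matched pattern set, not the
    /// content, so nothing is read and the system does not treat it as a paste.
    @available(iOS 14.0, *)
    static func probe(completion: @escaping (Set<UIPasteboard.DetectionPattern>) -> Void) {
        let wanted: Set<UIPasteboard.DetectionPattern> = [.probableWebURL, .number]
        UIPasteboard.general.detectPatterns(for: wanted) { result in
            switch result {
            case .success(let matched):
                completion(matched)
            case .failure:
                completion([])   // treat "cannot tell" as "nothing of interest"
            }
        }
    }

    /// Least-privilege flow: probe first, and read the content only after an
    /// explicit user paste action and only when the probe says a URL is there.
    @available(iOS 14.0, *)
    static func importURL(userRequestedPaste: Bool,
                          completion: @escaping (URL?) -> Void) {
        guard userRequestedPaste else {
            completion(nil)      // never read on launch or in the background
            return
        }
        probe { matched in
            guard matched.contains(.probableWebURL) else {
                completion(nil)
                return
            }
            completion(UIPasteboard.general.url)
        }
    }
}
```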