Introduction to penetration testing by Jeroen Willemsen from Xebia. He taught us some hacking skills by showing how to jailbreak and open applications on iOS, sniff traffic and bypass SSL/ATS.
Why would you care? You … Therefore … Create a banking app You need to secure transactions, PII Create a game You want to prevent cheaters to spoil the fun Create an app using personal information (email, gps-location, phone number, …) You need to take care of securing PII or you can get a fine Create an app for a shop You want to prevent stealing items / financial information / get wrong transactions Create a notebook app You need to secure the notebooks of your customers Create an app that costs money You want to prevent it being pirated Create an app with in-app charges You do not want people to bypass them
OWASP MASVS & MSTG u Mobile Application Security Verification Standard (MASVS) u https://github.com/OWASP/ow asp-masvs u Mobile Security Testing Guide (MSTG) u https://github.com/OWASP/o wasp-mstg
Before we get started u Get a 64 bit iOS device running ios 9.2 – 9.3.3 and use the Pangu jailbreak u Get an iPhone 7 with iOS 10.1.1 or any other iOS 64 bit device with iOS 10.2 and use the Yalu jailbreak.
Before we get started u Install on your iDevice: openSSH, Erica utilities, iOS toolchain, stashing for ios 9.2-10.2 BigBoss Recommended tools , MobileTerminal u iFunbox for app instalation u mobSF for quick analysis. u Update the DVIA app to be compatible with the latest version of iOS and Xcode. u Setup your favorite proxy, such as ZAP
Your secure connection: To pin or not to pin? u You can pin to the certificate (or keep a list of certificates) u Or use an intermediate certificate u You can pin to the public key (or keep a list of public keys) u Much to say about this…. Is another presentation!
Your secure connection: To pin or not to pin? u Trustkit, u Alamofire (or AF-Networking), u use NSUrlSessoin and configure connection:canAuthenticateAgainstProtectionSpace: & con nection:didReceiveAuthenticationChallenge:
To pin or not to pin? Assume not jailbroken or… The more standard pinner you use, the most likely there is a killswitch for cydia… (disclaimer: don’t read this as a motivator to create a DIY pinner!)
Your secure connection: before we begin u Install preference loader u Install SSL Killswitch 2 u Get your favorite proxy: OWASP ZAP, Burp, Charles proxy u Pick an app and try it out J
Payload encryption u If you want to prevent your data being read or injected after SSL compromise u Was removed from the MASVS u Can be very error-prone: please follow standards & DO NOT INVENT YOUR OWN! u Note that there are a few cases when you might want to consider it: loads of PII, Financial data.
Your storage: NSUserDefaults “The NSUserDefaults class provides a programmatic interface for interacting with the defaults system. The defaults system allows an application to customize its behavior to match a user’s preferences”
Your storage: NSUserDefaults “The NSUserDefaults class provides a programmatic interface for interacting with the defaults system. The defaults system allows an application to customize its behavior to match a user’s preferences”
Your storage: Plists in general u You can store: u Application preferences u Small amounts of data: primarily strings and numbers u Inefficient with large blocks of binary data
Your storage: Before we begin u Install openSSH on your iDevice u Install FileZilla on your Mac for file extraction u Install Dvia u Easy way out: try iExplorer to edit plist files (will skip for now)
Your storage: CoreData u “Core Data is a framework that you use to manage the model layer objects in your application” (Apple developer) u Well integrated into iOS u You can use the Data Model editor & inspector u Uses predicates
Your storage: Realm u “Realm Swift enables you to efficiently write your app’s model layer in a safe, persisted and fast way. ” (realm website) u Uses its own persistence engine u Is fast
Your storage: Before we begin u Install openSSH on your iDevice u Install FileZilla on your Mac for file extraction u Install “DB browser for SQLite” for CoreData u Install “Realm browser” for Realm file u Install Dvia
Your storage: CoreData & Realm u CoreData: u Consider trying out encrypted-core-data from project-imas u DIY using NSValueTransformer together with RNCrypto or CommonCrypto u Use filesystem protection / ios-level data protection when setting up the database. u Effective security requires a passcode.
Your storage: CoreData & Realm u Realm: Encrypt the data at rest: u Use filesystem protection / ios-level data protection let configuration = Realm.Configuration(encryptionKey: getKey() as Data) let realm = try! Realm(configuration: configuration) // Add an object try! realm.write { let obj = EncryptionObject() obj.stringProp = "abcd" realm.add(obj) }
Your storage: Keychain u An Sqlite database controlled by securityd daemon. u Access is based on “keychain-access-groups,” “application- identifier,” and “applicationgroup” entitlements. u Security implementation nicely explained in https://www.apple.com/business/docs/iOS_Security_Guide.p df u You specify an Access Control object on how the keychain entry should be secured.
You storage: keychain u You specify a protection class: u Don’t use: kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly u To force a passcode: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, u No background processing > 10 seconds, No backup u Default = kSecAttrAccessibleWhenUnlocked u You specify flags: userPresence, touchIDAny, touchIDCurrentSet, devicePasscode, ….
Your storage: Keychain u Want to dump keychains? Use https://github.com/ptoomey3 /Keychain-Dumper u Or work your way through /private/var/Keychains/key chain-2.db
Your storage: Keychain u Dumping keys /passwords still requires to provide your touch-ID or passcode depending on the Access Control objects created. u You can use the secure enclave for signing using ECDSA, u kSecAttrTokenID = kSecAttrTokenIDSecureEnclave . u Keys and operations reside in the SE: we did not extract the private key. u Interesting project: Valet from Square
Your storage: Filesystem protection u Files are encrypted by iOS. u https://www.apple.com/business/docs/iOS_Security_Guide.pdf u See FileProtectionType (swift) or NSFileProtectionType (obj-c) for more details. u Similar to keychain protection class u Default is already pretty usefull in iOS 9: unlock after first unlock. u Use iExplorer or iFunbox to check whether files are encrypted while the device is locked.
One gentle reminder…. ENCRYPTION of the data does NOT help you in protecting the INTEGRITY of the data. For this you SIGN or HMAC the data. - Or you use AES-GCM, which is only a private API -
There’s way more! u Circumventing anti-piracy methods u Circumventing jailbreak detection u Using Cycript to bypass controls in your Objective-C application u ….. u Check the DVIA u Check the Owasp Mobile Application Security Verification Standard u Check the Owasp Mobile Security Testing Guide u Check ios Secure coding guide and iOS Security guide.
Wrap up u Your secure connection: u Always have a secure connection u Pin if possible & needed u Use payload encryption if really necessary u Your storage: u Don’t use plists or NSUserdefaults for sensitive information u Encypt data at rest u Use static analyzers
cocoaheadsnl
ryou0634
hpprc
eumesy
mhangyo
shuntaros
uepon73
kei18
kikuzo
emi0726
yuri00
johannyjm
malarkey
kevinliebholz
mza
keathley
sugarenia
pedronauck
geeforr
edds
cromwellryan
jnunemaker
iamctodd
danielanewman