Introduction to penetration testing by Jeroen Willemsen from Xebia. He taught us some hacking skills by showing how to jailbreak and open applications on iOS, sniff traffic and bypass SSL/ATS.
banking app You need to secure transactions, PII Create a game You want to prevent cheaters to spoil the fun Create an app using personal information (email, gps-location, phone number, …) You need to take care of securing PII or you can get a fine Create an app for a shop You want to prevent stealing items / financial information / get wrong transactions Create a notebook app You need to secure the notebooks of your customers Create an app that costs money You want to prevent it being pirated Create an app with in-app charges You do not want people to bypass them
device running ios 9.2 – 9.3.3 and use the Pangu jailbreak u Get an iPhone 7 with iOS 10.1.1 or any other iOS 64 bit device with iOS 10.2 and use the Yalu jailbreak.
Erica utilities, iOS toolchain, stashing for ios 9.2-10.2 BigBoss Recommended tools , MobileTerminal u iFunbox for app instalation u mobSF for quick analysis. u Update the DVIA app to be compatible with the latest version of iOS and Xcode. u Setup your favorite proxy, such as ZAP
You can pin to the certificate (or keep a list of certificates) u Or use an intermediate certificate u You can pin to the public key (or keep a list of public keys) u Much to say about this…. Is another presentation!
Trustkit, u Alamofire (or AF-Networking), u use NSUrlSessoin and configure connection:canAuthenticateAgainstProtectionSpace: & con nection:didReceiveAuthenticationChallenge:
The more standard pinner you use, the most likely there is a killswitch for cydia… (disclaimer: don’t read this as a motivator to create a DIY pinner!)
being read or injected after SSL compromise u Was removed from the MASVS u Can be very error-prone: please follow standards & DO NOT INVENT YOUR OWN! u Note that there are a few cases when you might want to consider it: loads of PII, Financial data.
you use to manage the model layer objects in your application” (Apple developer) u Well integrated into iOS u You can use the Data Model editor & inspector u Uses predicates
iDevice u Install FileZilla on your Mac for file extraction u Install “DB browser for SQLite” for CoreData u Install “Realm browser” for Realm file u Install Dvia
out encrypted-core-data from project-imas u DIY using NSValueTransformer together with RNCrypto or CommonCrypto u Use filesystem protection / ios-level data protection when setting up the database. u Effective security requires a passcode.
at rest: u Use filesystem protection / ios-level data protection let configuration = Realm.Configuration(encryptionKey: getKey() as Data) let realm = try! Realm(configuration: configuration) // Add an object try! realm.write { let obj = EncryptionObject() obj.stringProp = "abcd" realm.add(obj) }
daemon. u Access is based on “keychain-access-groups,” “application- identifier,” and “applicationgroup” entitlements. u Security implementation nicely explained in https://www.apple.com/business/docs/iOS_Security_Guide.p df u You specify an Access Control object on how the keychain entry should be secured.
Don’t use: kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly u To force a passcode: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, u No background processing > 10 seconds, No backup u Default = kSecAttrAccessibleWhenUnlocked u You specify flags: userPresence, touchIDAny, touchIDCurrentSet, devicePasscode, ….
provide your touch-ID or passcode depending on the Access Control objects created. u You can use the secure enclave for signing using ECDSA, u kSecAttrTokenID = kSecAttrTokenIDSecureEnclave . u Keys and operations reside in the SE: we did not extract the private key. u Interesting project: Valet from Square
u https://www.apple.com/business/docs/iOS_Security_Guide.pdf u See FileProtectionType (swift) or NSFileProtectionType (obj-c) for more details. u Similar to keychain protection class u Default is already pretty usefull in iOS 9: unlock after first unlock. u Use iExplorer or iFunbox to check whether files are encrypted while the device is locked.
detection u Using Cycript to bypass controls in your Objective-C application u ….. u Check the DVIA u Check the Owasp Mobile Application Security Verification Standard u Check the Owasp Mobile Security Testing Guide u Check ios Secure coding guide and iOS Security guide.
secure connection u Pin if possible & needed u Use payload encryption if really necessary u Your storage: u Don’t use plists or NSUserdefaults for sensitive information u Encypt data at rest u Use static analyzers
cocoaheadsnl
circulation
nttcom
niftycorp
hponka
tsantalis
takeshit_m
akifumi_wachi
aya_se
naok615
tmm1
marktimemedia
rmw
eitanlees
eileencodes
rasmusluckow
moore
aki_iinuma
thoeni
cromwellryan
aleyda
kneath
![About me u Jeroen Willemsen u @commjoenie u [email protected] ”Full](https://files.speakerdeck.com/presentations/5675bf58326e464da9e172e9035db0cf/slide_1.jpg){kind=link}
![Questions? u @commjoenie u [email protected]](https://files.speakerdeck.com/presentations/5675bf58326e464da9e172e9035db0cf/slide_51.jpg){kind=link}