
Introduction into iOS security testing

CocoaHeadsNL
February 15, 2017

Introduction to penetration testing by Jeroen Willemsen from Xebia. He taught us some hacking skills by showing how to jailbreak and open applications on iOS, sniff traffic and bypass SSL/ATS.


Transcript

  1. Introduction into iOS security testing. CocoaHeads, February 2017, Jeroen Willemsen

  2. About me
     - Jeroen Willemsen
     - @commjoenie
     - jwillemsen@xebia.com
     - "Full stack developer", "risk management" & "security"

  3. Agenda
     - Introduction
     - DVIA, MASVS & MSTG
     - Getting started
     - Your secure connection
     - Your storage

  4. Why would you care? (You ... / Therefore ...)
     - Create a banking app: you need to secure transactions and PII
     - Create a game: you want to prevent cheaters from spoiling the fun
     - Create an app using personal information (email, GPS location, phone number, ...): you need to take care of securing PII, or you can get a fine
     - Create an app for a shop: you want to prevent stolen items, stolen financial information and wrong transactions
     - Create a notebook app: you need to secure the notebooks of your customers
     - Create an app that costs money: you want to prevent it being pirated
     - Create an app with in-app charges: you do not want people to bypass them
  5. DVIA
     - Damn Vulnerable iOS App
     - Open source vulnerable app, maintained by @prateekg147

  6. OWASP MASVS & MSTG
     - Mobile Application Security Verification Standard (MASVS): https://github.com/OWASP/owasp-masvs
     - Mobile Security Testing Guide (MSTG): https://github.com/OWASP/owasp-mstg

  7. Before we get started
     - Get a 64-bit iOS device running iOS 9.2 – 9.3.3 and use the Pangu jailbreak
     - Or get an iPhone 7 with iOS 10.1.1, or any other 64-bit iOS device with iOS 10.2, and use the Yalu jailbreak

  8. WARNING! Many junior mistakes ahead!

  9. Before we get started
     - Install on your iDevice: OpenSSH, Erica Utilities, iOS toolchain, stashing for iOS 9.2-10.2, BigBoss Recommended Tools, MobileTerminal
     - iFunbox for app installation
     - MobSF for quick analysis
     - Update the DVIA app to be compatible with the latest version of iOS and Xcode
     - Set up your favorite proxy, such as ZAP

  10. Your secure connection
     - App Transport Security (ATS)
     - To pin or not to pin?
     - Workarounds at SSL pinning!
     - Payload encryption?
  11. Application Transport Security (quotation slide)

  12. Source: https://developer.apple.com

  13. (image slide, no text)
  14. Your secure connection: To pin or not to pin?
     - You can pin to the certificate (or keep a list of certificates)
     - Or use an intermediate certificate
     - You can pin to the public key (or keep a list of public keys)
     - Much to say about this... that is another presentation!

  15. Your secure connection: To pin or not to pin?
     - TrustKit
     - Alamofire (or AFNetworking)
     - Or use NSURLSession and configure connection:canAuthenticateAgainstProtectionSpace: & connection:didReceiveAuthenticationChallenge:

  16. To pin or not to pin? Assume not jailbroken, or...
     The more standard the pinner you use, the more likely there is a kill switch for it on Cydia (disclaimer: don't read this as a motivator to create a DIY pinner!)
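The third option on slide 15, written out as an added example that is not the deck's code: a URLSession delegate that pins the leaf public key itself. The pinned value is a placeholder and the pin format (base64 of SHA-256 over the bytes SecKeyCopyExternalRepresentation returns) is this example's assumption; derive the real pin from your own server's key.

```swift
import Foundation
import Security
import CommonCrypto

// Added example: public-key pinning in a URLSession delegate (not the deck's code).
// ASSUMPTION: pins are base64(SHA-256) over the bytes SecKeyCopyExternalRepresentation
// returns for the leaf key; the value below is a placeholder, not a real server's key.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: Set<String> = ["PLACEHOLDER_BASE64_SHA256_OF_LEAF_KEY="]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; anything else is rejected outright.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 1: normal chain validation (expiry, hostname, system roots) must still pass; pinning narrows trust, it never replaces it.
        guard SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: hash the leaf certificate's public key and require it to be in the pin set.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let key = SecCertificateCopyKey(leaf),
              let keyBytes = SecKeyCopyExternalRepresentation(key, nil) as Data?,
              pinnedKeyHashes.contains(PinningSessionDelegate.sha256Base64(keyBytes)) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private static func sha256Base64(_ data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { buffer in
            _ = CC_SHA256(buffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return Data(digest).base64EncodedString()
    }
}

// Every TLS handshake made through this session passes the pin check above.
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: PinningSessionDelegate(),
                               delegateQueue: nil)
```

Keep at least one backup pin for the next key so a routine certificate rotation does not lock every installed client out.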
  17. Your secure connection: workarounds at SSL pinning! Let's play

  18. Your secure connection: before we begin
     - Install PreferenceLoader
     - Install SSL Kill Switch 2
     - Get your favorite proxy: OWASP ZAP, Burp, Charles Proxy
     - Pick an app and try it out :)

  19. How does this work? (diagram: OS, DVIA app, Network, SSL kill switch)
  20. Your secure connection: Demo time!

  21. Your secure connection

  22. Payload encryption
     - If you want to prevent your data being read or injected after SSL compromise
     - Was removed from the MASVS
     - Can be very error-prone: please follow standards & DO NOT INVENT YOUR OWN!
     - Note that there are a few cases when you might want to consider it: loads of PII, financial data
  23. Your storage
     - NSUserDefaults & Plist
     - CoreData & Realm
     - Keychain
     - Filesystem protection

  24. Your storage: NSUserDefaults
     "The NSUserDefaults class provides a programmatic interface for interacting with the defaults system. The defaults system allows an application to customize its behavior to match a user's preferences."
  26. Your storage: Plists in general
     - You can store: application preferences; small amounts of data, primarily strings and numbers
     - Inefficient with large blocks of binary data
  27. Your storage: Plist & NSUserDefaults. Let's play

  28. Your storage: Before we begin
     - Install OpenSSH on your iDevice
     - Install FileZilla on your Mac for file extraction
     - Install DVIA
     - Easy way out: try iExplorer to edit plist files (will skip for now)

  29. Your storage: Plist & NSUserDefaults. Demo time!

  30. Your storage

  31. Your storage: plist & NSUserDefaults. Don't put secrets or PII in plists!

  32. Your storage: CoreData
     - "Core Data is a framework that you use to manage the model layer objects in your application" (Apple developer)
     - Well integrated into iOS
     - You can use the Data Model editor & inspector
     - Uses predicates

  33. Your storage: Realm
     - "Realm Swift enables you to efficiently write your app's model layer in a safe, persisted and fast way." (Realm website)
     - Uses its own persistence engine
     - Is fast
  34. Your storage: CoreData & Realm. Let's play

  35. Your storage: Before we begin
     - Install OpenSSH on your iDevice
     - Install FileZilla on your Mac for file extraction
     - Install "DB Browser for SQLite" for CoreData
     - Install "Realm Browser" for Realm files
     - Install DVIA

  36. Your storage: CoreData & Realm. Demo time!

  37. (Insert movie here: Realm & CoreData)

  38. (Insert movie here: Realm)

  39. Your storage: CoreData & Realm
     - CoreData:
       - Consider trying out encrypted-core-data from project-imas
       - DIY using NSValueTransformer together with RNCryptor or CommonCrypto
       - Use filesystem protection / iOS-level data protection when setting up the database
       - Effective security requires a passcode

  40. Your storage: CoreData & Realm
     - Realm: encrypt the data at rest
     - Use filesystem protection / iOS-level data protection

         import RealmSwift

         // getKey() is the app's own helper: it must return the 64-byte key Realm expects,
         // fetched from the keychain rather than hard-coded in the binary
         let configuration = Realm.Configuration(encryptionKey: getKey() as Data)
         let realm = try! Realm(configuration: configuration)
         // Add an object
         try! realm.write {
             let obj = EncryptionObject()
             obj.stringProp = "abcd"
             realm.add(obj)
         }
  41. Your storage: Keychain
     - An SQLite database controlled by the securityd daemon
     - Access is based on "keychain-access-groups", "application-identifier" and "application-group" entitlements
     - Security implementation nicely explained in https://www.apple.com/business/docs/iOS_Security_Guide.pdf
     - You specify an Access Control object on how the keychain entry should be secured

  42. Your storage: Keychain
     - You specify a protection class:
       - Don't use: kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly
       - To force a passcode: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly (no background processing > 10 seconds, no backup)
       - Default = kSecAttrAccessibleWhenUnlocked
     - You specify flags: userPresence, touchIDAny, touchIDCurrentSet, devicePasscode, ...

  43. Your storage: Keychain
     - Want to dump keychains? Use https://github.com/ptoomey3/Keychain-Dumper
     - Or work your way through /private/var/Keychains/keychain-2.db

  44. Your storage: Keychain
     - Dumping keys/passwords still requires you to provide your Touch ID or passcode, depending on the Access Control objects created
     - You can use the Secure Enclave for signing using ECDSA: kSecAttrTokenID = kSecAttrTokenIDSecureEnclave
     - Keys and operations reside in the SE: we did not extract the private key
     - Interesting project: Valet from Square
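Slide 40 leaves getKey() undefined and slide 42 lists the protection classes and flags; this added example (not the deck's or Realm's code) ties the two together by keeping the Realm key in the keychain under kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly with a userPresence flag. The service and account strings are placeholders.

```swift
import Foundation
import Security

// Added example (not the deck's code): the getKey() the Realm slide assumes, stored in the
// keychain under slide 42's passcode-only protection class plus a userPresence flag.
// ASSUMPTIONS: service/account strings are placeholders; call getKey() off the main thread,
// because .userPresence makes the read prompt for Touch ID or passcode.
enum RealmKeyStore {
    private static let service = "com.example.app.realm", account = "realm-encryption-key" // placeholders
    private static let keyLength = 64 // Realm requires exactly 64 bytes
    enum KeyStoreError: Error { case randomFailed, accessControl, keychain(OSStatus) }

    // Returns the stored key, or generates, stores and returns a fresh one on first run.
    static func getKey() throws -> Data {
        if let existing = try load() { return existing }
        var bytes = [UInt8](repeating: 0, count: keyLength)
        guard SecRandomCopyBytes(kSecRandomDefault, keyLength, &bytes) == errSecSuccess else {
            throw KeyStoreError.randomFailed
        }
        let key = Data(bytes)
        try store(key)
        return key
    }

    private static func load() throws -> Data? {
        let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                    kSecAttrService as String: service, kSecAttrAccount as String: account,
                                    kSecReturnData as String: true, kSecMatchLimit as String: kSecMatchLimitOne]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else { throw KeyStoreError.keychain(status) }
        return data
    }

    private static func store(_ key: Data) throws {
        // WhenPasscodeSetThisDeviceOnly: never backed up or migrated, wiped if the passcode is removed.
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .userPresence, &cfError) else {
            throw KeyStoreError.accessControl
        }
        let attrs: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                    kSecAttrService as String: service, kSecAttrAccount as String: account,
                                    kSecAttrAccessControl as String: access, kSecValueData as String: key]
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeyStoreError.keychain(status) }
    }
}
```

A Keychain-Dumper run on a jailbroken device then shows this item only after the prompt is satisfied, which is the behaviour slide 44 describes.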
  45. Your storage: Filesystem protection
     - Files are encrypted by iOS: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
     - See FileProtectionType (Swift) or NSFileProtectionType (Obj-C) for more details
     - Similar to the keychain protection class
     - The default is already pretty useful in iOS 9: files become readable once the device has been unlocked for the first time after boot
     - Use iExplorer or iFunbox to check whether files are encrypted while the device is locked
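The programmatic side of the iExplorer/iFunbox check above, as an added example that is not the deck's code: write a file under the strongest protection class and read the class back. The file name is a placeholder, and the assertion assumes a real device, since the class is applied by the device's data-protection layer.

```swift
import Foundation

// Added example (not the deck's code): write a file under the strongest data-protection
// class and read the class back, the programmatic counterpart of the iExplorer/iFunbox check.
// ASSUMPTION: the file name is a placeholder; protection classes are enforced on a real device.
enum ProtectedFile {
    static func write(_ payload: Data, to url: URL) throws {
        // .completeFileProtection == NSFileProtectionComplete: unreadable while the device is locked.
        try payload.write(to: url, options: [.atomic, .completeFileProtection])
    }

    // Reads the NSFileProtectionKey attribute back; the value is bridged as a String,
    // so both representations are handled.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        if let typed = attrs[.protectionKey] as? FileProtectionType { return typed }
        return (attrs[.protectionKey] as? String).map(FileProtectionType.init(rawValue:))
    }
}

let noteURL = FileManager.default.temporaryDirectory.appendingPathComponent("notes.dat") // placeholder name
try ProtectedFile.write(Data("constructed sample note".utf8), to: noteURL)
let applied = try ProtectedFile.protectionClass(of: noteURL)
precondition(applied == .complete, "protection class was not applied")
```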
  46. One gentle reminder....
     ENCRYPTION of the data does NOT help you in protecting the INTEGRITY of the data. For this you SIGN or HMAC the data (or you use AES-GCM, which is only a private API).
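The "SIGN or HMAC" step from the reminder, as an added example that is not the deck's code: an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC) via CommonCrypto, verified in constant time. The MAC key and the ciphertext are constructed stand-ins; in practice the key is random, separate from the encryption key, and stored in the keychain.

```swift
import Foundation
import CommonCrypto

// Added example (not the deck's code): the "SIGN or HMAC" step for a ciphertext produced
// by AES-CBC/CTR via CommonCrypto (encrypt-then-MAC), with a constant-time tag check.
// ASSUMPTIONS: the MAC key is distinct from the encryption key and lives in the keychain;
// the key and ciphertext below are constructed stand-ins, not real material.
enum Integrity {
    static func hmacSHA256(key: Data, message: Data) -> Data {
        var mac = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        key.withUnsafeBytes { k in
            message.withUnsafeBytes { m in
                CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), k.baseAddress, key.count,
                       m.baseAddress, message.count, &mac)
            }
        }
        return Data(mac)
    }

    // Compares every byte regardless of where the first mismatch is, so timing does not
    // leak how much of a forged tag was correct.
    static func verify(tag: Data, key: Data, message: Data) -> Bool {
        let expected = hmacSHA256(key: key, message: message)
        guard expected.count == tag.count else { return false }
        var diff: UInt8 = 0
        for (a, b) in zip(expected, tag) { diff |= a ^ b }
        return diff == 0
    }
}

let macKey = Data((0..<32).map { UInt8($0) })             // constructed; use SecRandomCopyBytes in practice
let ciphertext = Data("constructed ciphertext bytes".utf8) // stands in for AES output
let tag = Integrity.hmacSHA256(key: macKey, message: ciphertext)
var tampered = ciphertext
tampered[tampered.startIndex] ^= 0x01                      // one flipped bit in the stored blob
precondition(Integrity.verify(tag: tag, key: macKey, message: ciphertext))
precondition(!Integrity.verify(tag: tag, key: macKey, message: tampered))
```

Verify the tag before decrypting; a blob whose tag fails is discarded without ever reaching the cipher.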
  47. Other analysis tools for quick warnings
     - MobSF
     - Needle
     - iRET
     - Introspy-iOS

  48. There's way more!
     - Circumventing anti-piracy methods
     - Circumventing jailbreak detection
     - Using Cycript to bypass controls in your Objective-C application
     - .....
     - Check the DVIA
     - Check the OWASP Mobile Application Security Verification Standard
     - Check the OWASP Mobile Security Testing Guide
     - Check the iOS Secure Coding Guide and the iOS Security Guide

  49. Need help in studying security? Coming soon: an iOS security training for developers!

  50. Need help in studying security? http://pages.xebia.com/ios-hacking-foundation-training

  51. Wrap up
     - Your secure connection:
       - Always have a secure connection
       - Pin if possible & needed
       - Use payload encryption if really necessary
     - Your storage:
       - Don't use plists or NSUserDefaults for sensitive information
       - Encrypt data at rest
     - Use static analyzers

  52. Questions?
     - @commjoenie
     - jwillemsen@xebia.com