Introduction into iOS security testing

Transcript

1. Introduction into iOS security testing COCOAHEADS FEBRUARI 2017 JEROEN WILLEMSEN

2. About me u Jeroen Willemsen u @commjoenie u [email protected] ”Full

   stack developer”, “risk management” & “security” Security

3. Agenda u Introduction u DVIA, MASVS & MSTG u Getting

   started u Your secure connection u Your storage

4. Why would you care? You … Therefore … Create a

   banking app You need to secure transactions, PII Create a game You want to prevent cheaters to spoil the fun Create an app using personal information (email, gps-location, phone number, …) You need to take care of securing PII or you can get a fine Create an app for a shop You want to prevent stealing items / financial information / get wrong transactions Create a notebook app You need to secure the notebooks of your customers Create an app that costs money You want to prevent it being pirated Create an app with in-app charges You do not want people to bypass them

5. DVIA u Damn Vulnerable iOS App u Open source vulnerable

   app, u maintained by @prateekg147

6. OWASP MASVS & MSTG u Mobile Application Security Verification Standard

   (MASVS) u https://github.com/OWASP/ow asp-masvs u Mobile Security Testing Guide (MSTG) u https://github.com/OWASP/o wasp-mstg

7. Before we get started u Get a 64 bit iOS

   device running ios 9.2 – 9.3.3 and use the Pangu jailbreak u Get an iPhone 7 with iOS 10.1.1 or any other iOS 64 bit device with iOS 10.2 and use the Yalu jailbreak.

8. WARNING! Many junior mistakes ahead!

9. Before we get started u Install on your iDevice: openSSH,

   Erica utilities, iOS toolchain, stashing for ios 9.2-10.2 BigBoss Recommended tools , MobileTerminal u iFunbox for app instalation u mobSF for quick analysis. u Update the DVIA app to be compatible with the latest version of iOS and Xcode. u Setup your favorite proxy, such as ZAP

10. Your secure connection u App Transport Security (ATS) u To

    pin or not to pin? u Workarounds at SSL pinning! u Payload encryption?

11. “ ” Application Transport Security

12. Source: https://developer.apple.com

13. None

14. Your secure connection: To pin or not to pin? u

    You can pin to the certificate (or keep a list of certificates) u Or use an intermediate certificate u You can pin to the public key (or keep a list of public keys) u Much to say about this…. Is another presentation!

15. Your secure connection: To pin or not to pin? u

    Trustkit, u Alamofire (or AF-Networking), u use NSUrlSessoin and configure connection:canAuthenticateAgainstProtectionSpace: & con nection:didReceiveAuthenticationChallenge:

16. To pin or not to pin? Assume not jailbroken or…

    The more standard pinner you use, the most likely there is a killswitch for cydia… (disclaimer: don’t read this as a motivator to create a DIY pinner!)

17. Your secure connection: workarounds at SSL pinning! Let’s play

18. Your secure connection: before we begin u Install preference loader

    u Install SSL Killswitch 2 u Get your favorite proxy: OWASP ZAP, Burp, Charles proxy u Pick an app and try it out J

19. How does this work? OS DVIA app Network + SSL

    killswitch

20. Your secure connection Demo time!

21. Your secure connection

22. Payload encryption u If you want to prevent your data

    being read or injected after SSL compromise u Was removed from the MASVS u Can be very error-prone: please follow standards & DO NOT INVENT YOUR OWN! u Note that there are a few cases when you might want to consider it: loads of PII, Financial data.

23. Your storage u NSUserdefaults & Plist u CoreData & Realm

    u Keychain u Filesystem protection

24. Your storage: NSUserDefaults “The NSUserDefaults class provides a programmatic interface

    for interacting with the defaults system. The defaults system allows an application to customize its behavior to match a user’s preferences”

25. Your storage: NSUserDefaults “The NSUserDefaults class provides a programmatic interface

    for interacting with the defaults system. The defaults system allows an application to customize its behavior to match a user’s preferences”

26. Your storage: Plists in general u You can store: u

    Application preferences u Small amounts of data: primarily strings and numbers u Inefficient with large blocks of binary data

27. Your storage: Plist & NsUserDefaults Let’s play

28. Your storage: Before we begin u Install openSSH on your

    iDevice u Install FileZilla on your Mac for file extraction u Install Dvia u Easy way out: try iExplorer to edit plist files (will skip for now)

29. Your storage: Plist & NsUserDefaults Demo time!

30. Your storage

31. Your Storage plist & NSUserDefaults Don’t put secrets or PII

    in plists!

32. Your storage: CoreData u “Core Data is a framework that

    you use to manage the model layer objects in your application” (Apple developer) u Well integrated into iOS u You can use the Data Model editor & inspector u Uses predicates

33. Your storage: Realm u “Realm Swift enables you to efficiently

    write your app’s model layer in a safe, persisted and fast way. ” (realm website) u Uses its own persistence engine u Is fast

34. Your storage: CoreData & Realm Let’s play

35. Your storage: Before we begin u Install openSSH on your

    iDevice u Install FileZilla on your Mac for file extraction u Install “DB browser for SQLite” for CoreData u Install “Realm browser” for Realm file u Install Dvia

36. Your storage: CoreData & Realm Demo time!

37. u Insert movie here (realm & coredata)

38. u Insert movie here on Realm

39. Your storage: CoreData & Realm u CoreData: u Consider trying

    out encrypted-core-data from project-imas u DIY using NSValueTransformer together with RNCrypto or CommonCrypto u Use filesystem protection / ios-level data protection when setting up the database. u Effective security requires a passcode.

40. Your storage: CoreData & Realm u Realm: Encrypt the data

    at rest: u Use filesystem protection / ios-level data protection let configuration = Realm.Configuration(encryptionKey: getKey() as Data) let realm = try! Realm(configuration: configuration) // Add an object try! realm.write { let obj = EncryptionObject() obj.stringProp = "abcd" realm.add(obj) }

41. Your storage: Keychain u An Sqlite database controlled by securityd

    daemon. u Access is based on “keychain-access-groups,” “application- identifier,” and “applicationgroup” entitlements. u Security implementation nicely explained in https://www.apple.com/business/docs/iOS_Security_Guide.p df u You specify an Access Control object on how the keychain entry should be secured.

42. You storage: keychain u You specify a protection class: u

    Don’t use: kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly u To force a passcode: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, u No background processing > 10 seconds, No backup u Default = kSecAttrAccessibleWhenUnlocked u You specify flags: userPresence, touchIDAny, touchIDCurrentSet, devicePasscode, ….

43. Your storage: Keychain u Want to dump keychains? Use https://github.com/ptoomey3

    /Keychain-Dumper u Or work your way through /private/var/Keychains/key chain-2.db

44. Your storage: Keychain u Dumping keys /passwords still requires to

    provide your touch-ID or passcode depending on the Access Control objects created. u You can use the secure enclave for signing using ECDSA, u kSecAttrTokenID = kSecAttrTokenIDSecureEnclave . u Keys and operations reside in the SE: we did not extract the private key. u Interesting project: Valet from Square

45. Your storage: Filesystem protection u Files are encrypted by iOS.

    u https://www.apple.com/business/docs/iOS_Security_Guide.pdf u See FileProtectionType (swift) or NSFileProtectionType (obj-c) for more details. u Similar to keychain protection class u Default is already pretty usefull in iOS 9: unlock after first unlock. u Use iExplorer or iFunbox to check whether files are encrypted while the device is locked.

46. One gentle reminder…. ENCRYPTION of the data does NOT help

    you in protecting the INTEGRITY of the data. For this you SIGN or HMAC the data. - Or you use AES-GCM, which is only a private API -

47. Other analysis tools for quick warnings u MobSF u Needle

    u iRet u introSpy-iOS

48. There’s way more! u Circumventing anti-piracy methods u Circumventing jailbreak

    detection u Using Cycript to bypass controls in your Objective-C application u ….. u Check the DVIA u Check the Owasp Mobile Application Security Verification Standard u Check the Owasp Mobile Security Testing Guide u Check ios Secure coding guide and iOS Security guide.

49. Need help in studying security? Coming soon: an iOS security

    training for developers!

50. Need help in studying security? http://pages.xebia.com/ios-hacking-foundation-training

51. Wrap up u Your secure connection: u Always have a

    secure connection u Pin if possible & needed u Use payload encryption if really necessary u Your storage: u Don’t use plists or NSUserdefaults for sensitive information u Encypt data at rest u Use static analyzers

52. Questions? u @commjoenie u [email protected]