Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Basic iOS Security Analysis

58376779023f009fc13d160bb3e82515?s=47 John Downey
January 11, 2013
Programming
3
230

Basic iOS Security Analysis

58376779023f009fc13d160bb3e82515?s=128

John Downey

January 11, 2013
Tweet

More Decks by John Downey

See All by John Downey
Cryptography Pitfalls at CactusCon 2019
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
78
Intro to Cybersecurity Workshop
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
100
Cryptography Pitfalls at BsidesMSP 2017
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
98
Cryptography Pitfalls at THOTCON 0x8
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
150
Cryptography Pitfalls at ConFoo Montreal 2017
58376779023f009fc13d160bb3e82515?s=48 jtdowney
1
220
Cryptography Pitfalls at BSidesPhilly 2016
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
75
Cryptography Pitfalls at LASCON 2016
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
110
Debugging TLS/SSL at DevOps Days Detroit 2016
58376779023f009fc13d160bb3e82515?s=48 jtdowney
1
150
Debugging TLS/SSL at DevOpsDays Boston
58376779023f009fc13d160bb3e82515?s=48 jtdowney
1
260

Other Decks in Programming

See All in Programming
Java初心者が知っておくべきプログラミングのこと - JJUG CCC 2022 Spring
9e840766611f942c7c0a9ad6987a5d78?s=48 kishida
5
550
Running Laravel/PHP on AWS (AWS Builders Day Taiwan 2022)
2f42f32689c8244280dd01d864f92079?s=48 dwchiang
0
150
Licences open source : entre guerre de clochers et radicalité
323bb1cb39e6478e559b6e13d2fdf518?s=48 pylapp
2
510
[DevTrends - Jun/2022] Arquitetura baseada em eventos
36489105af6ebd101e8f250e537e70d3?s=48 camilacampos
0
150
Beyond Micro Frontends: Frontend Moduliths for the Enterprise @wad2022
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
130
Get Ready for Jakarta EE 10
B489790e1a844284d7cd1fa2cd6e021f?s=48 ivargrimstad
0
800
Let's keep Commodore 64 alive for the next 40 years
85977ebfe59c2ee669f2196930f1a701?s=48 mehowte
1
110
[월간 데이터리안 세미나 6월] 스스로 성장하는 분석가 커리어 이야기
Fc03caed2b0f2a29992487fcf50dfd81?s=48 datarian
0
240
模組化的Swift架構(二) DDD速成
A3d3b179955bdea9fc05b3251f1b1f10?s=48 haifengkao
0
390
競プロのすすめ
3a10a8f9ae25b2eb5bf3579dd3141dd8?s=48 uya116
0
670
Web API連携でCSRF対策がどう実装されてるか調べた / how to implements csrf-detection on Web API
79fc33e55cacc42beef647541de24d58?s=48 yasuakiomokawa
2
470
Independently together: 
better developer experience & App performance
80d92d5d0bd0170aebf6e07589a0b571?s=48 bcinarli
0
180

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
12
1.3k
Imperfection Machines: The Place of Print at Facebook
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
12k
Debugging Ruby Performance
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
65
10k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.2k
How GitHub Uses GitHub to Build GitHub
78b475797a14c84799063c7cd073962f?s=48 holman
465
280k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
62
10k
JavaScript: Past, Present, and Future - NDC Porto 2020
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
37
3.3k
Fontdeck: Realign not Redesign
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
4.1k
ReactJS: Keep Simple. Everything can be a component!
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
344
17k
Building Flexible Design Systems
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
310
34k

Transcript

  1. Basic iOS Security Analysis John Downey | @jtdowney

  2. None

  3. http://www.flickr.com/photos/kev_bite/3756381893/ Walled Garden

  4. http://www.flickr.com/photos/12394349@N06/318947809 Structure of an App

  5. IPA FILES • Mac OS X • /Users/[user]/Music/iTunes/iTunes Media/Mobile Applications

    • Just a zip file

  6. $ unzip -l "Mobile Menus 1.0.ipa" Archive: Mobile Menus 1.0.ipa

    Length Date Time Name -------- ---- ---- ---- 0 08-10-11 19:01 Payload/ 0 08-16-11 17:19 Payload/Menus.app/ 102 08-10-11 16:58 Payload/Menus.app/Data.plist 1241 08-10-11 16:58 Payload/Menus.app/datebar.png 1475 08-10-11 16:58 Payload/Menus.app/datebar@2x.png 1422 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow.png 1815 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow@2x.png 1185 08-10-11 16:58 Payload/Menus.app/Info.plist 1417 08-10-11 16:58 Payload/Menus.app/information_icon.png 1720 08-10-11 16:58 Payload/Menus.app/information_icon@2x.png 68192 08-10-11 16:58 Payload/Menus.app/iTunesArtwork 229792 08-10-11 16:58 Payload/Menus.app/Menus 2041 01-08-13 05:36 iTunesMetadata.plist 30204 01-08-13 05:36 iTunesArtwork

  7. $ plutil -p Menus.app/Info.plist { "CFBundleName" => "Menus" "DTSDKName" =>

    "iphoneos4.3" "NSMainNibFile" => "MainWindow_iPhone" "CFBundleShortVersionString" => "1.0" "CFBundleSupportedPlatforms" => [ 0 => "iPhoneOS" ] "DTPlatformName" => "iphoneos" "CFBundleExecutable" => "Menus" "DTCompiler" => "com.apple.compilers.llvmgcc42" "MinimumOSVersion" => "4.0" "CFBundleDisplayName" => "Mobile Menus" "CFBundleIdentifier" => "edu.purdue.hfs.Menus" }

  8. $ unzip -l "Mobile Menus 1.0.ipa" Archive: Mobile Menus 1.0.ipa

    Length Date Time Name -------- ---- ---- ---- 0 08-10-11 19:01 Payload/ 0 08-16-11 17:19 Payload/Menus.app/ 102 08-10-11 16:58 Payload/Menus.app/Data.plist 1241 08-10-11 16:58 Payload/Menus.app/datebar.png 1475 08-10-11 16:58 Payload/Menus.app/datebar@2x.png 1422 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow.png 1815 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow@2x.png 1185 08-10-11 16:58 Payload/Menus.app/Info.plist 1417 08-10-11 16:58 Payload/Menus.app/information_icon.png 1720 08-10-11 16:58 Payload/Menus.app/information_icon@2x.png 68192 08-10-11 16:58 Payload/Menus.app/iTunesArtwork 229792 08-10-11 16:58 Payload/Menus.app/Menus 2041 01-08-13 05:36 iTunesMetadata.plist 30204 01-08-13 05:36 iTunesArtwork

  9. $ file Menus.app/Menus Menus.app/Menus: Mach-O universal binary with 2 architectures

    Menus.app/Menus (for architecture armv6): Mach-O executable arm Menus.app/Menus (for architecture armv7): Mach-O executable arm

  10. $ otool -l Menus.app/Menus | grep -B2 crypt cmd LC_ENCRYPTION_INFO

    cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1 -- cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1

  11. http://www.flickr.com/photos/marcusramberg/71281972/ Exploring an App

  12. None
  13. None

  14. APPLICATION DATA • Property List files (.plist) • Apple configuration

    file • Basically a key/value store • SQLite Database (.db/.sqlite) • Embedded relational database • CoreData abstraction layer

  15. $ sqlite3 Model.sqlite SQLite version 3.7.12 2012-04-03 19:43:07 Enter ".help"

    for instructions Enter SQL statements terminated with a ";" sqlite> .schema CREATE TABLE ZPATTERN ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTE... CREATE TABLE ZROUTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGE... CREATE TABLE ZSAVED ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGE... CREATE TABLE ZSTOP ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER... CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UU... CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME... CREATE INDEX ZPATTERN_ZROUTE_INDEX ON ZPATTERN (ZROUTE); CREATE INDEX ZSTOP_ZROUTE_INDEX ON ZSTOP (ZROUTE);

  16. KEYCHAIN • Secure storage on device • Protection • kSecAttrAccessibleWhenUnlocked

    • Just the passcode • kSecAttrAccessibleWhenUnlockedThisDeviceOnly • Device specific key and passcode

  17. http://www.flickr.com/photos/adrianblack/3358661327/ Network Traffic

  18. None
  19. None

  20. TLS/SSL VERIFICATION • Apps • Rackspace iOS client • Facebook

    Camera • LinkedIn • The Most Dangerous Code in the World
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None

  27. http://www.flickr.com/photos/gsi-r/5213626727/ Decrypting an App

  28. None

  29. iPod-touch:~ root#

  30. None

  31. # apt-get install gdb Reading package lists... Done Building dependency

    tree Reading state information... Done The following NEW packages will be installed: gdb 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 3585kB of archives. After this operation, 33.0MB of additional disk space will be used. Get:1 http://apt.saurik.com ios/550.52/main gdb 1518-12 [3585kB] Fetched 3585kB in 2s (1502kB/s) Selecting previously deselected package gdb. (Reading database ... 2499 files and directories currently installed.) Unpacking gdb (from .../gdb_1518-12_iphoneos-arm.deb) ... Setting up gdb (1518-12) ...

  32. $ otool -l Menus.app/Menus | grep -B2 crypt cmd LC_ENCRYPTION_INFO

    cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1 -- cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1

  33. # cd /tmp # mkdir apps # cd apps/ #

    cp -r /var/mobile/Applications/[UDID]/Menus.app/ . # gdb ./Menus.app/Menus GNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "--host=arm-apple-darwin9 --target="...Reading symbols for shared libraries . done (gdb)

  34. (gdb) set sharedlibrary load-rules ".*" ".*" none (gdb) set inferior-auto-start-dyld

    off (gdb) set sharedlibrary preload-libraries off (gdb) set sharedlibrary load-dyld-symbols off (gdb) rb doModInitFunctions Breakpoint 1 at 0x2fe0c1fa <function, no debug info> __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE; (gdb) r Starting program: /private/var/tmp/apps/Menus.app/Menus Breakpoint 1, 0x2fe0c1fa in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE ()

  35. (gdb) bt #0 0x2fe0c1fa in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERK... #1 0x2fe0c454 in __dyld__ZN16ImageLoaderMachO16doInitializationERKN1...

    #2 0x2fe0a034 in __dyld__ZN11ImageLoader23recursiveInitializationERK... #3 0x2fe09fd4 in __dyld__ZN11ImageLoader23recursiveInitializationERK... #4 0x2fe01780 in __dyld__ZN4dyldL11imageSorterEPKvS1_ ()

  36. (gdb) dump memory /tmp/dump.bin 0x2000 0x13000

  37. (gdb) dump memory /tmp/dump.bin 0x2000 0x13000

  38. (gdb) dump memory /tmp/dump.bin 0x2000 0x13000 0x1000 + 0x1000 (4096)

    = 0x2000 cryptoff

  39. (gdb) dump memory /tmp/dump.bin 0x2000 0x13000 0x2000 + 0x11000 (69632)

    = 0x13000 cryptsize

  40. $ otool -f Menus.app/Menus Fat headers fat_magic 0xcafebabe nfat_arch 2

    architecture 0 cputype 12 cpusubtype 6 capabilities 0x0 offset 4096 size 111344 align 2^12 (4096) architecture 1 cputype 12 cpusubtype 9 capabilities 0x0 offset 118784 size 111008 align 2^12 (4096)

  41. $ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc 69632+0 records in

    69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec)

  42. $ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc 69632+0 records in

    69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec)

  43. $ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc 69632+0 records in

    69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec)

  44. $ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc 69632+0 records in

    69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec) 4096 + 4096 = 8192 offset cryptoff

  45. $ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc 69632+0 records in

    69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec) cryptsize

  46. $ otool -l Menus.app/Menus | grep -B2 crypt cmd LC_ENCRYPTION_INFO

    cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1 -- cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1

  47. 01 => 00

  48. $ otool -l Menus.app/Menus | grep -B2 crypt cmd LC_ENCRYPTION_INFO

    cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 0 -- cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1

  49. $ lipo -thin armv6 -output Menus.armv6 Menus

  50. $ strings Menus.armv6 release init alloc dealloc description retainCount autorelease

    retain respondsToSelector: conformsToProtocol: isMemberOfClass: isKindOfClass: isProxy performSelector:withObject:withObject: performSelector:withObject:

  51. $ class-dump-z Menus.armv6 @protocol UIApplicationDelegate <NSObject> @optional -(void)applicationDidFinishLaunching:(id)application; -(BOOL)application:(id)application didFinishLaunchingW...

    -(void)applicationDidBecomeActive:(id)application; -(void)applicationWillResignActive:(id)application; -(BOOL)application:(id)application handleOpenURL:(id)url; -(BOOL)application:(id)application openURL:(id)url sou... -(void)applicationDidReceiveMemoryWarning:(id)applicatio. -(void)applicationWillTerminate:(id)application; -(void)applicationSignificantTimeChange:(id)change; -(void)application:(id)application willChangeStatusBar...

  52. REFERENCES • http://www.neglectedpotential.com/ • http://media.hacking-lab.com/scs3/scs3_pdf/ SCS3_2011_Bachmann.pdf • http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords.pdf • Hacking

    and Securing iOS Applications by Jonathan Zdziarski