Basic iOS Security Analysis

Basic iOS Security Analysis John Downey | @jtdowney

http://www.ﬂickr.com/photos/kev_bite/3756381893/ Walled Garden

http://www.ﬂickr.com/photos/12394349@N06/318947809 Structure of an App

IPA FILES • Mac OS X • /Users/[user]/Music/iTunes/iTunes Media/Mobile Applications
• Just a zip ﬁle

$ unzip -l "Mobile Menus 1.0.ipa" Archive: Mobile Menus 1.0.ipa
Length Date Time Name -------- ---- ---- ---- 0 08-10-11 19:01 Payload/ 0 08-16-11 17:19 Payload/Menus.app/ 102 08-10-11 16:58 Payload/Menus.app/Data.plist 1241 08-10-11 16:58 Payload/Menus.app/datebar.png 1475 08-10-11 16:58 Payload/Menus.app/[email protected] 1422 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow.png 1815 08-10-11 16:58 Payload/Menus.app/[email protected] 1185 08-10-11 16:58 Payload/Menus.app/Info.plist 1417 08-10-11 16:58 Payload/Menus.app/information_icon.png 1720 08-10-11 16:58 Payload/Menus.app/[email protected] 68192 08-10-11 16:58 Payload/Menus.app/iTunesArtwork 229792 08-10-11 16:58 Payload/Menus.app/Menus 2041 01-08-13 05:36 iTunesMetadata.plist 30204 01-08-13 05:36 iTunesArtwork

$ plutil -p Menus.app/Info.plist { "CFBundleName" => "Menus" "DTSDKName" =>
"iphoneos4.3" "NSMainNibFile" => "MainWindow_iPhone" "CFBundleShortVersionString" => "1.0" "CFBundleSupportedPlatforms" => [ 0 => "iPhoneOS" ] "DTPlatformName" => "iphoneos" "CFBundleExecutable" => "Menus" "DTCompiler" => "com.apple.compilers.llvmgcc42" "MinimumOSVersion" => "4.0" "CFBundleDisplayName" => "Mobile Menus" "CFBundleIdentifier" => "edu.purdue.hfs.Menus" }

$ unzip -l "Mobile Menus 1.0.ipa" Archive: Mobile Menus 1.0.ipa
Length Date Time Name -------- ---- ---- ---- 0 08-10-11 19:01 Payload/ 0 08-16-11 17:19 Payload/Menus.app/ 102 08-10-11 16:58 Payload/Menus.app/Data.plist 1241 08-10-11 16:58 Payload/Menus.app/datebar.png 1475 08-10-11 16:58 Payload/Menus.app/[email protected] 1422 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow.png 1815 08-10-11 16:58 Payload/Menus.app/[email protected] 1185 08-10-11 16:58 Payload/Menus.app/Info.plist 1417 08-10-11 16:58 Payload/Menus.app/information_icon.png 1720 08-10-11 16:58 Payload/Menus.app/[email protected] 68192 08-10-11 16:58 Payload/Menus.app/iTunesArtwork 229792 08-10-11 16:58 Payload/Menus.app/Menus 2041 01-08-13 05:36 iTunesMetadata.plist 30204 01-08-13 05:36 iTunesArtwork

$ file Menus.app/Menus Menus.app/Menus: Mach-O universal binary with 2 architectures
Menus.app/Menus (for architecture armv6): Mach-O executable arm Menus.app/Menus (for architecture armv7): Mach-O executable arm

$ otool -l Menus.app/Menus | grep -B2 crypt cmd LC_ENCRYPTION_INFO
cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1 -- cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 69632 cryptid 1

http://www.ﬂickr.com/photos/marcusramberg/71281972/ Exploring an App

APPLICATION DATA • Property List files (.plist) • Apple configuration
file • Basically a key/value store • SQLite Database (.db/.sqlite) • Embedded relational database • CoreData abstraction layer

$ sqlite3 Model.sqlite SQLite version 3.7.12 2012-04-03 19:43:07 Enter ".help"
for instructions Enter SQL statements terminated with a ";" sqlite> .schema CREATE TABLE ZPATTERN ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTE... CREATE TABLE ZROUTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGE... CREATE TABLE ZSAVED ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGE... CREATE TABLE ZSTOP ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER... CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UU... CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME... CREATE INDEX ZPATTERN_ZROUTE_INDEX ON ZPATTERN (ZROUTE); CREATE INDEX ZSTOP_ZROUTE_INDEX ON ZSTOP (ZROUTE);

KEYCHAIN • Secure storage on device • Protection • kSecAttrAccessibleWhenUnlocked
• Just the passcode • kSecAttrAccessibleWhenUnlockedThisDeviceOnly • Device speciﬁc key and passcode

http://www.ﬂickr.com/photos/adrianblack/3358661327/ Network Trafﬁc

TLS/SSL VERIFICATION • Apps • Rackspace iOS client • Facebook
Camera • LinkedIn • The Most Dangerous Code in the World

http://www.ﬂickr.com/photos/gsi-r/5213626727/ Decrypting an App

iPod-touch:~ root#

# apt-get install gdb Reading package lists... Done Building dependency
tree Reading state information... Done The following NEW packages will be installed: gdb 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 3585kB of archives. After this operation, 33.0MB of additional disk space will be used. Get:1 http://apt.saurik.com ios/550.52/main gdb 1518-12 [3585kB] Fetched 3585kB in 2s (1502kB/s) Selecting previously deselected package gdb. (Reading database ... 2499 files and directories currently installed.) Unpacking gdb (from .../gdb_1518-12_iphoneos-arm.deb) ... Setting up gdb (1518-12) ...

# cd /tmp # mkdir apps # cd apps/ #
cp -r /var/mobile/Applications/[UDID]/Menus.app/ . # gdb ./Menus.app/Menus GNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "--host=arm-apple-darwin9 --target="...Reading symbols for shared libraries . done (gdb)

(gdb) set sharedlibrary load-rules ".*" ".*" none (gdb) set inferior-auto-start-dyld
off (gdb) set sharedlibrary preload-libraries off (gdb) set sharedlibrary load-dyld-symbols off (gdb) rb doModInitFunctions Breakpoint 1 at 0x2fe0c1fa <function, no debug info> __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE; (gdb) r Starting program: /private/var/tmp/apps/Menus.app/Menus Breakpoint 1, 0x2fe0c1fa in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE ()

(gdb) bt #0 0x2fe0c1fa in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERK... #1 0x2fe0c454 in __dyld__ZN16ImageLoaderMachO16doInitializationERKN1...
#2 0x2fe0a034 in __dyld__ZN11ImageLoader23recursiveInitializationERK... #3 0x2fe09fd4 in __dyld__ZN11ImageLoader23recursiveInitializationERK... #4 0x2fe01780 in __dyld__ZN4dyldL11imageSorterEPKvS1_ ()

(gdb) dump memory /tmp/dump.bin 0x2000 0x13000

(gdb) dump memory /tmp/dump.bin 0x2000 0x13000 0x1000 + 0x1000 (4096)
= 0x2000 cryptoff

(gdb) dump memory /tmp/dump.bin 0x2000 0x13000 0x2000 + 0x11000 (69632)
= 0x13000 cryptsize

$ otool -f Menus.app/Menus Fat headers fat_magic 0xcafebabe nfat_arch 2
architecture 0 cputype 12 cpusubtype 6 capabilities 0x0 offset 4096 size 111344 align 2^12 (4096) architecture 1 cputype 12 cpusubtype 9 capabilities 0x0 offset 118784 size 111008 align 2^12 (4096)

$ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc 69632+0 records in
69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec)

69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec) 4096 + 4096 = 8192 offset cryptoff

69632+0 records out 69632 bytes transferred in 0.085575 secs (813697 bytes/sec) cryptsize

01 => 00

$ lipo -thin armv6 -output Menus.armv6 Menus

$ strings Menus.armv6 release init alloc dealloc description retainCount autorelease
retain respondsToSelector: conformsToProtocol: isMemberOfClass: isKindOfClass: isProxy performSelector:withObject:withObject: performSelector:withObject:

$ class-dump-z Menus.armv6 @protocol UIApplicationDelegate <NSObject> @optional -(void)applicationDidFinishLaunching:(id)application; -(BOOL)application:(id)application didFinishLaunchingW...
-(void)applicationDidBecomeActive:(id)application; -(void)applicationWillResignActive:(id)application; -(BOOL)application:(id)application handleOpenURL:(id)url; -(BOOL)application:(id)application openURL:(id)url sou... -(void)applicationDidReceiveMemoryWarning:(id)applicatio. -(void)applicationWillTerminate:(id)application; -(void)applicationSignificantTimeChange:(id)change; -(void)application:(id)application willChangeStatusBar...

REFERENCES • http://www.neglectedpotential.com/ • http://media.hacking-lab.com/scs3/scs3_pdf/ SCS3_2011_Bachmann.pdf • http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords.pdf • Hacking
and Securing iOS Applications by Jonathan Zdziarski

Basic iOS Security Analysis

Basic iOS Security Analysis

More Decks by John Downey

Other Decks in Programming

Featured

Transcript